SharePoint 2010 Tips part 31 ppsx


CHAPTER 8
Securing and Managing Site Content

WHAT'S IN THIS CHAPTER?
- The administration hierarchy
- Security terminology
- User permissions
- Permission levels
- Security groups
- Granting users access

As the capabilities and use of SharePoint technologies continue to increase, so does the amount of content stored in SharePoint sites. To maintain and manage this content, you need an effective security structure in place to ensure that this content is only accessed by users with the proper permissions. To assist administrators with this gargantuan task, configuration options exist to grant users access with both broad and fine-grained settings. Additionally, you can configure this access at several hierarchical levels, making it easy to secure content throughout an environment. The security structure built at the onset of a SharePoint deployment plays a major role in the overall success or failure of the solution and is not to be taken lightly. In this chapter you get an in-depth look at the security configuration options available with SharePoint 2010 and how they can be used to lock down your environment.

REVIEWING THE TERMINOLOGY

Before diving into how site security can be set up, it is vital to understand the vocabulary that represents the various components of user access. These terms are often dependent upon each other, so it is easy to get subjects confused. Be sure to have a firm grasp of these concepts before moving on to the next sections:

- Permissions — These are single units of access that represent specific tasks that can be performed at the list, site, or personalization level. Permission levels are made up of sets of permissions. SharePoint ships with a list of permissions. This list cannot be edited or added to, and permissions cannot be deleted. Although you can't delete a permission, you can control the permissions that are available for a site collection.
  For example, if you have a site collection that is storing archived content and you want to eliminate the possibility of users deleting list and library items, you can remove the permission to "Delete Items." This type of configuration can be made from Central Administration.

- Permission levels — Permission levels are pre-defined sets of permissions that are used to grant users access to content in SharePoint. The level of access that users with the assigned permission have is based on the permissions that make up the permission level. Several permission levels are created by default. These permission levels vary according to the type of template you use to create your site collections and sites. Each permission level is covered in detail later in this chapter, in the section "Permission Levels."

- Users — The smallest value to which access can be granted. This value corresponds to an account in Active Directory or another host application for user accounts.

- Groups — A group is a set of users who will have identical access needs. Users in the same group typically have the same role within an organization. Using groups, rather than granting permissions to individual users, makes it easier to manage user access.

- Securable objects — Securable objects are levels within SharePoint 2010 that can be "locked down," or secured, by setting specific user access. Sites, lists, libraries, and items are all securable objects. User access at each of these levels can be customized so that only the appropriate or approved users have access to the content.

- Inheritance — Inheritance is used to describe how user access is created by default within SharePoint. Whenever a securable object is created, it is created with the same user access as its parent. For new sites that you create, you specify whether you want the site to "inherit" permissions or whether the site should have customized permissions.
  When user access is inherited, any changes made to the parent securable object(s) will update the child securable object(s). When permissions aren't inherited, no updates are made to the access users and groups have within the securable object(s). If you choose to customize your user access and not inherit from the parent site, it is paramount that you document any changes to your security structure so that your team is aware of which sites will not be automatically updated. This does not mean that membership to groups will not be updated; it means that the access that users or groups have will not be updated. Group membership can be edited in any site within the site collection, but these changes will affect the group for the entire site collection.

- Site groups — These are specific groups that are created for you by default when a new site is created. The types of groups that are created vary according to the site template used to create the site. The "Security Groups" section goes into more detail regarding the different types of groups and how they can be used within SharePoint 2010.

ADMINISTRATION HIERARCHY IN SHAREPOINT 2010

User access can be set at several hierarchical levels in a SharePoint 2010 environment. This helps break up the task and responsibility of security administration. At the higher levels, IT members will most likely be responsible for managing security for the server farm down through the services, features, and site collection administrator levels. This gives your IT department control over the servers and provisioning and managing site collections. Once site collections and sites have been created, along with the corresponding lists, libraries, pages, etc., the responsibility of securing content should be redirected to the users that "own" the specified content.
This takes a large burden off of your IT department, and allows them to focus on maintaining the SharePoint environment as a whole, rather than managing every little piece. At the site collection level is the site collection administrator. This is typically a manager or department head that oversees all the users and content within a given site collection. Moving down the chain, individual users or power users can be delegated control of child sites, lists, and libraries. Note that if you intend on having non-IT staff manage security at the lower levels, an extensive amount of training is recommended, as well as an effective backup/restore plan. Having such high access allows those users to perform a wide variety of tasks, some of which can be fatal for environments. In the next few sections, each hierarchical level is covered in more detail.

Server or Server Farm Administrators

The server farm access level includes two groups:

- Local Administrators — Members of this group are also members of the Farm Administrators group. In addition to all the administrative tasks they can perform as farm administrators, local administrators can perform additional activities, even tasks unrelated to the SharePoint environment, on servers in the farm — including installing patches and service packs, administering IIS, starting/stopping services, SQL maintenance, reviewing Event Viewer logs, etc. Like farm administrators, these users do not have access to SharePoint sites by default. To manage users in this group, you must do so from the server itself.

- Farm Administrators — Members of this group have administrator access to all servers in the server farm. With this access they can perform any administrative task within the Central Administration site. Users in this group can also use PowerShell cmdlets for various administrative activities and assign users administrative roles for service applications.
  By default, this group does not have access to SharePoint sites, but it is possible for them to give themselves access through a web application policy.

To manage server farm administrators, follow these steps:

1. From Central Administration, select Site Settings → People and Groups.
2. Click Manage the farm administrators group. Here you can add and remove users from this group.
3. To add a user, click the New drop-down menu and select Add Users, as shown in Figure 8-1.

[Figure 8-1]

4. To remove a user, click the checkbox next to his or her name and then click Actions → Remove Users from Group, as shown in Figure 8-2.

[Figure 8-2]

Although farm and local administrators do not have access to SharePoint sites by default, they can access and configure anything in Central Administration. With this access, they can grant themselves permissions by adding themselves to the Site Collection Administrators group for a site collection or by creating a web application policy that will grant them access to any site collection within that particular web application.

Service Application Administrators

Service application management is delegated to two groups. For more details check out Chapter 7.

- Service Administrators — Delegated by members in the Farm Administrators group, these users can manage settings for a specific service application within the server farm. These users cannot access any other service application unless they are given access by a farm administrator. Members of this group cannot create new service applications or perform any farm-level operations. To manage the Service Administrators, go to Central Administration → Manage Service Applications (under the Application Management header). Highlight a service and in the Ribbon, under the Service Applications tab, click on Administrators.
- Feature Administrators — Delegated by farm or service administrators, members of this group are associated with a specific feature within a service application. Users can manage the subset of service application settings related to this feature, but only for this feature. Most service applications do not have this flexibility. An example of one that does have this capability is the User Profile service application. Here you can drill down and give users very specific permissions such as the ability to only manage audiences or profiles. To manage the Feature Administrators, go to Central Administration → Manage Service Applications (under the Application Management header). Highlight a service and in the Ribbon, under the Service Applications tab, click on Permissions. If the service is available in the Permissions for user section you will see multiple permissions you can assign.

Site Collection Administrators

Members of the Site Collection Administrators group have Full Control permission level settings for all sites within the site collection. This access cannot be overridden for this site collection except through a web application policy, and this access is available to all content, whether the users are given explicit permissions or not. In addition to the administrative capabilities, the Primary and Secondary Site Collection Administrators receive additional notifications for quotas and user access requests. The Primary and Secondary Site Collection Administrators are specified when the site collection is created.

To manage users in a Site Collection Administrators group you have two options. For the first option:

1. Open Central Administration.
2. Click Application Management.
3. Under Site Collections, click Change site collection administrators.
On the Site Collection Administrators page that appears (see Figure 8-3), you must select a site collection, and then you can add users as Primary or Secondary site collection administrators. Only one user can be added as a Primary site collection administrator; likewise for the Secondary site collection administrator. User groups cannot be entered for either of these sections.

[Figure 8-3]

The other option for managing the Site Collection Administrators group is from the site collection itself:

1. From the top-level site in your site collection, click Site Actions → Site Permissions.
2. In the Permission Tools tab, click Site Collection Administrators to display the screen shown in Figure 8-4.
3. Here you can add and remove users from this group, similarly to the method shown earlier for farm administrators.

[Figure 8-4]

As a rule, the Site Collection Administrators group can never be empty. If you try to remove all the users, you will receive an error. If you find a way to do it programmatically, very bad things happen.

Site Administration

Users in the Site Owners group have been added to the Owners group and have Full Control to content on this site. Unlike site collection administrators, this access can be overridden by customizing permissions settings on a child site or lower level. By default, if you specify this at site creation, a [site name] Owners group is created. This group's members will have full control to the site.

Administration Beneath the Site Level

Management of content below the site level does not always require group membership:

- Document library or list — There is no specific group that manages content at this level, but permissions can be configured. This is useful when you want only a small portion of your content, on one site, to have restricted access.
- Individual items — Similar to the previous level, there is no set group that administers individual items at this level, but permissions can be configured. Providing granular control over user access is a powerful feature in SharePoint 2010.

UNDERSTANDING PERMISSIONS

When SharePoint is installed, a set of permissions is created. This set can be viewed by opening Central Administration and clicking on Application Management → Manage Web Applications. From there, highlight a web application and click on User Permission (in the Ribbon, under the Web Applications tab). Not only can you view the available permissions, you can select the permissions that will be available for the web application and its site collections. It is these permissions that enable administrators to configure user access at a granular level and, by doing so, secure content at various levels within SharePoint sites. Each permission level is one of three types of permissions: List, Site, or Personal. As previously mentioned, these permissions are combined to create permission levels. This method is the recommended approach for configuring SharePoint security. Figure 8-5 shows a partial list of the available options; for a more comprehensive look at permissions, see Table 8-1. This table provides the list of all permission levels, including what type of permission it is. It also displays the default permission levels that have each of these permissions out of the box.
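The chapter walks through these settings in the Central Administration UI; the following added example (not from the book) shows how an administrator can audit the same facts from the SharePoint 2010 Management Shell: the web application policies through which farm administrators can grant themselves access, the permissions enabled for the web application, each site collection's administrators (which must never be empty), and the webs and lists whose inheritance has been broken and therefore no longer follow their parent. The URL http://intranet.contoso.local is an assumed placeholder.

```powershell
# Added audit example, not part of the original chapter. Read-only: it changes nothing.
# Assumes the SharePoint 2010 Management Shell and a placeholder web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.local"   # placeholder, replace with your own
$webApp = Get-SPWebApplication $webAppUrl

# 1. Web application policies: the route by which farm administrators can give
#    themselves access to every site collection in the web application.
Write-Host "== Web application policies for $webAppUrl =="
foreach ($policy in $webApp.Policies) {
    $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-40} {1}" -f $policy.UserName, $roles)
}

# 2. Permissions available to this web application (the User Permission page).
Write-Host "`nPermissions enabled for this web application: $($webApp.RightsMask)"

# 3. Per site collection: who the site collection administrators are, and which
#    child webs and lists have unique permissions (inheritance broken), so their
#    access is no longer updated when the parent changes and should be documented.
foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
    try {
        $admins = $site.RootWeb.SiteAdministrators | ForEach-Object { $_.LoginName }
        Write-Host "`n== $($site.Url) =="
        Write-Host ("Site collection administrators: " + ($admins -join ", "))
        if (-not $admins) { Write-Warning "No site collection administrators found!" }

        foreach ($web in $site.AllWebs) {
            try {
                # The root web always reports unique permissions; only child webs matter here.
                if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                    Write-Host ("Unique permissions on web:  " + $web.Url)
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Write-Host ("Unique permissions on list: " + $web.Url + "/" + $list.RootFolder.Url)
                    }
                }
            } finally {
                $web.Dispose()   # SPWeb objects must be disposed explicitly
            }
        }
    } finally {
        $site.Dispose()          # likewise for SPSite
    }
}
```

Run it as a farm administrator; the output gives the baseline against which later permission changes on a site collection can be compared.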

Posted: 02/07/2014, 12:20
