As a rule, the Site Collection Administrators group can never be empty. If you try to remove all the users, you will receive an error. If you find a way to do it programmatically, the site collection is left with nobody able to administer it, and a farm administrator has to add an administrator back through Central Administration.

Site Administration

Members of the site's Owners group have Full Control over content on that site. Unlike site collection administrator rights, this access can be overridden by customizing permission settings on a child site or at a lower level. By default, if you specify this at site creation, a [site name] Owners group is created, and its members have full control of the site.

Administration Beneath the Site Level

Management of content below the site level does not always require group membership:

Document library or list — There is no specific group that manages content at this level, but permissions can be configured. This is useful when you want only a small portion of your content, on one site, to have restricted access.

Individual items — Similar to the previous level, there is no set group that administers individual items, but permissions can be configured.

Providing granular control over user access is a powerful feature of SharePoint 2010.

UNDERSTANDING PERMISSIONS

When SharePoint is installed, a set of permissions is created. You can view this set by opening Central Administration and clicking Application Management, then Manage Web Applications. From there, highlight a web application and click User Permissions (in the Ribbon, under the Web Applications tab). Not only can you view the available permissions, you can also select which permissions will be available to the web application and its site collections. A permission cleared on this page is withdrawn from every permission level in every site collection of that web application, Full Control included, so the page sets a ceiling for the web application rather than a default. It is these permissions that enable administrators to configure user access at a granular level and, by doing so, secure content at various levels within SharePoint sites. Each permission is one of three types: List, Site, or Personal.
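The same User Permissions setting is reachable from the SharePoint 2010 Management Shell, where it is the web application's RightsMask. The following script is an added example, not code from the book: it reports which permissions are currently withheld from a web application and then clears one bit as an illustration of hardening. The web application URL and the choice of Apply Style Sheets as the permission to withdraw are assumptions; run it as a farm administrator, and against a non-production web application first, because the change affects every site collection underneath.

```powershell
# Added example (not from the book): list the permissions a web application
# makes available to its site collections and, optionally, withdraw one.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# The web application URL and the permission withdrawn below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Every individual permission in the SPBasePermissions flags enum, skipping the
# two aggregate values. Enum names differ from the UI names in Table 8-1
# (ViewListItems is "View Items", CancelCheckout is "Override Check Out", ...).
function Get-AllBasePermissions {
    [Enum]::GetValues([Microsoft.SharePoint.SPBasePermissions]) |
        Where-Object { 'EmptyMask','FullMask' -notcontains $_.ToString() }
}

# One row per permission: is its bit set in the web application's RightsMask?
# RightsMask is the value the User Permissions page in Central Administration edits.
function Get-WebAppPermissions {
    param([string]$Url)
    $webApp = Get-SPWebApplication $Url
    [long]$mask = $webApp.RightsMask
    foreach ($perm in Get-AllBasePermissions) {
        [long]$bit = $perm
        New-Object PSObject -Property @{
            Permission = $perm.ToString()
            Available  = (($mask -band $bit) -eq $bit)
        } | Select-Object Permission, Available
    }
}

# Clear one bit in the RightsMask. This is a ceiling for the whole web
# application: the permission disappears from every permission level in every
# site collection, Full Control included.
function Remove-WebAppPermission {
    param(
        [string]$Url,
        [Microsoft.SharePoint.SPBasePermissions]$Permission
    )
    $webApp = Get-SPWebApplication $Url
    [long]$mask = $webApp.RightsMask
    [long]$bit  = $Permission
    if (($mask -band $bit) -ne $bit) {
        Write-Warning "$Permission is already unavailable on $Url"
        return
    }
    $webApp.RightsMask = [Microsoft.SharePoint.SPBasePermissions]($mask -band (-bnot $bit))
    $webApp.Update()
}

$url = 'http://intranet.contoso.local'   # assumption
# Audit: which of the 33 permissions has somebody already switched off here?
Get-WebAppPermissions -Url $url | Where-Object { -not $_.Available } | Format-Table -AutoSize
# Illustrative hardening: stop site designers from pushing custom CSS into any
# site of this web application (Apply Style Sheets is held by Design and Full Control).
Remove-WebAppPermission -Url $url -Permission ApplyStyleSheets
```

The bitwise arithmetic is done on a [long] copy of the mask rather than on the enum value directly, which keeps the code independent of how a given PowerShell version coerces flag enums; the result is cast back to SPBasePermissions before it is written.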
As previously mentioned, these permissions are combined to create permission levels, and working through permission levels is the recommended approach for configuring SharePoint security. Figure 8-5 shows a partial list of the available options; for a more comprehensive look at permissions, see Table 8-1. The table lists every permission with its type (List, Site, or Personal) and the default permission levels that include it out of the box.

TABLE 8-1: User Permissions

List permissions

Manage Lists
  Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
  Default levels: Full Control, Design, Manage Hierarchy

Override Check Out
  Discard or check in a document that is checked out to another user.
  Default levels: Full Control, Design, Approve, Manage Hierarchy

Add Items
  Add items to lists, and add documents to document libraries.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Edit Items
  Edit items in lists, edit documents in document libraries, and customize Web Part pages in document libraries.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Delete Items
  Delete items from a list, and documents from a document library.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

View Items
  View items in lists, and documents in document libraries.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy, Restricted Read

Approve Items
  Approve a minor version of a list item or document.
  Default levels: Full Control, Design, Approve

Open Items
  View the source of documents with server-side file handlers.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy, Restricted Read

View Versions
  View past versions of a list item or document.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy

Delete Versions
  Delete past versions of a list item or document.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Create Alerts
  Create alerts.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy

View Application Pages
  View forms, views, and application pages; enumerate lists.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy

Site permissions

Manage Permissions
  Create and change permission levels on the website and assign permissions to users and groups.
  Default levels: Full Control, Manage Hierarchy

View Web Analytics Data
  View reports on website usage.
  Default levels: Full Control, Manage Hierarchy

Create Subsites
  Create subsites such as Team sites, Meeting Workspace sites, and Document Workspace sites.
  Default levels: Full Control, Manage Hierarchy

Manage Web Site
  Grant the ability to perform all administrative tasks for the website, as well as manage content.
  Default levels: Full Control, Manage Hierarchy

Add and Customize Pages
  Add, change, or delete HTML pages or Web Part pages, and edit the website using a Microsoft SharePoint Foundation compatible editor.
  Default levels: Full Control, Design, Manage Hierarchy

Apply Themes and Borders
  Apply a theme or borders to the entire website.
  Default levels: Full Control, Design

Apply Style Sheets
  Apply a style sheet (.css file) to the website.
  Default levels: Full Control, Design

Create Groups
  Create a group of users that can be used anywhere within the site collection.
  Default levels: Full Control

Browse Directories
  Enumerate files and folders in a website using SharePoint Designer and WebDAV interfaces.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Use Self-Service Site Creation
  Create a website using Self-Service Site Creation.
  Default levels: Full Control, Design, Contribute, Read

View Pages
  View pages in a website.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy, Restricted Read

Enumerate Permissions
  Enumerate permissions on the website, list, folder, document, or list item.
  Default levels: Full Control, Manage Hierarchy

Browse User Information
  View information about users of the website.
  Default levels: Full Control, Design, Contribute, Read, Limited Access, Approve, Manage Hierarchy

Manage Alerts
  Manage alerts for all users of the website.
  Default levels: Full Control, Manage Hierarchy

Use Remote Interfaces
  Use SOAP, WebDAV, the Client Object Model, or SharePoint Designer interfaces to access the website.
  Default levels: Full Control, Design, Contribute, Read, Approve, Manage Hierarchy

Use Client Integration Features
  Use features that launch client applications. Without this permission, users must work on documents locally and upload their changes.
  Default levels: Full Control, Design, Contribute, Read, Limited Access, Approve, Manage Hierarchy

Open
  Allow users to open a website, list, or folder in order to access items inside that container.
  Default levels: Full Control, Design, Contribute, Read, Limited Access, Approve, Manage Hierarchy, Restricted Read

Edit Personal User Information
  Allow a user to change his own user information, such as adding a picture.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Personal permissions

Manage Personal Views
  Create, change, and delete personal views of lists.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Add/Remove Personal Web Parts
  Add or remove personal Web Parts on a Web Part page.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

Update Personal Web Parts
  Update Web Parts to display personalized information.
  Default levels: Full Control, Design, Contribute, Approve, Manage Hierarchy

PERMISSION LEVELS

Permission levels are the sets of permissions that administrators use to grant users access to site content.
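Table 8-1 describes the out-of-the-box state; on a farm where permission levels have been edited, the only trustworthy table is the one read from the site collection itself. The following script is an added example, not code from the book: it reads the base permissions of every permission level in a site collection's root web and inverts them into the same permission-to-level view as Table 8-1, so the two can be compared. The site URL is an assumption; a Publishing site collection shows all nine default levels, a team site only six.

```powershell
# Added example (not from the book): rebuild the permission-to-level columns of
# Table 8-1 from a live site collection. Run in the SharePoint 2010 Management
# Shell. The site URL is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Expand an SPBasePermissions flags value into individual permission names.
# Full Control stores the aggregate FullMask, which ToString() would not break
# apart, so each bit is tested rather than splitting the string form.
function Expand-BasePermissions {
    param([Microsoft.SharePoint.SPBasePermissions]$Mask)
    [long]$bits = $Mask
    foreach ($perm in [Enum]::GetValues([Microsoft.SharePoint.SPBasePermissions])) {
        if ('EmptyMask','FullMask' -contains $perm.ToString()) { continue }
        [long]$bit = $perm
        if (($bits -band $bit) -eq $bit) { $perm.ToString() }
    }
}

# For every permission level in the root web, record the permissions it holds,
# then invert: one row per permission listing the levels that contain it.
function Get-PermissionLevelMatrix {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        $levelsByPermission = @{}
        foreach ($def in $site.RootWeb.RoleDefinitions) {
            foreach ($perm in (Expand-BasePermissions $def.BasePermissions)) {
                if (-not $levelsByPermission.ContainsKey($perm)) { $levelsByPermission[$perm] = @() }
                $levelsByPermission[$perm] += $def.Name
            }
        }
        foreach ($perm in ($levelsByPermission.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                Permission       = $perm
                PermissionLevels = ($levelsByPermission[$perm] -join ', ')
            } | Select-Object Permission, PermissionLevels
        }
    } finally {
        $site.Dispose()
    }
}

Get-PermissionLevelMatrix -SiteUrl 'http://intranet.contoso.local' | Format-Table -AutoSize -Wrap
```

The output uses the enum names (ViewListItems, CancelCheckout, ViewFormPages) rather than the UI labels in Table 8-1, and the rows are per permission, so any permission level that appears where the table does not list it, or is missing where it should be, marks a level somebody has edited. Custom levels created on the site show up in the same way, which makes the script a quick review of what a level such as "Contribute" actually grants before it is assigned.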
Depending upon the access a user or group of users requires, an administrator can use the out-of-the-box permission levels or create one that fulfills the requirement. Unlike permissions, permission levels are managed from the site where they are used. From the Site Permissions page, you can access the permission levels currently available for your site. It is here that you can create your own permission levels, delete existing permission levels, and modify existing permission levels.

There are a few best practices when it comes to managing permission levels:

Do not modify a default permission level. If a default permission level is not configured the way you like, create a new permission level instead. A new permission level usually differs from a default one by only one or a few permissions, so to keep all the permissions you want, make a copy of the default permission level and then edit the permissions of the copy.

Do not delete a default permission level. If you don't think you need it, there is no harm in keeping it. If you need it down the road, you won't have to create it from scratch and risk not configuring it the same way it was originally.

By default, a set of permission levels is available when a new site is created. This set depends upon the site template that was used to create the site. For team sites there are six default permission levels:

Full Control — Users and groups with this permission level have access to everything on the site and can perform any site administrative task. This should not be confused with site collection administration: users and groups with Full Control cannot perform site collection administrative tasks.

Design — Can view, add, update, delete, approve, and customize. A step up from Contribute, this permission level also allows users to customize the site and its pages. Additionally, users with Design can approve items in containers with Content Approval enabled. For the most part, users and groups with this permission level can do anything on the securable object except administrative tasks.

Contribute — Can view, add, update, and delete list items and documents. This is the standard permission level used to grant users access to content and containers when they need to add, edit, and delete content.

Read — Can view pages and list items and download documents. This is the standard permission level for users and groups that should access content but not add, edit, or delete it.

Limited Access — Can view specific lists, document libraries, list items, folders, or documents when given permissions. This permission level cannot be assigned directly. SharePoint adds it automatically when a user or group is granted permission on a securable object below a site (a list, folder, or item) that they could not otherwise reach, so that they can open the site and navigate to that object. When you see this permission level for a user or group on a site, they have access to something inside the site but not to the site itself or to everything in it. A site with many Limited Access entries is a site with many customized permissions below it, which is worth knowing when you review who can reach what.

View Only — Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded. The key point is that users and groups with this permission level cannot download copies of documents that have server-side file handlers.

Figure 8-5 shows the permission levels for team sites.

FIGURE 8-5

To see all of the default permission levels, you have to create a site based on a Publishing site template. Only the Publishing site template deploys the full set of permission levels. These include the permission levels available with the team site as well as the following:

Restricted Read — View pages and documents. For Publishing sites only. This permission level is similar to Read, but it has only four of the eleven permissions in the Read permission level (View Items, Open Items, View Pages, and Open in Table 8-1). Key distinctions are that users with this permission level cannot create alerts, browse user information, or use client integration.

View Only — View pages, list items, and documents. If the document has a server-side file handler available, users can only view the document by using that file handler. Again, this permission level is based on Read, but it does not have all the same permissions. A few key distinctions are that users with this permission level cannot open list and document library items, browse user information, or use client integration.

Approve — Edit and approve pages, list items, and documents. For Publishing sites only. This permission level is designed to work with the Publishing Approval workflow template. Users and groups with this permission level can edit and approve submitted items and use the Publishing Approval workflow. They can also approve items in lists and document libraries that have Content Approval enabled.

Manage Hierarchy — Create sites; edit pages, list items, and documents. For Publishing sites only. Similar to Design, this permission level allows users to edit the design and components that make up the site, but it does not include every permission that Design has: users with Manage Hierarchy cannot approve items through the Publishing Approval workflow or Content Approval. In the other direction, Table 8-1 shows that Manage Hierarchy carries Manage Permissions, Create Subsites, Manage Web Site, Enumerate Permissions, and Manage Alerts, none of which Design has. Because it can change who has access to the site, Manage Hierarchy should be treated as an administrative level rather than a designer level when you decide who receives it.

Figure 8-6 shows the default Publishing permission levels when using the Publishing template.
FIGURE 8-6

An important thing to remember when working with these permission levels is that, for the most part, each level contains all the permissions of the levels below it in the hierarchy. Full Control therefore contains the permissions of every other level combined, and Contribute contains all the permissions of Read, Restricted Read, View Only, and Limited Access. The relationship is not strict, though. Table 8-1 shows Manage Hierarchy with Manage Permissions, Create Subsites, and Manage Web Site, which Design lacks, and Approve with Override Check Out, which Contribute lacks. When you need to know what a user can actually do, read the level's permission set rather than its position in the list.
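Two of the points above translate directly into script: copying a default permission level and editing the copy rather than the default, and reading Limited Access as a signal that permissions have been customized somewhere below a site. The following is an added example, not code from the book, for the SharePoint 2010 Management Shell. The first function creates a "Contribute (No Delete)" level from a copy of Contribute and refuses to overwrite any default level named in this chapter; the second lists every user or group holding Limited Access on a site. The site URL and the new level's name and description are assumptions.

```powershell
# Added example (not from the book): copy-and-edit a default permission level,
# and list Limited Access holders on a site. Run in the SharePoint 2010
# Management Shell. The site URL and the new level's name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Default permission levels named in this chapter; never overwritten or edited here.
$DefaultLevels = @('Full Control', 'Design', 'Contribute', 'Read', 'Limited Access',
                   'View Only', 'Restricted Read', 'Approve', 'Manage Hierarchy')

function Get-RoleDefinitionByName {
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$Name)
    # The collection indexer throws for a missing name, so filter instead.
    $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
}

function New-PermissionLevelFromCopy {
    param(
        [Microsoft.SharePoint.SPWeb]$Web,
        [string]$CopyOf,
        [string]$Name,
        [string]$Description,
        [Microsoft.SharePoint.SPBasePermissions]$Remove = 'EmptyMask',
        [Microsoft.SharePoint.SPBasePermissions]$Add    = 'EmptyMask'
    )
    if ($DefaultLevels -contains $Name) { throw "Refusing to replace default permission level '$Name'" }
    if (Get-RoleDefinitionByName $Web $Name) { throw "Permission level '$Name' already exists" }
    $source = Get-RoleDefinitionByName $Web $CopyOf
    if (-not $source) { throw "Permission level '$CopyOf' not found on $($Web.Url)" }

    # Permission levels live at the site collection root unless a subsite has
    # broken inheritance; Add() on an inheriting subsite throws.
    if (-not $Web.HasUniqueRoleDefinitions) { $Web.RoleDefinitions.BreakInheritance($true, $true) }

    # The copy constructor carries over the source's permissions; only the copy is edited.
    $copy = New-Object Microsoft.SharePoint.SPRoleDefinition($source)
    $copy.Name        = $Name
    $copy.Description = $Description
    [long]$bits = $source.BasePermissions
    $bits = ($bits -band (-bnot [long]$Remove)) -bor [long]$Add
    $copy.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$bits
    $Web.RoleDefinitions.Add($copy)
    Get-RoleDefinitionByName $Web $Name
}

function Get-LimitedAccessHolders {
    param([Microsoft.SharePoint.SPWeb]$Web)
    # Limited Access is the Guest role type. It cannot be granted directly, so a
    # principal bound to it was given permission on a list, folder or item below
    # this site and received Limited Access on the site only to reach it.
    $limited = $Web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
    foreach ($ra in $Web.RoleAssignments) {
        $names = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($names -contains $limited.Name) {
            New-Object PSObject -Property @{
                Principal = $ra.Member.Name
                Kind      = $ra.Member.GetType().Name   # SPUser or SPGroup
                Levels    = ($names -join ', ')
            } | Select-Object Principal, Kind, Levels
        }
    }
}

$site = Get-SPSite 'http://intranet.contoso.local'   # assumption
try {
    $web = $site.RootWeb
    $P = [Microsoft.SharePoint.SPBasePermissions]
    # Contribute minus Delete Items and Delete Versions (see Table 8-1).
    New-PermissionLevelFromCopy -Web $web -CopyOf 'Contribute' -Name 'Contribute (No Delete)' `
        -Description 'Contribute without Delete Items or Delete Versions' `
        -Remove ($P::DeleteListItems -bor $P::DeleteVersions) |
        Select-Object Name, BasePermissions
    Get-LimitedAccessHolders -Web $web | Format-Table -AutoSize
} finally {
    $site.Dispose()
}
```

Every principal that Get-LimitedAccessHolders returns is a place to follow up: somewhere under that site a list, folder, or item has unique permissions naming that user or group, and those entries are what an access review has to enumerate, since the site-level permissions page will only ever show "Limited Access" for them.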