Security Groups 211

The following procedure will walk you through editing a permission level that exists on a site based on the Team site template:

1. Follow the steps in the earlier instructions to navigate to the Permission Levels page.
2. Click the permission level you want to edit. If you select the Full Control or Limited Access permission levels, you will notice that all of the permissions are grayed out. You will not be able to edit these permission levels. If you select a permission level other than these two, you can deselect current permissions and/or add permissions.
3. When finished, click Submit. This will save the changes you have made. Note that this change will affect this entire site collection.

Deleting a Permission Level

In the event that you no longer wish a permission level to be available, you can remove it from the Permission Levels page:

1. Follow the steps in the earlier instructions to navigate to the Permission Levels page.
2. Select the permission level you want to delete. For this example, the Custom Permission Level 1 will be deleted. Select this permission level and click Delete Selected Permission Levels. As the option states, you can delete more than one permission level at a time if you so choose.
3. Once you click Delete Selected Permission Levels, a pop-up window will appear asking you to confirm the deletion of the selected permission level (see Figure 8-11). Click OK.
4. The selected permission level will be deleted and will no longer be available from the Permission Levels page.

When you delete a permission level it will no longer be available. When the permission level is removed, any users or groups that are leveraging this permission level for access will be removed from the Site Permissions page. In order for these users or groups to have access again, you must grant them one of the available permission levels.
SECURITY GROUPS

So far this chapter has covered the individual permissions that make up permission levels and how these permission levels are used to grant users and groups access to SharePoint content. Now it is time to discuss the users and groups that will be assigned the previously stated permission levels.

FIGURE 8-11

212 CHAPTER 8 Securing and Managing Site Content

SharePoint Security Groups

SharePoint security groups are groups of users that are created from within the browser and can be used within a given site collection. By default, SharePoint creates security groups (site groups) when a new site collection is created. The groups that are created vary according to the template that is used. The following are the site groups that may be created:

Site Collection Administrators — This group is created for all site collection templates. It has Full Control permissions and can do anything on this site collection. These permissions cannot be overridden. When a new site collection is created, the creator has to specify a value for the primary site collection administrator, and he/she will have the option to enter a user for the secondary site collection administrator. These specified users are added to the Site Collection Administrators group and will be able to perform the administrative tasks associated with the site collection. These options are available from the Site Settings menu on the top-level site collection (see Figure 8-12). These users will also be the only users who can view the members of the Site Collection Administrators group. The Site Collection Administrators group is also accessible from the Site Permissions page of the top-level site, as shown in Figure 8-13.
FIGURE 8-12
FIGURE 8-13
[Site collection name] Owners — This group is created for all site collection templates; by default, members of this group will have Full Control.
[Site collection name] Members — This group is created for all site collection templates; by default, members of this group will have Contribute access.
[Site collection name] Visitors — This group is created for all site collection templates; by default, members of this group will have Read access.
Viewers — This group has View Only access, and is created for Collaboration and Meeting site templates.
Approvers — This group has Approval access, and is created for Enterprise site templates and Publishing site templates.
Designers — This group has Design access, and is created for Enterprise site templates and Publishing site templates.
Hierarchy Managers — This group has Manage Hierarchy access, and is created for Enterprise site templates and Publishing site templates.
Restricted Readers — This group has Restricted Read access, and is created for Enterprise site templates and Publishing site templates.

Configuring Permissions During Site Creation

When you create a new site, within an existing site collection, you select your template and then you enter a name, URL, and description for your site. To configure permissions during site creation, from the Create screen click the More Options button. The Permissions options will appear, as shown in Figure 8-14. The default value is to Use same permissions as parent site — that is, inherit permissions from the parent site. This means that access to the new site is the same as that used on the parent one. No new groups will be created.

If you select Use unique permissions (as shown in Figure 8-14) and click Create, you will be prompted to configure three new user access groups: [New site name] Owners, [New site name] Members, and [New site name] Visitors (see Figure 8-15). This creates a customized security structure and only users who are members of these groups will have access to the site.
FIGURE 8-14
FIGURE 8-15

The available default permissions will vary with the version of SharePoint 2010 you are running. SharePoint Foundation 2010 does not have all the same permissions that SharePoint Server 2010 has.

Adding a SharePoint Security Group

In addition to site groups and groups that are created when a new site is created using unique permissions, you can create your own SharePoint security groups, assuming you have sufficient permissions. This group will be usable within the entire site collection, not just within the site in which it was created.

When you assign a permission level to the group, that access applies to the current securable object and all child securable objects. This is an area where people are easily confused. When you create a SharePoint group, you can specify the group’s permission level or you can leave it blank. If you leave it blank, you can always configure the group’s access to another securable object. If you configure the group’s access, the access will only be for that securable object and any securable objects that inherit permissions from the parent. Once the SharePoint security group is created, you can navigate to any securable object’s permission settings page and add access for the group.

To add a SharePoint security group, follow these steps:

1. Navigate to the People and Groups page in any site within your site collection by clicking Site Actions > Site Settings.
2. Under the Users and Permission header, click People and Groups. By default, the page will display the first SharePoint group that is listed in the Current Navigation under Groups. To see all groups within the site collection, click on the link for Groups (see Figure 8-16) to open the All Groups page.
FIGURE 8-16
3. Click the New drop-down menu and select New Group, as shown in Figure 8-17.
FIGURE 8-17
4. Enter a name and description for the new group. For this example the name will be New Group 1, with no description. Specify the Group Owner (only one user can be the group owner). Typically, the only people who can view the membership of the group are the members of that group. Additionally, only the Group Owner can edit the membership of the group. For obvious reasons, it is not a good idea to give several users this capability. You can also configure if and how you want to receive membership requests.
5. Click Create. Your group will now be created.

Deleting a SharePoint Security Group

Deleting a SharePoint security group is simple:

1. Navigate to the All Groups page (see steps 1 and 2 of the preceding “Adding a SharePoint Security Group” procedure).
2. When viewing the available groups, click the Edit icon for the desired security group.
3. Scroll down and click Delete.

Managing SharePoint Security Groups in Current Navigation

To manage SharePoint security groups, follow these steps:

1. Navigate to the People and Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure). This procedure describes how to edit the groups displayed here.
2. Select Settings > Edit Group Quick Launch, as shown in Figure 8-18.
FIGURE 8-18
3. Enter or remove one or more security groups from the displayed groups.

Adding Users to SharePoint Security Groups

To add users to SharePoint security groups, follow these steps:

1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure).
2. Select a group by clicking on the name of the group.
3. Click the New drop-down menu and select Add Users.
4. Enter the user’s name and validate.
5. Select whether or not you want to have an e-mail sent to the user informing them of their new access.
6. Click OK.

Deleting Users from SharePoint Security Groups

To delete users from SharePoint security groups, follow these steps:

1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure).
2. Select a group by clicking on the name of the group.
3. Select the users you want to remove.
4. Click Remove Users From Group.

The two preceding procedures are for adding and deleting users, but you can follow the same steps to add an Active Directory group to a SharePoint group. In the people picker, specify the Active Directory group, rather than the name of a user, and then validate the name. You can search for an Active Directory group the same way you search for a user.

Active Directory Groups

In addition to using SharePoint security groups, you can also use Active Directory (AD) groups. For security, you must use AD e-mail-enabled security groups. Distribution lists cannot be used. In order for an object to be used in security it must have a Security ID (SID) in Active Directory. User accounts have SIDs, so they can be used. Distribution lists do not have SIDs, which is why they cannot be used as security objects in SharePoint. AD groups and individual users are granted permissions in similar fashion. As such, their use is covered later in this chapter.

SharePoint Security Groups versus Active Directory Groups

Because you can use either SharePoint security groups or Active Directory groups, let’s discuss the benefits and downsides to using either option. In most cases, it really depends on the environment and the governance policy in place. In most environments, the AD structure is much older than the SharePoint implementation and already set up. If your SharePoint security structure needs match those of the current AD setup, then it will be much easier to deploy AD groups, rather than recreate the same structure and add users to SharePoint security groups. If this is not the case, and your SharePoint site structure has completely different user access configuration needs, this is a picture-perfect example of when to choose SharePoint security groups over AD groups.

Another thing to consider is the user who will be managing the security structure and user access. With AD, it is almost always an information technology specialist, who may or may not have SharePoint access. With SharePoint, the site collection administrator or site owner may be an IT professional, but there is a good chance that it will be a manager or power user, who will not have AD access. Most organizations avoid turning control of IT application security over to a non-IT professional. In situations where the site collection administrator and/or site owners are non-IT members, a combined approach is common.

One significant drawback to AD groups is discoverability. There is no way in SharePoint to see the members of an AD group, making it difficult or impossible to know who has access to something if AD groups are used.

Special Groups and Authentication Options

There might not always be a user or group that exactly fits the bill when you want to add permissions at a large level. If you need to provide access to a large group of people that is dynamic, you may need to employ some special tactics to open your content to everyone that needs access.

All Authenticated Users — One AD group that can be very useful is the NT AUTHORITY\Authenticated Users group. This group represents any and all users who authenticate to your AD domain. The advantage to using this group is that for environments that will be accessible by all your domain users, this guarantees access for all your users and is easy to manage. The downside is that this group represents all your users, granting them all access. Imagine if this group were given access to secure content. As such, this option should be used with caution.
This also includes trusted domains, not just the domain your SharePoint servers are in. If you are using a trusted domain for extranet users, for instance, they will all also have access to any content secured with NT AUTHORITY\Authenticated Users.

NT AUTHORITY\Authenticated Users is an Active Directory group. Use of this group requires Windows Integrated Security.

Anonymous Access — This authentication method allows any user(s) to access your SharePoint sites. Primarily seen with Internet sites, this option is useful when the users who will be accessing your content do not have corresponding user accounts in your domain. Anonymous Access can only be enabled at the web application level. Once enabled, it can be available for all site collections and sites within the web application. Since this is configurable at the site level, it is up to the site collection and site administrators whether they want this enabled in their environments. Similar to using the NT AUTHORITY\Authenticated Users group, this option should be used with caution. Anonymous access can be configured from the Site Permissions page, as shown in Figures 8-19 and 8-20.

Anonymous Access can only be configured at the site level once it is enabled in Central Administration in the authentication settings.

FIGURE 8-19
FIGURE 8-20

GRANTING PERMISSIONS

Giving users access can be achieved in three ways: You can grant access to SharePoint security groups, to AD groups, or directly to users. Fortunately, the same procedure is used for each option. As previously stated, you must grant access to the specific securable object. For many environments, users will have different access for the various sites in the SharePoint environment.

For the following procedures, you will follow the first two steps to start:

1. Navigate to the securable object. In this example, the securable object will be a site.
2. Select Site Actions > Site Permissions.

Granting Access to a Top-Level Site

To grant access to a top-level site, continue with the following steps:

1. Because this is at the top-level site, you do not have to worry about inheritance. Select Site Actions > Site Permissions.
2. Click Grant Access.
3. Enter the user name(s), AD group name, or SharePoint group name and validate.
4. When granting permissions, you can add the desired user or AD group to an existing SharePoint group or you can give permission directly. The drop-down menu of existing SharePoint groups also shows the corresponding permission level for each group. Adding a new entry to this group gives that user the listed permission level. If you select Grant users permission directly, the permission levels options will be displayed and you can select the desired access (see Figure 8-21).
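
The cautions in "Special Groups and Authentication Options" and the discoverability drawback of AD groups can be checked across a whole site collection from the SharePoint 2010 Management Shell. The following audit script is an added example, not code from the book; the site URL is a placeholder, and it assumes classic Windows authentication, where the group's login name reads exactly as written above.

```powershell
# Added audit example (not from the book). Run in the SharePoint 2010 Management Shell.
# $SiteUrl is a placeholder; pass your own site collection URL.
param([string]$SiteUrl = 'http://sharepoint.example.local/sites/team')
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Web, $Finding, $Principal, $Via, $Levels) {
    New-Object PSObject -Property @{
        Web = $Web.Url; Finding = $Finding; Principal = $Principal; Via = $Via; Levels = $Levels }
}

# Flags the two principal types the chapter singles out. Assumes classic Windows
# authentication, where the login name reads exactly as shown in the text.
function Test-Principal($Web, $User, $Via, $Levels) {
    if ($User.LoginName -eq 'NT AUTHORITY\Authenticated Users') {
        New-Finding $Web 'AllAuthenticatedUsers' $User.LoginName $Via $Levels
    } elseif ($User.IsDomainGroup) {
        # Membership lives in AD and is not visible from SharePoint; review it there.
        New-Finding $Web 'ADGroup' $User.LoginName $Via $Levels
    }
}

$site = Get-SPSite $SiteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # AnonymousState is Disabled, Enabled (lists and libraries) or On (entire site).
            if ($web.AnonymousState -ne 'Disabled') {
                New-Finding $web "Anonymous:$($web.AnonymousState)" 'Anonymous' 'site setting' ''
            }
            # Sites that inherit permissions are covered by their parent's entry.
            if (-not $web.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $web.RoleAssignments) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                    # SharePoint group: inspect each member it contains.
                    foreach ($u in $ra.Member.Users) { Test-Principal $web $u $ra.Member.Name $levels }
                } else {
                    Test-Principal $web $ra.Member 'granted directly' $levels
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$findings | Sort-Object Web, Finding | Format-Table Web, Finding, Principal, Via, Levels -AutoSize
```

The script covers site-level assignments only; lists and items with unique permissions would need the same loop over their own RoleAssignments.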