Role-Based Security

                 

 
Special Edition Using Microsoft SharePoint Portal Server
By Robert  Ferguson

Table of Contents
Chapter  4.   Overview of Document Management


As discussed at a high level in Chapter 3, security within SharePoint Portal Server is achieved by leveraging the existing Windows NT security model. The security component provides granular security control and simplified security management. While integrating with existing Windows NT Security is important, additional role-based security allows documents to be accessed only by individuals who are granted access through SharePoint Portal Server security specific roles.

NOTE

SharePoint Portal Server uses existing NT user -IDs and native Windows NT “based Access Control Lists (ACLs). SharePoint Portal Server must be run on a Windows 2000 Server platform. However, both NT and Windows 2000 directory security can be used.


SharePoint Portal Server allows role-based security for managing what users can do within the workspace or subfolders of the workspace. The roles that can be enabled are Coordinator, Author, and Reader. The roles have different authority and the role assigned will determine the level of authority within the workspace.

To learn more role based security and how it is used, see "Permissions," p. 281.

Roles are used to logically group end userswith similar access, but the role-based membership is not stored within Active Directory. Rather, the roles are stored within individual folders, and each folder could potentially contain a different set of users and groups for each role. A workspace Coordinator or Coordinators for specific folders can assign roles. Workspace Coordinators can assign roles at the workspace or for folders within the workspace. Coordinators for specific folders can only assign roles within the assigned folder. When the Coordinator assigns a user to a role, the user is granted specific permissions to perform specific tasks .

NOTE

Permissions are assigned to roles and cannot be changed.


To enable security, a Coordinator assigns a user or a group to a security role. To change security, right-click the folder, click Properties, and click Security. Select an existing user and change the role or add a new user or group (see Figure 4.11).

Figure 4.11. Notice the three roles you can select from when assigning rights to a user or group.

graphics/04fig11.jpg

It is best practice to set up NT groups, assign users to the groups, and associate the security role to the group rather than an individual user. In addition, you should not use a combination of individual and group assignments. When assigning security at multiple levels, the most permissive role applies.

NOTE

If an Author creates new folders, the new folder automatically inherits the folder level policies from the parent folder, which was configured by the Coordinator of the parent folder. The Author role does not have the ability to modify the roles or approval policies on any folders which they create.


NOTE

All users are assigned to the Reader role by default. This means that everyone in your domain can read published documents. This is possible because within Windows NT and Windows 2000, the Everyone group is assigned to the Reader role. This default assignment is performed on all folders within the workspace during the creation of the workspace.


Within a standard folder, Readers have the ability to view all documents within the folder. Within an enhanced folder, Readers can only view folders and public documents. A Reader cannot check out, edit, or delete documents, and cannot view draft versions of documents.

Role-Based Activities

SharePoint Portal Server allows Coordinators to perform the following role-based functions:

  • Assigning users or groups to a role

  • Adding a user or a group to a folder

  • Removing a user or a group from a folder

  • Configuring folder-level inheritance

Step-by step processes and procedures for how to perform these role-based functions are documented in great detail within SharePoint Portal Server's Help.

Additional Security

In addition to the three main security roles, an additional document level setting of Deny Access, as well as a folder level setting of Approver, can be used to provide additional security granularity.

Deny Access is not a core security role. However, this feature allows an additional level of granular document-based security restrictions. Not available within the folder level, Deny Access can be enabled on individual documents within a folder. Access can be denied for individual users as well as for a group of users not allowed to view the document.

It is possible that some end users might have the appropriate security role that would normally allow access to documents within a folder. However, the Author of a document could still block access using the Deny Access feature.

The Approver role is a special role only associated with specific tasks on a per-folder basis for enhanced folders. This role is not a formal role similar to the three main security roles (Coordinator, Author, or Reader). A Coordinator for an enhanced folder can add a user as an Approver within the Approval tab on the Properties page of the folder.

The reason this role is only associated with enhanced folders is because a SharePoint Portal Server approval process cannot be set up on standard folders. Coordinators can assign Approvers only to folders which have approval routing enabled.

Right-click an enhanced folder, click Properties, click the Approval tab, and then click Document must be approved before publishing. Add desired Approvers and select the approval route type. Input to the "Comments for the approval email" section will be passed through in the document approval notification email.

Figure 4.12. All routing and approval configuration is done within the Approval tab of a folder.

graphics/04fig12.jpg

TIP

You can select local users and groups, or users from your existing Windows NT or Windows 2000 domain, and assign them to roles. You can define these users and groups locally on the server, or on the domain of which the server is a member. However, since SharePoint Portal Server does not recognize local user server accounts located on another server, it is best practice to use domain user and group accounts when assigning a role to a user.


Users with Multiple Roles

It is possible that a user can have several roles within different folders in a single workspace. For example, in the Sales folder a user might be assigned to the Coordinator role, while in another folder the same user might only be assigned to the Reader role.

NOTE

Assigning a group to a role within a folder allows all members of the group (such as Sales) to have the same role-based access to the folder. Let's assume that a role is assigned to one specific individual of the Sales group. The most permissive combination of the two roles combined then applies. Only the Deny Access role can limit the access of a particular document. If this role is specified within a document for a specific group or individual user, the group or user cannot access the document. This role takes priority over all other roles, even Coordinator.


Granular Access Control

Specifying access control within SharePoint Portal Server can be done at multiple levels. Access can be specified at the workspace level and allow specific inheritance rules to apply. The Coordinator can provide more granular access control by specifying access at the folder level within the workspace. In addition, extreme granular control can be provided by controlling further access within the folder on a per document basis.

NOTE

Using document-level access will likely increase the amount of required administration. One should carefully evaluate the inclusion of this feature to prevent an unnecessary substantial increase in administration costs.


Security Inheritance

To ease administration, workspace and folders can be configured such that subfolders automatically inherit access control settings from their parent folder.

Right-click your folder and click Properties. Select the Security tab and click Use parent folder's security settings (see Figure 4.13). All subdirectories will inherit this security structure unless manually changed.

Figure 4.13. Click on Use parents folder's security settings to enable the new folder to automatically inherit the security from the parent folder.

graphics/04fig13.jpg

When working with document management, it is important to be able to restrict and control access to specific information. SharePoint Portal Server role based security allows you to control access to a document and make it available only to a selected group of individuals who need to edit it or approve it. Once the document is edited or approved, the document can then automatically be published to the final destination and made available to a larger audience.


                 
Top


Special Edition Using Microsoft SharePoint Portal Server
Special Edition Using Microsoft SharePoint Portal Server
ISBN: 0789725703
EAN: 2147483647
Year: 2002
Pages: 286

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net