Role-Based Security

Previous page
Table of content
Next page

SharePoint Portal Server uses a fixed set of three roles to offer a flexible and secure method for controlling user access to content. You cannot modify the permissions associated with a specific role. You can assign roles both at the individual folder level and on the workspace node, which is the top level of the workspace. In addition, you can completely deny a user (or users) access to a specific document. SharePoint Portal Server uses role-based security to control access to content regardless of whether the user is accessing content by using a Web browser, Web folders, or Microsoft Office.

Security settings in SharePoint Portal Server restrict access only to document contents. Members of the Windows 2000 Everyone group can view all metadata associated with a document, such as keywords or other custom properties. Consequently, it is recommended that you refrain from including potentially sensitive information such as password information or program code within the metadata of a document.

The role-based security model provided with SharePoint Portal Server allows you to customize access to content easily.

Reviewing SharePoint Portal Server Roles

Figure 8.1 illustrates SharePoint Portal Server roles.

Figure 8.1. SharePoint Portal Server roles

SharePoint Portal Server includes the following roles.

Reader

A reader can search for and read documents but cannot add them to the workspace. By default, all folder users have Read permissions. In an enhanced folder, readers can only view folders and published versions of documents. Enhanced folders provide increased document management functions, including approval routing and version control. A reader cannot check out, edit, or delete documents and cannot view draft document versions.

By default, SharePoint Portal Server assigns the Windows 2000 Everyone group to the reader role for all folders in the workspace when it creates the workspace.

Author

An author can add new documents to a folder, edit all documents in the folder, delete any document or subfolder from the folder, and read all documents in the folder. An author can also delete the folder itself. In an enhanced folder, authors can also submit any document for publishing.

An author can create, rename, and delete folders. When you create a new folder, it inherits the security settings, including role and folder policies, from the parent folder. However, the author cannot change the roles or the approval policy on folders that he creates.

Coordinator

A workspace coordinator manages content in the top-level folder and performs a set of administration tasks that pertain to the entire workspace. These tasks include managing content sources, document profiles, categories, discussions and subscriptions, and customizing the dashboard site. The coordinator creates indexes of updated content when necessary or schedules this to occur automatically.

A coordinator on a specific folder assigns user roles on the folder. The coordinator creates subfolders. In addition, the coordinator adds, edits, and deletes documents from the folder. Coordinators can also read and delete a document that is created but is not yet checked in. For enhanced folders, the coordinator selects the appropriate approval process. In addition, the coordinator can undo the check-out of a document or end the publishing process by using the Cancel Publishing or Bypass Approval actions.

SharePoint Portal Server automatically assigns the administrator who creates the workspace to the coordinator role on the top level of the workspace and on each folder.

SharePoint Portal Server provides the Deny Access security option on documents only. This setting supersedes all access permissions except those of the local Administrators group. You can deny access to a document for a specific user or group if you do not want that user or group to view that document. When you deny access to a document, the document is no longer visible to the denied user or group. The user can no longer view the document in lists nor does the document appear in search results. Denying access to a document does not affect the local Administrators group's access to that document.

In addition, the following set of folders and their subfolders support workspace management functions: Management, Portal, System, Shadow, and Categories folders. You must be a coordinator on the top level of the workspace to manage these folders. You cannot directly configure security on these folders. Except for the Management folder, these folders are generally not visible to users of the workspace.

The Windows 2000 local Administrators group has permission to read documents and specify security on any folder or document in a workspace. The ability to configure security provides a way to access every folder and document in the event that, through accident or malicious intent, the folder or document is made unavailable to those who should have access to it. The local Administrators group can restore permissions for individual folders. Denying access to a document does not affect the local Administrators group's access to that document.

If you install SharePoint Portal Server on a domain controller, there is no local Administrators group. Consequently, only users assigned to the coordinator role can specify security on folders. If a coordinator makes an error, there is no local administrator to resolve security issues.

Example

Susan, an employee of an outdoor sports company, manages the server in her branch office. The server not only stores the office's workspace, but also serves as the domain controller for the office.

As the server administrator, Susan makes Paul the coordinator for the Finance folder on the regional workspace. As the coordinator, Paul then specifies other roles for the folder, including removing Susan from the list of coordinators. Several months later, Paul leaves the company. Because Susan is no longer a coordinator, and the domain controller has no local administrators group, Susan no longer has access to the Finance folder and cannot modify the security to add a new coordinator for the folder.

It is recommended that you plan carefully if you choose to install SharePoint Portal Server on a domain controller. Implementing a specific security practice can help to prevent security lockouts such as the one described in the previous example.

Managing Access to Content

SharePoint Portal Server includes a versatile set of features that allow you to define when and how users can access documents. To help you manage documents, SharePoint Portal Server offers the following:

  • Version tracking to record the history of documents.
  • Application of descriptive, searchable information to identify a document.
  • Document publishing control.
  • Automated routing of documents to reviewers.

Version History

SharePoint Portal Server records a document's history to help you track changes and eliminate the possibility of people overwriting another user's modifications. To edit a document, you must first check it out. This prevents others from changing the document until you check it in.

To check out a document, you must be assigned to the role of author or coordinator.

Every time you check in a document, SharePoint Portal Server assigns a new version number to the document and archives the previous version. When you check out a document, you retrieve the most recent version unless you specifically select an earlier version.

Document Profiles

Document profiles offer a way to add searchable information, called metadata, pertaining to a document. This information can help describe or identify the document more clearly. By default, a profile includes basic properties such as Author and Title. As a coordinator, you can easily add custom properties such as Account Number or Project Manager to capture additional information that makes it easier to organize and find documents in your organization.

Security settings in SharePoint Portal Server restrict access only to document contents. Members of the Windows 2000 Everyone group can view all metadata associated with a document, such as keywords, and other custom properties. Consequently, it is recommended that you refrain from including potentially sensitive information, such as password information or program code, within the metadata of a document.

Document Publishing

SharePoint Portal Server supports both private and public versions of a document. Published documents are available for users to search or view on the dashboard site. As an author or coordinator, you can publish a document automatically each time you save it to the server or you can choose to maintain private document drafts and publish the document when it is complete. You can generate as many drafts as you want before publishing a version of a document.

Approval Routes

As a coordinator, creating approval routes is an easy way to ensure that a document is adequately reviewed before publishing. When an author chooses to publish a document, you can choose to route it automatically to one or more persons for review before publishing it. Each of these individuals, called approvers, has the option of approving or rejecting the document. Approvers receive e-mail notification when a document requires review.


Previous page
Table of content
Next page
Microsoft Sharepoint Portal Server 2001 Resource Kit
Microsoft SharePoint(TM) Portal Server 2001 Resource Kit (Examples & Explanations Series)
ISBN: 0735615624
EAN: 2147483647
Year: 2001
Pages: 231
Authors: Microsoft Corporation
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
C & Data Structures (Charles River Media Computer Engineering)
Mapping Hacks: Tips & Tools for Electronic Cartography
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
Cultural Imperative: Global Trends in the 21st Century
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy