Managing Access to the Portal Site


You use almost, but not exactly, the same procedures to manage users in the portal site as in the WSS site. You can allow access to users and security groups in the Active Directory domain or the SharePoint server's local account database. Each user must be granted a permission level (directly or as a member of a SharePoint Group) in order to get access to any part of the portal site. Remember that the home site is the top-level site in the site collection that constitutes the portal site. Any permission settings for that top site will, by default, be inherited by all subsites, such as News, Reports, and Sites, and possibly by their subsites, if any.

Managing Users and Groups

When you create a new top site (and thus a new site collection), you must also define its primary site collection administrator. At that point, this person and you, as a SharePoint server administrator, are the only ones with access to this site collection. To add users to the site, you follow the same steps as when adding users to a WSS site, as described in Chapter 3; be sure to read that chapter too, so that you understand how the permission system works for WSS 3.0 sites in SharePoint 2007. To add a user or an Active Directory group, you perform the steps in the following Try It Out. This can be done from any computer, as long as you have administrative rights on the top site.

Try It Out Add Users to the Top Site

  1. Log on as the administrator, and open the top site.

  2. Click Site Actions → Site Settings → People and Groups.

  3. Select the SharePoint Group that the new user will belong to. You may remember from Chapter 3 that SharePoint creates three local groups whose names consist of the name of the top site as a prefix, followed by a suffix: Visitors (View only), Members (View, Add, Modify), and Owners (Full Access). In this example, select the group that ends with Members, then click New.

    1. In the Users/Group field, enter the user's name, or e-mail address. If you add more than one name, separate them with a semicolon (;).

    2. In the Give Permission section, make sure that the selected SharePoint Group is correct. If it is not the correct SharePoint Group, then use its menu to change the group. Note that you can also grant the user a permission level directly, such as Full Control, Design, or Contribute.

    3. At the end of this web form, check the Send welcome e-mail to the new users option, if you want to send an e-mail to inform the users about their new permission with a link to this web site.

    4. Click OK to save and close the page.

  4. Verify that it works: log in as the new user and check what is accessible. Note that SharePoint's security-trimming feature is active, so if this new user is missing some link, such as Site Actions, or cannot see everything that you know exists on this site, it is because he or she does not have the proper permission to do so.


If there are any subsites that inherit their permissions from this site, the new user will now have the same permissions to those subsites as he or she does to this site. If this is not what you want, you can break the inheritance as shown in the following Try It Out.

Try It Out Break the Permission Inheritance

  1. Log on as the administrator, and open the subsite where you want to break the permissions inheritance.

  2. Click People and Groups in the Quick Launch bar.

  3. Click Site Permissions in the Quick Launch bar.

  4. Click Actions → Edit Permissions, then click OK to accept the warning about breaking the permissions inheritance.

  5. Now you can add, modify or delete any existing user account or SharePoint Group.

  6. Optional: If you want to restore the inheritance of permissions, click Actions → Inherit Permissions. All customized permissions will be replaced with the inherited permissions.


SharePoint Groups

In Chapter 3, you learned that a user must be associated with a Permission Level role before he or she can access anything in SharePoint. In WSS 3.0 the default permission levels were Read, Contribute, Design, and Full Control. MOSS adds some more Permission levels: Manage Hierarchy, Approve, and Restricted Read. As in WSS, the easiest way to grant a user permissions is to use any of the three default SharePoint Groups that automatically are created for each new SharePoint site configured to use its own security settings (that does not inherit its permissions from a parent site). The name for these SharePoint Groups will start with the name of the site they belong to. For example, if the site is named ABC, the SharePoint Groups' name will start with ABC. MOSS will add more default SharePoint Groups besides these three. All of them are listed here, for a site named ABC:

  • ABC Visitors: This SharePoint Group is associated with the permission level Read. Any member of this group can view, copy, and print content in lists and libraries, including previous versions, if any.

  • ABC Members: This SharePoint Group is associated with the permission level Contribute. Members of this group can also add, modify, and delete lists and library content.

  • ABC Owners: This SharePoint Group is associated with the permission level Full Control. Members of this group have full access to this site, and all its content.

  • Approvers: This SharePoint Group can edit and approve pages, lists, items, and documents.

  • Designers: This SharePoint Group can edit lists, libraries, and pages in a site. It can also create Master Pages, and page layouts in the Master Page Gallery, and it can modify the Cascading Style Sheets (CSS) files.

  • Hierarchy Managers: This SharePoint Group can create sites, lists, list items, and libraries.

  • Quick Deploy Users: This SharePoint Group can schedule Quick Deploy jobs.

  • Restricted Readers: This SharePoint Group can view pages, libraries, and lists, but not their version history.

  • Style Resource Readers: This SharePoint Group can read, but not change, the Master Page Gallery. By default, all authenticated users are members of this group.

  • Viewers: This SharePoint Group can view pages, list items, and documents. If the document has server rendering available, members of this group can only view the document using the server rendering.

Note 

Note that members of a site's "Members" SharePoint Group will automatically see all documents and tasks belonging to them in their My Site. For example, if Anna belongs to the ABC Members group in the site ABC, then her My Site will show all documents she has edited and all tasks she has been assigned in the ABC site.

Removing User Accounts

As described several times, all users must be granted a permission level, either directly or as a member of a SharePoint Group, in order to access any part of SharePoint. This is true both for WSS and for MOSS sites. In most organizations, these domain user accounts are stored in the Active Directory. This section describes what happens when these user accounts are deleted from the AD. You might assume that SharePoint automatically cleans up when someone is removed from the AD. But if you do, you are wrong! Think about it: One of your users has been active in several important projects, and now she has left the company. Do you really want to remove all references to that user? In many situations, the answer is no. So, SharePoint requires the administrator to manually remove the user account when necessary. The good news is that it is easy; just follow the instructions below.

There are two ways to delete a user from SharePoint. One is where you remove the user account from all sites in a given site collection. For example, you might want to have a user's Active Directory account still be valid, but remove all access from SharePoint. The other way is to remove all information about a user from the User Profile database. Let's start with the first method as shown in the following Try It Out.

Try It Out Remove a User Account from a Site Collection

  1. Open the top site in the site collection from where the user account should be removed.

  2. Click Site Actions → Site Settings → People And Groups. If the top site is based on a WSS template, you can also click the link "People And Groups" in the Quick Launch bar.

  3. Click the All People link in the Quick Launch bar.

  4. Select the user(s) to be removed, click the Actions menu, and then click Delete Users from Site Collection.

  5. You will now see a warning: "You are about to delete the following users from this site collection. The users will be deleted, and will not have access to any site within the site collection," followed by the name(s) to be deleted. Double-check that this is what you want to do, then click OK to complete the delete operation.


The procedure above will remove the permissions, but not the properties for the user, from the User Profile database. Follow the procedure in the Try It Out below to remove the user from the User Profile database.

Try It Out Remove a User from the User Profile Database

  1. Log on as an administrator, and open SharePoint's Central Administration tool.

  2. In the Quick Launch bar, click the shared service provider link, which by default is named SharedServices1.

  3. In the User Profiles and My Sites section, click User profiles and properties.

  4. Click View user profiles.

  5. In the toolbar, change the view to Profiles Missing from Import. Now, all deleted user accounts are listed. Check the user profiles to be removed from SharePoint, and click Delete on the toolbar.
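
Because SharePoint does not clean up after an account is deleted from the AD, it helps to know which site collection users no longer have a matching AD account before you run the removal procedures above. The following PowerShell script is an added example, not code from the book. It assumes PowerShell 2.0 or later on the SharePoint server, a single Active Directory domain, and uses http://srv1 as a stand-in for your top site URL.

```powershell
# Added example (not from the book): list users of a site collection whose
# Active Directory account no longer exists. Read-only; nothing is deleted.
# Assumptions: PowerShell 2.0+ on the SharePoint server, run as an administrator;
# a single AD domain; http://srv1 stands in for your top site URL.
param([string]$SiteUrl = "http://srv1")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

function Test-ADAccountExists([string]$SamAccountName) {
    # Escape LDAP filter metacharacters before building the search filter.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29'
    # With no search root given, the searcher queries the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    return ($searcher.FindOne() -ne $null)
}

# Prefixes that are never domain user accounts: built-in and local machine accounts.
$skip = @('NT AUTHORITY', 'SHAREPOINT', 'BUILTIN', $env:COMPUTERNAME)

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # SiteUsers on the top site holds every user known to the site collection.
    $orphans = foreach ($user in $site.RootWeb.SiteUsers) {
        if ($user.IsDomainGroup) { continue }          # skip AD security groups
        $parts = $user.LoginName.Split('\')
        if ($parts.Length -ne 2) { continue }          # not a DOMAIN\name login
        if ($skip -contains $parts[0]) { continue }
        if (-not (Test-ADAccountExists $parts[1])) {
            New-Object PSObject -Property @{ LoginName = $user.LoginName; Name = $user.Name }
        }
    }
    $orphans | Format-Table LoginName, Name -AutoSize
}
finally {
    $site.Dispose()   # SPSite holds unmanaged resources and must be disposed
}
```

The script only reports; the accounts it lists are then removed with the two Try It Out procedures above.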


A related situation occurs when someone changes the logon account name in the Active Directory (for example, after a change of last name due to marriage). Doing this will not update the user account information in SharePoint unless you follow the steps in the Try It Out below (in this example, a user has changed his logon name from Filobit\tony to Filobit\Antony):

Try It Out Update User Account Information in SharePoint

  1. Log on to the SharePoint server as an administrator.

  2. Open a command prompt.

  3. Enter the following command (see Chapter 3 about updating the environment variable path to include the path to the file folder storing the STSADM utility):

         STSADM -o migrateuser -oldlogin filobit\tony -newlogin filobit\antony -ignoresidhistory

Note 

If you just want to remove a user from a particular SharePoint Group, you can also use the STSADM utility. For example, to remove the user Filobit\Adam from the SharePoint Group "Home Members" in the site collection http://srv1, open a command prompt window and enter STSADM -o deleteuser -url http://srv1 -userlogin Filobit\adam -group "Home Members".


Anonymous Access

Just as in WSS, a MOSS site can be opened for anonymous access. The steps to do this are identical to how this is done in a WSS site, so be sure to read Chapter 3 to see more about these anonymous access settings.



Beginning SharePoint 2007 Administration. Windows SharePoint Services 3 and Microsoft Office SharePoint Server 2007