Managing List Access


Each document list will, by default, inherit the security settings of the SharePoint site. In other words, if Axel is a member of the SharePoint group Member for the site, and therefore has Contributor permissions, he will also be a contributor for any document library and list in the team site. You can break the inherited permissions, when necessary, so Axel in this example gets other permissions specifically on a library. This is true, regardless of whether the site is a WSS site or a MOSS site, contrary to how it worked in SharePoint 2003, where only WSS sites allowed you to configure different permissions for a list or library.

Not only will SharePoint 2007 allow you to set specific permissions for each list and library in a site, but you can also set specific permissions on folders within a library, and even individual documents and list items. This is also new, compared to SharePoint 2003, and opens up a lot of opportunities to set whatever security definitions are needed on the content of a site.

Another possibility for controlling the permissions for individual document items is to use Microsoft's Information Rights Management (IRM) client, which is supported by both Office 2003 and Office 2007 applications. This functionality is also known as the Rights Management Service (RMS) and allows you to define security settings such as:

  • Axel can read the document, but only Anna can modify it.

  • This document cannot be printed by Axel, but can be printed by Anna.

  • This document will cease to exist on Friday at 5 P.M. for both Axel and Anna.

And all of these security settings will be valid regardless of how a user gets a copy of the document, whether it is by the file system, as an e-mail attachment, or by a document library in SharePoint. If you want to know more about IRM and RMS, look at this page: http://www.microsoft.com/rms.

Individual Permission Settings

To show how the individual permissions work in SharePoint 2007, here is an example. Remember that SharePoint groups are always connected to a permission level; for example, the group Members is connected to the permission Contribute, and the group Visitors is connected to the permission Read. Still, it is possible to grant an individual user a specific permission level instead of using SharePoint groups. For example, say that you have two users named Anna and Axel, who both have been granted the Contribute permission level on the site IT. By default, this will also give them Contributor permission to all the content in that site, including any list or library. There is a document library on the site named Shared Documents. The owner of the IT site wants to restrict the security settings for Axel to Read permission only. The following Try It Out shows how the owner can do this.

Try It Out Set Individual Permissions for a Library

  1. Open the Shared Documents library using an account with administrative rights for the site.

  2. Click Settings > Document Library Settings.

  3. Click Permissions for this document library. This will list all the permissions inherited from the site itself. Note that the list is grayed out, which is a clear indication that you cannot change the current settings. To change these settings, you must break the inheritance, using the following procedure:

    1. Click Actions > Edit Permissions.

    2. This will display a dialog box that informs you that this will break the inheritance; click OK.

    3. Now all inherited permissions are editable, including the Contributor permission of Axel and Anna. For example, if you want to remove the SharePoint group Restricted Readers from this list, check its check box, select the menu Actions > Remove User Permissions, and in the dialog box that follows, click OK to confirm removing that group.

    4. To change Axel's permission level from Contribute to Read, click his name. On the web form that appears you will see the current permission for Axel; uncheck Contribute and check Read, then click OK.

    5. The editable list of users and groups, and their permission settings, is displayed again. Since you do not need to make any more modifications, click the Shared Documents breadcrumb link at the top of the page.

  4. Test the new permissions; log on as Axel and make sure that he cannot add, delete, or modify any document in the Shared Documents library.


There is an extra challenge if both Axel and Anna are members of a SharePoint group, such as the site's Members group, since there is no way to deny a permission in SharePoint to a specific group member, as there is in the Windows file system. If this is the case, then you could either create another SharePoint group and move Axel to that group, or if the Members group is small, you could remove that group from the Shared Documents library and then add each individual member with the permissions they should have here.

If for any reason you want to revert to using the inherited permissions for this document library, you can open the Permissions for the document library page again (see steps 2 and 3 above), then open the menu Actions > Inherit Permissions, and click OK in the dialog box that pops up, asking you if you really want to revert to inherited permissions. Note that every change to this permission list is then lost and cannot be restored, so make sure that you really want to revert to inherited permissions!

Another similar task is setting specific permissions on a single document or list item. For example, say that Anna should not have any permissions at all to the document Proposal.doc. Anna has the Contributor permission level to the site and therefore to the Shared Documents library where Proposal.doc is stored. To meet the new security requirements, the owner of the site now must perform the process described in the following Try It Out.

Try It Out Set Individual Permissions for a Document

  1. Open the Shared Documents library using an account with administrative rights for the site.

  2. Locate the document to be changed (such as Proposal.doc). Use its quick menu to select Manage Permissions. You will see the list of inherited permissions.

  3. The list of permissions is inherited from its parent, that is, the folder it is stored in, if any, or the document library. Note that if the library inherits permissions from the site, then the permissions for the document will be the same! The next step is to break the inheritance. Click Actions > Edit Permissions, then click OK in the dialog box that appears to accept the stopping of the inheritance of permissions from its parent (the library).

  4. In this case, Anna is listed as a contributor; check her name and click Actions > Remove User Permissions. In the dialog box that appears, click OK to confirm that you want to remove the user.

  5. Test this: Log on as Anna, and open the Shared Documents library. Notice that Anna will not even see that the document Proposal.doc exists, since she has no access at all.


As before, this example was based on the fact that Anna was granted permissions as an individual user. If, instead, she was given permissions as a result of her membership in a SharePoint group, then you would have to solve this problem differently! Either Anna must be removed from that SharePoint group, or the group itself must be removed, and then all other users in that group must be given permissions either individually or by creating a new SharePoint group with the corresponding permissions to the site. All of this is necessary because SharePoint does not support a Deny Permission feature.
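The group-membership caveat raised after both Try It Outs can be seen in a small model. This is an added Python sketch, not SharePoint code and not from the book; the class and function names are hypothetical, and it assumes only what the text states: objects inherit from their parent until inheritance is broken, and grants can be removed but never denied.

```python
# Added illustration: a simplified model, not SharePoint's object model.
RANK = {"Read": 1, "Contribute": 2}  # the two permission levels used in the text

class Securable:
    """A site, library, folder or document in the inheritance chain."""
    def __init__(self, name, parent=None, assignments=None):
        self.name, self.parent = name, parent
        self.assignments = assignments  # None = inherit from the parent

    def unique_ancestor(self):
        node = self
        while node.assignments is None:  # walk up to the first object with its own list
            node = node.parent
        return node

    def break_inheritance(self):
        # Mirrors Actions > Edit Permissions: start from a copy of the inherited list.
        inherited = self.unique_ancestor().assignments
        self.assignments = {p: set(levels) for p, levels in inherited.items()}

def effective(obj, user, groups):
    """Highest level the user holds on obj, or None for no access.
    Grants are a union over the user and the user's groups; nothing can deny."""
    principals = {user} | {g for g, members in groups.items() if user in members}
    granted = set()
    for principal, levels in obj.unique_ancestor().assignments.items():
        if principal in principals:
            granted |= levels
    return max(granted, key=RANK.get) if granted else None

def library_scenario():
    groups = {"Members": {"Axel", "Anna"}}  # constructed sample data
    site = Securable("IT", assignments={"Members": {"Contribute"}})
    library = Securable("Shared Documents", parent=site)
    doc = Securable("Proposal.doc", parent=library)
    library.break_inheritance()
    library.assignments["Axel"] = {"Read"}  # individual entry alone restricts nothing
    before = effective(library, "Axel", groups)
    # Workaround from the text: drop the group here, re-add each member individually.
    del library.assignments["Members"]
    library.assignments["Anna"] = {"Contribute"}
    after = (effective(library, "Axel", groups), effective(library, "Anna", groups))
    doc.break_inheritance()
    del doc.assignments["Anna"]  # item-level removal: Anna no longer sees the file
    return before, after, effective(doc, "Anna", groups), effective(site, "Axel", groups)
```

In the model, adding an individual Read entry for Axel while the Members group is still on the library leaves him at Contribute; only removing the group entry brings him down to Read, and the site-level permission is untouched throughout.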

A task related to creating item-level security, such as individual document permissions, is to set permissions on a folder in a library. Normally, you should avoid creating folders in libraries and instead use columns, together with views, to sort and organize content. But there is one good reason to create a folder: For example, say that you have a document library where new documents are added every day. You have set the permissions, so they match your security requirements. But now and then a document is added that should have unique permissions. You could solve this problem by using the steps above, but if there are too many documents that need this unique permission, it is better to create a folder in this library, then set these unique permissions on that folder and make sure that those specific documents are stored in that folder. Since the inheritance mechanism works through documents inheriting permissions from their parent, in this case the folder, it will work just fine, and it will be much easier to manage those documents. To create a folder in a library, open the library, then open the menu next to the Add button, and select New Folder.

Allowing Access to a Single List

Sometimes you need to set a security setting in a way other than through inheritance from the site permissions. For example, a user named Beatrice who works in another department may need Read access to certain documents but should not be able to read anything else on the site. This is managed as shown in the following Try It Out.

Try It Out Allow Access to a Single Library Only

  1. Open the document library using an account with administrative rights for the site.

  2. Open the menu Settings > Document Library Settings.

  3. Click Permissions for the document library; the inherited permissions are displayed.

  4. Click Actions > Edit Permissions, and accept the option to create unique permissions (i.e., stop the inheritance of permissions from its parent).

  5. Click Add, and enter the following information:

    1. Users/Group: In this field, enter the name to add, in this example Beatrice. You can also click the address book icon and search for the user. If you add more than one name, use a semicolon between the names.

    2. Give user permissions directly: Set the permission for the users entered in the previous step, in this example Read.

    3. To make sure that Beatrice is informed about the new permission, check the Send welcome mail to the new user check box, and enter the mail message to be sent. Note that you do not have to add the type of permission (Read, in this example), or the link to the library, since SharePoint will add this automatically to the e-mail.

    4. Click OK to save and close the form. The e-mail message will be sent immediately.

  6. The permission list for the document library is again presented; note that Beatrice's name is now listed, along with her permission.


The preceding example was about adding the user Beatrice as a reader to a library, but she should not get access to anything else on the team site. This goal is certainly accomplished using the preceding steps, but how will Beatrice be able to see a list inside a SharePoint site that she has no access to? SharePoint solves this by adding this user to the site's permission list, with Limited Access (see Figure 10-21). This will allow her to read the specific library but nothing else on the site. The exact same technique will work if you need to grant a user or group access permissions to a folder or an individual list or library item.

Figure 10-21

Important 

In SharePoint 2003, the permission Limited Access was called Guest.



Beginning SharePoint 2007 Administration. Windows SharePoint Services 3 and Microsoft Office SharePoint Server 2007