Permissions

Special Edition Using Microsoft SharePoint Portal Server
By Robert Ferguson

Chapter 11. Planning and Managing Security


SharePoint Portal Server understands and enforces normal Windows NT and Windows 2000 security policies. The server uses both local and domain groups and accounts to set security permissions within the workspace; and, when the server accesses information sources outside the workspace, the normal NT security model still applies.

Users and Groups

The standard entities for assigning security controls are the user and group accounts within Windows NT or Windows 2000. It is recommended that you use domain, rather than local, users and groups when assigning roles within the workspace, to facilitate the use of content sources on another server. When SharePoint Portal Server crawls other servers, it cannot recognize local user accounts on the target servers.

Roles

There are three security roles accessible from the Security tab of a folder properties dialog box: Reader, Author, and Coordinator. More than one user can be configured with these roles in any given folder (see Figure 11.2). This is useful in distributing management responsibilities, allowing general access to documents, and enabling collaboration.

Figure 11.2. This folder has two users assigned as Coordinators, two as Authors, and multiple Readers.


Reader

A Reader can read documents that have been published in the workspace, but cannot change them. This role also allows a user to search the workspace. In standard folders, all documents are automatically published by SharePoint Portal Server and are visible to all Readers. In enhanced folders, Readers can only view published documents and the folders they reside in. Documents pending approval or that have not yet been published are not visible to Readers. When performing a search, only published documents for which the user has sufficient permissions to read will be listed in the search results.

Author

An Author can read all documents, create new documents, edit all documents, and delete any documents in the folder. In enhanced folders, Authors can publish documents. Authors can also create, rename, and delete folders and subfolders. When a subfolder is created, it inherits the roles and folder policies from the parent folder, and these cannot be changed by an Author.

Coordinator

A Coordinator can assign roles to users and groups, select and modify document profiles, create and edit documents in the folder, delete documents, and create and configure subfolders. A Coordinator can also read and/or delete documents that have been created but not yet checked in, as well as undo the check-out of a document. For enhanced folders, Coordinators can select approvers and approval routes, cancel publishing, or bypass the approval of a document if needed.

TIP

For those who are already familiar with Windows NT and Windows 2000 security, don't be confused by the use of roles. The role-based security model is merely a simplified representation of the traditional Windows NT security model. By combining multiple access permissions into easy-to-understand "roles," users who would not ordinarily be capable of administering security may be entrusted with administering access to their own folders within the workspace.


Workspace Security

There are two default role assignments made with the creation of the workspace that deserve special attention. The administrative account that creates the workspace is automatically assigned the Coordinator role for the workspace and each folder within the workspace. This role is called the node Coordinator. In addition, the Windows 2000 Everyone group is assigned the Reader role for all folders in the workspace when it is created by SharePoint Portal Server. This means that all published documents within the workspace are visible unless the default security settings of folders are changed.

Workspace management functions are supported in the Categories, Management, Portal, Shadow, and System folders and are managed by the node Coordinator. These are top-level folders within the workspace; security cannot be directly configured on these folders and they are not generally visible to workspace users.

TIP

If you do not have a specific need to make published documents universally visible, you should remove the Windows 2000 Everyone group from the security list of applicable folders within the workspace. To avoid needing to modify large numbers of folders, consider making this change immediately following installation.


Users and groups can be assigned multiple roles throughout the workspace, but only a single role in any given folder. For example, a user could be assigned the Coordinator role in one folder and the Reader role in another. In instances where more than one role has been assigned to a user, for example through differing role assignments to different groups, the most permissive role assignment possessed by a user is enforced by SharePoint Portal Server. The only instance that supersedes this rule is the use of the Deny Access feature. With this feature, it is possible for a user to have a role within a folder and yet not have access to a specific document within that same folder; the file would not be displayed to that user in the results of a search. Deny Access does not affect the local Administrators group's ability to access the document.
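
The resolution rules above, written out as a small Python model. This is an added example, not SharePoint Portal Server code or an API from the book. The account and folder names are constructed, documents are assumed to be already published, and treating Deny Access as applying through group membership is an assumption of the model.

```python
from dataclasses import dataclass, field

# Roles from least to most permissive, as the chapter describes them.
RANK = {"Reader": 1, "Author": 2, "Coordinator": 3}
EVERYONE = "Everyone"
LOCAL_ADMINS = "Administrators"  # local Administrators group on the server

@dataclass
class Folder:
    name: str
    roles: dict                               # user or group -> role
    deny: dict = field(default_factory=dict)  # document -> denied principals

def principals(user, groups):
    """Every name a role or a Deny Access entry could match for this user."""
    return {user, EVERYONE} | set(groups)

def effective_role(folder, user, groups):
    """Most permissive role held directly or through a group, else None."""
    held = [folder.roles[p] for p in principals(user, groups) if p in folder.roles]
    return max(held, key=RANK.get, default=None)

def can_read(folder, document, user, groups):
    """Read decision for a published document in this folder."""
    if LOCAL_ADMINS in groups:
        return True   # Deny Access does not bind local Administrators
    if principals(user, groups) & folder.deny.get(document, set()):
        return False  # Deny Access supersedes any role in the folder
    return effective_role(folder, user, groups) is not None

def everyone_exposed(folders):
    """Folders still carrying the default Everyone assignment."""
    return [f.name for f in folders if EVERYONE in f.roles]

# Constructed sample data: two folders, one with a document-level deny.
SPECS = Folder("Specs",
               {EVERYONE: "Reader", r"CORP\Engineering": "Author",
                r"CORP\alice": "Reader"},
               deny={"budget.doc": {r"CORP\alice"}})
HR = Folder("HR", {r"CORP\HR": "Coordinator"})

if __name__ == "__main__":
    alice = (r"CORP\alice", [r"CORP\Engineering"])
    print(effective_role(SPECS, *alice))
    print(can_read(SPECS, "budget.doc", *alice))
    print(can_read(HR, "offer.doc", *alice))
    print(everyone_exposed([SPECS, HR]))
```

The last function is the check behind the TIP above: any folder it returns still exposes its published documents to the Everyone group.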


To perform a permissions audit on the folder to determine where the problem lies, see "Correcting Inappropriate Folder Permissions" in the "Troubleshooting" section at the end of the chapter.

In addition to the node Coordinator and various folder Coordinator role assignments, members of the Windows 2000 local Administrators group have the ability to read documents and configure security on any folder or document residing in the workspace. This is important in maintaining the security of the workspace because it provides a mechanism to restore proper security settings or make changes in the event that normal access through assigned Coordinator roles is unavailable. The local Administrators group can reset permissions on individual folders or propagate them throughout the workspace. The document-level Deny Access does not affect the local Administrators group's ability to access the document. From the workspace properties dialog box, a local administrator can access user roles, and additional server information, within the SharePoint Portal Server Administration tool (see Figure 11.3).

Figure 11.3. A number of node Coordinators are assigned to the workspace, along with the Everyone group Reader assignment.


CAUTION

It is important to note that domain controllers do not have local Administrators groups. If you install SharePoint Portal Server on a domain controller, there is no local administrator to resolve security issues if a Coordinator makes an error or the system is the victim of a malicious attack.


For more information on configuring individual document and folder settings, see Chapter 4, "Overview of Document Management," or Chapter 10, "Managing Folders and Documents."

Managing Roles

Roles across the workspace are managed by users with either node Coordinator assignments or local administrative privileges. The node Coordinator can assign user roles at the workspace node and at any individual folder that inherits its security settings from the node itself. A user must be assigned to the workspace node to administer folders supporting management functions.

CAUTION

It is possible to exclude the node Coordinator from a subfolder within the workspace by disabling inheritance and removing the node Coordinator from the user list for a folder. Once removed, only a local administrator can intervene in the event that a configuration error or malicious attack prevents a folder Coordinator from successfully administering the folder.


If a Coordinator has the client components installed on a computer running Windows 2000, the user can manage security at the folder and document level using the Properties page of documents and folders within the workspace. Users cannot manage SharePoint Portal Server roles if they are using computers running Windows 98, Windows NT 4.0, or Windows Me.


                 
Special Edition Using Microsoft SharePoint Portal Server
ISBN: 0789725703
EAN: 2147483647
Year: 2002
Pages: 286
