4.3. Site Group Management

Site groups allow you to grant roles to users and groups. You can think of a site group as a set of permissions that restrict what tasks a user can and cannot perform within your SharePoint site. As a site administrator, you can create specific site groups for specific users and functions. Once you have your site group created, you can link it to either a specific user or a specific group.

4.3.1. Default Site Groups

SharePoint installs five default site groups that you can apply in most situations. Each of the default groups allows different permissions that are useful for different types of users. However, if the default groups do not suit your needs, you can also create custom groups.

4.3.1.1 Guest

The guest site group provides the lowest possible permission level to users without denying site access. This group restricts users and user groups to read-only access. You should use this site group for default users and groups that are not assigned to a site group with greater access rights.

4.3.1.2 Reader

The reader site group has more access than the guest site group. A reader has permission to:
A user assigned to the reader site group cannot make modifications to content on the site. You assign this site group to users and groups who need access to content on the site but do not need to modify the content.

4.3.1.3 Contributor

The contributor site group inherits the reader site group permissions, plus the ability to:
A contributor cannot create a document library; however, he can add content to, delete content from, or modify content on an existing library. You should assign this site group to users and groups who need full control over content in document libraries and lists.

4.3.1.4 Web designer

The web designer site group inherits the contributor site group permissions, plus the ability to:
The web designer site group provides advanced control over a SharePoint site, without granting full administrative control. You should assign this site group to users and groups who are taking ownership of a SharePoint site. Keep in mind that a user in the web designer group does not have full administrative control, although she does have great power over how the site is organized and maintained.

4.3.1.5 Administrator

The final default site group, administrator, inherits the web designer site group permissions, plus the ability to:
You cannot delete or customize the administrator site group, and one user must always be assigned to this group. You should only grant this permission type to users who are going to control access to sites. Generally, this role is reserved for system administrators and other users who have full trust within an organization. Most users do not need any rights higher than the web designer group.

4.3.2. Automatically Assigning a User to a Site Group

By default, SharePoint assigns users to site groups. To change the default site group that the user receives, modify the Anonymous Access settings on the Site Settings screen. To modify these settings, follow these steps:
Figure 4-1 shows the Change Anonymous Access Settings page, which is used to assign users to specific site groups and to determine what access anonymous users are granted.

Figure 4-1. Default site group assignment

You can change a user's site group assignment. Site groups are assigned at three levels:
Section 4.4 discusses these topics in detail.

4.3.3. Managing Site Groups

The default site groups do not solve every situation. To provide maximum flexibility, Windows SharePoint Services lets you create, modify, and delete site groups. By allowing customization of site groups, SharePoint allows you to create a flexible security architecture that adapts to your business requirements.

4.3.3.1 Site group conflicts

You can assign multiple site groups to a user. If two site groups conflict, the site group that applies to the immediate content being viewed is applied. For instance, you could assign a user to the reader site group for the corporate Human Resources SharePoint team site, the web designer site group for the Training SharePoint team site, and the contributor site group everywhere else. In this scenario, when a user accesses the Human Resources site, two site groups conflict: reader and contributor. Because the user is viewing the Human Resources site (the most immediate content), he will have reader access and the contributor site group will not apply.
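
The conflict rule above, worked through as an added example (a Python model written for this section, not SharePoint's API or code from the book). The site paths, the "*" scope standing for "everywhere else", and the treatment of nested paths as inheriting the nearest assigned site are assumptions made for illustration.

```python
# Added example: a model of the conflict rule in 4.3.3.1, not SharePoint's API.
# Site paths and the "*" default scope are constructed for illustration.

# Default site groups in increasing order of rights (4.3.1.1 to 4.3.1.5).
RANK = ["guest", "reader", "contributor", "web designer", "administrator"]

# Constructed assignments for one user, mirroring the scenario in the text.
ASSIGNMENTS = {
    "/sites/hr": "reader",
    "/sites/training": "web designer",
    "*": "contributor",          # "everywhere else"
}


def _covers(scope, path):
    """True if scope is the path itself or an ancestor on a segment boundary."""
    scope = scope.rstrip("/")
    return path == scope or path.startswith(scope + "/")


def effective_group(assignments, path):
    """Return the site group from the most immediate scope covering path."""
    path = path.rstrip("/") or "/"
    matches = [s for s in assignments if s != "*" and _covers(s, path)]
    if matches:
        # Longest matching scope is the one closest to the content viewed.
        return assignments[max(matches, key=len)]
    return assignments.get("*")  # None means no site group applies


def overridden_downward(assignments, paths):
    """List paths where the immediate scope grants less than the default."""
    default = assignments.get("*")
    if default is None:
        return []
    out = []
    for p in paths:
        eff = effective_group(assignments, p)
        if RANK.index(eff) < RANK.index(default):
            out.append((p, eff, default))
    return out


if __name__ == "__main__":
    for p in ["/sites/hr", "/sites/hr/policies", "/sites/hr-archive",
              "/sites/training", "/sites/sales"]:
        print(p, "->", effective_group(ASSIGNMENTS, p))
```

The model resolves by proximity rather than by the most permissive assignment, so the Human Resources site yields reader even though the user is a contributor elsewhere; matching on path-segment boundaries keeps a site such as /sites/hr-archive from picking up the /sites/hr assignment.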