4.4. Security Architecture

In order to understand how site groups and user assignments work together to provide full security, you must understand the overall security architecture built into Web Parts and Windows SharePoint Services. Windows SharePoint Services handles security in order of priority:

SharePoint assigns global permissions when a user enters SharePoint for the first time. Users receive site-level permissions when they access a site. Generally, a user who doesn't belong to the administrative group receives reader permissions when he accesses a SharePoint site.

4.4.1. Site-Level Permissions

The amount of site access a user requires depends on the tasks the user needs to perform. For example, if a user needs to add content to the team site, she requires the appropriate access rights to do so. To grant these permissions, you assign users to a site group, which controls site access.

4.4.1.1 Controlling site access

Each site in SharePoint maintains its own permissions for users. You can manage user permissions through the Site Administration page on the team site. From this page, you can:
4.4.1.2 Assigning a user to a site group

To assign a user to a site group permission set for a site, you need to:

Figure 4-2 shows the Edit Site Group Membership page for a team site.

Figure 4-2. Team site permission screen

You can assign more than one site group to a user for a site. This is useful when you have site groups that do not inherit permissions (for example, a read-only site group, an add-only site group, and a delete-only site group).

4.4.2. Object-Level Permissions

Site-level permissions handle many of your security requirements. However, a user may require different access rights to specific content within a site. To increase the flexibility of the security model, Windows SharePoint Services allows you to assign object-level permissions. Object-level permissions exist for all objects. You can configure permissions for:
Object-level permissions provide a more flexible and dynamic layer of security for users and groups. Whereas a user may require the web designer permission for the entire site, that same user may be assigned reader access to a specific document library. The user can do everything allowed by the web designer group; however, once the user accesses that document library in the site, the user is restricted to the rights of the reader role. This scenario is quite common when a site developer supports a sensitive team site (such as a financial information site or a human resources site).

4.4.2.1 Controlling object access

To control access to an object, you assign users a site group permission for that object. To assign a user site group permission for an object, you need to:

Figure 4-3 shows the Modify Permissions page for the Shared Documents object.

Figure 4-3. Modify Permissions screen

4.4.2.2 Denying user access to an object

To prevent a user from accessing an object, perform the following steps on the Change Permissions screen:

Removing a user from an object affects only the user's ability to access that particular object. The user's site access permissions are not affected. You might, for example, grant the web developer role to a user who helps administer the Human Resources team site, but block his access to the Employee Evaluation document library.
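The site-group model with object-level overrides described in sections 4.4.1 and 4.4.2, as an added Python example that is not part of the book and is not the WSS API: site groups are assumed sets of rights (default WSS group names plus two assumed non-inheriting groups), an object-level assignment replaces the site-level one for that object only, and removing a user from an object is modelled as an empty assignment that denies access to that object while leaving site access untouched.

```python
# Constructed model (not the WSS API): site groups, site-level membership,
# object-level overrides, and denial by removing a user from an object.
from typing import Dict, Optional, Set

# Rights granted by each site group. Names follow WSS defaults plus two
# assumed non-inheriting groups like those the text mentions.
SITE_GROUPS: Dict[str, Set[str]] = {
    "Reader": {"read"},
    "Contributor": {"read", "add", "edit"},
    "Web Designer": {"read", "add", "edit", "delete", "customize"},
    "Administrator": {"read", "add", "edit", "delete", "customize", "manage"},
    "Add-Only": {"add"},
    "Delete-Only": {"delete"},
}


class Site:
    def __init__(self) -> None:
        self.site_membership: Dict[str, Set[str]] = {}
        # object -> user -> groups; an empty set means the user was removed
        self.object_membership: Dict[str, Dict[str, Set[str]]] = {}

    def add_to_site_group(self, user: str, group: str) -> None:
        self.site_membership.setdefault(user, set()).add(group)

    def set_object_permissions(self, obj: str, user: str, groups: Set[str]) -> None:
        self.object_membership.setdefault(obj, {})[user] = set(groups)

    def remove_from_object(self, obj: str, user: str) -> None:
        # Denial: an explicit empty assignment overrides the site-level groups
        self.set_object_permissions(obj, user, set())

    def effective_rights(self, user: str, obj: Optional[str] = None) -> Set[str]:
        overrides = self.object_membership.get(obj, {}) if obj else {}
        if user in overrides:
            groups = overrides[user]                         # object-level wins
        else:
            groups = self.site_membership.get(user, set())   # inherit site level
        rights: Set[str] = set()
        for group in groups:
            rights |= SITE_GROUPS[group]                     # groups are unioned
        return rights

    def can(self, user: str, right: str, obj: Optional[str] = None) -> bool:
        return right in self.effective_rights(user, obj)
```

Checking `can("dev", "delete", "Shared Documents")` after assigning the reader group on that library returns False even though the same user can delete elsewhere on the site, which is exactly the behaviour the text describes.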