[Diagram: SharePoint security model. Identities (User, Group) authenticate through an Authentication Method and Authentication Provider; the STS issues a token carrying the user, groups, roles and claims. Permissions are applied at the Web App (Anonymous Access & Policy, User Policy, Policies) and at the Site (Permission Level: F D C R, i.e. Full Control, Design, Contribute, Read; Role Assignment; Security Scope; Group; User).]
SharePoint security model
Security & sharing interfaces and features
Best practices and real-world scenarios
Solutions to common challenges and answers to common questions
Conversation
SharePoint User
Permission level
Security Scope
Role Assignment
Group
Site
Hierarchy of securable objects: Site, List or Library, Folder, Document or Item.
Role assignments are inherited by child objects. You can break inheritance (create a new security scope) at any level of the hierarchy.
Best Practice
Security Scope
Permission Level: common permission levels are Full Control, Design, Contribute and Read (F D C R). Permission levels are collections of individual permissions, also called roles.
Assign permissions: Site Permissions, People and Groups. Permissions selected when creating a group are scoped to the site.
Add user: Site Permissions > Grant Permissions. Default: adds the user to the Site Members group. Show Options: add the user to another group.
You can also grant permissions directly to a group (e.g. an Active Directory group). Granting permissions directly to users or Active Directory groups is not recommended.
Access requests: an email is sent to one address when site access is requested. This happens when a user without access attempts to access the site and requests access, or when a site user without Full Control shares the site with a user who does not have access. Resolution: add the user to the appropriate group.
Site Settings > Access Requests and Invitations
http://office.microsoft.com/en-us/sharepointhelp/set-up-and-manage-access-requestsHA103456596.aspx?CTT=5&origin=HA102894713
Subsites inherit permissions from parent sites. Choose Unique Permissions, or Site Permissions > Stop Inheriting Permissions.
For a site, list or library, folder, item or document: click Permissions, click Stop Inheriting Permissions, click Grant/Edit/Remove, click Check Permissions, and click Inherit Permissions to reinstate inheritance.
Included in the Design permission level.
Sharing interfaces: Share (invite), Shared With (report), Advanced (manage). Scope: Site (or Site Settings), List or Library, Folder, Document; Site Permissions covers Site, List or Library, Folder, Item or Document.
Use the Share interface. When you share, you break inheritance.
Use the Shared With interface.
Use the Advanced interface. Use the Advanced interface: Delete Unique Permissions.
Included in the Design permission level.
Share sites or documents
No additional license required
No user account required in your authentication provider
Add to access group
Choose access level: Edit or View
Require sign-in or use guest link
Anyone with the link can access the content
View or Edit only in Office Web Apps. Cannot download or open locally.
http://office.microsoft.com/en-us/office365sharepoint-online-small-business-help/sharesites-or-documents-with-people-outsideyour-organization-HA102894713.aspx
Enable or disable external sharing
Tenancy (all plans)
Site collection (Enterprise plans E1, E3, E4 only)
Read the documentation!
Revoking permissions to external users
Disabling and deleting guest links
Disabling and re-enabling sharing
2013 E: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manageexternal-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
2013 P: http://office.microsoft.com/en-us/office365-sharepoint-online-small-businesshelp/manage-sharing-with-external-users-HA102849862.aspx
2010: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/share-a-sitewith-external-users-HA102476183.aspx?CTT=5&origin=HA102849864
User: defined in the site collection. What creates a user? Visibility of users who belong to a site via a group: there is no visibility that the user belongs or has access.
Group: defined in the site collection. Default groups. Can contain users from any authentication provider.
SharePoint groups vs. Active Directory groups: advantages and disadvantages. Impact of membership changes on search crawl: see Kirk Evans' blog:
http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifyingguidance-on-sharepoint-security-groups-versus-active-directorydomain-services-groups.aspx
"Intranet" sites: AD groups → SP groups to define access.
"Collaboration" sites: add users directly to SP groups.
Ideal world: synchronization of membership.
Common permission levels (Full Control, Design, Contribute, Read) and related levels:
Edit: Contribute + Manage Lists. New in 2013; in 2010, Manage Lists was only in Design.
View Only: Read without the Open Items permission.
Limited Access: access to a specific asset and shared resources (e.g. a library and its views). Assigned automatically; don't remove it in Site Permissions.
SharePoint 2013: http://technet.microsoft.com/en-us/library/cc721640.aspx
SharePoint 2010: http://technet.microsoft.com/en-us/library/cc721640(v=office.14).aspx
Read vs. View: http://blogs.devhorizon.com/reza/2012/10/26/interesting-difference-betweenview-only-vs-read-permission-levels/
Permission levels are collections of permissions
Defined at the site collection
Managed by site collection administrators
Create a custom permission level: start with the Contribute permission level, click Copy Permission Level, then modify the new permission level.
A SharePoint permission allows an action. Create a permission level ("role") from permissions, then create a role assignment.
Security Scope. The site is the initial security scope. Creating a security scope (breaking inheritance) makes all permissions explicit (unique); inheritance can be reinstated. Use inheritance wherever possible.
A security scope is explicit or inherited; there is no "partial inheritance": changes to parent permissions no longer affect child objects.
SharePoint access is to a URI, so no "traverse" permissions are necessary. Check effective permissions.
The SharePoint interface and search results are security-trimmed. Item-level permissions on pages in a page library: all Web Part content on ASPX pages is no longer indexed.
Limit who has the "Change Permissions" permission: create a permission level "Full Control Except Permissions". Manage the membership of the Site Collection Administrators group.
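As an added example (not from the slides), the best practice above scripted with the on-premises SharePoint Server object model in the SharePoint Management Shell: copy Full Control into a new "Full Control Except Permissions" level that drops the Manage Permissions base permission (the slide calls it "Change Permissions"; the enum value is SPBasePermissions.ManagePermissions), then check a user's effective permission. The site collection URL and login name are placeholders.

```powershell
# Added example. Assumes the SharePoint Server PowerShell snap-in (on-premises);
# $siteUrl and $login are placeholders, not values from the slides.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.example.com"   # placeholder site collection URL
$login     = "EXAMPLE\alice"                  # placeholder login name
$levelName = "Full Control Except Permissions"

$site = Get-SPSite $siteUrl
try {
    # Permission levels (role definitions) are defined at the site collection,
    # so work against the root web.
    $web = $site.RootWeb

    # Copy the out-of-box Full Control role definition ...
    $fullControl = $web.RoleDefinitions["Full Control"]
    $custom = New-Object Microsoft.SharePoint.SPRoleDefinition($fullControl)
    $custom.Name        = $levelName
    $custom.Description = "Full Control minus the ability to manage permissions"

    # ... and clear only the ManagePermissions flag. Full Control contains it,
    # so XOR removes exactly that bit and leaves every other permission intact.
    $manage = [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions
    $custom.BasePermissions = $fullControl.BasePermissions -bxor $manage

    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }) {
        Write-Host "Permission level '$levelName' already exists; not re-created."
    } else {
        $web.RoleDefinitions.Add($custom)
        Write-Host "Created permission level '$levelName'."
    }

    # Effective-permission check: does this user (via any group or direct
    # role assignment) hold Manage Permissions on the root web?
    $canManage = $web.DoesUserHavePermissions($login, $manage)
    Write-Host "$login can manage permissions on $($web.Url): $canManage"

    # Who can change permissions regardless of role assignments:
    Write-Host "Site collection administrators:"
    $web.SiteAdministrators | ForEach-Object { Write-Host "  $($_.LoginName)" }
}
finally {
    $site.Dispose()
}
```

Assign the new level to the site's owners-type group in Site Permissions so day-to-day owners keep Full Control abilities without being able to alter role assignments; the Site Collection Administrators list printed last is the remaining set to keep small.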
Web App: Permissions, Anonymous Access & Policy, User Policy. Managed in Central Administration.
Define access to all content in a web application
Permission Policies
Allow and Deny
Define policies for any available permission
Scenarios
Anonymous Access & Policy: disabled by default. Authentication of anonymous users (policies); authorization of access by anonymous users to the site. Maximum permission: the Anonymous User Policy. Anonymous access vs. "all users".
Sign In
Intranet “Home”
Enable in-place records management
Declare records management attributes
Effect is document-level security without permissions
Information management policies
Information rights policies
Configured at the site collection level
Configured for content types
Audit log reports
Challenges: effective permissions, reporting permissions, auditing access, notification. Solutions: third-party tools.
Permissions: other features augment security management. Columns cannot be secured uniquely, out-of-box. Audiences: audiences are not security.
http://tiny.cc/danholmepresentations
http://bit.ly/danholmearticles
http://bit.ly/danholmebooks
A HUI HO! (‘til next time!)
[email protected]
@danholme
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn