Securable objects are the levels within SharePoint 2010 that can be locked down, or secured, by granting specific users or groups access. Sites, lists, libraries and individual items are all securable objects.
Server farm level access:
(1) Local administrator: Members of the local Administrators group on a SharePoint server are implicitly farm administrators as well; they can do everything a farm admin can, plus non-SharePoint tasks such as installing patches and service packs, configuring IIS, starting/stopping services, and SQL Server maintenance. By default they do not have access to SharePoint site content.
(2) Farm administrator: Can perform any task in Central Administration. By default farm admins do not have access to SharePoint site content either; being a farm admin is not the same as being a site collection administrator.
To manage the farm administrators group, from the Central Admin website use Site Actions -> Site Settings -> People and Groups (the Farm Administrators group is an ordinary SharePoint group on the Central Admin site), or Central Admin -> Security -> Manage the farm administrators group. It is easy to miss because it is not part of the day-to-day Central Admin categories.
Service Application Administrators, two groups:
(1) Service administrators: Delegated by a farm admin, can manage the settings for one specific service application. Central Admin -> Application Management -> Manage service applications, select the service application, then Administrators in the ribbon.
(2) Feature administrators: Delegated by a farm admin, are associated with a specific feature within a service application and can manage only that feature's settings.
Site Collection Administrators –
Have full permission/access to all sites under the site collection.
Site Administration –
Site Owners group – members have full control over the content of this site. Permissions can be customized on a child site or at a lower level. When you create a site with unique permissions, a [site name] Owners group is created and its members get full control of the new site.
Administration beneath the site level –
doesn't always require group membership.
-> Document library or list – there is no specific group that manages content at this level, but permissions can be configured directly on the list or library (break inheritance from the site, then grant users or groups a permission level). Useful when only a portion of your content needs restricted access.
-> Individual items and folders – similar to above; inheritance is broken on the item and permissions are granted on it alone.
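The list-level procedure described above, as an added example (SharePoint 2010 Management Shell; this is not code from the original notes). The site URL, the "Policies" library and the group names "HR Visitors", "HR Members" and "HR Policy Readers" are hypothetical. It breaks inheritance on one library, removes the assignments copied from the parent site, grants Read to a single group, and then lists the parent web's assignments so you can see the automatic Limited Access entry SharePoint adds for the readers group:

```powershell
# Added example, not from the original notes. All names below are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet/sites/hr"
try {
    $list = $web.Lists["Policies"]

    # 1. Stop inheriting from the parent web. $true copies the current
    #    role assignments, so nothing changes until we edit them.
    if (-not $list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($true)
    }

    # 2. Remove the copied assignments we do not want on this library
    #    (the parent site's default Visitors and Members groups).
    foreach ($name in @("HR Visitors", "HR Members")) {
        $g = $web.SiteGroups[$name]
        if ($g -ne $null) { $list.RoleAssignments.Remove($g) }
    }

    # 3. Grant the Read permission level to one group, on this library only.
    $readers = $web.SiteGroups["HR Policy Readers"]
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($readers)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $list.RoleAssignments.Add($ra)

    # 4. Verify. The readers group now shows up on the parent web with
    #    "Limited Access", which SharePoint adds automatically so the
    #    group can navigate to the library; you cannot grant it yourself.
    foreach ($assignment in $web.RoleAssignments) {
        $levels = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-30} {1}" -f $assignment.Member.Name, $levels
    }
}
finally {
    $web.Dispose()
}
```

Run it as a user who is a site collection administrator (or who has Manage Permissions on the library). Step 2 is the part people forget in the browser UI: BreakRoleInheritance($true) copies every parent assignment, so until you remove them the "restricted" library is still readable by everyone who could read the site.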
Understanding permissions –
Permission levels –
Tips –
(1) It is not a good idea to modify the default permission levels; make a copy and edit the copy instead, so the built-in levels keep their documented meaning.
(2) It is not a good idea to delete a default permission level either.
6 default levels -
(1) Full Control – has access to everything on the site and can perform site administration tasks. Not to be confused with site collection administrators, who have this on every site in the collection and cannot be overridden.
(2) Design – view/add/update/delete/approve/customize. Can approve content and customize pages and lists; can do anything on the securable objects except site administration tasks.
(3) Contribute – view/add/update/delete list items and documents. The standard permission level for granting users access to content and containers.
(4) Read – view pages and list items and download documents. The standard permission level for users who need to read but not add or edit items.
(5) Limited Access – can view specific items, lists, documents or folders. This level cannot be assigned directly; SharePoint assigns it automatically on a parent site or list when a user is granted access to something lower in the hierarchy, so that the user can navigate to the item.
(6) View Only – can view pages, list items and documents. Document types that have server-side file handlers (for example Office documents rendered by Office Web Apps) can be viewed in the browser but not downloaded.
Others (added by the publishing site templates):
(1) Restricted Read – similar to Read, but cannot create alerts, browse user information or use client integration features.
(2) Approve – edit and approve pages, list items and documents.
(3) Manage Hierarchy – create sites; edit pages, list items and documents.
Creating a New Permission Level Based on Existing Permission Level – Site Actions -> Site Permissions -> Permission Levels, open the level to copy, then use Copy Permission Level at the bottom of the page, rename it and adjust the individual permissions.
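The same operation from the SharePoint 2010 Management Shell, as an added example (not from the original notes), following the tip above to copy rather than edit a default level. The site URL and the new level's name are hypothetical; the copy is Contribute with the two delete rights masked out, which is a common request (users may add and edit but not delete):

```powershell
# Added example, not from the original notes. Site URL and level name are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission levels live on the root web of the site collection.
$site = Get-SPSite "http://intranet/sites/hr"
$web  = $site.RootWeb
try {
    $newName = "Contribute (no delete)"
    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $newName }) {
        throw "Permission level '$newName' already exists"
    }

    $source = $web.RoleDefinitions["Contribute"]

    # Copy constructor: clones name, description and the BasePermissions flags.
    $copy = New-Object Microsoft.SharePoint.SPRoleDefinition($source)
    $copy.Name        = $newName
    $copy.Description = "Copy of Contribute without DeleteListItems and DeleteVersions"

    # SPBasePermissions is a [Flags] enum. Work on [long] so the bitwise
    # operators behave predictably, then cast back to the enum.
    $delete = [long][Microsoft.SharePoint.SPBasePermissions]::DeleteListItems -bor `
              [long][Microsoft.SharePoint.SPBasePermissions]::DeleteVersions
    $mask = [long]$source.BasePermissions -band (-bnot $delete)
    $copy.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask

    $web.RoleDefinitions.Add($copy)

    # Sanity check: the built-in Contribute level is untouched and the copy
    # no longer carries the delete rights.
    $web.RoleDefinitions |
        Where-Object { $_.Name -like "Contribute*" } |
        Select-Object Name, BasePermissions
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Masking is safer than retyping the flag list by hand: if Microsoft changes what Contribute contains in a later version, the copy still starts from the real current definition and only removes what you intend to remove.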
SharePoint Security Groups: Created within the browser and scoped to a given site collection. By default, SharePoint creates security groups (site groups) when a new site collection is created; which groups are created depends on the template that is used.
(1) Site Collection Administrators: have Full Control over everything in the site collection and this cannot be overridden at any lower level. (Strictly, this is not a SharePoint group but a list of users stored on the site collection.)
(2) Owners/Members/Visitors – by default these three groups are created for every new site collection.
Configuring Permission during site creation –
When you create a new site, the default is to use the same permissions as the parent site. If you choose to use unique permissions, you will be prompted to configure three new groups: [new site name] Owners/Members/Visitors.
When you grant a SharePoint security group a permission level on a securable object, the grant applies to that object and to every child securable object that still inherits permissions from it.
Active Directory Groups -
You can also grant access to Active Directory groups, either directly or by adding the AD group to a SharePoint group. The AD group must be a security group; whether it is mail-enabled does not matter. Distribution groups cannot be used because they are not security principals: only security-enabled groups are placed in a user's logon token, so SharePoint cannot evaluate membership of a distribution list. In AD terms the group's groupType must have the security-enabled flag set.
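A check for that rule before the grant, as an added example (not from the original notes). The domain, the group "CONTOSO\SP-HR-Readers", the site URL and the SharePoint group "HR Policy Readers" are hypothetical. It looks the group up in AD, refuses to proceed if the security-enabled bit of groupType is clear (i.e. the object is a distribution list), and only then resolves the group in SharePoint and adds it to a site group:

```powershell
# Added example, not from the original notes. Domain, group and site names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# High bit of the AD groupType attribute (ADS_GROUP_TYPE_SECURITY_ENABLED).
# PowerShell parses this 8-digit hex literal as a signed Int32, the same
# way AD stores groupType, so -band works on it directly.
$ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

function Test-ADSecurityGroup {
    param([string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add("groupType")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$SamAccountName' not found in AD" }

    # Result property names come back lower-cased.
    $groupType = [int]$result.Properties["grouptype"][0]
    return (($groupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0)
}

$groupLogin = "CONTOSO\SP-HR-Readers"
$samName    = $groupLogin.Split("\")[1]

if (-not (Test-ADSecurityGroup $samName)) {
    throw "$groupLogin is a distribution group; SharePoint cannot use it for permissions"
}

$web = Get-SPWeb "http://intranet/sites/hr"
try {
    # EnsureUser resolves the group through the People Picker and records it
    # in the site's user information list; IsDomainGroup confirms it was
    # resolved as a group rather than a user account.
    $principal = $web.EnsureUser($groupLogin)
    if (-not $principal.IsDomainGroup) {
        throw "$groupLogin resolved as a user, not a domain group"
    }

    # Membership of the SharePoint group gives the AD group whatever
    # permission levels that SharePoint group holds on each securable object.
    $web.SiteGroups["HR Policy Readers"].AddUser($principal)
}
finally {
    $web.Dispose()
}
```

The AD check is worth keeping even though the People Picker would also reject a distribution list: it produces a clear error up front instead of a generic "user or group not found" from SharePoint, and it can be run without SharePoint rights when auditing the groups a site owner intends to use.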
More here (courtesy): http://sharepointstudy.wordpress.com/2010/12/13/chapter-8-%E2%80%93-securing-and-managing-site-content/