Securing and Managing Site Content Sharepoint

Permission levels – are made up of sets of individual permissions (e.g. View Items, Add Items, Manage Lists). SP ships with a fixed list of these base permissions; the base permissions themselves can't be added, edited or deleted. Only the permission levels that group them can be copied and customized.

Securable objects – are levels within SP 2010 that can be locked down, or secured, by setting specific user access. Sites, lists, libraries, folders and items are all securable objects.

Server farm level access:

(1) Local administrator: Members of the local Administrators group on a SharePoint server are treated as farm administrators too; they can do all duties of a farm admin, plus other non-SharePoint tasks, such as installing patches and service packs, managing IIS, starting/stopping services, SQL Server maintenance etc. By default they do not have access to SP site content.

(2) Farm administrator: Can perform any task in Central Admin (no local Administrators membership required). By default do not have access to SP site content.

To manage server farm administrators, from the Central Admin website: Site Actions -> Site Settings -> People and Groups -> Farm Administrators. It's not a function in one of the 8 major Central Admin categories!

Service Application Administrators, two groups:

(1) Service administrators: Delegated by a Farm Admin; can manage settings for a specific service application. Central Admin -> Manage service applications -> select the service application -> Administrators.

(2) Feature administrators: Delegated by a Farm Admin; are associated with a specific feature within a service application (e.g. one area of the User Profile service) rather than the whole service application.

Site Collection Administrators –

Have full permission/access to all sites under the site collection.

Site Administration –

Site Owners group – users have full control to content on this site. Can be customized on a child site or lower level. When you create a site, a [site name] Owners group is created. Group members will have full access to the new site.

Administration beneath the site level –

doesn’t always require group membership.

-> Document library or list – no specific group manages content at this level, but permissions can be configured (break inheritance from the site and grant access separately). Useful when you only want a portion of your content to have restricted access.
-> Folders and individual items – same idea; inheritance can be broken at the folder or item level.
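Breaking inheritance on a single list, as an added example (PowerShell for the SharePoint 2010 Management Shell, not from the original notes; the site URL, list name and "HR Reviewers" group are assumptions). It copies the parent's role assignments, drops the default Members group so Contribute no longer reaches the list, and grants the restricted group Read, which is the "only a portion of the content is restricted" pattern above.

```powershell
# Added example, not from the original notes. URL, list and group names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb "http://intranet.contoso.com/hr"   # assumption
$list = $web.Lists["Salary Reviews"]                  # assumption

# Only break inheritance once; $true copies the parent's role assignments
# so the list starts from the site's current permissions and is then trimmed.
if (-not $list.HasUniqueRoleAssignments) {
    $list.BreakRoleInheritance($true)
}

# Remove the default "[site] Members" group: its Contribute level should not apply here.
# Owners keep Full Control so site administration still works.
$list.RoleAssignments.Remove($web.AssociatedMemberGroup)

# Grant the restricted audience Read on the list only.
$reviewers = $web.SiteGroups["HR Reviewers"]          # assumption: group already exists
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($reviewers)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
$list.RoleAssignments.Add($assignment)

# Verify who can reach the list now and with which permission level.
$list.RoleAssignments | ForEach-Object {
    "{0}: {1}" -f $_.Member.Name, (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
}

$web.Dispose()
```

Users who keep access to the list but not to the parent site will show up on the site with Limited Access; that is SharePoint granting the traversal rights it needs, not a level anyone assigned.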

Understanding permissions –

Permission levels –

Tips –

(1) Not a good idea to modify default permission levels. Make a copy and edit the copy instead.
(2) Not a good idea to delete a default permission level; default groups and features depend on them.

6 default levels -

(1) Full control – has access to everything on the site and can perform site admin tasks. Not to be confused with site collection administrators, who are not subject to permission checks at all.
(2) Design – view/add/update/delete/approve/customize. Can approve content too. Can do anything on the securable objects except for site admin tasks.
(3) Contribute – view/add/update/delete list items and documents. The standard permission level to grant users access to content and containers.
(4) Read – view pages and list items and download documents. Standard permission for users who need to read, but not add/edit items.
(5) Limited Access – can view specific items, lists, documents or folders. This level cannot be assigned directly; SharePoint grants it automatically on the parent site/list when a user is given access to something lower in the hierarchy, so they can navigate to it.
(6) View Only – can view pages, list items and documents. Documents with server-side file handlers (e.g. Office documents rendered by Office Web Apps) can be viewed in the browser but not downloaded.

Additional default levels on publishing sites –

(1) Restricted Read – similar to Read, but can't create alerts, browse user information or use client integration.
(2) Approve – edit/approve pages, list items and documents.
(3) Manage Hierarchy – create sites; edit pages, list items and documents.
(View Only is present on these sites as well.)

Creating a New Permission Level Based on Existing Permission Level – Site Actions -> Site Settings -> Site permissions -> Permission Levels, click the level to copy, then Copy Permission Level at the bottom of the page; rename it and untick the permissions you don't want.
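The same copy-then-edit procedure scripted, as an added example (PowerShell for the SharePoint 2010 Management Shell, not from the original notes; the site URL and the new level's name are assumptions). It copies Contribute into a new level without the Delete Items permission and leaves the default level untouched, per the tips above.

```powershell
# Added example, not from the original notes. Site URL and level name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission levels (SPRoleDefinition) live on the root web of the site collection.
$site = Get-SPSite "http://intranet.contoso.com"     # assumption
$web  = $site.RootWeb

# Copy the default level instead of editing it.
$base = $web.RoleDefinitions["Contribute"]
$copy = New-Object Microsoft.SharePoint.SPRoleDefinition($base)
$copy.Name        = "Contribute (no delete)"         # assumption
$copy.Description = "Contribute without the Delete Items permission"

# BasePermissions is a flags enum; rebuild it from the copied flag names minus DeleteListItems.
$keep = $base.BasePermissions.ToString().Split(",") |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne "DeleteListItems" }
$copy.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($keep -join ",")

$web.RoleDefinitions.Add($copy)

# Verify: new level exists without DeleteListItems, default level still has it.
$new = $web.RoleDefinitions[$copy.Name]
"New level has DeleteListItems: " + ($new.BasePermissions.ToString() -match "DeleteListItems")
"Contribute still has DeleteListItems: " + ($web.RoleDefinitions["Contribute"].BasePermissions.ToString() -match "DeleteListItems")

$site.Dispose()
```

Adding a role definition on a subsite that inherits permissions throws, which is why the script targets the root web; the new level is then available everywhere in the site collection.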

SharePoint Security Groups: created within the browser and scoped to the site collection they are created in. By default, SP creates security groups (site groups) when a new site collection is created. The groups created vary according to the template that is used.

(1) Site Collection Administrators: have Full Control over every site in the site collection and can do anything to it. Can't be overridden by breaking inheritance or removing groups lower down.

Owners/Members/Visitors – By default these groups are created for all new site collections.

Configuring Permission during site creation –

When you create a new [site], the default is to inherit the same permissions as the parent site. If you choose to use unique permissions, you will be prompted to configure three new access groups: [new site name] Owners/Members/Visitors.

When you grant a SP security group (which exists at site collection level) a permission level on a securable object, that assignment applies to the object and to all child securable objects that still inherit permissions from it.

Active Directory Groups -

You can also use AD groups. They must be AD security groups (mail-enabled or not); distribution groups cannot be used, because they are not security principals and do not appear in the user's logon token, so SharePoint can't authorize against them.
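A check for the security-vs-distribution distinction before granting an AD group access, as an added example (PowerShell on a domain-joined SharePoint 2010 server, not from the original notes; the domain, group and site names are assumptions). The groupType attribute carries a security-enabled bit (0x80000000); the script refuses distribution groups and otherwise adds the group to the site's Visitors group.

```powershell
# Added example, not from the original notes. Domain, group and site URL are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# groupType bit 0x80000000 set = security group; clear = distribution group.
function Test-SecurityGroup([string]$samAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$samAccountName))"
    [void]$searcher.PropertiesToLoad.Add("groupType")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$samAccountName' not found in AD" }
    # stored as a signed 32-bit value; widen before testing the high bit
    $groupType = [int64]$result.Properties["grouptype"][0]
    return (($groupType -band 0x80000000) -ne 0)
}

$domain    = "CONTOSO"        # assumption
$groupName = "HR Reviewers"   # assumption

if (-not (Test-SecurityGroup $groupName)) {
    throw "$groupName is a distribution group; SharePoint cannot grant permissions to it"
}

# Resolve the AD group as a SharePoint principal and add it to the site's Visitors group (Read).
$web  = Get-SPWeb "http://intranet.contoso.com/hr"   # assumption
$user = $web.EnsureUser("$domain\$groupName")         # SPUser with IsDomainGroup = $true
$web.AssociatedVisitorGroup.AddUser($user)
"{0} (IsDomainGroup={1}) added to {2}" -f $user.Name, $user.IsDomainGroup, $web.AssociatedVisitorGroup.Name

$web.Dispose()
```

Membership of an AD group is evaluated from the user's logon token, so changes in AD only take effect after the user's next sign-in; SharePoint itself does not expand AD group membership when you add the group.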
