Each Web Application has a neat little section called Application Security which features a couple of key admin pages that each Architect and Administrator should be intimately familiar with. Some common problems that can be addressed there are:
- How can I be an administrator [Site Collection admin] for the entire Web App, just like in SPS 2003? In the age of self-service sites, the creator is the Site Collection administrator; when you try to access the site.. you get a big denial.
- How can I control that people do not go crazy with MySites?
- How do I control personalization on the web application?
- How do I control where people create sites?
All of these are controlled directly via the Application Security admin pages.
Policy for Web Application
First, let’s look at the Policy for Web Application screen and the first question on our agenda: automagic access and administration. Granting or denying access to yourself or someone else via policy is the easiest way to get a universal access (or denial) key to the entire web application.
So, what are the typical uses here?
- Grant your admin team Full Control access
- Grant your testers/help desk anything you desire, from Full Read to a custom policy
- Grant access to data to some application [e.g. a friendly BizTalk server or something else]
- Deny access to some people, in case you suspect someone else may grant them access individually
- Control access through zones.. yes.. you can be an admin in the Internet zone, but a nobody through the extranet access zone
In fact, this is how the Search Crawling Account is configured.. access as a “reader” to all site content, but not necessarily to the draft versions of documents. So what happens if you accidentally use an admin account to crawl? The index contains the draft versions, and.. ahem.. the result highlights will show unpublished content for everyone to see. But I digress. Back to the task at hand: how do you make sure your team is capable of managing all of the sites?
- Open Policy for Web Application
- Click Add Users
- Select the web application and the zone
- Specify the users [an AD group would work nicely]
- Choose the Full Control permission
Next question.. do I really need “Full Control” to be an admin? No. The new functionality allows farm admins to “see” the site properties without having to control and see all of the content [I believe it is through certain properties and SPSiteUsage].
User Permissions for Web Application
The next important part of the Application Security settings gives us fine control over which role has access to which feature of the Web Application. Very Cool. With some careful planning, this page allows us to answer questions such as: How can I control that people do not go crazy with MySites? and How do I control personalization on the web application? With these settings, no matter who controls a site, once a feature is disabled it is unavailable throughout the Web Application.
Just as the policy was all-powerful, the User Permissions section simply puts the admin in full overdrive. With a careful design of the Web Application hierarchy [e.g. MySite separate from Corp Portal, separate from CollabPortal] you can disable certain features within each application.
For instance, to keep your sites focused and fast:
- MySite: disable ability to create subsites
- CorpPortal: disable all Personal Permissions, some of the collaborative features
- CollabPortal: disable some Customization, Personalization, Self Service Site Creation [i.e. in case all collaboration sites need to follow a certain template]
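As an added example (not from the original post), here are the same two controls scripted from PowerShell against the SharePoint server object model on a farm server: it lists every policy on every zone of a web application, warns when a Full Control policy is held by the crawl account (the draft-leak scenario above), and clears the Create Subsites right from the web application's User Permissions. The URL and account name are placeholders.

```powershell
# Added example: audit Policy for Web Application and trim User Permissions for Web Application.
# Assumes it runs on a farm server; the URL and crawl account below are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl    = "http://mysites.contoso.local"   # placeholder web application URL
$crawlAccount = "CONTOSO\svc_crawl"              # placeholder search crawling account

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$webAppUrl)

# 1. Policy for Web Application: gather the "(All zones)" policies plus each zone's own policies.
$policySets = @{ "(All zones)" = $webApp.Policies }
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    $policySets[$zone.ToString()] = $webApp.ZonePolicies($zone)
}

$fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
foreach ($label in $policySets.Keys) {
    foreach ($policy in $policySets[$label]) {
        # Each policy binds one or more policy roles (Full Control, Full Read, Deny Write, Deny All).
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Type }) -join ","
        Write-Output ("{0,-12} {1,-30} {2}" -f $label, $policy.UserName, $roles)

        $hasFullControl = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $fullControl }
        if ($hasFullControl -and $policy.UserName -eq $crawlAccount) {
            # A crawl account with Full Control indexes drafts; it should hold Full Read only.
            Write-Warning "Crawl account $crawlAccount has Full Control via policy [$label]"
        }
    }
}

# 2. User Permissions for Web Application: the page edits the web app's RightsMask.
#    Remove "Create Subsites" (SPBasePermissions.ManageSubwebs) for every site in the application.
$createSubsites = [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs
if (($webApp.RightsMask -band $createSubsites) -eq $createSubsites) {
    $webApp.RightsMask = $webApp.RightsMask -bxor $createSubsites   # clear only that bit
    $webApp.Update()
    Write-Output "Create Subsites disabled for $webAppUrl"
}
```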
The full set of available User Permissions is quite lengthy and is divided into 3 sections:
List Permissions:
- Manage Lists
- Override Check Out
- Add Items
- Edit Items
- Delete Items
- View Items
- Approve Items
- Open Items
- View Versions
- Delete Versions
- Create Alerts
- View Application Pages
Site Permissions:
- Manage Permissions
- View Usage Data
- Create Subsites
- Manage Web Site
- Add and Customize Pages
- Apply Themes and Borders
- Apply Style Sheets
- Create Groups
- Browse Directories
- Use Self-Service Site Creation
- View Pages
- Enumerate Permissions
- Browse User Information
- Manage Alerts
- Use Remote Interfaces
- Use Client Integration Features
- Open
- Edit Personal User Information
Personal Permissions:
- Manage Personal Views
- Add/Remove Personal Web Parts
- Update Personal Web Parts