#SPSSAN June 30, 2012 San Diego Convention Center BEST PRACTICES FOR MANAGING SHAREPOINT PERMISSION LEVELS SharePoint 2010 Tony Rockwell

#SPSSAN Who? Tony Rockwell About me: 20+ years in IT 5 years focused on SharePoint MCTS SharePoint 2010 Configuration SharePoint Administration Installation; Configuration; Upgrades Enable OOTB features Implement 3 rd party tools Founding Board Member of SANSPUG SPSSAN organizer Solution Specialist at EMP Live EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work. PortfolioEngine WorkEngine ProjectEngine

#SPSSAN House Keeping Thank our Sponsors! This is an Interactive Session Save questions – you choose Twitter hashtags: #PermissionLevels

#SPSSAN Agenda SharePoint Security Why Create custom permission levels? Inheritance & Scopes Best Practices Permission Level Scenario How-To using the SharePoint interface How-To using PowerShell References

#SPSSAN SharePoint Security Why create custom permission levels? Because security matters to you Ease security administration Enable refined security Terminology Farm Administrator Service Application Administrator Feature Administrator Site Collection Administrator Permission Levels Users Groups Securable Objects Inheritance & Scopes Permission Levels Users Groups Securable Objects Inheritance & Scopes

#SPSSAN Inheritance & Scopes Site Collection Web Object Document Library Object Folder Web Object Item Scope 2

#SPSSAN Best Practices SharePoint Permissions Use fine-grained permissions only when business case requires it Break permission inheritance infrequently as possible Use domain groups to assign permissions to sites when possible Assign permissions at the highest level possible Make use of appropriate SP roles

#SPSSAN Best Practices SharePoint Permission Levels & Scopes Don’t modify or delete a default permission level Copy a default permission level & modify it The maximum # of unique security scopes set for a list should not exceed 1,000 Use group membership rather than individual membership in your scopes

#SPSSAN Scenario The Company Each department owns a site Department site owner to manage site… but delegates permissions to someone else Delegate should not modify site, pages, etc. only add/remove (manage) users Delegate should also have standard “Contribute” access to site The Company Each department owns a site Department site owner to manage site… but delegates permissions to someone else Delegate should not modify site, pages, etc. only add/remove (manage) users Delegate should also have standard “Contribute” access to site

#SPSSAN Required Administrative Credentials

#SPSSAN 1. Navigate to top-level site 2. Site Actions > Site Permissions (or Site Settings for Publishing) 3. Click on Permission Levels in the Ribbon 4. Select the permission level to copy – Contribute 5. Scroll down & select Copy Permission Level How-to: SharePoint interface

#SPSSAN 6. Name the new permission level (User Manager) & enter a description (i.e. “ Use this permission to Manage Users”) 7. Select desired permissions Check Enumerate Permissions (Manage will auto-select, Deselect it) 8. Scroll down & click Create The custom permission level is ready to use! Create a SharePoint group for each department; i.e. “Accounting User Managers” Give the group the “User Manager” permission level Make the owner of this SP Group, the Site Owner or SCA Change the owner of the Member & Visitor groups How-to: SharePoint interface

#SPSSAN How-to: PowerShell PS > $spWeb = Get-SPWeb Create a new object PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition Add name and description PS > $plevel.Name = "Custom: User Manager" PS > $plevel.Description = “Enumerate Permissions" Set the base permissions PS > $plevel.BasePermissions = “EnumeratePermissions”

#SPSSAN How-to: PowerShell Add the permission level to your site PS > $spWeb.RoleDefinitions.Add($plevel) Clean up PS > $spWeb.Dispose() See base permissions that are available PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews ManageLists ViewFormPages Open ViewPages AddAndCustomizePages ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs CreateGroups ManagePermissions BrowseDirectories BrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb UseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo EnumeratePermissions FullMask

#SPSSAN Session wrap-up Questions Please complete a Session Survey Help me improve Help the organizers improve future events Win prizes!

#SPSSAN Contact Blog: LinkedIn: San Diego SharePoint Users Group: slideshare: REFERENCE : Technet - User Permissions and Permission Levels Spbasepermissions - definitions us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx SP Permission Inheritance Best Practices for Fine-grained Permissions (White Paper) Best Practices Center for SharePoint

#SPSSAN The After-Party : SharePint Karl Strauss Brewing Company 1157 Columbia Street San Diego, CA Phone: Immediately following event closing & prize drawings pm) Directions (.9 miles): 1. Head northeast on 1st Ave 2. Turn left onto W. B St 3. Turn left onto Columbia St Karl Strauss will be on the left

#SPSSAN June 30, 2012 San Diego Convention Center THANK OUR SPONSORS Please be sure to fill out your session evaluation!