1. Permission Level and Group

a. Permission Level

A set of permissions that can be define and grant to users or SharePoint groups on a site, library, list, folder, item, or document. Base on that, SharePoint Authorization to perform specific actions such as viewing pages, opening items, edit item, and creating subsites,…

SharePoint allow administrator easy to change, customize, add or delete permission level, even if you want to clone permission level from existed permission level

b. Group

Default of each SharePoint site has 3 Group of user at least, and these groups are managed by Owner group. Site Ownser can change group settings and assign user group permission

SharePoint also allow Domain user and domain group can be added under permission level without via SharePoint Group. But I suggest we use SharePoint Group to manage user permission.

Administrator can define more SharePoint Groups if pre-configured permission of SharePoint Group is not suitable with their bussiness.

If we have many subsites under root site, we just create one unique Group. It’s available and across sites. So that we can not define more than one duplicated name for SharePoint Group.

Under subsites, we can set it as inherit or not from parent site.

2. Site Permission

As you know, when a Sharepoint site created, SharePoint provides three SharePoint User Groups by default: Visitor, Member and Owner.  These permission are three of nine “Permission Levels” that are provided for different group of security level.  In each Permission Level has been set as a specific permission list for working on portal. So that, SharePoint separate permission in two secion: SharePoint Group and Permision Level

As above, a SharePoint group can be defined maps to permission or combined from many permission levels. People belongs to group will have corresponding site permission in current site and cross subsites (if they’re inherited parent site permissions)
Create a group

a. On the home page of the site, click Site Actions, point to Site Settings, and then click People and Groups.
b. On the New menu, click New Group.

c. Type a name for the group, and then type a brief description of the group’s attributes.
d. To change the owner of the group, type a new account name, or click Browse to find an individual’s account name. It should be owner group instead of     individual account
e. In the Group Settings section, click the options to specify who can see the members of this group and who can add or remove members.
f. In the Membership Requests section, click the options to specify whether you will accept requests to be added or removed from this group, and to add     the e-mail address that users can send requests to. If you select Auto-accept requests, users are automatically added or removed when they make a request.
g. In the Give Group Permission to this Site section, select the permission level that you want to allow for this group.
h. Click Create.From People and Group page, you can modify Permission, change Group Settings of current group if you have group owner permission. More than that, you can assign or remove domain user/domain group as well from tool bar menu.

3. List Permission

SharePoint also provides ability to manage individual lists, document libraries or on folders with specific permission as below

Windows SharePoint Services 3.0 allows you can stop impaction site permissions to specific lists, then you can add or remove permission of users or groups of users for viewing, editing, or deleting item…
Add users/groups to a list or library
a. Open the list or library in which you want to add users or SharePoint groups.
b. On the Settings menu, click Document Library Settings or List Settings.
c. On the Customize page, in the Permissions and Management column, click Permissions for this document library or Permissions for this list.

d. In this case, on the Actions menu, click Edit Permissions, and then click OK to confirm that you want to create unique permissions. On the New             menu, click Add Users.
e. In the Add Users section, specify the users and SharePoint groups you want to add to this securable object.
f. In the Give Permission section, either add the users to an existing SharePoint group or give them permission directly to the securable object and select         one or more of the check boxes to give these users the permissions you want on this securable object.

g. Click OK.

4. Personal Permission

Beside site permision and list permission, WSS 3.0 provide personal permission to customize on lists like Create, change, and delete personal views of lists. On webparts, they can add or remove, change display position personal Web Parts on a Web Part Page, more than that, they also update Web Parts to display personalized information as well. Ofcourse, these changes will not impact to another people interfaces.

Below table tell you overview about personal permissions

5. Permission management recommended practices?
a. We need to understand where are strengths and weeknesses between using SharePoint groups and Active Directory user groups.In case of SharePoint group, SharePoint allow administrator can group many people responsible to same business team. More than that, SharePoint API allow decentrialized and isolation mainternance, base on that, it also support third party authentication for internal and external using authorization. Because this way, require administrator manage many people so IT has been become bottleneck for too long.Active Directory Domain group is centralized and standardization tool for IT to manage user domain for their enterprise and other external services, fortunately domain groups are visible to SharePoint so that IT can assign a group of people to SharePoint Group without manternance for both of SharePoint Group and AD Groups when they have some changes, there’re also SharePoint API can query for user permission as well. But it should be consider because AD account is not always suitable for external user authentication.

b. Should be consider to use target audiences for your sites when design Access strategy

c. When you break inheritance of sites, lists, libraries,… it’s mean you lose your customizations and make you difficult to manage unique permissions. So             that try to inherit permission whenever you can.

References:

  1. Permission level and Permissions: http://office.microsoft.com/en-ca/windows-sharepoint-services-help/permission-levels-and-permissions-HA010100149.aspx
  2. Manage Permission Level: http://office.microsoft.com/en-us/windows-sharepoint-services-help/manage-permission-levels-HA010100143.aspx
  3. SharePoint Groups, Permissions, Site Security and Depreciated Site Groups: http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx
Hoang Nhut Nguyen
Email: nhutcmos@gmail.com
Skype: hoangnhut.nguyen