Monday, 12 February 2007

SharePoint 2007: Permissions, permissions, permissions.

Update: Joel Olsen has a great post about permissions:

http://blogs.msdn.com/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx

SharePoint 2007 permissions functionality has increased so much (granularity / SharePoint groups / permission inheritance), that it is quite easy to get confused when trying to setup your permissions. As usual, Ton Stegeman has quite a few good articles about Permissions etc.

The basic idea is to create Permission Levels, and assign these permission levels to users or groups. Having the ability to inherit / break permissions as the need arises it ensures that virtually any kind of fancy permission setup can be implemented. It takes quite a lot of experimenting to understand and setup the permissions correctly, but with careful thinking and tweaking you should have quite an elegant end result.

Permission (Levels)
Permission levels are the various different rights which you can assign to different people / groups in a SharePoint site. By default, each site comes with a number of permission levels (Full Control / Design / Contribute / Read etc.) which you can customise to suit your needs. To create additional parent levels, go to the Site where you want to create a new permission level. Click on People and Groups > Site Permissions > Settings > Permission Levels. Here you can create your new custom permission levels. You can create permission levels from scratch, or copy existing permission levels.

After setting up the permission levels that you need, you need to setup the groups.

When you click on People and Groups you will be greeted by the following menu.


By default you are taken to the Groups

Groups -> contains all the groups within the Site Collection. Here you are able to see all the groups that exist in the current site collection.

You can customise this list (to show only the groups which are relevant to the current site), by cicking on Settings > Edit Group Quick Launch. You will then be able to choose which groups should be visible when you click on the Groups link (for the current site). This is especially useful, when you are not inheriting permissions from the parent site. Since you will probably have created custom groups for this site, this will allow you to show only those groups which are relevant to the current site.

In the groups you can also setup which groups will be the Owners / Members / Visitors for the current site. This is done by clicking Settings > Set Up Groups and assignin the rights to the appropriate groups. For most users this should be sufficient.

All People -> used to view (and manage) all people for the current site collection. What you will see is all users in the current site collection. It doesn't matter from which site you click the All People link, you will always see all the people which have some kind of permissions in the current site collection.

Site Permissions -> this is where the interesting stuff happens ;) (the assigning of permission levels to users group).

Once you have created your required permission levels, you need to assign these permission levels to particular users or groups in your site.

Your site must not inherit from its parent, to break the inheritance you need to click on Actions > Edit Permissions (and click Ok). What this does is create an exact copy of the permissions of the parent site. At this point you still basically have the same permissions as the parent. You can now remove any permission levels you don't need, and create new users / groups with the permissions levels you have setup earlier.

Anything which can be done for sites, can also be done for each list in each site, and each item in each list! Now that's what I call fine permission granularity!

Confused? Practice makes perfect ;) I will try to make another post with a few good examples...