windows sharepoint services managing users and rights
DESCRIPTION
Windows SharePoint Services Managing users and rights. Agenda. Authentication and Authorization Site Administrators Box Administrators Managing Users and Site Groups WSS Object Permissions. Managing Sites and Sub-sites. Manage immediate set of sub-sites for the current site* - PowerPoint PPT PresentationTRANSCRIPT
Windows SharePoint ServicesManaging users and rights
Agenda
• Authentication and Authorization• Site Administrators• Box Administrators • Managing Users and Site Groups• WSS Object Permissions
Managing Sites and Sub-sites
• Manage immediate set of sub-sites for the current site*
• View Full list of sub-sites for the site collection**
• Managed from HTML Pages or command-line
• Site-creation is a simple two-step process
Authentication
• Authentication – the verification of identity of a person or process– Different from authorization, which determines
which functions you can perform• WSS does not perform it’s own
authentication – this is handled by IIS• IIS’ authentication mechanism requires an
NT account (either local or AD)
Authentication Setup
• Two main setups for authentication – account creation mode or pre existing domain
• With a pre existing domain, use IIS with Windows authentication enabled, no new user accounts needed
• Account creation mode is a feature, selected at install time, that will generate a new account in the AD for each user – pre existing accounts cannot be used. IIS is setup to use basic or digest authentication
• Don’t use local machine accounts!– Migrating will be a big pain if you do
• Passport authentication and WSS don’t work well together
Anonymous Access
• Anonymous access is limited – the most anonymous users can do is insert list items– By default, it is turned off, both at the web site
level and at the IIS level– WSS UI is sensitive to IIS setting
• Setting anonymous access is done at myriad different points– IIS setting for the virtual server– On/Off switch at the web site level– Rights mask at the individual list level
DemoConfigurazione Accesso Anonimo
Site Collections
• A Site Collection is a set of logically related Web Sites that can be collectively managed
• Each Site Collection has a single top level Web Site
• Individual users can be marked as Site Collection Administrators– This grants them full access to all content
Box & WSS Administrators
• WSS supports two sets of high level administrators, box admins and SharePoint Administrative Group members– SharePoint Administrative Group is defined in WSS
Central Administration– WSS checks to see if the current user is a box admin or
in the domain group. If so, full access is granted to all site collections
• Four differences between abilities of box admins and WSS admins– Change configuration database– Change WSS admin domain group– Manage content paths– Extend/unextend IIS virtual servers
Security & Site Collections
• Site collection administrators have three main responsibilities– Users and cross-site groups on the site
collection• Users are rolled up at the site collection
level, and can be managed there• Cross site groups are scoped to the site
collection level– Quota issues for the site collection– Rights mask for the site collection
DemoImpostazione Gruppo Amministrativo
WSS Authorization
• Whereas WSS relies on IIS for authentication, WSS performs all it’s own authorization
• Implementation is similar to NT system– WSS specific ACLs dictate access
• ACL is a collection of ACEs, each of which maps a security principle (user, group, etc) to a set of rights
– NT is called for domain group resolution
Managing Users
• Users give people access to a site• Every site has it’s own set op users• The site owner can choose to inherit
users from the parent site, or create a unique set of users
• Can enable Anonymous access on– Entire Site, Lists and Libraries or Nothing
• Can enable access for all authenticated users as– Readers or Contributors
• Can manage all users in a site collection
Site Settings Go to Site Administration Manage Users
Web Site Security
• Site Groups are scoped to an individual Web Site• Site Groups by default
– Guest*– Reader– Contributor– Designer Web– Administrator
• Which Site Groups a user is a member of determine their default permissions to objects in that site (and any inherited web sites)– Membership in multiple Site Groups is possible
• A Web Site’s security can be either inherited from it’s parent web, or unique
Managing Usersand Site Groups
• Membership to a Site Group determines the rights a user has
• Use built-in groups or create your own• Each Site Group has a set of rights• Copy feature allows you to copy all
rights to another group
Site Settings Go to Site Administration Manage site groups
Managing Cross-Site Groups
• Group users together in one entity
• Cross-site groups must be assigned to a site group in order to give the users in the site-group rights on the Site
• Can be used on any site within the site-collection
• Useful if equivalent is not available as an AD Security group
Site SettingsGo to Site Administration Manage cross-site groups
Managing Cross-Site Groups
Site SettingsGo to Site Administration Manage cross-site groups
UsersJohn SmithPeter CollinsJudy LewKim ClarkPaul WestDon HallSuzan FineGroupsMarketingSalesProduction
AD
Site UsersJohn Smith
Judy LewKim Clark
Cross-Site GroupsManagersRegional VPsHR AssistantsSales and Marketing
WSS
Site GroupsWeb Designer
Contributor
Reader
Administrator
WSS
Corporate Directory
Who has Access to a Site ?
What Rights do they have ?
DemoCreazione Site Groups e Cross-Site Group
Permissions in WSS
• WSS uses “rights” - a right is a privilege that allows a user to perform an action on the server.– Example: View Pages, Insert List Items, Change List
Permissions.– There are currently about 20 rights.– Some rights are dependent on others. Example: Insert
List Items has View List Items as a dependent.• At the IIS virtual server level there is a “rights
mask”– This enables/disables rights for use on Web Site
Collections within that virtual server– Is settable by box administrators and WSS
administrators
User Level Security and Web Parts
• Shared and Personal modes– Shared mode changed seen by all users– Personal mode changes seen only by the individual making
them• Rights controlling user modes:
– Shared: • Add or customize pages – allows shared mode changes for
parts and pages outside document libraries• Edit list items – allows shared mode changes for parts and
pages inside document libraries– Personal:
• (Add or Remove Private Web Parts) Personalize Web Part pages – allows users to add/delete parts in personal mode for pages in webs and document libraries
• (Updated Personal Web Parts) Personalize Web Parts – allows users to modify part properties in personal mode for pages in webs and document libraries
DemoAttribuzione permessi
I prossimi appuntamenti
• Lunedì 10/05/2004 ore 10.30WSS e i modelli personalizzati: siti, liste, raccolte
• Martedì 25/05/2004 ore 10.30Introduzione a XML in Office 2003(no developer)