Permissions—the big picture
SharePoint 2010 is a web application that is secured through different layers of permissions. The comprehensive content management, enterprise search and collaboration functionality is provided through a multi-server environment referred to as a farm. For instance, the CU Denver farm is one site collection providing content for both the Anschutz Medical Campus (AMC) and the Downtown Denver Campus (DDC). The illustration below depicts a typical farm or site collection topology.
Site collection administrators: Members of the site collection administrators group have full control permission on all web sites within a site collection. This means that they have access to content in all sites in the site collection, even if they do not have explicit permissions on that site. This group includes ASI&D team members.
Site owners: By default, members of the site owners group have full control permissions on an individual site. Administration tasks can be performed for the site and for any list or library within the site. Members of the University Web Services (UWS) team are members of the UCD_SiteOwners group.
Keep in mind that every site collection is an island of security. What the School of Public Affairs (SPA) does in the SPA site collection will not affect what the School of Engineering does in its site collection. By default, a child site automatically inherits the permissions of its parent unless permission inheritance from the parent is stopped and the child site establishes unique permissions.
- Never add individuals to a site
- Always add individuals to groups
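One way to audit a site collection against these two rules (inheritance and no direct individual assignments), as an added example that is not from the original page; it assumes the SharePoint 2010 Management Shell on a farm server and uses a placeholder site URL:

```powershell
# Added example, not part of the original page. Flags child sites that
# stopped inheriting, and role assignments granted to an individual user
# rather than to a SharePoint or domain group. PowerShell 2.0 compatible.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.edu/sites/placeholder"   # placeholder URL

function Get-PermissionFindings {
    param([string]$Url)
    $findings = @()
    $site = Get-SPSite $Url
    try {
        foreach ($web in $site.AllWebs) {
            # Rule 1: a child site should inherit unless inheritance was deliberately stopped.
            if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                $findings += New-Object PSObject -Property @{
                    Web     = $web.Url
                    Finding = "Unique permissions (inheritance stopped)"
                    Member  = ""
                    Levels  = ""
                }
            }
            # Rule 2: individuals belong in groups, never directly on the site.
            # Inherited webs repeat the parent's assignments, so only unique ones are scanned.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $m = $ra.Member
                    # SPUser with IsDomainGroup is an AD group, not an individual.
                    if (($m -is [Microsoft.SharePoint.SPUser]) -and (-not $m.IsDomainGroup)) {
                        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                        $findings += New-Object PSObject -Property @{
                            Web     = $web.Url
                            Finding = "Individual user assigned directly"
                            Member  = $m.LoginName
                            Levels  = $levels
                        }
                    }
                }
            }
            $web.Dispose()
        }
    }
    finally {
        $site.Dispose()
    }
    return $findings
}

Get-PermissionFindings -Url $siteUrl | Format-Table Web, Finding, Member, Levels -AutoSize
```

An empty result means every site inherits from its parent and every permission is held through a group; each row is a deviation to review with the site owner.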
- User has full control
- User can view, add, update, delete, approve and customize
- User can create sites and edit pages, list items and documents
- User can edit and approve pages, list items and documents
- User can view, add, update and delete list items and documents
- User can view pages and documents, but cannot view historical versions or user permissions
- User can view pages and documents, but cannot view historical versions or user permissions
- User can view specific lists, document libraries, list items, folders or documents when given permission
The following permission groups are at the parent site (UCDENVER.EDU), and should be inherited with every university site:
- Style Resource Readers: Limited Access
  All authenticated users are members of this group for access to all file trees within the site collection for moving, copying and spell check.
- UCD_SiteOwners: Full Control
- UCD_ContentManagers: Manage Hierarchy, Approve, Contribute
- UCD_Contributors: Approve, Contribute
In addition, individuals can be added to localized permission groups. Keep in mind that membership in each group should be unique. In other words, if Joe is in the site owners group, he would not be a member of either of the other permission groups.
- SITE_or_Department_SiteOwners—i.e. SOM_Pediatrics_SiteOwners