SolutionBase: Working with permissions in Windows SharePoint Services 2003

Learn how to set permissions on Windows SharePoint Services.

In "Customize a default SharePoint Web site," I showed you how to tailor the default SharePoint Services Web site to fit your organization's needs. If you read that article, you know that the entire site modification process is basically drag-and-drop in nature. And since the process is so simple, you may have wondered what would stop an end user from being able to modify the site in the same way that you did.

Windows SharePoint Services has an elaborate permissions scheme that allows you to assign granular access and control over your SharePoint sites. In this article, I'll show you several instances in which you would want to implement SharePoint Services permissions. I'll then explain how those permissions work.

Controlling Web site access
After you create and modify the default SharePoint Services Web site, you'll want to set up permissions to determine who has access to the site. Remember that the site you create may contain confidential documents, so you don’t want this site to be publicly accessible.

Normally, when you create and modify the default Web site, you'll be logged in as Administrator. Therefore, the account used to create the site will have unrestricted access not only to view the site, but also to manage and modify it. Whenever someone attempts to access the default Web site, Windows will prompt the person to enter a username and password. Initially, access to the site is denied to everyone except the site’s creator.

This means you must determine who should have access to the site and what level of access they should have. To begin, log in to the default Web site as the site’s creator. When you do, the site’s home page will be displayed. Now, click on the Site Settings link followed by the Manage Users link.

You'll now see the Manage Users screen, which shows all of the users who currently have access to the site. As you can see in Figure A, the Administrator who created the site is initially the only user who has access to it.

Figure A
Initially, the Administrator who created the default site is the only user with access to it.

At this point, click the Add Users link to begin setting up user permissions. You'll see the Add Users screen, shown in Figure B. This screen is fairly simple to follow. You must enter the usernames or e-mail addresses of the users you want to assign access to, and then select the level of access.

Figure B
The Add Users screen allows you to assign users access to the site.

One thing to keep in mind as you work with this screen is that all of the users you enter will be assigned the same level of access. Therefore, if you want to assign administrative permissions to some users and Reader (read-only) permissions to other users, you’ll have to enter the names of those users requiring administrative access, assign the access level, and then go back and enter the names of those users requiring Reader access.

Permission levels
Let's take a look at the various permissions that can be assigned. The lowest level of permissions is the Reader permission, which is the SharePoint equivalent to read-only access. The highest level of access is Administrator, which gives full control over the site.

The Contributor permission grants both read and write permissions to the site. For example, if your default Web site has a discussion board on it, a contributor would be allowed to read existing messages and post new messages.

The Web Designer permission allows a user to modify the site. A user can add and remove Web parts, change color schemes, and completely alter the site. Note that permissions are not cumulative in nature. It's therefore possible (and sometimes necessary) to assign multiple permissions. For example, if you assigned the Reader and Web Designer permissions to a user, the user would be able to read site content and modify the site, but would not be able to post new content on the site.

After you’ve entered the users and permissions, click Next and you'll see the Add Users screen shown in Figure C. This screen gives you the chance to confirm the user accounts you'll be granting permissions to. Although this screen allows you to confirm user accounts, it doesn’t let you confirm roles.

Figure C
The Add Users screen allows you to confirm the users being added and generate a notification e-mail message.

This screen also lets you send an e-mail to users you've granted access to. Figure C shows an example of such a message.

You might be wondering what the user actually sees if you assign read-only permissions to a site. Figure D shows my default site with the Administrator logged in. Figure E shows the same site viewed by a user with Reader permission.

Figure D
This is the default Web site with Administrator permission.

Figure E
This is the default Web site with Reader permission.

At first glance, the two screen shots look identical. However, there's one subtle but important difference. If you look in the upper-right corner of Figure D, you'll notice a link for Modify Shared Page. This link doesn’t exist in Figure E. The Create and Site Settings links in the menu bar appear in both views, but for the time being, those links are disabled for the user with Reader permission.

Individual page elements
Before I continue, I want to take a moment to discuss the individual Web parts that make up the page. If you've ever used SharePoint Portal Server (the big brother to Windows SharePoint Services), you're probably used to being able to control access to individual document libraries.

However, this is one of the ways in which SharePoint Services differs from SharePoint Portal Server. The permissions that you assign to a user are valid throughout the site. You can’t assign a user Reader permission to one library or folder and then assign Creator permission to a different library or folder.

SharePoint Services offers users the ability to create custom versions of existing Web sites. For example, in Figures D and E, you see what my default Web site looks like. In a normal Web environment, what you see is what you get.

However, SharePoint allows users with Contributor or higher permissions to create a custom version of the Web site that is available only to them. This means that users can start with the same Web site as everyone else, and then add and remove Web parts to create their own personal version of the site. They can do this without affecting anyone else’s view of the site and without affecting their own ability to return to the default version of the site.

To switch to a personal view, a user must click the Modify My Page link. You might recall that a Modify Shared Page link existed in Figure D but not in Figure E. However, when you change someone’s permission level to Contributor, the user receives a similar link called Modify My Page.

Modify My Page contains many of the same options as Modify Shared Page. Users are free to modify their view of the Web site by adding, removing, and changing Web parts. If users want to revert to the default version of the page, they can select the Reset Page Content option from the Modify My Page menu.

Things work a little differently for those with Administrator and Web Designer permissions. If Administrators or Web Designers select the Modify Shared Page link, they'll see options at the bottom of the menu for a Shared View or Personal View. When in Personal View, Administrators and Web Designers can customize their own personal version of the Web site. However, when Shared View is selected, all changes apply to everyone’s view of the default site.

Controlling Web site creation
So far, I've shown you how to establish some basic permissions over the site that you’ve created, but this is just the beginning. One of SharePoint Services' best features is that it allows users to create their own Web sites. If the thought of users developing Web sites on your server scares you, you can relax. The only users who can create sites are those whom you've designated. Even then, users can create sites only within the confines of SharePoint, and they're subject to restrictions you've implemented.

So why on earth would you want your users to create Web sites? The basic idea is that individual departments can create Web sites that can be used for project collaboration. For example, suppose you worked for a company that manufactured performance boats. The design team has been asked to come up with a new boat design for 2005, a task that involves a lot of work. One of the first things team members might do is create a Web site they can use to collaborate on the project.

The Web site could contain a discussion board for examining pressing issues, a task list for assigning various tasks to team members, a document library for housing spec sheets, and an image library for storing the latest artist renderings and CAD images of the new design. Obviously, the design team could benefit greatly from having its own collaborative Web site.

Now forget that SharePoint exists for a moment, and imagine that the team leader came to you and asked the IT department to custom-build a site like this for the team. Assuming that the IT staff wasn’t already overburdened with other projects, it would probably take weeks to build the site. However, if you've implemented SharePoint Services, the team can design and maintain the site by themselves in a matter of minutes and, best of all, they can do it without bothering you!

Not just anybody can do it
By default, no one is allowed to build additional Web sites unless you've granted them permission to do so. To implement permissions that will allow users to create Web sites, log in as Administrator, go to the home page, and click the Site Settings link. When the Site Settings screen appears, click the Configure Site And Workspace Creation link. This will take you to the Modify Site And Workspace Creation screen.

This screen allows both site and workspace creation. For all practical purposes, a site and a workspace are the same thing, so this isn’t really something you need to worry about.

SharePoint Services doesn't allow you to grant site and workspace creation permissions on an individual basis. Instead, you can grant the permissions to users who have been assigned the Contributor and/or Web Designer permissions. To assign the Web site creation permissions, select the appropriate check boxes and click OK.

If your users want to create a Web site of their own, they can go to the default home page (or to the home page of a site in which they have site creation permissions) and click the Create link. When the Create Page appears, they should scroll to the bottom of the page and click the Sites And Workspaces link. This causes SharePoint Services to display the New SharePoint Site screen, shown in Figure F.

Figure F
The New SharePoint Site screen allows users to create new Web sites.

Users must begin by entering a name and description of the new site. The next step is to go to the Web Site address section and enter the URL for the new site. The new site falls hierarchically below the default Web site. (SharePoint sites are hierarchical in nature.) It's possible to create new sites beneath both the default site and user-created sites.

For example, I could call the new site Development, a generic Web site for the Research and Development department. The department could then create additional sites beneath the Development site and use them to manage individual projects.

In the next section of this page, Permissions, users can assign unique permissions to the new site or have the new site inherit the permissions of the parent site. If inherited permissions are chosen, the user will not be able to control the permissions of the new site separately from the parent site. If, by chance, the user is an Administrator who tries to change the permissions of the new site, even though it's using inherited permissions, the user will alter the permissions for the parent site as well.

Whether a user should use inherited permissions really depends on the scope of the site that is being created. If the site requires minimum management and will be available to the entire company, then it's probably okay to use inherited permissions. However, if the site will be specific to an individual department, it's better to use unique permissions.
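The inheritance behavior described above, together with the non-cumulative permission levels from the Permission levels section, can be sketched as a small model. This is an added example, not SharePoint code: the Site class, the user names, and the Boats2005 site are constructed, and the starting state of a site with unique permissions (only its creator, as Administrator) is an assumption.

```python
# Toy model of the rules this article describes; not SharePoint code.
# Users and the "Boats2005" site are constructed sample data.

# Which permission levels allow which action, as the article describes them.
ALLOWS = {
    "read":   {"Reader", "Contributor", "Administrator"},
    "post":   {"Contributor", "Administrator"},
    "design": {"Web Designer", "Administrator"},
}

class Site:
    def __init__(self, name, creator, parent=None, inherit=False):
        self.name, self.parent, self.inherit = name, parent, inherit
        # Assumption: a site with unique permissions starts with only its
        # creator listed, as Administrator. An inheriting site has no table.
        self.roles = None if inherit else {creator: {"Administrator"}}

    def governing_site(self):
        """Walk up the hierarchy to the site whose table applies here."""
        site = self
        while site.inherit:
            site = site.parent
        return site

    def grant(self, user, role):
        # On an inheriting site this edits the ancestor's table.
        self.governing_site().roles.setdefault(user, set()).add(role)

    def can(self, user, action):
        held = self.governing_site().roles.get(user, set())
        return bool(held & ALLOWS[action])

def build_sample():
    root = Site("Default", "admin")
    dev = Site("Development", "admin", parent=root, inherit=True)
    boats = Site("Boats2005", "carol", parent=dev, inherit=False)
    dev.grant("dave", "Contributor")     # made on the child, lands on Default
    boats.grant("erin", "Reader")
    boats.grant("erin", "Web Designer")  # two levels held, still cannot post
    return root, dev, boats

if __name__ == "__main__":
    root, dev, boats = build_sample()
    for site in (root, dev, boats):
        gov = site.governing_site()
        print(site.name, "governed by", gov.name,
              {u: sorted(r) for u, r in gov.roles.items()})
```

The grant made on Development shows up on the Default site because both share one table, while Boats2005 stays isolated from both.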

When the user clicks Create, the site will be created and the user will be asked to select a template for the new site. The site will then be available for the user to begin customizing, adding content, and modifying permissions if necessary.

Managing new sites
As you can see, it's relatively safe to let users create custom sites. However, you still need to keep tabs on the sites from time to time to make sure they aren't being used inappropriately. For example, a user could easily create a custom site, place an image gallery on the site, and then use the site as a way of sharing a porno collection with friends.

If you want to occasionally spot-check the sites and see what they're being used for, log in as Administrator and click Site Settings, followed by Go To Site Administration and Manage Sites And Workspaces. You'll see a list of all the sites that exist on the server, along with the time each site was created. You can click on a site to see its contents. Furthermore, the Sites And Workspaces screen contains a link for deleting any unwanted sites, as shown in Figure G.

Figure G
The Sites And Workspaces screen will show you all of the sites on the server.

Safe and sound
Although Windows SharePoint Services does not offer as much granular control as SharePoint Portal Server does, you can still maintain a high degree of control over who can do what on your SharePoint Web sites. Using the built-in utilities, you can restrict users from posting content, modifying the SharePoint site, and creating their own sites. Doing so will ensure that your SharePoint sites are both useful and secure.