SharePoint 2013 Groups, Permission Levels, And Policies
Users of SharePoint sites can be managed efficiently by assigning permission levels to groups instead of to individuals. The membership of a SharePoint group can include AD DS groups as well as individual users.
Two kinds of groups are commonly used to organize users in AD DS. Distribution groups are used only for e-mail distribution and are not security-enabled, so they cannot be listed in discretionary access control lists (DACLs), which define permissions on resources and objects. Security groups can be listed in DACLs, and they can also be used as an e-mail entity.
To use security groups to control permissions for a site, add the security groups to SharePoint groups and then grant permission levels to the SharePoint groups. You cannot add distribution groups to SharePoint groups; you can, however, expand a distribution group and add its individual members to a SharePoint group.
If you use this method, you must manually keep the SharePoint group in sync with the distribution group. When you use security groups instead, you do not have to manage the individual users in the SharePoint application, because you added the security group rather than its individual members; the users are managed for you in AD DS.
To make security easier to manage, it is not recommended to assign permission levels directly to AD DS groups, or to add security groups that contain nested security groups, contacts, or distribution lists.
Adding security groups to SharePoint groups provides central management of both the groups and their security. The only place where you manage individual users is the security group. Once you have added the security group to SharePoint, you do not have to manage its individual members within SharePoint: when a user is removed from the security group, the user is automatically removed from the SharePoint group as well.
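The following PowerShell is an added example, not code from the original article: it adds an AD DS security group to an existing SharePoint group through the SharePoint 2013 Management Shell, so that membership is managed in AD DS from then on. The site URL, the SharePoint group name and the AD group CONTOSO\AR-Staff are placeholders, and the script assumes a claims-based web application (the SharePoint 2013 default), where a Windows security group must be added by its encoded claim rather than by its DOMAIN\name.

```powershell
# Added example (not code from the original article): add an AD DS security
# group to a SharePoint group. Run in the SharePoint 2013 Management Shell as a
# user with Full Control on the site. Assumptions: the site URL, the SharePoint
# group name and the AD group CONTOSO\AR-Staff are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-SecurityGroupToSPGroup {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $SPGroupName,
        [Parameter(Mandatory)] [string] $AdGroup      # DOMAIN\GroupName
    )

    # In a claims-based web application a Windows security group is identified
    # by its encoded claim (c:0+.w|<SID>), not by the plain DOMAIN\name string.
    $claim = New-SPClaimsPrincipal -Identity $AdGroup -IdentityType WindowsSecurityGroupName
    $alias = $claim.ToEncodedString()

    # New-SPUser resolves the principal and adds it to the SharePoint group;
    # it fails if the group cannot be resolved in AD DS.
    New-SPUser -UserAlias $alias -Web $SiteUrl -Group $SPGroupName | Out-Null

    # Verify that the new member is recorded as a domain group, not as a user,
    # so that AD DS (and not SharePoint) is where membership is maintained.
    $member = Get-SPUser -Web $SiteUrl -Group $SPGroupName |
        Where-Object { $_.LoginName -eq $alias }
    if ($null -eq $member -or -not $member.IsDomainGroup) {
        throw "'$AdGroup' was not added to '$SPGroupName' as a security group"
    }
    return $member
}

# Placeholder site, SharePoint group and AD group.
Add-SecurityGroupToSPGroup -SiteUrl "http://intranet.contoso.com" `
    -SPGroupName "Intranet Visitors" -AdGroup "CONTOSO\AR-Staff" |
    Select-Object DisplayName, LoginName, IsDomainGroup
```

Because the group is added as a single principal, removing a person from CONTOSO\AR-Staff in AD DS removes their access to the site without any change in SharePoint, which is the central-management benefit described above.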
Note that security groups in SharePoint sites do not provide full visibility into what is taking place. When a security group is added to a SharePoint group for a site, that site does not appear in My Sites for the group's members, and the User Information List does not show the individual users unless they have actually contributed to the site. In addition, security groups with deeply nested structures can break SharePoint sites.
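Since deeply nested security groups are called out above as a risk, and since a security group hides its individual members from the site, an administrator needs a way to see what a SharePoint group actually contains. The following audit script is an added example, not part of the original article: for every SharePoint group on a site it lists each member, resolves members that are AD DS groups back to AD DS, reports whether they are security or distribution groups, and measures how deeply they nest other groups. It assumes the site URL is a placeholder, that the ActiveDirectory PowerShell module (RSAT) is installed on the server, and that in a claims web application a Windows group's login name carries the group SID after the last "|" (in a classic-mode web application it is DOMAIN\name, which the script also handles).

```powershell
# Added example (not code from the original article): audit SharePoint group
# membership and the nesting depth of AD DS groups that were added to it.
# Assumptions: placeholder site URL; ActiveDirectory module available;
# claims login names look like c:0+.w|<SID>, classic ones like DOMAIN\name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-AdGroupNestingDepth {
    # Returns the deepest chain of group-in-group membership below $GroupDn.
    param([string] $GroupDn, [int] $Depth = 0, [hashtable] $Seen = @{})
    # AD DS allows circular nesting; stop if this group was already visited.
    if ($Seen.ContainsKey($GroupDn)) { return $Depth }
    $Seen[$GroupDn] = $true
    $max = $Depth
    foreach ($m in Get-ADGroupMember -Identity $GroupDn) {
        if ($m.objectClass -eq 'group') {
            $d = Get-AdGroupNestingDepth -GroupDn $m.distinguishedName -Depth ($Depth + 1) -Seen $Seen
            if ($d -gt $max) { $max = $d }
        }
    }
    return $max
}

function Get-SPGroupNestingReport {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [int] $MaxDepth = 2      # flag groups nested deeper than this
    )
    $web = Get-SPWeb $SiteUrl
    try {
        foreach ($g in $web.SiteGroups) {
            foreach ($u in $g.Users) {
                if (-not $u.IsDomainGroup) {
                    [pscustomobject]@{ SPGroup = $g.Name; Member = $u.LoginName;
                        Kind = 'User'; NestingDepth = 0; Flag = '' }
                    continue
                }
                # Claims: take the SID after the last '|'; classic: strip DOMAIN\.
                $id = if ($u.LoginName -like '*|*') { $u.LoginName.Split('|')[-1] }
                      else { ($u.LoginName -split '\\')[-1] }
                $ad = Get-ADGroup -Identity $id -ErrorAction SilentlyContinue
                if ($null -eq $ad) {
                    [pscustomobject]@{ SPGroup = $g.Name; Member = $u.LoginName;
                        Kind = 'Group (not found in AD DS)'; NestingDepth = -1; Flag = 'orphaned' }
                    continue
                }
                $depth = Get-AdGroupNestingDepth -GroupDn $ad.DistinguishedName
                $flag = if ($ad.GroupCategory -eq 'Distribution') { 'distribution group' }
                        elseif ($depth -gt $MaxDepth) { 'deeply nested' } else { '' }
                [pscustomobject]@{ SPGroup = $g.Name; Member = $ad.Name;
                    Kind = "$($ad.GroupCategory) group"; NestingDepth = $depth; Flag = $flag }
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

# Placeholder site URL.
Get-SPGroupNestingReport -SiteUrl "http://intranet.contoso.com" | Format-Table -AutoSize
```

Rows flagged "deeply nested" are the ones the recommendation above warns about; rows flagged "orphaned" are group entries whose AD DS object no longer exists and can be removed from the SharePoint group.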
For intranet sites that are broadly accessed, use security groups rather than individual users. For collaboration sites accessed by small groups of users, add the users directly to the SharePoint groups: in this case there is a need to know more about each member, and for the group members to have e-mail and other contact information for the others in the group.
Each organization sets up its security groups differently. For easy permission management, you want security groups that are large and stable enough that you do not have to keep adding more security groups to the SharePoint sites, but small enough that you can assign the appropriate permissions.
A security group called All Users is unlikely to be small enough to assign permissions to, unless all of its members have the same job function, which very rarely happens in an organization. Look instead for smaller and more specific sets of users, such as Accounts Receivable.
You can decide to allow all users in a domain to view the content on your site. If so, consider granting access to all authenticated users through the Domain Users Windows security group. This special group lets the members of the domain access a website at the permission level you select, without your having to enable anonymous access.
You also have the option to enable anonymous access, which lets users view pages without their identity being known. This is how most sites on the Internet allow viewing, although they ask for authentication when a user wants to edit the site or buy an item while shopping online. Anonymous access is disabled by default, so you must grant it at the web application level when the web application is created.
When anonymous access is allowed for a web application, the site administrator can decide to grant anonymous access to a site or to any of the content on that site. Anonymous access relies on the anonymous user account on the web server; that account is created and maintained by Internet Information Services, not by your SharePoint site.
By default, the Internet Information Services anonymous user account is called IUSR. Enabling anonymous access grants this account access to the SharePoint site: when you allow anonymous access to a site, list, or library, you grant the View Items permission to the anonymous user account.
Some restrictions still apply to anonymous users. They cannot open sites for editing with Office SharePoint Designer, view sites in My Network Places, or upload or edit documents in document libraries, including wiki libraries.
Permission policies provide a centralized way to configure and manage a set of permissions that applies only to a subset of users or groups for a web application. You can manage the permission policy for anonymous users when you enable or disable anonymous access for the web application.
If you enable anonymous access for a web application, site administrators can grant or deny anonymous access at the site collection or item level. If anonymous access is disabled for a web application, no site in that web application is accessible to anonymous users. The available anonymous access policies are:
- None: No policy; this is the default option. No additional permission restrictions or additions are applied to the site for anonymous users.
- Deny Write: Anonymous users cannot write content, even if the site administrator has attempted to grant them that permission through the anonymous user account.
- Deny All: Anonymous users have no access to anything, even if the site administrator has attempted to grant them that permission through the anonymous user account.
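Because anonymous access is switched on at the web application level and then granted again by site administrators per site, list, or library, the places where it is actually in effect are easy to lose track of. The following report is an added example, not code from the original article: it walks every web application in the farm and prints the zones where anonymous access is allowed, the sites whose anonymous state is not Disabled, and the lists and libraries that grant any permission to the anonymous user. It assumes it is run in the SharePoint 2013 Management Shell as a farm administrator, and it relies on the server object model properties SPIisSettings.AllowAnonymous, SPWeb.AnonymousState and SPList.AnonymousPermMask64; it does not read the zone permission policy itself.

```powershell
# Added example (not code from the original article): report where anonymous
# access is enabled across a SharePoint 2013 farm, at web application zone,
# site and list level. Assumptions: run as a farm administrator in the
# SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousAccessReport {
    foreach ($wa in Get-SPWebApplication) {
        $anyZoneAnonymous = $false
        foreach ($zone in $wa.IisSettings.Keys) {
            $allow = $wa.IisSettings[$zone].AllowAnonymous
            if ($allow) { $anyZoneAnonymous = $true }
            [pscustomobject]@{ Scope = 'WebApplication'; Target = "$($wa.DisplayName) [$zone]";
                Anonymous = $allow; Detail = '' }
        }
        # If no zone allows anonymous access, nothing below can be anonymous,
        # whatever the site administrators have configured.
        if (-not $anyZoneAnonymous) { continue }

        foreach ($site in $wa.Sites) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        # Site-level setting chosen by the site administrator.
                        if ("$($web.AnonymousState)" -ne 'Disabled') {
                            [pscustomobject]@{ Scope = 'Site'; Target = $web.Url;
                                Anonymous = $true; Detail = "AnonymousState=$($web.AnonymousState)" }
                        }
                        # List/library-level grants to the anonymous user
                        # (e.g. ViewListItems for read-only viewing).
                        foreach ($list in $web.Lists) {
                            if ($list.Hidden) { continue }
                            if ("$($list.AnonymousPermMask64)" -ne 'EmptyMask') {
                                [pscustomobject]@{ Scope = 'List'; Target = "$($web.Url)/$($list.Title)";
                                    Anonymous = $true; Detail = "$($list.AnonymousPermMask64)" }
                            }
                        }
                    }
                    finally { $web.Dispose() }
                }
            }
            finally { $site.Dispose() }
        }
    }
}

Get-AnonymousAccessReport | Format-Table -AutoSize
```

Any "List" row whose Detail shows more than view-type permissions is worth a second look, since anonymous users are expected to receive only the View Items permission described above; the Deny Write and Deny All policies at the zone level are the way to guarantee that such grants cannot take effect.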