Wednesday, August 22, 2007

SharePoint Security Roles (Administration) - Analysis

SharePoint Security Roles - An Analysis 2

For each administrative group, the entries below give the level it belongs to, whether the role exists by default, what its members can do, and what they cannot do.

Server or server farm level: Farm Administrators
Exists by default: Yes
Can do this:
- Perform administrative tasks in Central Administration.
- Take ownership of any content site.
- Access the Shared Services Administration site.
- Create or delete SharePoint Web applications.
- Update the accounts or passwords for existing Web applications and NT services.
- Deploy solutions that require updating the global assembly cache (GAC).
- Restore from backup.
Cannot do this:
- Administer individual sites or site content unless they take ownership.
- Administer My Sites.

Server or server farm level: Administrators
Exists by default: Yes. This is the local Windows Administrators group, which exists by default; it is not a SharePoint group.
Can do this:
- Install products.
- Create new Web applications and new Internet Information Services (IIS) Web sites.
- Start services.
- Deploy Web Parts and new features to the global assembly cache.
- Perform all farm-level tasks in Central Administration (provided that the Central Administration site is located on the local computer).
- Run the Stsadm command-line tool.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.
- Administer databases.

Shared services level: SSO Administrators
Exists by default: No. The SSO service must be enabled before it can be administered, and then the SharePoint group has to be created.
Can do this:
- Configure and manage the SSO service in Office SharePoint Server 2007, including managing the encryption key.
- Create, modify, or delete enterprise application definitions within Office SharePoint Server 2007.
- Redeem SSO tickets. In scenarios in which credentials pass through an intermediary service (such as Microsoft BizTalk Server) before reaching the enterprise application definition, this group is used to give the intermediary service permission to redeem SSO tickets.
- Use Central Administration.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.
- Use the Shared Services Administration Web site.

Shared services level: Enterprise application definition administrators
Exists by default: No. The SSO service must be enabled before it can be administered. The account must be a global group account or an individual user account; it cannot be a domain local group or a distribution list.
Can do this:
- Create, manage, and delete enterprise application definitions.
- Update enterprise application accounts and credentials.
- Access Central Administration.
Cannot do this:
- Administer individual sites or content.
- Administer My Sites.
- Access the Shared Services Administration Web site.

Shared services level: Site collection administrator for the Shared Services Administration site
Exists by default: Yes. The account that created the SSP is automatically the site collection administrator for the Shared Services Administration site.
Can do this:
- Use the Shared Services Administration Web site with the Full Control permission level.
- Configure usage reporting.
- Add users to the default Readers group for sites containing My Sites and profiles.
- Create personal sites.
- Manage sites and user profiles.
- Configure permissions for specific services or delegate administration of shared services to other users.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.

Shared services level: Shared Services administrator
Exists by default: No. The Shared Services site collection administrator must add the user to the Shared Services Administration site and then assign permissions to the appropriate shared services.
Can do this:
- View the Shared Services Administration site.
- Configure usage reporting.
- Add users to the default Readers group for sites containing My Sites and profiles.
- Create personal sites.
- Manage sites and user profiles.
- Configure permissions for specific services or delegate shared services administration to other users.
Cannot do this:
- Administer individual sites or site content.

Shared services level: Search Administrators
Exists by default: No. The Shared Services site collection administrator must add the user to the Shared Services Administration site.
Can do this:
- Create and manage content sources and crawl schedules.
- Manage file types.
- Create and manage the default content access account.
- Create server name mappings.
- Activate or deactivate search-based alerts.
- Create and manage search scopes.
- Specify authoritative Web pages.
- Manage metadata properties.
Cannot do this:
- Access the Central Administration site.

Shared services level: Profile Services administrator
Exists by default: No. The Shared Services site collection administrator adds the user by clicking the Personalization services permissions link.
Can do this:
- Configure personalization services permissions (only if given the Manage Permissions permission).
- Import people properties from directories and the Business Data Catalog.
- Customize and configure My Sites settings and permissions.
- Configure and manage user profiles.
- Configure profile services policies.
- Edit and view all the information in the user's public profile.
Cannot do this:
- Access the Central Administration site.
- Manage audiences (unless specifically granted that permission by the Shared Services site collection administrator).

Shared services level: Audiences Services administrator
Exists by default: No. The Shared Services site collection administrator adds the user by clicking the Personalization services permissions link.
Can do this:
- Configure the Audiences service.
- Manage, create, and compile audiences.
- View audience membership.
Cannot do this:
- Access any other shared services except Excel Services and Search.
- Access the Central Administration page.
- Manage user profiles (unless specifically granted that permission by the Shared Services site collection administrator).

Shared services level: Business Data Catalog service administrator
Exists by default: No. The Shared Services site collection administrator adds the user on the Manage permissions page for the Business Data Catalog.
Can do this:
- Register applications in the Business Data Catalog.
- Configure business data search.
- Customize business data lists, Web Parts, and sites.
- Configure business data profiles.
- Configure business data connections.
Cannot do this:
- Access any other shared services except Excel Services and Search.
- Access the Central Administration site.

Shared services level: Excel Services administrator
Exists by default: No. The Shared Services site collection administrator must add the user to the Shared Services Administration site.
Can do this:
- Add trusted file locations.
- Add trusted data providers.
- Add trusted data connection libraries.
- Add user-defined function assemblies.
- Modify Excel Services settings.
Cannot do this:
- Access the Central Administration site.
- Start and manage the SSO service.
- Start or stop Excel Calculation Services or other services.
- Run Stsadm command-line administrative operations.
- Access other administration pages (for example, the Business Data Catalog Applications page).

Shared services level: Usage reporting administrator
Exists by default: No. This group is created by the Shared Services administrator.
Can do this:
- Configure the usage reporting service by using the Shared Services Administration site.
- View and edit site usage and summary pages.
- Configure search query logging.
Cannot do this:
- Access any other shared services.
- Access the Central Administration site.

Site level: Site collection administrator
Exists by default: Yes
Can do this:
- Perform all administration tasks for sites within the site collection.
Cannot do this:
- Access the Central Administration site.

Site level: Owners
Exists by default: Yes
Can do this:
- Perform administration for the site only, not the entire site collection.
- Perform administrative tasks for documents, lists, and libraries.
Cannot do this:
- Access the Central Administration site.
- Access the Shared Services Administration site.
- Perform site collection administration tasks, such as restoring items from the second-stage Recycle Bin and managing the site hierarchy.

SharePoint Roles - an Analysis

In SharePoint, there are three levels of administrative permissions. The groups of users that have administrative permissions at each level are described in the following list:

Server or server farm level

• Farm Administrators group Members of the Farm Administrators group have permissions for, and responsibility for, all servers in the server farm. Members can perform all administrative tasks in Central Administration for the server or server farm, and can also perform command-line operations. This group does not have access to individual sites or their content. Members can, however, take ownership of a specific site collection if need be (for example, if the administrator of a site leaves the organization and a new administrator must be added). Taking ownership means adding the farm administrator as a site collection administrator, so it is a visible change to that site collection's administrator list rather than an implicit right, and it is the event to look for when reviewing who can reach content.

• Administrators group Members of the Administrators group on the local server can perform all farm administrator actions and more, including installing new products or applications, deploying Web Parts and new features to the global assembly cache, creating new Web applications and new Internet Information Services (IIS) Web sites, and starting services. This is the local Windows group, not a SharePoint group, so its membership is controlled in Windows rather than in Central Administration. Like farm administrators, members of this group on the local server have no access to site content by default.

Shared services level

• SSP administrators Can control which services are included in a Shared Services Provider (SSP) and configure settings for those services.

• Service administrators Can configure settings for a specific service within an SSP. For example, the service administrator for the Search service on Service1 can configure search settings for Service1.

Site level

• Site collection administrators Have the Full Control permission level on all Web sites within a site collection. This means that they have access to content in all sites in that site collection, even if they do not have explicit permissions on that site.

• Site owners By default, members of the Owners group for a site have the Full Control permission level on that site. They can perform administration tasks for the site, and for any list or library within that site.
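To make the scoping rules above concrete, here is an added example (not code from the post or from SharePoint itself) that models them in Python: farm administrators have no content access until they take ownership, a site collection administrator reaches every web in the collection whether or not it has explicit permissions there, and an Owners group member reaches only the web whose Owners group lists them. The accounts and URLs are constructed, and the ownership log is an assumption of the model rather than a SharePoint feature.

```python
"""Model of the three administrative levels described above.

Added example; not code from the post or from SharePoint. It encodes only what
the text states: farm administrators have no site content access by default,
a farm administrator gains it by taking ownership of a site collection, a site
collection administrator has Full Control on every web in the collection, and
an Owners group member has Full Control only on the web that lists them.
All account names and URLs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SiteCollection:
    url: str                                     # root web URL, e.g. "/sites/hr"
    admins: set = field(default_factory=set)     # site collection administrators
    owners: dict = field(default_factory=dict)   # web URL -> members of that web's Owners group


@dataclass
class Farm:
    farm_admins: set = field(default_factory=set)
    site_collections: dict = field(default_factory=dict)  # root URL -> SiteCollection
    ownership_log: list = field(default_factory=list)     # (account, root URL), assumed audit trail

    def site_collection_for(self, web_url: str) -> SiteCollection:
        """Resolve a web to its site collection: the longest root URL that contains it."""
        roots = [u for u in self.site_collections
                 if web_url == u or web_url.startswith(u.rstrip("/") + "/")]
        if not roots:
            raise KeyError("no site collection contains %s" % web_url)
        return self.site_collections[max(roots, key=len)]

    def take_ownership(self, account: str, root_url: str) -> None:
        """The farm-level escalation the text describes: a farm administrator adds
        itself as site collection administrator. Only that path is modelled here,
        and every use is logged so it can be reviewed afterwards."""
        if account not in self.farm_admins:
            raise PermissionError("%s is not a farm administrator" % account)
        self.site_collections[root_url].admins.add(account)
        self.ownership_log.append((account, root_url))

    def content_access(self, account: str, web_url: str):
        """Why an account has Full Control on a web, or None if it has no access."""
        sc = self.site_collection_for(web_url)
        if account in sc.admins:
            return "site collection administrator of %s" % sc.url
        if account in sc.owners.get(web_url, set()):
            return "Owners group member on %s" % web_url
        return None

    def farm_admins_with_content(self) -> list:
        """Farm administrators who also hold site collection administration somewhere,
        i.e. whose reach now exceeds the default for their role."""
        return sorted(a for a in self.farm_admins
                      if any(a in sc.admins for sc in self.site_collections.values()))


def build_demo() -> Farm:
    """Constructed farm: one site collection with a sub-web and three accounts."""
    hr = SiteCollection("/sites/hr",
                        admins={"CONTOSO\\hrlead"},
                        owners={"/sites/hr/benefits": {"CONTOSO\\benefits"}})
    return Farm(farm_admins={"CONTOSO\\spfarm"}, site_collections={"/sites/hr": hr})


def run_demo() -> dict:
    """Walk the scenario from the text and return every result by name."""
    farm = build_demo()
    before = farm.content_access("CONTOSO\\spfarm", "/sites/hr/benefits")
    farm.take_ownership("CONTOSO\\spfarm", "/sites/hr")
    after = farm.content_access("CONTOSO\\spfarm", "/sites/hr/benefits")
    return {
        "farm_admin_before": before,
        "farm_admin_after": after,
        "sc_admin_on_subweb": farm.content_access("CONTOSO\\hrlead", "/sites/hr/benefits"),
        "owner_on_own_web": farm.content_access("CONTOSO\\benefits", "/sites/hr/benefits"),
        "owner_on_root_web": farm.content_access("CONTOSO\\benefits", "/sites/hr"),
        "escalated": farm.farm_admins_with_content(),
        "log": list(farm.ownership_log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-20s %s" % (key, value))
```

The longest-prefix match in site_collection_for is what makes "/sites/hr/benefits" inherit from "/sites/hr": site collection administration flows down to every web in the collection, while an Owners membership does not flow up or sideways.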


WSS and MOSS Features

WSS 3.0 vs MOSS 2007

During my recent analysis of WSS 3.0 and MOSS 2007 Features, I came across some interesting finds.

1. MOSS 2007 has 106 features and WSS 3.0 has 31 features.

2. A MOSS 2007 installation has a total of 137 features, because MOSS 2007 is installed on top of WSS 3.0.

3. WSS 3.0 alone can satisfy your collaboration needs if you do not require Business Intelligence Web Parts, Excel Services, KPIs, Enterprise Search, My Sites and the like.

4. WSS 3.0 has the following features:

Feature - Description

AdminLinks - All the site admin links
AnnouncementsList - Announcements list
BasicWebParts - All the Web Parts in the Add Web Parts dialog box in WSS 3.0
ContactsList - Contacts list
ContentLightup - Ability to highlight search results for a specific content type
ContentTypeSettings - All the settings related to content types
ctypes - Ability to add/edit/delete/manage content types on a list/library
CustomList - Add/edit/delete/manage custom lists
DataSourceLibrary - Ability to add/edit/delete/manage data source libraries
DiscussionsList - Ability to add/edit/delete/manage Discussions lists
DocumentLibrary - Ability to add/edit/delete/manage Document Library lists
EventsList - Ability to add/edit/delete/manage Events lists
fields - Ability to add/edit/delete/manage fields in lists
GanttTasksList - Ability to add/edit/delete/manage Gantt-chart-enabled Tasks lists
GridList - Ability to add/edit/delete/manage the grid view of a list
IssuesList - Ability to add/edit/delete/manage Issues lists
IssueTrackingWorkflow - Ability to add/edit/delete/manage the issue tracking workflow
LinksList - Ability to add/edit/delete/manage Links lists
MobilityRedirect - Ability to redirect a request from a mobile phone to the mobile UI pages
NoCodeWorkflowLibrary - Ability to add/edit/delete/manage workflows without writing code
PictureLibrary - Ability to add/edit/delete/manage picture libraries
SiteSettings - Site Settings page
SPSearchFeature - WSS simple search
SurveysList - Ability to add/edit/delete/manage Survey lists
TasksList - Ability to add/edit/delete/manage Tasks lists
TeamCollab - All the team collaboration features
WebPageLibrary - Ability to add/edit/delete/manage Web pages
WikiWelcome - Ability to add/edit/delete/manage the wiki welcome page
WorkflowHistoryList - Ability to add/edit/delete/manage the Workflow History list
WorkflowProcessList - Ability to add/edit/delete/manage the Workflow Process list
XmlFormLibrary - Ability to add/edit/delete/manage XML Form library lists

5. To get the list of features in your SharePoint installation, there is a free beta tool called Feature Explorer from InfoTech Canada. You can download the tool from http://www.infotechcanada.com/productivity_solutions/feature-explorer-form.aspx (registration required). What the tool does is very basic for now (it might improve in subsequent releases), and you can get the same information very easily from your SharePoint installation yourself. Here is how:

Log on to the SharePoint server and browse to the "%PROGRAMFILES%\common files\microsoft shared\web server extensions\12\TEMPLATE\FEATURES\" directory. Every folder in this directory represents one feature. The folder name is only a label: the feature's Id, Title, Scope and Hidden flag are in the Feature.xml inside each folder, and a folder on disk does not mean the feature is installed in the farm (that is what stsadm -o installfeature does) or activated anywhere.
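As an added example (not code from the post or from the Feature Explorer tool), the Python script below performs that enumeration against a constructed FEATURES tree: it reads each folder's Feature.xml and reports the features that carry a receiver assembly, the hidden ones, the farm-scoped ones, and the folders that cannot be parsed. The attribute names are those of the WSS 3.0 Feature.xml schema; the folder names, GUIDs and the Contoso assembly are made up for the demo.

```python
"""Enumerate and audit features from a SharePoint 2007 FEATURES directory.

Added example; not code from the post or from the Feature Explorer tool. The
Feature.xml attribute names used here (Id, Title, Scope, Hidden, Version,
ReceiverAssembly, ReceiverClass) are the WSS 3.0 feature schema; every folder
name, GUID and assembly name below is constructed for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.microsoft.com/sharepoint/"

# Constructed Feature.xml contents standing in for real feature folders.
SAMPLE_FEATURES = {
    "SampleTeamLists": (
        f'<Feature xmlns="{SP_NS}" Id="11111111-1111-1111-1111-111111111111" '
        'Title="Sample Team Lists" Scope="Web" Hidden="FALSE" Version="1.0.0.0">'
        '<ElementManifests/></Feature>'
    ),
    "SampleHiddenHelper": (
        f'<Feature xmlns="{SP_NS}" Id="22222222-2222-2222-2222-222222222222" '
        'Title="Sample Hidden Helper" Scope="Site" Hidden="TRUE" Version="1.0.0.0"/>'
    ),
    "SampleFarmReceiver": (
        f'<Feature xmlns="{SP_NS}" Id="33333333-3333-3333-3333-333333333333" '
        'Title="Sample Farm Receiver" Scope="Farm" Hidden="FALSE" Version="1.0.0.0" '
        'ReceiverAssembly="Contoso.Sample, Version=1.0.0.0, Culture=neutral, '
        'PublicKeyToken=0000000000000000" '
        'ReceiverClass="Contoso.Sample.FeatureReceiver"/>'
    ),
    # Truncated file: what a half-copied or tampered feature folder looks like.
    "SampleBroken": f'<Feature xmlns="{SP_NS}" Id="44444444-',
}


def parse_feature(folder: str) -> dict:
    """Read <folder>\\Feature.xml into a flat record.

    Problems are reported in the record's 'error' field instead of raised, so
    one bad folder cannot abort the audit of the whole directory.
    """
    record = {"folder": os.path.basename(folder), "id": None, "title": None,
              "scope": None, "hidden": False, "receiver_assembly": None,
              "receiver_class": None, "error": None}
    manifest = os.path.join(folder, "Feature.xml")
    if not os.path.isfile(manifest):
        record["error"] = "no Feature.xml"
        return record
    try:
        root = ET.parse(manifest).getroot()
    except ET.ParseError as exc:
        record["error"] = f"malformed XML: {exc}"
        return record
    if root.tag != f"{{{SP_NS}}}Feature":
        record["error"] = f"root element is {root.tag}, not a Feature"
        return record
    record["id"] = (root.get("Id") or "").lower()
    record["title"] = root.get("Title")
    record["scope"] = root.get("Scope")
    record["hidden"] = (root.get("Hidden") or "FALSE").upper() == "TRUE"
    record["receiver_assembly"] = root.get("ReceiverAssembly")
    record["receiver_class"] = root.get("ReceiverClass")
    return record


def enumerate_features(features_root: str) -> list:
    """One record per sub-folder, since every folder under FEATURES is a feature."""
    return [parse_feature(os.path.join(features_root, name))
            for name in sorted(os.listdir(features_root))
            if os.path.isdir(os.path.join(features_root, name))]


def audit_features(records: list) -> dict:
    """Group the records the way a review of a farm's feature set needs them.

    receivers: a feature receiver is compiled code loaded from the GAC and run
               with full trust whenever the feature is activated or deactivated,
               so each one is a code-execution path worth knowing about.
    hidden:    Hidden="TRUE" features do not appear on the Site Features pages
               but can still be activated with stsadm or the object model.
    farm:      Farm-scoped features apply to the whole farm.
    errors:    folders that could not be parsed; a tampered or half-deployed
               feature looks exactly like this.
    """
    return {
        "count": len(records),
        "receivers": [r["folder"] for r in records if r["receiver_assembly"]],
        "hidden": [r["folder"] for r in records if r["hidden"]],
        "farm": [r["folder"] for r in records if r["scope"] == "Farm"],
        "errors": [(r["folder"], r["error"]) for r in records if r["error"]],
    }


def build_sample_tree(base: str) -> str:
    """Write the constructed samples under <base>/FEATURES and return that path."""
    root = os.path.join(base, "FEATURES")
    for folder, xml_text in SAMPLE_FEATURES.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "Feature.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    os.makedirs(os.path.join(root, "SampleNoManifest"))  # folder with no manifest at all
    return root


def run_sample_audit() -> dict:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_features(enumerate_features(build_sample_tree(tmp)))


if __name__ == "__main__":
    # On a real server call enumerate_features() on
    # %PROGRAMFILES%\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES
    for key, value in run_sample_audit().items():
        print(f"{key:10} {value}")
```

Run it as-is to see the constructed audit; on a server, pass the real FEATURES path to enumerate_features() and diff the output against a known-good copy after each deployment, since a new folder with a ReceiverAssembly is exactly what a dropped-in malicious feature would look like.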

6. The 106 MOSS 2007-only features are listed below; they were moved into a separate post because of the content-length restriction on this blog.

MOSS 2007 Features:

Feature - Description

AddDashboard - Ability to add/edit/delete/manage dashboards
Analytics - Ability to add/edit/delete/manage analytics components
AnalyticsLinks - Ability to add/edit/delete/manage analytics links components
BaseSite - Ability to add/edit/delete/manage base sites
BaseSiteStapling - Ability to staple base sites in the top navigation bar
BaseWeb - Ability to add/edit/delete/manage base sites
BaseWebApplication - Ability to add/edit/delete/manage base sites
BDCAdminUILinks - Ability to add/edit/delete/manage Business Data Catalog applications (Web Parts)
BDR - Ability to add/edit/delete/manage BDR components
BizAppsCTypes - Ability to add/edit/delete/manage Business Applications content types
BizAppsFields - Ability to add/edit/delete/manage Business Applications fields
BizAppsListTemplates - Ability to add/edit/delete/manage Business Applications list templates
BizAppsSiteTemplates - Ability to add/edit/delete/manage Business Applications site templates
BulkWorkflow - Ability to add/edit/delete/manage bulk workflow
BulkWorkflowTimerJob - Ability to add/edit/delete/manage the timer job for bulk workflow
DataConnectionLibrary - Ability to add/edit/delete/manage data connection libraries
DataConnectionLibraryStapling - Ability to staple the data connection library
DeploymentLinks - Ability to add/edit/delete/manage deployment links
DMContentTypeSettings - Ability to add/edit/delete/manage document management content type settings
EawfSite
EawfWeb
EnhancedHtmlEditing - Ability to edit content with the enhanced HTML editing feature of publishing
ExcelServer - Ability to use Excel Services
ExcelServerSite - Ability to add/edit/delete/manage Excel Server sites
ExcelServerWebApplication - Ability to add/edit/delete/manage Excel Server web applications
ExpirationWorkflow - Ability to add/edit/delete/manage the expiration workflow
FeaturePushdown - Ability to manage feature pushdown from the portal/farm level
GlobalWebParts - Ability to add/edit/delete/manage global Web Parts at farm level
GradualUpgrade - Ability to upgrade SharePoint gradually
Hold
ipfsAdminLinks
ListTargeting - Ability to target lists to audiences
LocalSiteDirectoryControl - Ability to create/manage the Site Directory
LocalSiteDirectoryMetaData - Ability to create/manage Site Directory metadata
LocalSiteDirectorySettingsLink - Ability to create/manage Site Directory settings links
MasterSiteDirectoryControl - Ability to create/manage the master Site Directory (portal/farm level)
MigrationLinks - Ability to migrate content from previous versions of SharePoint
MySite - Ability to add/edit/delete My Sites for users
MySiteBlog - Ability to add/edit/delete/manage the My Site blog
MySiteCleanup - Ability to clean up My Sites
MySiteHost - Ability to create/manage the My Site host
MySiteLayouts - Ability to add/edit/delete/manage My Site layouts
MySiteNavigation - Ability to add/edit/delete/manage My Site navigation
MySiteQuickLaunch - Ability to add/edit/delete/manage the My Site quick launch
Navigation - Ability to add/edit/delete/manage navigation
NavigationProperties - Ability to add/edit/delete/manage navigation properties
OffWFCommon
OSearchBasicFeature - Ability to manage basic search
OSearchCentralAdminLinks - Ability to manage search links in Central Administration
OSearchEnhancedFeature - Ability to manage enhanced search features
OSearchPortalAdminLinks - Ability to manage search-related portal admin links
OSearchSRPAdminLinks
OsrvLinks
OsrvTasks
OssNavigation
OSSSearchSearchCenterUrlFeature - Ability to manage the Search Center URL feature
OSSSearchSearchCenterUrlSiteFeature - Ability to manage the Search Center URL site feature
PageConverters - Ability to use page converters
PortalLayouts - Ability to manage portal layouts
PublishingLayouts - Ability to manage publishing layouts
PublishingPrerequisites - Ability to manage publishing prerequisites
PublishingResources - Ability to manage publishing resources
PublishingSite - Ability to manage a publishing site collection
PublishingStapling - Ability to manage publishing stapling
PublishingWeb - Ability to manage publishing sites
RecordsManagement - Records Management site templates and features
RedirectPageContentTypeBinding
RelatedLinksScopeSettingsLink - Ability to manage the Related Links section's Scope Settings link
ReportCenterCreation - Ability to add/edit/delete/manage Report Center sites
ReportCenterSampleData - Ability to add/edit/delete/manage a Report Center site's sample data
Reporting - Ability to add/edit/delete/manage reporting
ReportListTemplate - Ability to manage the report list template
ReviewWorkflows - Ability to review workflows
SearchAndProcess
SearchWebParts - Ability to add/remove search Web Parts
SharedServices - Ability to manage Shared Services
SignaturesWorkflow - Ability to manage signature workflows
SitesList - Ability to manage the sites list
SkuUpgradeLinks
SlideLibrary - Ability to add/edit/delete/manage slide libraries
SlideLibraryActivation - Ability to add/edit/delete/manage slide library activation
SpellChecking - Ability to spell check
SPSDisco - Ability to discover Web services
SpsSsoLinks - Ability to manage SSO links
SRPProfileAdmin - Ability to manage profiles
StapledWorkflows - Ability to staple workflows
TranslationWorkflow - Ability to add/edit/delete/manage translation workflows
TransMgmtFunc - Ability to add/edit/delete/manage translation management functionality
TransMgmtLib - Ability to add/edit/delete/manage
UpgradeOnlyFile
IPFSAdminWeb
IPFSDocumentConversion
IPFSSiteFeatures
IPFSWebFeatures
LegacyDocumentLibrary - Ability to add/edit/delete/manage legacy document libraries
PremiumRootSite - Ability to add/edit/delete/manage premium root sites
PremiumRootSiteStapling - Ability to add/edit/delete/manage premium root site stapling
PremiumSite - Ability to add/edit/delete/manage premium site collections
PremiumSiteStapling - Ability to add/edit/delete/manage premium site collection stapling
PremiumWeb - Ability to add/edit/delete/manage premium sites
PremiumWebApplication - Ability to add/edit/delete/manage premium web applications
ProfileSynch - Ability to synchronize profiles with AD
Publishing - Ability to manage publishing features
UserMigrator - Ability to migrate users
ViewFormPagesLockDown
WebPartAdderGroups - Ability to manage the groups that can add Web Parts