
Wednesday, August 22, 2007

SharePoint Security Roles (Administration) - Analysis

SharePoint Security Roles - An Analysis 2

Each role below is listed with its admin level, the SharePoint group that holds it, whether the role exists by default, what members of the role can do, and what they cannot do.

Admin level: Server or server farm level
SharePoint group: Farm Administrators
Does the role exist by default? Yes.
Can do this:
- Perform administrative tasks in Central Administration.
- Take ownership of any content site.
- Access the Shared Services Administration site.
- Create or delete SharePoint Web applications.
- Update the accounts or passwords for existing Web applications and NT services.
- Deploy solutions that require updating the global assembly cache (GAC).
- Restore from backup.
Cannot do this:
- Administer individual sites or site content unless they take ownership.
- Administer My Sites.

Admin level: Server or server farm level
SharePoint group: Administrators
Does the role exist by default? Yes. This is a Windows group that exists by default; it is not a SharePoint group.
Can do this:
- Install products.
- Create new Web applications and new Internet Information Services (IIS) Web sites.
- Start services.
- Deploy Web Parts and new features to the global assembly cache.
- Perform all farm-level tasks in Central Administration (provided that the Central Administration site is located on the local computer).
- Run the Stsadm command-line tool.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.
- Administer databases.

Admin level: Shared services level
SharePoint group: SSO Administrators
Does the role exist by default? No. The SSO service must be enabled before administration can occur, and then the SharePoint group must be created.
Can do this:
- Configure and manage the SSO service in Office SharePoint Server 2007, including managing the encryption key.
- Create, modify, or delete enterprise application definitions within Office SharePoint Server 2007.
- Redeem SSO tickets. In scenarios in which credentials pass through an intermediary service (such as Microsoft BizTalk Server) before reaching the enterprise application definition, this group is used to give intermediary services permission to redeem SSO tickets.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.
- Use the Shared Services Administration Web site.
- Use Central Administration.

Admin level: Shared services level
SharePoint group: Enterprise application definition administrators
Does the role exist by default? No. The SSO service must be enabled before administration can occur. The account must be a global group account or an individual user account; it cannot be a domain local group or a distribution list.
Can do this:
- Create, manage, and delete enterprise application definitions.
- Update enterprise application accounts and credentials.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.
- Access the Shared Services Administration Web site.
- Access Central Administration.

Admin level: Shared services level
SharePoint group: Site collection administrator for the Shared Services Administration site
Does the role exist by default? Yes. The account that created the SSP is automatically the site collection administrator for the Shared Services Administration site.
Can do this:
- Use the Shared Services Administration Web site with the Full Control permission level.
- Configure usage reporting.
- Add users to the default Readers group for sites containing My Sites and profiles.
- Create personal sites.
- Manage sites and user profiles.
- Configure permissions for specific services or delegate administration of shared services to other users.
Cannot do this:
- Administer individual sites or site content.
- Administer My Sites.

Admin level: Shared services level
SharePoint group: Shared Services administrator
Does the role exist by default? No. The Shared Services site collection administrator must add a user to the Shared Services Administration site and then assign permissions to the appropriate shared services.
Can do this:
- View the Shared Services Administration site.
- Configure usage reporting.
- Add users to the default Readers group for sites containing My Sites and profiles.
- Create personal sites.
- Manage sites and user profiles.
- Configure permissions for specific services or delegate shared services administration to other users.
Cannot do this:
- Administer individual sites or site content.

Admin level: Shared services level
SharePoint group: Search Administrators
Does the role exist by default? No. The Shared Services site collection administrator must add a user to the Shared Services Administration site.
Can do this:
- Create and manage content sources and crawl schedules.
- Manage file types.
- Create and manage the default content access account.
- Create server name mappings.
- Activate or deactivate search-based alerts.
- Create and manage search scopes.
- Specify authoritative Web pages.
- Manage metadata properties.
Cannot do this:
- Access the Central Administration site.

Admin level: Shared services level
SharePoint group: Profile Services administrator
Does the role exist by default? No. The Shared Services site collection administrator adds a user by clicking the Personalization services permissions link.
Can do this:
- Configure personalization services permissions (only if given the Manage Permissions permission).
- Import people properties from directories and the Business Data Catalog.
- Customize and configure My Sites settings and permissions.
- Configure and manage user profiles.
- Configure profile services policies.
- Edit and view all the information in the user public profile.
Cannot do this:
- Access the Central Administration site.
- Manage audiences (unless specifically granted that permission by the Shared Services site collection administrator).

Admin level: Shared services level
SharePoint group: Audiences Services administrator
Does the role exist by default? No. The Shared Services site collection administrator adds a user by clicking the Personalization services permissions link.
Can do this:
- Configure the Audiences service.
- Manage, create, and compile audiences.
- View audience membership.
Cannot do this:
- Access any other shared services except Excel Services and Search.
- Access the Central Administration page.
- Manage user profiles (unless specifically granted that permission by the Shared Services site collection administrator).

Admin level: Shared services level
SharePoint group: Business Data Catalog service administrator
Does the role exist by default? No. The Shared Services site collection administrator adds a user on the Manage permissions page for the Business Data Catalog.
Can do this:
- Register applications in the Business Data Catalog.
- Configure business data search.
- Customize business data lists, Web Parts, and sites.
- Configure business data profiles.
- Configure business data connections.
Cannot do this:
- Access any other shared services except Excel Services and Search.
- Access the Central Administration site.

Admin level: Shared services level
SharePoint group: Excel Services administrator
Does the role exist by default? No. The Shared Services site collection administrator must add a user to the Shared Services Administration site.
Can do this:
- Add trusted file locations.
- Add trusted data providers.
- Add trusted data connection libraries.
- Add user-defined function assemblies.
- Modify Excel Services settings.
Cannot do this:
- Access the Central Administration site.
- Start and manage the SSO service.
- Start or stop Excel Calculation Services or other services.
- Run Stsadm command-line administrative operations.
- Access other administration pages (for example, the Business Data Catalog Applications page).

Admin level: Shared services level
SharePoint group: Usage reporting administrator
Does the role exist by default? No. This group is created by the Shared Services administrator.
Can do this:
- Configure the usage reporting service by using the Shared Services Administration site.
- View and edit site usage and summary pages.
- Configure search query logging.
Cannot do this:
- Access any other shared services.
- Access the Central Administration site.

Admin level: Site level
SharePoint group: Site collection administrator
Does the role exist by default? Yes.
Can do this:
- Perform all administration tasks for sites within the site collection.
Cannot do this:
- Access the Central Administration site.

Admin level: Site level
SharePoint group: Owners
Does the role exist by default? Yes.
Can do this:
- Perform administration for the site only, not the entire site collection.
- Perform administrative tasks for documents, lists, and libraries.
Cannot do this:
- Access the Central Administration site.
- Access the Shared Services Administration site.
- Perform site collection administration tasks, such as restoring items from the second-stage Recycle Bin and managing the site hierarchy.