UPDATE 12/18/07: Sien Paul Liebrand se artikel vir 'n paar tegniese gevolge van die verwydering of die wysiging van die standaard vormveranderings (sien sy kommentaar hieronder asook).
Oorsig:
SharePoint security is easy to configure and manage. Egter, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (Ek erken dat hierdie probleem myself). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.
Belangrike nota:
This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email my. I’ll make corrections post haste.
Grondbeginsels:
Vir die doel van hierdie oorsig, Daar is vier fundamentele aspekte van sekuriteit: gebruikers / groepe, beveilig baar voorwerpe, toestemming vlakke en erfenis.
Gebruikers en Groepe breek te:
- Individuele gebruikers: Getrek uit die aktiewe gids of wat direk in SharePoint.
- Groepe: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" aan 'n spesifieke beveilig baar voorwerp.
Beveilig baar voorwerpe breek aan ten minste:
- Webwerwe
- Dokument biblioteke
- Individuele items in lyste en dokument biblioteke
- Dopgehou
- Verskeie BDC instellings.
Daar beveilig baar ander voorwerpe, maar jy kry die prentjie.
Toestemming vlakke: 'N bondel van korrel / low level access rights that include such things as create/read/delete entries in lists.
Erfenis: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.
Gebruikers en groepe in verband te beveilig baar voorwerpe via toestemming vlakke en erfenis.
Die meeste Belangrike Security Reëls om te verstaan, Ever 🙂 :
- Groepe is net versamelings van gebruikers.
- Groepe is globale binne 'n webwerf versameling (d.w.z. daar is geen sodanige ding as 'n groep gedefinieer op 'n terrein vlak).
- Groep naam nieteenstaande, groepe nie, in en van die self, have any particular level of security.
- Groups have security in the context of a specific securable object.
- Jy kan toewys verskillende toestemming vlakke aan dieselfde groep vir elke beveilig baar voorwerp.
- Web aansoek beleid troef al hierdie (sien hieronder).
Security administrateurs verloor in 'n see van 'n groep en gebruikers lys kan altyd staatmaak op hierdie aksiomas te bestuur en te verstaan hul sekuriteit opset.
Algemene slaggate:
- Group name valslik impliseer toestemming: Uit die boks, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" groep kan glad nie bydra, maar slegs gelees (byvoorbeeld). This would not be a good idea, natuurlik, want dit sou baie verwarrend.
- Groepe word nie gedefinieer op 'n terrein vlak. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" skakel. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
- Groepe lidmaatskap nie afhanklik van die webwerf (d.w.z. dit is oral dieselfde van die groep word gebruik): Consider the group "Owner" en twee terreine, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, Ek kan toegang tot die mense en groepe skakels via die HR webwerf, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In werklikheid, I’m removing her from the global Owners group. Hilarity ensues.
- Versuim om groepe op grond van spesifieke rol te noem: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, Ek moet geskep het twee nuwe groepe: "HR Owners" and "Logistics Owners" en wys sinvolle toestemming vlakke vir elk en die minimum bedrag wat nodig is vir die gebruikers hul werk te doen.
Ander nuttige inligting:
- Web aansoek beleid Gotcha se: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!255.entry
- Verrekeningshuis vir SharePoint sekuriteit: http://www.sharepointsecurity.com/
- Links van Joël Oleson: http://blogs.msdn.com/joelo/archive/2007/08/23/sharepoint-security-and-compliance-resources.aspx
As jy dit so ver:
Please let me know your thoughts via the comments or email me. If you know other good references, asseblief nie dieselfde!