SharePoint Slándáil Bunúsaigh Chéad / Seachain Ceapa Tuisle Coiteann

Suas chun dáta 12/18/07: Féach alt Paul Liebrand do roinnt iarmhairtí teicniúla a bhaint de nó a mhodhnú ainm an ghrúpa réamhshocraithe (fheiceáil a comment thíos chomh maith).

Forbhreathnú:

SharePoint security is easy to configure and manage. Mar sin féin, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (Mé a admháil go bhfuil an fhadhb seo mé féin). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Nóta Tábhachtach:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or ríomhphost chugam. I’ll make corrections post haste.

Bunúsaigh:

Chun críocha an forbhreathnú seo, tá ceithre ghnéithe bunúsacha le slándáil: úsáideoirí / grúpaí, rudaí securable, leibhéil cead agus oidhreacht.

Úsáideoirí agus Grúpaí bhriseadh síos go dtí:

  • Úsáideoirí aonair: Ceirteacha tarraingthe ó eolaire gníomhach nó a cruthaíodh go díreach i SharePoint.
  • Grúpaí: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" le rud securable leith.

Rudaí Securable bhriseadh síos go dtí ar a laghad,:

  • Láithreáin
  • Leabharlanna Doiciméad
  • Míreanna aonair i liostaí agus leabharlanna doiciméad
  • Fillteáin
  • Suímh éagsúla BDC.

Tá rudaí eile securable, ach gheobhaidh tú an pictiúr.

Leibhéil Cead: A carn de gráinneach / low level access rights that include such things as create/read/delete entries in lists.

Oidhreachta: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Baineann úsáideoirí agus grúpaí chun rudaí securable trí leibhéil cead agus oidhreacht.

Na Rialacha Slándála chuid is mó tábhachtach a thuiscint, Riamh 🙂 :

  1. Tá Grúpaí simplí bailiúcháin na n-úsáideoirí.
  2. Tá Grúpaí domhanda laistigh de bhailiúchán láithreán (i.e. níl aon rud den sórt sin mar ghrúpa atá sainmhínithe ag leibhéal láithreán).
  3. Ainm grúpa d'ainneoin, Ní dhéanann grúpaí, i agus de féin, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. Is féidir leat leibhéil éagsúla cead a shannadh don ghrúpa céanna do gach réad securable.
  6. Polasaithe iarratas Gréasáin trump seo ar fad (Féach thíos).

Is féidir le riarthóirí Slándáil caillte i farraige de ghrúpa agus liostaí úsáideoirí brath i gcónaí ar na axioms a bhainistiú agus a thuiscint a n-chumraíocht slándála.

Ceapa Tuisle Coiteann:

  • Tuiscint ainmneacha Grúpa go bréagach cead: As an bosca, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" Ní féidir le grúpa cur ar chor ar bith, ach amháin a léamh (mar shampla). This would not be a good idea, ar ndóigh, ós rud é go mbeadh sé an-mearbhall.
  • Ní shainmhínítear Grúpaí ag leibhéal láithreán. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" nasc. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Ní tuairiscíodh ballraíocht Grúpaí athrú ag láithreán (i.e. Tá sé mar an gcéanna i ngach áit go bhfuil an grúpa a úsáidtear): Consider the group "Owner" agus dhá shuíomh, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, D'fhéadfadh liom rochtain a fháil ar na Daoine agus naisc Grúpaí tríd an láithreán AD, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. Go deimhin, I’m removing her from the global Owners group. Hilarity ensues.
  • Má theipeann ar ghrúpaí atá bunaithe ar ról sonrach ainm: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, Ba chóir dom a chruthaigh dhá ghrúpa nua: "HR Owners" and "Logistics Owners" agus leibhéil cead ciallmhar le haghaidh gach agus an méid íosta is gá do na húsáideoirí sin a gcuid oibre a shannadh.

Tagairtí Úsáideacha Eile:

Má tá tú rinne sé seo i bhfad:

Please let me know your thoughts via the comments or email me. If you know other good references, le do thoil a dhéanamh ar an céanna a!

Clibeanna Technorati:

8 smaointe ar "SharePoint Slándáil Bunúsaigh Chéad / Seachain Ceapa Tuisle Coiteann

  1. Perry

    Níos mó pitfalls:

    * Tá ceadanna speisialta áirithe atá ar fáil in áiteanna eile sa SSP agus nach bhfuil le feiceáil i Daon agus Grúpaí alt: "Personalization services permissions"and "Business Data Catalog permissions"

    * Léigh mé go bhfuil ceadanna Dearthóir SharePoint speisialta ar fáil i roinnt xml arcane faoi thalamh taobh istigh html áit éigin ann freisin.

    * Na Riarthóirí Bunscoileanna agus Meánscoileanna ar feadh Bailiúchán Láithreán a choimeád in áit eile i suímh Bailiúchán Láithreáin, agus nach bhfuil le feiceáil ar an Daoine agus Grúpaí alt.

    * Tá cuntais áirithe draíochta (speisialta) cumas beag beann ar an méid a fheiceann tú i Daon agus limistéar Grúpaí: baill an ghrúpa Riarthóirí-tógtha i ar na freastalaithe gréasáin, agus an Cuntas Seirbhís Feirme.

    (PS: Bheadh ​​Scriosadh na tuairimí spam feabhas a chur ar inléiteacht anseo.)

    Freagra
  2. Jean Wright
    Is post an-mhaith. Mé tar éis titim isteach sa gaiste ar roinnt ócáidí. Is féidir le bainistíocht Slándála a fháil casta nuair a dtosaíonn tú modhanna fíordheimhniú mheascadh agus modhanna grúpáil éagsúla slándála. Ní mór é seo a mheas mar chuid den phróiseas pleanála agus níor chóir a overlooked.
    Freagra
  3. Mark Miller Scríobh:
    (Nóta ón Paul: Mark d'iarr mé a dhéanamh ar athrú beag ar a comment ach ní féidir liom eagar tuairimí spásanna beo mar sin tá mé chuir sé as an nua anseo leis an athrú agus a scriosadh an bunaidh).
    Paul,
    An cur chuige achoimre a thíolacadh eolas seo a tháinig amach go han-mhaith. I especially liked the "Pitfalls" alt, ó tá mé tar éis titim isteach i roinnt de na daoine mé féin.
    Rud eile a dúirt tú bhuail bhaile: Ní foghlaim ar an Luan ní gá go gciallódh go mbainfidh tú cuimhneamh air ar an Aoine. I’m glad someone besides me is using their blog as a "tickler" córas chun na rudaí ríthábhachtach nach bhfuil déanta ar bhonn rialta.
    Dea-obair.
    Maidir is,
    Marcáil
    EndUserSharePoint.com

    Samhain 27 9:04 AM
    (http://www.EndUserSharePoint.com)

    Freagra
  4. Paul Galvin
    Sílim go bhfuil sé dócha go bhfuil smaoineamh maith a bhaint as na grúpaí réamhshocraithe, especially Contributor and Owner. They are overbroad and easily confused. I prefer to use "All Authenticated Users" in place of a "Visitor" group as well. If a specific set of users should only read-only access then I’d recommend creating an AD group or SharePoint group with an appropriately descriptive name, e.g. "Logistics Visitors".
    –Paul G
    Freagra
  5. Níl ainm
    Fuaimeanna sé cosúil leis an chéad rud ba chóir duit a dhéanamh ná a Dumpáil díreach an Cuairteoir, Ranníocóir agus grúpaí Úinéir agus ionad iad le do grúpaí loighiciúla féin. An mbeadh an chiall a dhéanamh chun déanamh?
    Freagra

Leave a Reply

Ní thabharfar do sheoladh r-phoist a fhoilsiú. Réimsí riachtanacha atá marcáilte *