UPDATE 11/03/08: Be sure to read the excellent and detailed comment from Dessie Lunsford to this post.

I’ve been working on a secret tech editing project for an up-coming book and it references this blog entry by Tyler Butler on the MSDN ECM blog. This is the first time I personally read a clear definition of the meaning of Limited Access. Here’s the meat of the definition:

In SharePoint, anonymous users’ rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.

This question comes up now and then on the MSDN forums and I’ve always been curious (but not curious enough to figure it out before today :)).

</finem>

Scribet ad mea blog.

Sequi me in Twitter ad http://www.twitter.com/pagalvin

In signum quod Amicabiliter Computing incipiens tollet cum SharePoint, I see an increased number of My Site type questions. One common question goes something like this:

"I am an administrator and I need to be able to access every My Site. How do I do that?"

The trick here is that each My Site is its own site collection. SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator. Normally, she already has access to configure security in the "main" site collectis et non intellexerunt quod ex hoc non sua sponte opus meum Sites.

Collectiones situ amplior collective vivunt intus continentis, which is the web application. Farm admins can can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application. This blog entry describes one of my personal experiences with web application policies. I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.

Web application policies can be dangerous and I suggest that they be used sparingly. If I were an admin (Deo gratias et non sum), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs. I would not configure this kind of thing for the regular farm admin or individual site collection admins. It will tend to hide potential problems because the web app role overrides any lower level security settings.

</finem>

Scribet ad mea blog.

Sequi me in Twitter ad http://www.twitter.com/pagalvin

UPDATE (02/29/08): Hoc novum codeplex videtur promineant providere modus securitate singulis columnis: http://www.codeplex.com/SPListDisplaySetting. If you have any experience working with it, commodo licentia a ineo.

Posters foro frequenter interrogare huiusmodi: "I have a manager view and and a staff view of a list. How do I secure the manager view so that staff can not use it?"

Related quaestio etiam saepe petivi: "I want to secure a specific metadata column so that only managers may edit that column while others may not even see it."

These answers apply to both WSS 3.0 et MUSCUS:

• SharePoint non praebere de-de-in-buxum captandi favorem sententiae.
• SharePoint non praebere de-de-in-buxum praesidium securitatem columnis.

There are several techniques one can follow to meet these kinds of security requirements. Here’s what I can think of:

• Use out-of-the-box item level security. Views always honor item level security configuration. Event receivers and/or workflow can automate security assignment.
• Use personal views for "privileged" views. These are easy enough to set up. Autem, due to their "personal" natura, these need to be configured for each user. Use standard security configuration to prevent anyone else from creating a personal view.
• Telam et implement aliqua pars sententiam uti notitia securitatem AJAXy qr solutionem.
• Volvite tua album propono functionality et incorporamus securitatem qr agmine gradu.
• Modify notitia introitu usus JavaScript formis et in conjunctione cum securitate exemplar ad peragendam column-gradu salutem qr.
• Use an InfoPath form for data entry. Implement column-level security trimming via web service calls to SharePoint and conditionally hide fields as needed.
• Volvite introitu tuo ASP.NET notitia muneris campester quod instrumentum agmen securum qr.

Neminem eorum, qui bene magnam realiter, sed tamen si quid sequatur viam, etiam si suus 'ferreus.

MONUMENTUM: Si quis ex his descendunt semitas, don’t forget about "Actions -> Open with Windows Explorer". You want to be sure that you test with that feature to make sure that it doesn’t work as a "back door" et dissipatum est consilium securitatem.

Si alias ideas aut potiundis experitur cum columnis views, RV email me Licentia a ineo quod puteus 'aut ego hoc update stipes ut conveniens.

</finem>

Scribet ad mea blog.

UPDATE: Ego missae hoc ad quaestionem hic MSDN (http://forums.microsoft.com/Forums/ShowPost.aspx?PostID=2808543&SiteID=1&mode=1) and Michael Washam of Microsoft responded with a concise answer.

Creavi telam ministerium agere Latitudo autem ante faciem BDC-amica to a SharePoint list. When I used this from my development environment, id operato simila. Cumque proficiscerentur de hoc novum server, Ego hunc errorem inciderunt:

Hic est recta 69:

usura (SPSite = new site SPSite("http://localhost/sandbox"))

Ego conatus diversis varietates in URL, servo usura possidet realis nomen est scriptor, suo loco IP, Rhenus oppugnant in URL, etc. I always got that error.

EGO adsuesco Google to research it. Lots of people face this issue, vel illum variationes, sed non videbatur ita solvi.

Ita dumtaxat ut non MUSCUS Tricksy occurrere feugiat aduersus errorem 12 hive logs. Tandem, de 24 horarum collegam meum, commendatur ut faciam, Ego sedatus ex 12 et invenit hoc log alveare:

Exceptionis probatio, dum occurrit loci conparandi firmam:
System.Security.SecurityException: Rogatur pateat quod non liceat registry.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) at
(String nomine, Boolean writable) at
(String nomine) at
() at
() at
(SPFarm& fundum, Boolean& isJoined)
Contio fuit, qui defecerunt in Zonam:  MyComputer

Hoc novum aditus patefactus investigationis, Lorem fuit ad. Qui eduxit me ad hoc forum stipes: http://forums.codecharge.com / posts.php?post_id = (LXVII)CXXXV. That didn’t really help me but it did start making me think there was a database and/or security issue. I soldiered on and Andreas Connell scriptor post finally triggered the thought that I should make sure that the application pool’s identity account had appropriate access to the database. I thought it already did. Autem, collega ingressus dedit app piscinæ propter identitatem plénum aditum ad SQL.

Vt illa mutatio, everything started working.

Quid deinde factum sit, sicut melius dici haiku poem:

Quaestiones manus tollere.
You swing and miss. Try again.
Successu! But how? Cur?

Ut non solum relinquens, minimum praeferentes dare licentiam postulatam (probabiliter et cum oculo ad scribendi a blog ingressu; Delebo eam ferrum, muhahahahaha!).

Successiva illa removentur ab permissiones app piscinæ propter identitatem donee … there was no longer any explicit permission for the app pool identity account at all. The web service continued to work just fine.

We went and rebooted the servers. Everything continued to work fine.

Ita, ut metent: we gave the app pool identity full access and then took it away. The web service started working and never stopped working. Bizarre.

Si quis autem ignorat, quid fecisse, commodo licentia a ineo.

</finem>

I needed to meet a security requirement for an InfoPath form today. In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience are allowed to edit it. (Hoc est novum conducere in-boarding forma per Humanum ipsum quod movet workflow).

Ad occursum rei, Ego creavit creata duo novum licentia campester ("Creare et update" et "update tantum"), fregit hereditatem forma bibliotheca et assignari permissions ad "creare, update" user et separata "update tantum" User. The mechanics all worked, but it turned out to be a little more involving than I expected. (Si tibi paulo tremulas in SharePoint permissions, reprehendo ex hoc blog post). The required security configuration for the permission level was not the obvious set of granular permissions. To create an update-only permission level for an InfoPath form, Fecit sequenti:

1. Novum licentia gradu.
2. Purgare omnes bene.
3. Lego tantum sequenti a "List permissions":

• Creare Items
• Considerabit Items
• Considerabit Application Pages

Eligendo haec bene permittit user ad update a forma, sed non creare.

The trick was to enable the "View Application Pages". There isn’t any verbage on the permission level that indicates that’s required for update-only InfoPath forms, sed vertit ex est.

Create-and-Update was even stranger. I followed the same steps, 1 per 3 above. I had to specifically add a "Site Permission" bene: "Use client integration features". Iterum, descriptio ibi non videtur sicut debet requiritur ad InfoPath forma, sed ibi est.

</finem>

UPDATE 01/28/08: This codeplex project addresses this issue: http://www.codeplex.com/AccessChecker. I have not used it, but it looks promising if this is an issue you need to address in your environment.

UPDATE 11/13/08: Joel Oleson wrote up a very good post on the larger security management issue here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d-183c-4fc2-8320-ba5369008acb&ID=113. It links to a number of other useful resources.

Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to list about changes made to the list?"

There is no out of the box solution for this. If you think about it for a moment, it’s not hard to understand why.

SharePoint security is very flexible. There are at least four major categories of users:

• Anonymous users.
• SharePoint Users and Groups.
• Active Directory users.
• Substructio formae authenticas (FBA) users.

The flexibility means that from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present it in a useful fashion. That’s a hard problem to solve generically.

How are organizations dealing with this? I’d love to hear from you in comments or email.

</finem>

UPDATE 12/18/07: Videre Paulus Liebrand scriptor articulum technicas consequatur tollendum aut inflexo in default coetus nomina (videre comment infra ut bene).

Overview:

SharePoint security is easy to configure and manage. Autem, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (Fateor me ad hoc problema). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Maximus Nota:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentalum:

Usibus hoc overview, quattuor sunt rationes fundamentales securitatem: users / coetibus, securable objecta, licentiam gradus et hereditátem.

Users et Groups ut effringerent:

• Singulorum users: Traxit ab agente creato album vel directe in SharePoint.
• Coetibus: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" ad speciem obiecti securable.

Securable objecta saltem ut effringerent:

• Situs
• Documento bibliothecis
• Libelli et singula in scripto bibliothecis
• Folders
• Variis occasus BDC.

Ibi alia obiecta securable, sed vos adepto picture.

Licentiam campester: Fasciculus granular / low level access rights that include such things as create/read/delete entries in lists.

Hereditas: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users et coetus securable obiecta pertinent ad gradus per licentiam et hereditátem.

Maxime intelligere Obses Regulis, umquam :

1. Coetus simpliciter sunt collectiones users.
2. Coetus intra global collection site (i.e. Nulla eu nibh ut aliquid definire amet).
3. Coetus nomen non obstantibus, non convivia, et in se, have any particular level of security.
4. Groups have security in the context of a specific securable object.
5. Permittente vobis tribuat diversis ordinibus eidem group omne obiectum securable.
6. Textus applicatio ex hoc omnes policies tubć (vide infra).

Securitatem administratione coetus in mari perierunt et user amet semper inniti haec axiomata praeesse intelligit, et securitati suae conformatione.

Commune foveisque:

• Coetus falso nomina important permissu: Ex arca archa, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" coetus potest non conferre ad omnes, sed tantum legere, (enim). This would not be a good idea, Manifestum, cum esset valde turbatio.
• Coetus non definitur ad aliquid site gradum. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
• Coetus sociari non variantur per site (i.e. coetus ubivis sit amet): Consider the group "Owner" et duo sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, Obvius ut populus, et per HR site links Groups, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In facto, I’m removing her from the global Owners group. Hilarity ensues.
• Defecto nominare coetus fundatur in speciei partes: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, Ego creavi duo novum Sodalicium: "HR Owners" and "Logistics Owners" et assignamus pro cuiusque gradus sensibilis licentia requiritur summam minimam et pro users ut faciat opus suum.

Alius utilis References:

• Telam application consilium gotcha scriptor: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!255.entry
• Clearinghouse SharePoint pro securitate: http://www.sharepointsecurity.com/
• Joel de links Oleson: http://blogs.msdn.com/joelo/archive/2007/08/23/sharepoint-security-and-compliance-resources.aspx

Si secundum hoc fecistis:

Please let me know your thoughts via the comments or email me. If you know other good references, idem placeat facere!