SharePoint Usalama misingi ya Kwanza / Kuepuka Pitfalls Kawaida

UPDATE 12/18/07: Angalia makala Paulo Liebrand kwa ajili ya madhara ya baadhi ya kiufundi ya kuondoa au kubadilisha majina kundi default (kuona maoni yake hapa chini pamoja na).

Overview:

SharePoint security is easy to configure and manage. Hata hivyo, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (Mimi kukubali kwa kuwa tatizo hili mimi mwenyewe). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Muhimu Kumbuka:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email yangu. I’ll make corrections post haste.

Misingi:

Kwa madhumuni ya muhtasari huu, kuna nne kimsingi masuala ya usalama: watumiaji / vikundi, securable vitu, ruhusa ngazi na urithi.

Watumiaji na Vikundi kuvunja chini kwa:

  • Mtu binafsi watumiaji: Vunjwa kutoka saraka ya kazi au kuundwa moja kwa moja katika SharePoint.
  • Vikundi: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" na kitu maalum securable.

Securable vitu kuvunja kwa angalau:

  • Maeneo ya
  • Kudhibiti maktaba
  • Mtu binafsi vitu katika orodha na maktaba hati
  • Folders
  • Mbalimbali BDC mazingira.

Kuna wengine securable vitu, lakini unaweza kupata picha.

Ruhusa ngazi: mzigo wa punjepunje / low level access rights that include such things as create/read/delete entries in lists.

Urithi: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Watumiaji na vikundi yanahusiana na vitu securable kupitia ngazi ruhusa na urithi.

Muhimu Usalama Rules Kuelewa, Ever 🙂 :

  1. Vikundi ni tu makusanyo ya watumiaji.
  2. Vikundi ni wa kimataifa ndani ya ukusanyaji tovuti (i.e. hakuna kitu kama kundi maalum katika ngazi ya tovuti).
  3. Kundi jina bila kuzingatia, vikundi hawana, katika na wenyewe, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. Unaweza hawawajui ngazi mbalimbali ruhusa kwa kikundi kimoja kwa kila kitu securable.
  6. Mtandao maombi ya sera mbiu ya yote haya (angalia hapa chini).

Usalama watendaji waliopotea katika bahari ya kundi na nyimbo mtumiaji anaweza daima kutegemea imani za hawa kusimamia na kuelewa usalama wao Configuration.

Kawaida Pitfalls:

  • Kundi majina ya uongo kuashiria ruhusa: Nje ya boksi, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" kundi hawawezi kuchangia wakati wote, lakini tu kusoma (kwa mfano). This would not be a good idea, wazi, tangu itakuwa utata sana.
  • Vikundi si hufafanuliwa katika ngazi ya tovuti. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" kiungo. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Vikundi vya jumla haina kutofautiana na tovuti (i.e. ni sawa kila mahali kundi ni kutumika): Consider the group "Owner" na maeneo mawili, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, Mimi ili kupata Watu na viungo Vikundi kupitia tovuti ya Utumishi, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. Kwa kweli, I’m removing her from the global Owners group. Hilarity ensues.
  • Kushindwa kwa jina makundi ya msingi ya jukumu maalum: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, Mimi lazima tumemuumba makundi mawili mpya: "HR Owners" and "Logistics Owners" na kuwapa ruhusa ngazi busara kwa kila mmoja na kiasi cha chini zinazohitajika kwa watumiaji hao kufanya kazi zao.

Nyingine muhimu Marejeo:

Kama wameweza kuifanya hii mbali:

Please let me know your thoughts via the comments or email me. If you know other good references, tafadhali kufanya hivyo!

Tags technorati:

8 mawazo juu ya "SharePoint Usalama misingi ya Kwanza / Kuepuka Pitfalls Kawaida

  1. Perry

    Zaidi pitfalls:

    * Kuna baadhi ya ruhusa maalum inapatikana mahali pengine katika SSP na kutoonekana katika Watu na Vikundi sehemu: "Personalization services permissions"and "Business Data Catalog permissions"

    * Nimesoma kwamba pia kuna maalum SharePoint Designer ruhusa inapatikana katika xml baadhi arcane kuzikwa ndani html mahali fulani.

    * Watawala Msingi na Sekondari kwa Ukusanyaji Site ni agizo mahali pengine katika mazingira Site Ukusanyaji, na ni kutoonekana katika Watu na Vikundi sehemu.

    * Akaunti fulani fulani kichawi (maalum) uwezo bila kujali nini unaweza kuona katika Watu na Vikundi eneo: wanachama wa kundi la kujengwa katika Watawala kwenye seva ya mtandao, na Huduma ya Akaunti ya mashamba.

    (PS: Kufuta maoni spam ingekuwa kuboresha legibility hapa.)

    Kujibu
  2. Jean Wright
    Hii ni baada ya nzuri sana. Mimi na kuanguka katika mtego huu mara chache. Usimamizi wa usalama wanaweza kupata tata wakati wewe kuanza mbinu uthibitishaji kuchanganya na mbinu mbalimbali ya usalama kambi. Hii inahitaji kuchukuliwa kama sehemu ya mchakato wa mipango na haipaswi kupuuzwa.
    Kujibu
  3. Mark Miller aliandika:
    (Kumbuka kutoka kwa Paulo: Mark akaniuliza kufanya mabadiliko kidogo kwa maoni yake lakini siwezi hariri nafasi ya kuishi maoni hivyo nimekuwa aliongeza upya hapa na mabadiliko na ilifutwa awali).
    Paulo,
    mbinu muhtasari kwa kuwasilisha hii info alifika mbali vizuri sana. I especially liked the "Pitfalls" sehemu, tangu nimekuwa kuanguka katika wale wachache mwenyewe.
    Jambo jingine wewe alisema hit nyumbani: kujifunza Jumatatu haina si lazima maana utasikia kumbuka ni siku ya Ijumaa. I’m glad someone besides me is using their blog as a "tickler" mfumo kwa ajili ya mambo hayo muhimu ambayo si kufanyika kwa misingi ya mara kwa mara.
    Kazi nzuri.
    Regards,
    Alama
    EndUserSharePoint.com

    Novemba 27 9:04 AM
    (http://www.EndUserSharePoint.com)

    Kujibu
  4. Paulo Galvin
    Nadhani ni pengine wazo nzuri ya kuondoa makundi hayo default, especially Contributor and Owner. They are overbroad and easily confused. I prefer to use "All Authenticated Users" in place of a "Visitor" group as well. If a specific set of users should only read-only access then I’d recommend creating an AD group or SharePoint group with an appropriately descriptive name, e.g. "Logistics Visitors".
    –Paulo G
    Kujibu
  5. Hakuna jina
    Inaonekana kama Jambo la kwanza unapaswa kufanya ni tu dampo Mgeni, Mchangiaji na vikundi Mmiliki na badala yao na makundi yako mwenyewe mantiki. Je, hii inaleta maana kwa kufanya?
    Kujibu

Kuondoka Reply

Anwani yako si kuchapishwa. Mashamba required ni alama *