Working with SharePoint security permissions
As with NTFS resources, SharePoint resources must be properly secured to ensure that users have only the access they need. For the configuration required before you can manage access, see Working with security permissions.
Using Data Governance Edition, you can determine who has access to a SharePoint resource, what permissions make up the permission levels that have been assigned, and then manage that access, including the inheritance setting of a resource. If the right permission level does not exist, you can also use Data Governance Edition to create one.
When you change security settings using Data Governance Edition, you are using the One Identity Manager delegation model: the change is applied through One Identity Manager rather than through the native SharePoint user interface, but what it writes are ordinary SharePoint role assignments and permission levels, and SharePoint enforces them exactly as if they had been set natively.
Changing the security inheritance on a resource
SharePoint security on a resource is either inherited or unique. If it is inherited, you cannot modify any security settings on that resource, because they are defined by a parent resource. A well-structured site reduces the number of places where inheritance has to be broken to secure your SharePoint resources effectively. When you need to change the settings at a particular point in the hierarchy, you create unique permissions at that point. By default, every item below a uniquely-permissioned object inherits from that object, not from anything higher up.
When you break inheritance, the current permission levels and security settings are copied onto the resource, and you can then modify the copy as needed. Changes made to the parent afterwards no longer flow down to it. Restoring inheritance discards the unique permissions on the resource and it takes its parent's settings again. Although switching to unique permissions is easy in Data Governance Edition, do it sparingly: every uniquely-permissioned resource is one more place that has to be reviewed and maintained.
To change the inheritance on a SharePoint resource
- In the Navigation view, select Data Governance | Managed hosts.
- Open the Resource browser using one of the following methods:
  - Double-click the required SharePoint farm in the Managed hosts view.
  - Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
The web applications for the selected farm are displayed. From here you can browse the SharePoint hierarchy.
- Double-click through to browse to the required resource.
When a resource is selected, the security settings for the resource are displayed in the Permissions pane (lower pane).
One of the following messages appears across the top of the pane, indicating whether permissions are inherited or unique:
- Permissions are unique. Click here to restore inheritance.
- Permissions are inherited. Click here to break inheritance and edit permissions.
- To toggle the inheritance setting, click the message.
- Click Yes on the confirmation dialog.
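The following PowerShell is an added example, not Data Governance Edition or One Identity Manager code. It uses the native SharePoint Server object model from the SharePoint Management Shell on the farm to show what the toggle above does underneath: it reads the inheritance state of a site, breaks inheritance with a copy of the parent's role assignments, checks that the copy matches what was inherited, and lists the lists below it that already had permissions of their own. The site URL is an assumption.

```powershell
# Added example: native SharePoint object model, not Data Governance Edition code.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.local/sites/finance/sub"   # assumed URL

function Get-RoleAssignmentSummary {
    # One line per principal, e.g. "CONTOSO\jdoe: Read, Contribute"
    param([Microsoft.SharePoint.SPSecurableObject]$Object)
    foreach ($ra in $Object.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0}: {1}" -f $ra.Member.Name, $levels
    }
}

"Unique permissions before: {0}" -f $web.HasUniqueRoleAssignments
$before = @(Get-RoleAssignmentSummary $web)

if (-not $web.HasUniqueRoleAssignments) {
    # $true = copy the inherited role assignments onto this site, which is what
    # "Click here to break inheritance and edit permissions" does.
    $web.BreakRoleInheritance($true)
    $web.Update()
}

$after = @(Get-RoleAssignmentSummary $web)
"Unique permissions after: {0}" -f $web.HasUniqueRoleAssignments

# Immediately after the break the copy must equal what was inherited; any
# difference means something else changed the object between the two reads.
if ($before -and $after) {
    $diff = Compare-Object $before $after
    if ($diff) { $diff | Format-Table -AutoSize } else { "Copied assignments match the parent." }
}

# Lists under this site keep inheriting from it unless they already had
# unique permissions of their own; those are the ones a reviewer must check separately.
$web.Lists | Where-Object { $_.HasUniqueRoleAssignments } |
    ForEach-Object { "List with its own permissions: {0}" -f $_.Title }

# To undo, ResetRoleInheritance() discards the unique assignments on $web and it
# inherits from its parent again (what "Click here to restore inheritance" does):
# $web.ResetRoleInheritance(); $web.Update()

$web.Dispose()
```

Run it as a farm administrator with access to the content database. The `HasUniqueRoleAssignments` read before and after is the check worth keeping in any change script: it confirms the break (or restore) actually took effect on the object you meant rather than on a parent.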
Related Topics
Modifying the permissions on a SharePoint resource
Working with SharePoint permission levels
Modifying the permissions on a SharePoint resource
You can add accounts to, and remove accounts from, a SharePoint resource, including sites, libraries, lists, and documents. You can assign Active Directory users and groups, and SharePoint groups. If the resource has unique permissions, you can also change the permission levels assigned to each account. For more information, see Working with SharePoint permission levels.
Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.
To add or remove accounts from a SharePoint resource
- In the Navigation view, select Data Governance | Managed hosts.
- Open the Resource browser using one of the following methods:
  - Double-click the required SharePoint farm in the Managed hosts view.
  - Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
The web applications for the selected farm are displayed. From here, you can browse the SharePoint hierarchy.
- Double-click through to browse to the required resource.
When a resource is selected, the security settings for the resource are displayed in the Permissions pane (lower pane).
- To add an account, click Add Account, then browse to the required account.
Note: To add SharePoint groups, set the Location to SharePoint. Only groups from the current site collection are shown.
- In the Permissions pane, click in the Permission Levels column that corresponds to the newly added account.
A pop-up appears listing all the available permission levels. Select the permission levels to assign to the new account and press Enter.
- To remove an account, select the account in the Permissions pane, click Remove Account, and then click Yes.
- Click the Save toolbar button to save your selections.
To modify the permission levels assigned to an account
- In the Navigation view, select Data Governance | Managed hosts.
- Open the Resource browser using one of the following methods:
  - Double-click the required SharePoint farm in the Managed hosts view.
  - Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
The web applications for the selected farm are displayed in the lower pane.
- Double-click through to browse to the required resource.
When a resource is selected, the security settings for the resource are displayed in the Permissions pane (lower pane).
- For the account that you want to manage, click in the corresponding Permission Levels column to display the permission levels list.
- Select the required permission levels.
You can see the permissions included in a permission level by hovering your cursor over the level, and you can hover over an individual permission to see its description.
- Press Enter to save your selections and close the permission levels list.
- Click the Save toolbar button to save your changes.
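The following PowerShell is an added example, not Data Governance Edition code; it is the native SharePoint Server object-model equivalent of the two procedures above (adding an account with permission levels, replacing the levels of an existing account, and removing an account), run from the SharePoint Management Shell. The site URL, the AD login and the SharePoint group name are assumptions.

```powershell
# Added example: native SharePoint object model, not Data Governance Edition code.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.local/sites/finance"   # assumed URL

if (-not $web.HasUniqueRoleAssignments) {
    throw "Permissions are inherited here; break inheritance on this resource (or edit its parent) first."
}

# Permission levels (SPRoleDefinition) belong to the site collection, so they
# are resolved against the root web whatever object is being secured.
$levels = $web.Site.RootWeb.RoleDefinitions

function Set-PermissionLevels {
    param(
        [Microsoft.SharePoint.SPSecurableObject]$Object,
        [Microsoft.SharePoint.SPPrincipal]$Principal,
        [string[]]$LevelNames
    )
    $defs = foreach ($name in $LevelNames) {
        $def = $levels | Where-Object { $_.Name -eq $name }
        if ($null -eq $def) { throw "Permission level '$name' does not exist in this site collection." }
        $def
    }
    $existing = $Object.RoleAssignments | Where-Object { $_.Member.ID -eq $Principal.ID }
    if ($null -eq $existing) {
        # New account on the resource: build the assignment and add it.
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($Principal)
        foreach ($def in $defs) { $ra.RoleDefinitionBindings.Add($def) }
        $Object.RoleAssignments.Add($ra)
    } else {
        # Account already listed: replace its levels instead of accumulating them,
        # which is what ticking and unticking boxes in the Permission Levels list does.
        $existing.RoleDefinitionBindings.RemoveAll()
        foreach ($def in $defs) { $existing.RoleDefinitionBindings.Add($def) }
        $existing.Update()
    }
}

$user  = $web.EnsureUser("CONTOSO\jdoe")        # assumed AD user
$group = $web.SiteGroups["Finance Members"]     # assumed SharePoint group of this site collection

Set-PermissionLevels -Object $web -Principal $user  -LevelNames @("Read")
Set-PermissionLevels -Object $web -Principal $group -LevelNames @("Contribute")

# Later: change the user's levels (replaces Read with Read + Design) ...
Set-PermissionLevels -Object $web -Principal $user  -LevelNames @("Read", "Design")
# ... and remove the group from the resource entirely.
$web.RoleAssignments.Remove($group)

# Verify what is now effective on the resource.
foreach ($ra in $web.RoleAssignments) {
    "{0}: {1}" -f $ra.Member.Name, (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
}
$web.Dispose()
```

The inheritance check at the top mirrors the condition in the text: on an inherited resource there is nothing to edit, and the change has to be made on the parent or inheritance has to be broken first. Replacing the bindings rather than appending to them avoids the common drift where an account ends up holding every level it has ever been given.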
Working with SharePoint permission levels
A SharePoint permission level is a collection of list, site, and personal permissions designed to provide the appropriate level of access for a given group of users. Permission levels are defined per site collection. Although they are created and managed at the site collection level, Data Governance Edition lets you manage them from any object in the hierarchy and resolves your changes to the appropriate site collection. You can create a permission level at any time, as long as you have the Manage Permissions permission on the site collection. You can also edit existing permission levels, and delete those you no longer need.
You may want to view the details of existing permission levels before creating new ones. The fewer well-designed permission levels you have, the easier your site permissions are to manage.
Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.
To view the permissions contained in a permission level by viewing a resource
- In the Navigation view, select Data Governance | Managed hosts.
- Open the Resource browser using one of the following methods:
  - Double-click the required SharePoint farm in the Managed hosts view.
  - Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
- In the Resource browser, double-click through the farm to locate the required resource.
The security for the resource is displayed in the Permissions pane (lower pane).
A message across the top of the pane indicates whether permissions are inherited or unique.
- In the Permissions pane, click in the corresponding Permission Levels column for one of the accounts listed.
A pop-up appears listing all the available permission levels. The permission levels assigned to the selected account are marked with a check mark. To see the permissions included in a permission level, hover your cursor over the permission level. You can also hover your cursor over an individual permission to see its description.
- Press Enter to close the permission levels list. If you did not change any check marks, nothing is saved.
To view the permissions contained in a permission level using the Permission Levels dialog
- In the Resource browser, double-click through to a resource within the site you want to examine.
- In the lower pane, click the Permission Levels toolbar button.
- In the left pane of the Permission Levels dialog, select a permission level.
The permissions included in the level are shown on the right side of the dialog.
- Click OK to close the Permission Levels dialog.
Creating a SharePoint permission level
If you need a new combination of permissions to achieve your security goals, you can create it through the Resource browser. Regardless of the object you have selected, the permission level is associated with the site collection, and is available for use with any object in the site collection.
To create a SharePoint permission level
- In the Resource browser, double-click through the farm to locate the required resource.
The security for the resource displays in the lower pane.
- In the lower pane, click the Permission Levels toolbar button.
- In the Permission Levels dialog, click New.
- Provide a unique name and a description for the permission level.
- Select the required permissions.
Some permissions depend on others, and the dialog selects the dependencies for you. For example, when you select Manage Lists, the permissions required to perform that task, such as View Pages and Open, are also selected.
- Click OK.
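The following PowerShell is an added example, not Data Governance Edition code, covering both the viewing procedures above and the creation procedure: it reads the base permissions that make up an existing permission level, then creates a new level in the site collection through the native SharePoint Server object model. The site URL, the new level's name and the choice to include View Items in it are assumptions; note that, unlike the Permission Levels dialog, the object model does not add dependent permissions for you.

```powershell
# Added example: native SharePoint object model, not Data Governance Edition code.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb "http://intranet.contoso.local/sites/finance"   # assumed URL
$root = $web.Site.RootWeb   # permission levels are stored per site collection

function Get-PermissionLevelDetail {
    # Same information as the right side of the Permission Levels dialog.
    param([Microsoft.SharePoint.SPWeb]$RootWeb, [string]$Name)
    $def = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $Name }
    if ($null -eq $def) { throw "No permission level named '$Name' in this site collection." }
    # BasePermissions is a [Flags] enum; ToString() lists every permission that is set.
    "{0}: {1}" -f $def.Name, $def.BasePermissions.ToString()
}

Get-PermissionLevelDetail $root "Read"
Get-PermissionLevelDetail $root "Contribute"

# Build the new level. The dialog would add View Pages and Open when you tick
# Manage Lists; here they are listed explicitly. ViewListItems is an assumption
# added so the holder can see the items of the lists they manage.
$mask = [Microsoft.SharePoint.SPBasePermissions]"ManageLists, ViewListItems, ViewPages, Open"

$name = "List Manager"   # assumed; names must be unique within the site collection
if ($root.RoleDefinitions | Where-Object { $_.Name -eq $name }) {
    throw "A permission level named '$name' already exists."
}

$def = New-Object Microsoft.SharePoint.SPRoleDefinition
$def.Name = $name
$def.Description = "Create and manage lists without edit rights on items"
$def.BasePermissions = $mask
$root.RoleDefinitions.Add($def)   # fails unless the caller holds Manage Permissions on the site collection
$root.Update()

# Confirm what was actually stored before assigning the level to anyone.
Get-PermissionLevelDetail $root $name
$web.Dispose()
```

Printing the stored `BasePermissions` after creation is the check that matters: a level that is missing a dependency such as Open will be accepted by the object model but will not work as intended for the accounts it is later assigned to.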