January 30, 2007 12:00 AM

SharePoint Security Evolution

Follow the maturation of SharePoint 2003 into SharePoint 2007—a new version that will significantly enhance your security infrastructure
Windows IT Pro
InstantDoc ID #94335

Consider a hands-on example. In a SharePoint portal, click the People and Groups link in the Quick Nav bar, which Figure 3 shows. Click More to view all your groups. By doing so, you see that your site has only the default groups available. You want to add two new groups to represent your Contoso IT department users and your Finance department users. Click New, and select New Group from the drop-down list. For the IT department, fill out the form that you see in Figure 4. Notice the permission levels at the bottom of the form.

Before you go on to add a group for the Finance department, create a new security permission level for the Finance users. Back in the list of groups, click Site Permissions to access the screen that Figure 5 shows. On this screen, you can see the permission levels and groups to which the Finance users are assigned, and you can manage the many-to-many relationship between groups and permission levels. You can see that the roles of Read, Contribute, and Full Control (i.e., administration) exist, along with the new SharePoint 2007 levels of Limited Access (equivalent to SharePoint 2003's Guest level) and Approver. To add a new permission level for your Finance team members, click Settings, Permission Levels. A list of available permissions will appear. Click Add a Permission Level to create a new Finance user role. On the screen that Figure 6 shows, you can see how many more permission options are available in SharePoint 2007 than in SharePoint 2003. Select the permissions you want (grant lots of list rights) and click Create. Now, you have a new permission level for Finance department employees.

Go back to your Permissions home page and add a new group to contain your actual Finance employees. When you do so, the added Finance user permission level will appear at the bottom of the New Group screen.
Now, you can add users to the Finance group, and any user of the Finance group will have the same permissions in any site in the SharePoint site collection.

Now that you understand how to collect users into groups and how to assign the groups various permissions, you can see how you’ll use these groups to secure SharePoint 2007. Just as in SharePoint 2003, you can explicitly grant or deny access to a site or a list, but you now have the additional ability to secure individual list items and document library folders. So, a user might have access to a site and a document library, but you can have individual documents or folders to which the user has no access.
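The same Finance setup, scripted against the WSS 3.0 / MOSS 2007 server object model instead of the UI. This is an added example, not code from the article; it assumes it runs on a farm server under a site collection administrator, and the site URL, account names and the folder path are placeholders.

```powershell
# Added example (not from the article). Assumed: run on a SharePoint 2007 server
# as a site collection admin; URL, accounts and folder name are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite("http://portal.contoso.com")
$web  = $site.RootWeb

# 1. Custom permission level: broad list rights, no site-administration rights
#    (compare the built-in Read / Contribute / Full Control levels).
$finRole = New-Object Microsoft.SharePoint.SPRoleDefinition
$finRole.Name = "Finance User"
$finRole.Description = "List rights for Finance staff, no site administration"
$finRole.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, ManageLists, ViewPages, Open, BrowseDirectories, UseClientIntegration"
$web.RoleDefinitions.Add($finRole)
$finRole = $web.RoleDefinitions["Finance User"]

# 2. Group that holds the Finance employees, bound to that level at site level.
#    One group can be bound to several levels and vice versa (many-to-many).
$owner = $web.EnsureUser("CONTOSO\finance.lead")
$web.SiteGroups.Add("Finance Users", $owner, $owner, "Finance department employees")
$finGroup = $web.SiteGroups["Finance Users"]
$ra = New-Object Microsoft.SharePoint.SPRoleAssignment($finGroup)
$ra.RoleDefinitionBindings.Add($finRole)
$web.RoleAssignments.Add($ra)

# 3. Item-level security (new in 2007): Finance can use the site and library,
#    but one folder inside the library is taken away from them.
$folder = $web.GetFolder("Shared Documents/Audit Workpapers")
$item = $folder.Item
$item.BreakRoleInheritance($true)        # copy inherited assignments, then edit
$item.RoleAssignments.Remove($finGroup)  # Finance loses this folder only

# 4. Read back the effective assignments on the folder for verification.
foreach ($assignment in $item.RoleAssignments) {
    $levels = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-30} {1}" -f $assignment.Member.Name, $levels
}

$web.Dispose(); $site.Dispose()
```

After step 3 the folder lists only the assignments copied from the site minus Finance Users, which is exactly the "access to the library but not to this folder" case the text describes.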

Administrative Security
This has been a discussion of user-level and site-level security in SharePoint 2003 and SharePoint 2007. There are additional levels of security available to SharePoint administrators, who can also apply security at the Shared Services level and at the Central Administration level in SharePoint 2007.

Shared Services isn’t a new concept, but it’s now much more apparent. Essentially, Shared Services administration means that the server-farm administrator can delegate authorization for certain tasks to other users. This capability is handy when users make unwanted changes, such as item deletions (and subsequent Recycle Bin clearing). Now, with delegated user authorization, the user doesn’t have to go to the farm administrator for help.

The final possible level of security configuration in a SharePoint 2007 installation is at the Central Administration level. There are a lot of new administration features at this level, including security policies—a set of permissions that apply everywhere across the farm. These Grant and Deny policies override all other permissions, and you can configure them per Web application and per Web zone. Common examples of security policy use include granting full read access to auditors and denying all write access to anyone in the Internet zone (i.e., Extranet). You can also set up the AD service accounts at this level to prevent unauthorized application behavior on the network. You configure the application pool accounts, the SharePoint service (SPTimer and Admin Service) accounts, and access to SQL Server at this level.
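The two policy examples named above (Full Read for auditors, no writes from the Internet zone) expressed through the SharePoint 2007 administration object model. This is an added example, not the article's own code; it assumes a farm administrator running it on a farm server, and the Web application URL and account names are placeholders.

```powershell
# Added example (not from the article). Assumed: run on a SharePoint 2007 farm
# server as a farm administrator; URL and account names are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]"http://portal.contoso.com")

# Policy 1 (Grant): auditors can read everything in this Web application,
# in every zone, regardless of what site owners granted or withheld.
$fullRead = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$auditors = $webApp.Policies.Add("CONTOSO\Auditors", "Auditors (read everything)")
$auditors.PolicyRoleBindings.Add($fullRead)

# Policy 2 (Deny): nobody entering through the Internet zone may write, even a
# user a site owner made a Contributor. Deny policies win over grants, so this
# is scoped to one zone rather than to the whole Web application.
$denyWrite = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
$internetPolicies = $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Internet)
$noWrite = $internetPolicies.Add("NT AUTHORITY\Authenticated Users", "No writes from the Internet zone")
$noWrite.PolicyRoleBindings.Add($denyWrite)

$webApp.Update()

# Verification: print what is now in force for each zone of the Web application.
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($policy in $webApp.ZonePolicies($zone)) {
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-9} {1,-40} {2}" -f $zone, $policy.UserName, $roles
    }
}
```

Because a Deny policy overrides every site-, list- and item-level grant, test a new one against a non-administrative account before rolling it out on a production zone.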

A Powerful Force
SharePoint 2007 is poised to greatly improve the SharePoint end-user experience. Thanks to a slicker interface and features such as security trimming, the user will see only the sites, lists, and documents that they have permission to see. More important, SharePoint 2007 will simplify the life of the administrator, thanks to cleanly organized users and roles defined at one level, the ability to delegate activities to others via Shared Services, and the introduction of system-wide security policies.
