6/05/2014

SharePoint User Policy, Super Users and Auditors

 

I ran across a question in the TechNet forums today that revolved around confusion about the purpose of the Site Collection Permissions section in the Permission Policy dialog box in Central Administration. In Central Administration, in the Web Application Management section, there are two ribbon buttons that let you define web application scoped permissions: Permission Policy and User Policy. These are typically used to deny something from everyone or grant something to a few special users. These always win over any permissions changes done by a Site Owner.


Creating a Super User

A super user might be an auditor who needs read-only access to everything in a web application, or a super administrator who needs Site Collection Administrator permissions to everything in a web application.

Steps:

  1. Go to Central Administration, click Application Management and Manage Web Applications.
  2. Click in the line (but not on the hyperlink) for the web application to change. This wakes up the ribbon.
  3. Click Permission Policy.
  4. Click Add Permission Policy Level.

Here's where it gets a little confusing… there are two ways of creating a policy: check each individual Grant or Deny, or click one of the two shortcuts, "Site Collection Administrator" or "Site Collection Auditor". It's clear from the descriptions below that these are shortcuts, right?


It's even more confusing when you check one of these two options and then click Save:


There's a bug! The Save button has some validation JavaScript that checks that at least one individual Grant or Deny checkbox has been selected, and the two shortcut checkboxes don't count. The fix? Select a checkbox. I click "Open" in the Grant column because that is the minimum permission needed to open a site. Now you can click Save.

 

If you check Site Collection Auditor…

The "Site Collection Auditor" shortcut checkbox grants these permissions to the user:

View Web Analytics Data
Browse Directories
View Items
View Pages
Enumerate Permissions
Open Items
View Versions
Browse User Information
View Application Pages
Use Remote Interfaces
Open

Clicking Save with "Site Collection Auditor" checked grants the permissions above, plus any other Grants or Denys you have checked. (Deny always wins over Grant!)

 

If you check Site Collection Administrator…

The "Site Collection Administrator" shortcut checkbox grants all 33 permissions to the user, minus any Denys you have checked. (Deny always wins over a Grant!)

Manage Permissions
View Web Analytics Data
Create Subsites
Manage Web Site
Add and Customize Pages
Manage Lists
Apply Themes and Borders
Apply Style Sheets
Override Check Out
Manage Personal Views
Add/Remove Personal Web Parts
Update Personal Web Parts
Add Items
Edit Items
Delete Items
Create Groups
Browse Directories
View Items
Use Self-Service Site Creation
View Pages
Approve Items
Enumerate Permissions
Open Items
View Versions
Delete Versions
Browse User Information
Create Alerts
Manage Alerts
View Application Pages
Use Remote Interfaces
Use Client Integration Features
Open
Edit Personal User Information

All of the above would have been a lot clearer if, when you clicked one of the "shortcuts", the page automatically checked all of the related permissions.

 

Testing

  1. Create a user, such as domain\allieauditor (or ask a coworker to help).
  2. Go to a site collection and click Site Actions, Site Permissions.
  3. Click the Check Permissions button in the ribbon and click Allie's permissions. You should see "none".
  4. Go to Central Administration and add a Permission Policy.
    1. Name it "Corp Auditor".
    2. Check "Site Collection Auditor".
    3. Also check one other permission such as "Open" to make the Save button happy.
  5. In User Policy:
    1. Click Add Users
    2. Click Next
    3. Add domain\allieauditor and check "Corp Auditor"
    4. Click Finish
  6. Go to the test site, click Check Permissions, and check Allie's permissions.
    The following are displayed (all "read" type permissions) for Allie:
      View Web Analytics Data
      Browse Directories
      View Items
      View Pages
      Enumerate Permissions
      Open Items
      View Versions
      Browse User Information
      View Application Pages
      Use Remote Interfaces
      Open
  7. Go back to User Policy and remove Allie as "Corp Auditor".
  8. In the test site check her permissions: None
  9. Create a new policy
    1. Name it "Super Administrator".
    2. Check "Site Collection Administrator".
    3. Also check one other permission such as "Open" to make the Save button happy.
    4. Click Save.
  10. Return to the test site and check Allie's permissions. She now has all 33 permissions.
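The two policy levels and the User Policy binding from steps 4, 5 and 9, as an added PowerShell example (not part of the original post) that uses the SharePoint server object model instead of the Central Administration pages; the web application URL and the auditor account are placeholders.

```powershell
# Added example: creates the "Corp Auditor" and "Super Administrator" Permission
# Policy levels from the steps above and binds the test account to "Corp Auditor"
# through User Policy, using the SharePoint server object model. Assumes the
# SharePoint Management Shell on a farm server; URL and account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa      = Get-SPWebApplication "http://intranet.contoso.local"  # placeholder
$auditor = "CONTOSO\allieauditor"                                # placeholder

# The eleven rights behind the "Site Collection Auditor" shortcut, as the
# SPBasePermissions flags that back the UI labels ("View Web Analytics Data" is
# ViewUsageData, "View Application Pages" is ViewFormPages, "Use Remote
# Interfaces" is UseRemoteAPIs).
$auditorRights = [Microsoft.SharePoint.SPBasePermissions] (
    "ViewUsageData, BrowseDirectories, ViewListItems, ViewPages, " +
    "EnumeratePermissions, OpenItems, ViewVersions, BrowseUserInfo, " +
    "ViewFormPages, UseRemoteAPIs, Open")

function Get-OrAddPolicyLevel {
    param([string]$Name, [string]$Description,
          [Microsoft.SharePoint.SPBasePermissions]$Grant)
    # Reuse an existing level of the same name so the script can be re-run.
    $role = $wa.PolicyRoles | Where-Object { $_.Name -eq $Name }
    if (-not $role) { $role = $wa.PolicyRoles.Add($Name, $Description) }
    $role.GrantRightsMask = $Grant
    # No Deny bits here: a bit in DenyRightsMask always beats the same Grant bit.
    $role.DenyRightsMask  = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
    return $role
}

$corpAuditor = Get-OrAddPolicyLevel "Corp Auditor" `
    "Read-only access to every site in the web application" $auditorRights
$superAdmin  = Get-OrAddPolicyLevel "Super Administrator" `
    "All 33 permissions in every site collection" `
    ([Microsoft.SharePoint.SPBasePermissions]::FullMask)

# User Policy (steps 5.1 to 5.4): bind the auditor account to "Corp Auditor".
$policy = $wa.Policies | Where-Object { $_.UserName -eq $auditor }
if (-not $policy) { $policy = $wa.Policies.Add($auditor, "Allie Auditor") }
$bound = $policy.PolicyRoleBindings | Where-Object { $_.Name -eq $corpAuditor.Name }
if (-not $bound) { $policy.PolicyRoleBindings.Add($corpAuditor) }

# Web application scoped changes are persisted with Update().
$wa.Update()
```

Because the rights mask is set directly, the Save-button validation described above never comes into play; the result is the same policy level you would get by checking the shortcut plus "Open".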

 

Tip… Is a user a "normal" user or a "super user"?

When you use Check Permissions and you see a permission level, then you have found a "normal" user who was granted permissions by the Site Owner. As you can see below, Sam has the Contribute permission level.


If you see all 33 permissions, then you have either found a Site Collection Administrator or a "super user" created by the server administrator. Stella is a Site Collection Administrator, but could also be a "super administrator" created through User Policies.


If you see any "Allow" or "Deny" entries, then you have found a user who has been granted or denied permissions using Central Admin's User Policy button. In the example below Sam is a Full Control site owner, except… he has been denied Create Subsites in User Policies. (Deny always beats Grant!)
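The tip above reads the result from the Check Permissions dialog one user at a time. As an added example (not from the original post), this PowerShell lists every User Policy entry of a web application from the server side and classifies each one: all 33 permissions (super administrator), a Grant such as the auditor level, or a Deny that overrides whatever the Site Owner granted. The URL is a placeholder.

```powershell
# Added example: enumerates the User Policy entries of one web application and
# works out the effective rights the same way Check Permissions shows them.
# Assumes the SharePoint Management Shell on a farm server; URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa   = Get-SPWebApplication "http://intranet.contoso.local"  # placeholder
$full = [uint64][Microsoft.SharePoint.SPBasePermissions]::FullMask

function Get-UserPolicyReport {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp)
    foreach ($policy in $WebApp.Policies) {
        $grant = [uint64]0; $deny = [uint64]0
        foreach ($role in $policy.PolicyRoleBindings) {
            # A user may be bound to several levels; their masks accumulate.
            $grant = $grant -bor [uint64]$role.GrantRightsMask
            $deny  = $deny  -bor [uint64]$role.DenyRightsMask
        }
        # Deny always beats Grant: clear every granted bit that is also denied.
        $effective = $grant -bxor ($grant -band $deny)

        $kind = if ($effective -eq $full) { "super administrator (all 33 permissions)" }
                elseif ($deny -ne 0)      { "Deny override on site permissions" }
                elseif ($effective -ne 0) { "policy Grant (e.g. auditor)" }
                else                      { "no effective rights" }

        # PS 2.0 compatible output (SharePoint 2010 Management Shell).
        New-Object PSObject -Property @{
            User    = $policy.UserName
            Levels  = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
            Kind    = $kind
            Granted = [Microsoft.SharePoint.SPBasePermissions]$effective
            Denied  = [Microsoft.SharePoint.SPBasePermissions]$deny
        }
    }
}

Get-UserPolicyReport $wa | Format-List User, Kind, Levels, Granted, Denied
```

Service accounts that SharePoint itself adds to User Policy, such as the search crawl account with Full Read, show up in this report too, which is exactly what an auditor reviewing "super users" wants to see.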

