I ran across a question in the TechNet forums today that revolved around confusion about the purpose of the Site Collection Permissions section in the Permission Policy dialog box in Central Administration. In Central Administration, in the Web Application Management section, there are two ribbon buttons that let you define web application scoped permissions: Permission Policy and User Policy. These are typically used to deny something from everyone or grant something to a few special users. These always win over any permissions changes done by a Site Owner.
Creating a Super User
A super user might be an auditor who needs read-only access to everything in a web application, or a super administrator who needs Site Collection Administrator permissions to everything in a web application.
Steps:
- Go to Central Administration, click Application Management and Manage Web Applications.
- Click in the line (but not on the hyperlink) for the web application to change. This wakes up the ribbon.
- Click Permission Policy.
- Click Add Permission Policy Level.
Here's where it gets a little confusing… there are two ways of creating a policy: check each individual Grant or Deny, or click one of the two shortcuts, "Site Collection Administrator" or "Site Collection Auditor". It's clear from the descriptions below that these are shortcuts, right?
It's even more confusing when you check one of these two options and then click Save:
There's a bug! The Save button has some validation JavaScript that is checking to see that at least one checkbox has been selected. The fix? Select a checkbox. I click "Open" in the Grant column because that is the minimum permission needed to open a site. Now you can click Save.
If you check Site Collection Auditor…
The "Site Collection Auditor" shortcut checkbox grants these permissions to the user:
View Web Analytics Data
Browse Directories
View Items
View Pages
Enumerate Permissions
Open Items
View Versions
Browse User Information
View Application Pages
Use Remote Interfaces
Open
Actually clicking Save will grant the above permissions when "Site Collection Auditor" has been checked, and include any other Grants or Denys you have clicked. (Deny always wins over Grant!)
If you check Site Collection Administrator…
The "Site Collection Administrator" shortcut checkbox grants all 33 permissions to the user, minus any Denys you have checked. (Deny always wins over a Grant!)
Manage Permissions
View Web Analytics Data
Create Subsites
Manage Web Site
Add and Customize Pages
Manage Lists
Apply Themes and Borders
Apply Style Sheets
Override Check Out
Manage Personal Views
Add/Remove Personal Web Parts
Update Personal Web Parts
Add Items
Edit Items
Delete Items
Create Groups
Browse Directories
View Items
Use Self-Service Site Creation
View Pages
Approve Items
Enumerate Permissions
Open Items
View Versions
Delete Versions
Browse User Information
Create Alerts
Manage Alerts
View Application Pages
Use Remote Interfaces
Use Client Integration Features
Open
Edit Personal User Information
All of the above would have been a lot clearer if, when you clicked one of the "shortcuts", the page automatically checked all of the related permissions.
Testing
- Create a user, such as domain\allieauditor (or ask a coworker to help).
- Go to a site collection and click Site Actions, Site Permissions.
- Click the Check Permissions button in the ribbon and click Allie's permissions. You should see "none".
- Go to Central Administration and add a Permission Policy.
- Name it "Corp Auditor".
- Check "Site Collection Auditor".
- Also check one other permission such as "Open" to make the Save button happy.
- In User Policy:
- Click Add Users
- Click Next
- Add domain\allieauditor and check "Corp Auditor"
- Click Finish
- Go to the test site, click Check Permissions and check Allie's permissions.
The following are displayed (all "read" type permissions) for Allie:
View Web Analytics Data
Browse Directories
View Items
View Pages
Enumerate Permissions
Open Items
View Versions
Browse User Information
View Application Pages
Use Remote Interfaces
Open
- Go back to User Policy and remove Allie as "Corp Auditor"
- In the test site check her permissions: None
- Create a new policy
- Name it "Super Administrator".
- Check "Site Collection Administrator".
- Also check one other permission such as "Open" to make the Save button happy.
- Click Save.
- Return to the test site and check Allie's permissions. She now has all 33 permissions.
Tip… Is a user a "normal" user or a "super user"?
When you use Check Permissions and you see a permission level, then you have found a "normal" user who was granted permissions by the Site Owner. As you can see below, Sam has the Contribute permission level.
If you see all 33 permissions, then you have either found a Site Collection Administrator or a "super user" created by the server administrator. Stella is a Site Collection administrator, but could also be a "super administrator" created through User Policies.
If you see any "Allow" or "Deny" entries, then you have found a user who has been granted or denied permissions using Central Admin's User Policy button. In the example below Sam is a Full Control site owner, except… he has been denied Create Subsites in User Policies. (Deny always beats Grant!)
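Check Permissions answers this one user and one site at a time. To review every "super user" in the farm at once, the added example below (not part of the original post) lists each web application's User Policy entries and the policy levels bound to them, using the SharePoint server object model. It assumes it is run by a farm administrator in the SharePoint Management Shell on a farm server; the variable names are illustrative.

```powershell
# Added example: inventory of web-application User Policy entries.
# Assumes a SharePoint farm server and farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($wa in Get-SPWebApplication) {
    foreach ($policy in $wa.Policies) {
        # One row per policy level bound to the user or group
        foreach ($role in $policy.PolicyRoleBindings) {
            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                User           = $policy.UserName
                DisplayName    = $policy.DisplayName
                PolicyLevel    = $role.Name
                # The two "shortcut" checkboxes from the Permission Policy page
                SiteAdmin      = $role.IsSiteAdmin
                SiteAuditor    = $role.IsSiteAuditor
                # Individually checked Grant / Deny permissions
                Grants         = $role.GrantRightsMask
                Denies         = $role.DenyRightsMask
            }
        }
    }
}

# Full inventory, one line per user and policy level
$report |
    Sort-Object WebApplication, User |
    Select-Object WebApplication, User, DisplayName, PolicyLevel, SiteAdmin, SiteAuditor, Grants, Denies |
    Format-Table -AutoSize

# Accounts that hold the Site Collection Administrator shortcut on a whole web application
$report |
    Where-Object { $_.SiteAdmin } |
    Select-Object WebApplication, User, PolicyLevel
```

Entries with SiteAdmin set to True are the accounts that show all 33 permissions in Check Permissions regardless of what any Site Owner has configured.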