SharePoint 2010 : Planning Your Security Model - Maintaining Your Security Model

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
It may be overly ambitious to expect you to keep your security model up to date, but if there is any documentation worth maintaining as you evolve your site design, this is the one to try to maintain. In fact, it may not be a single document but a collection of completed document templates (if you choose to decentralize security management). If you always follow the best practice of assigning users to groups rather than assigning permissions to individuals, maintaining the document won’t be too difficult because you will only need to make an update if you add a new group or a add unique permissions to a securable object. Is it realistic to assume that you can keep the security model document current in a dynamic environment? Probably not. So you will definitely want to take advantage of the ways SharePoint 2010 allows you to “unpack” your security model directly in your site. Here’s what you can do pretty easily:
  • Check the permissions that have been assigned to a group across the entire site collection.

  • On an individual object, display the permission levels and how those permissions were applied (for example, “given directly” or “given through the [Site Name] Members group”).

Here’s what you can’t do with the native interface: check the permissions that have been assigned to an individual across the entire site collection (which should give you the best incentive possible to try to always put users in a group and avoid giving users individual permissions) or audit who has made security changes to various securable objects.

Checking Permissions Assigned to a Group

To examine how permissions have been assigned to a group across a site collection, you must have Full Control privileges. At the root of the site collection, select Site Settings, Users and Permissions, and then “People and groups.” Highlight the group in the quick launch and select Settings/View Group Permissions. You will see a list similar to the image in Figure 1, which enumerates the permissions for the Home Visitors group in a sample site collection. The list shows the URL of each securable object and the permission level that has been assigned to each group. Notice that this group has Read access to the Team Beta blog site, but that they have Contribute permissions to the Comments list. This explicit permission level assignment allows people who only have Read access to the entire site (the default permission for the default SharePoint Visitors Group) to post a comment (Contribute) to the Team Beta blog but not generate a new post.

Figure 1. View Site Collection permissions for a Group

Displaying Permission Levels on an Object

To examine permission levels for an individual object, you have to navigate to the object and look “under the covers” to find out how permissions have been assigned. If you have a very complex security model, you will have to turn over a lot of covers to audit the security across the entire collection.

From the individual object where you want to display permissions, navigate to the settings for that object.

  • For a site, this will be found under Site Settings, Users and Permissions. Click Site permissions to access the Check Permissions button. Note that People and Groups will show individuals and site groups that are available to the entire site collection, not just the current site.

  • For a Document Library, select List Settings and then the Permissions for this list option under Permissions and Management.

When you click the Check Permissions button, you will see the permissions that have been granted for a group or a user of that object. While you cannot check an individual user’s permission across the entire collection, you can check a person’s individual permissions inside a given object. However, you will not be able to identify that user Chris has Contribute permissions for most documents in a document library but only Read for a specific more secure document without examining each document to see where unique permissions have been applied. Save yourself some audit pain—if you are going to secure individual documents or items in a list or library, write down what you did in your security model and keep it current. Better still, put more secure documents in a separate document library with more restricted access. Another best practice tip is to create a test user account and use it for security validation. If you are someone with security application privileges, you automatically have access to the associated content. To verify security changes you make, add the test user as a member of the appropriate security group. Log in as that test user and validate that the content is accessible. Remove the user from the group and test again to ensure content is no longer accessible.

Figure 2 shows the results of the Check Permissions action from the perspective of the Comments list on the Team Beta Blog site shown in Figure 8-6. You can only enter one user or group name at a time when you check permissions. When permissions were “managed” for this list, the Site Owner left the Read permission level checked and then also checked the Contribute permission level, which is why you see that this group has both Contribute and Read permissions. Note that the “highest” set of privileges will always apply. Because the Contribute permission level is the same as the Read permission level with additional permissions to add, edit, and delete items and versions, it would have been OK to uncheck the Read permission level in this example, as shown in Figure 3.

Figure 2. Check permissions for a securable object: one Group at a time

Figure 3. Edit permissions

The concept of “highest” set of privileges will always apply is an important one. This means if a user is a member of two groups, Group A and Group B, where Group A has Read access to a site and Group B has Contribute access, then the user is a contributor. This is sometimes confusing from an administration perspective but can be managed somewhat by limiting the number of security groups applied to a securable object.


This section contains some examples of reported issues and questions with security application in SharePoint and the associated potential resolutions/answers. This list is not exhaustive but is intended to demontrate some additional learning elements associated with Share Point secuity management.

  • “SharePoint is denying me access to a site.” First, it is very important to note that SharePoint handles authorization but not authentication. You can’t get to a SharePoint site without first being authenticated (that is, associated with valid credentials). Once SharePoint knows who you are, it applies security to determine whether you are authorized to see all, some, or none of the content. If a user does not have access rights, a dialog box is presented so alternate credentials may be entered. After three failed attempts, the dialog box is removed, and the user is redirected to an error (or access denied) page. The security model would need to be altered to grant this user the appropriate access.

  • “Certain users can no longer access their team site, and security has not been changed.” There is a scenario worth mentioning here. If a site contributor places an image on the site and the image is located (and secured) in a different location, then that security is applied at the time of page rendering. So in this example, a user may be prompted with the security dialog box because that user does not have access to that image. This is why security must be well-mapped in early stages where, in this case, an openly available image library has the necessary read access.

  • “How do I know if I have site administration rights?” The quickest and simplest indicator is the Site Actions button. If you see it on a site, you have access to the underlying administration pages. If you don’t, then you don’t!

  • “How do I know if I have contribution rights to a library?” Similar to the previous point, if you see the library’s tool bar with the associated contribution actions in the ribbon, then you do.

  •  SharePoint 2010 : Planning Your Security Model - Defining and Documenting SharePoint Security
  •  SharePoint 2010 : Planning Your Security Model - Overview of SharePoint Security Elements
  •  Windows Server 2003 : Securing Network Communication - Securing a Wireless Network
  •  Windows Server 2003 : Securing Network Communication - Deploying IPSec
  •  Windows Server 2003 : Securing Network Communication - Planning an IPSec Implementation
  •  Web Security : Automating with LibWWWPerl - Testing Session Fixation
  •  Web Security : Automating with LibWWWPerl - Checking Session Expiration
  •  Accept Credit Card Payments
  •  Web Security : Automating with LibWWWPerl - Simulating Form Input with POST, Capturing and Storing Cookies
  •  Web Security : Automating with LibWWWPerl - Writing a Basic Perl Script to Fetch a Page, Programmatically Changing Parameters
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us