Managing Cross-Site Groups

Windows SharePoint Services
Managing users and rights

Agenda
• Authentication and Authorization
• Site Administrators
• Box Administrators
• Managing Users and Site Groups
• WSS Object Permissions

Managing Sites and Sub-sites
• Manage immediate set of sub-sites for the current site*
• View full list of sub-sites for the site collection**
• Managed from HTML pages or command line
• Site creation is a simple two-step process

Authentication
• Authentication – the verification of identity of a person or process
  – Different from authorization, which determines which functions you can perform
• WSS does not perform its own authentication – this is handled by IIS
• IIS's authentication mechanism requires an NT account (either local or AD)

Authentication Setup
• Two main setups for authentication – account creation mode or pre-existing domain
• With a pre-existing domain, use IIS with Windows authentication enabled, no new user accounts needed
• Account creation mode is a feature, selected at install time, that will generate a new account in the AD for each user – pre-existing accounts cannot be used. IIS is set up to use basic or digest authentication
• Don't use local machine accounts!
  – Migrating will be a big pain if you do
• Passport authentication and WSS don't work well together

Anonymous Access
• Anonymous access is limited – the most anonymous users can do is insert list items
  – By default, it is turned off, both at the web site level and at the IIS level
  – WSS UI is sensitive to IIS setting
• Setting anonymous access is done at myriad different points
  – IIS setting for the virtual server
  – On/Off switch at the web site level
  – Rights mask at the individual list level

Demo
Anonymous Access Configuration

Site Collections
• A Site Collection is a set of logically related Web Sites that can be collectively managed
• Each Site Collection has a single top level Web Site
• Individual users can be marked as Site Collection Administrators
  – This grants them full access to all content

Box & WSS Administrators
• WSS supports two sets of high level administrators, box admins and SharePoint Administrative Group members
  – SharePoint Administrative Group is defined in WSS Central Administration
  – WSS checks to see if the current user is a box admin or in the domain group. If so, full access is granted to all site collections
• Four differences between abilities of box admins and WSS admins
  – Change configuration database
  – Change WSS admin domain group
  – Manage content paths
  – Extend/unextend IIS virtual servers

Security & Site Collections
• Site collection administrators have three main responsibilities
  – Users and cross-site groups on the site collection
    • Users are rolled up at the site collection level, and can be managed there
    • Cross-site groups are scoped to the site collection level
  – Quota issues for the site collection
  – Rights mask for the site collection

Demo
Setting Up the Administrative Group

WSS Authorization
• Whereas WSS relies on IIS for authentication, WSS performs all its own authorization
• Implementation is similar to NT system
  – WSS-specific ACLs dictate access
    • ACL is a collection of ACEs, each of which maps a security principal (user, group, etc.) to a set of rights
  – NT is called for domain group resolution

Managing Users
• Users give people access to a site
• Every site has its own set of users
• The site owner can choose to inherit users from the parent site, or create a unique set of users
• Can enable Anonymous access on
  – Entire Site, Lists and Libraries or Nothing
• Can enable access for all authenticated users as
  – Readers or Contributors
• Can manage all users in a site collection
Site Settings → Go to Site Administration → Manage Users

Web Site Security
• Site Groups are scoped to an individual Web Site
• Site Groups by default
  – Guest*
  – Reader
  – Contributor
  – Web Designer
  – Administrator
• Which Site Groups a user is a member of determines their default permissions to objects in that site (and any inherited web sites)
  – Membership in multiple Site Groups is possible
• A Web Site's security can be either inherited from its parent web, or unique

Managing Users and Site Groups
• Membership in a Site Group determines the rights a user has
• Use built-in groups or create your own
• Each Site Group has a set of rights
• Copy feature allows you to copy all rights to another group
Site Settings → Go to Site Administration → Manage site groups

Managing Cross-Site Groups
• Group users together in one entity
• Cross-site groups must be assigned to a site group in order to give the users in the site group rights on the Site
• Can be used on any site within the site collection
• Useful if equivalent is not available as an AD Security group
Site Settings → Go to Site Administration → Manage cross-site groups

Managing Cross-Site Groups
[Diagram. Panels: AD Corporate Directory (Users: John Smith, Peter Collins, Judy Lew, Kim Clark, Paul West, Don Hall, Suzan Fine; Groups: Marketing, Sales, Production); WSS Site Users (John Smith, Judy Lew, Kim Clark); WSS Cross-Site Groups (Managers, Regional VPs, HR Assistants, Sales and Marketing); WSS Site Groups (Web Designer, Contributor, Reader, Administrator). Captions: "Who has Access to a Site?" and "What Rights do they have?"]
Site Settings → Go to Site Administration → Manage cross-site groups

Demo
Creating Site Groups and Cross-Site Groups

Permissions in WSS
• WSS uses "rights" - a right is a privilege that allows a user to perform an action on the server.
  – Example: View Pages, Insert List Items, Change List Permissions.
  – There are currently about 20 rights.
  – Some rights are dependent on others. Example: Insert List Items has View List Items as a dependent.
• At the IIS virtual server level there is a "rights mask"
  – This enables/disables rights for use on Web Site Collections within that virtual server
  – Is settable by box administrators and WSS administrators
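
The authorization model from the slides above (ACL entries mapping principals to site groups, cross-site groups, dependent rights and the virtual-server rights mask), as an added Python sketch that is not part of the original deck and does not use the WSS object model. The rights given to each site group, the group memberships and the `xsg:` prefix are constructed for illustration.

```python
# Simplified model of the WSS authorization flow described in the slides.
# Right names come from the slides; everything else is constructed sample data.

# Dependent rights: Insert List Items has View List Items as a dependent.
DEPENDS_ON = {"Insert List Items": {"View List Items"}}

def with_dependencies(rights):
    """Expand a set of rights with every right it depends on."""
    expanded, todo = set(), list(rights)
    while todo:
        right = todo.pop()
        if right not in expanded:
            expanded.add(right)
            todo.extend(DEPENDS_ON.get(right, ()))
    return expanded

# Site groups are scoped to one web site; each has a set of rights (constructed).
SITE_GROUPS = {
    "Reader": {"View Pages", "View List Items"},
    "Contributor": {"View Pages", "Insert List Items"},
}

# Site ACL: each entry maps a principal (user or cross-site group) to site groups.
SITE_ACL = {
    "Judy Lew": {"Reader"},
    "xsg:Managers": {"Contributor"},
}

# Cross-site groups are scoped to the site collection (constructed membership).
# "xsg:HR Assistants" is not assigned to any site group on this site.
CROSS_SITE_GROUPS = {
    "xsg:Managers": {"Kim Clark"},
    "xsg:HR Assistants": {"Paul West"},
}

def effective_rights(user, rights_mask):
    """Union the rights of every site group reached directly or through a
    cross-site group, then keep only rights the virtual server enables."""
    principals = {user} | {g for g, m in CROSS_SITE_GROUPS.items() if user in m}
    granted = set()
    for principal in principals:
        for site_group in SITE_ACL.get(principal, ()):
            granted |= with_dependencies(SITE_GROUPS[site_group])
    return granted & rights_mask

def is_allowed(user, right, rights_mask):
    return right in effective_rights(user, rights_mask)

ALL_RIGHTS = {"View Pages", "View List Items", "Insert List Items"}
READ_ONLY_MASK = ALL_RIGHTS - {"Insert List Items"}  # mask disables inserts
```

Paul West ends up with no rights because his cross-site group has not been assigned to a site group, and the read-only mask removes Insert List Items from Kim Clark even though the Contributor site group grants it.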

User Level Security and Web Parts
• Shared and Personal modes
  – Shared mode changes seen by all users
  – Personal mode changes seen only by the individual making them
• Rights controlling user modes:
  – Shared:
    • Add or customize pages – allows shared mode changes for parts and pages outside document libraries
    • Edit list items – allows shared mode changes for parts and pages inside document libraries
  – Personal:
    • (Add or Remove Private Web Parts) Personalize Web Part pages – allows users to add/delete parts in personal mode for pages in webs and document libraries
    • (Updated Personal Web Parts) Personalize Web Parts – allows users to modify part properties in personal mode for pages in webs and document libraries

Demo
Assigning Permissions

Upcoming sessions
• Monday 10/05/2004 at 10:30 – WSS and custom templates: sites, lists, libraries
• Tuesday 25/05/2004 at 10:30 – Introduction to XML in Office 2003 (non-developers)