There are times when it is critical for the Farm Administrator to designate security policies for a web application. An administrator can do this from Central Administration, and it overrides security implemented at the site collection and sub-site levels.
The following are some useful scenarios where this may be implemented:
Enterprise organizations need to designate at least one person as the Site Administrator. Once assigned, they are the administrator of the web application. This is not to be confused with the Farm Administrator or a Site Collection Administrator.
When bringing sites online, it is advantageous to set up security to deny access to all users and allow access only to your beta users. After the site is live, you can remove these restrictions.
In this recipe, we will show how to create a new policy and then add users to it.
Getting ready
You must have farm-level administrative permissions to the Central Administration site. There must be a web application set up.
How to do it...
Open up the SharePoint 2010 Central Administration website.
Click Application Management.
Under the first section named Web Applications, click Manage web applications.
Click the web application and see the ribbon light up. The rightmost button is Permission Policy; click on it.
A pop-up form appears. Click Add Permission Policy Level.
The screen that appears is made up of five components:
Name: Create a name for the permission level with a description.
Site Collection Permissions: Selecting the Administrator option automatically grants read and write access to everything. Selecting Auditor for the site collection gives read access to everything.
List Permissions: Granular control to deny or grant rights over objects at a list level.
Site Permissions: Granular control to deny or grant rights over objects at a site level.
Personal Permissions: Gives the users in this policy control over personal views and web parts.
For the purposes of this recipe, do not select the site collection Administrator or Auditor option. Check Grant All. Click Save.
BetaFinanceTesters now appears in the list of permission policy levels. Click OK.
On the web application page, click User Policy on the ribbon.
A screen is displayed, showing users who have a policy for the web application. Click the Add Users link.
A wizard pop-up is presented. Choose the All zones option from the drop-down list. Click Next.
On the ensuing form:
Select a user (or group).
Under Choose Permissions, check BetaFinanceTesters.
Choose System Settings. Do not check the Account operates as System box.
How it works...
This recipe is broken into two parts:
Setting the permissions policy: In steps 4 to 8, we defined a custom policy that was subsequently saved in SharePoint. This policy defines the rights of the users that will belong to it. It is associated with the web application chosen.
In our recipe, we showed how to add a policy. An existing policy can be edited by clicking on it. There is also an option to delete the policy.
Designating users to that policy: In steps 9 to 11, we are selecting users or group accounts and then assigning the custom permission level to them.
Users can also be deleted or their permissions edited via step 9.
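The same two parts can be scripted from the SharePoint 2010 Management Shell, which also makes the result easy to review afterwards. This is an added example, not part of the original recipe; the web application URL, the account name and the description text are placeholders, classic-mode account names are assumed, and mapping Grant All to the FullMask permission value is an assumption.

```powershell
# Added example: scripted equivalent of the recipe, followed by a review listing.
# Run as a farm administrator in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url     = "http://intranet.example.local"   # placeholder web application URL
$account = "EXAMPLE\beta.tester"             # placeholder user or group (classic-mode name)
$name    = "BetaFinanceTesters"              # permission policy level used in the recipe

$wa = Get-SPWebApplication $url

# Part 1: the permission policy level. Reuse it if it already exists.
# Grant All is assumed to correspond to FullMask; nothing is denied.
# The Administrator and Auditor options are left at their default (off).
$role = $wa.PolicyRoles | Where-Object { $_.Name -eq $name }
if (-not $role) {
    $role = $wa.PolicyRoles.Add($name, "Beta testers (placeholder description)",
        [Microsoft.SharePoint.SPBasePermissions]::FullMask,
        [Microsoft.SharePoint.SPBasePermissions]::EmptyMask)
}

# Part 2: the user policy. $wa.Policies applies to all zones, as chosen in the wizard.
$policy = $wa.Policies | Where-Object { $_.UserName -eq $account }
if (-not $policy) {
    $policy = $wa.Policies.Add($account, $account)
}
$policy.IsSystemUser = $false   # "Account operates as System" stays unchecked
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $name })) {
    $policy.PolicyRoleBindings.Add($role)
}
$wa.Update()

# Review: every account with a web application policy and what it is granted or denied.
# These entries override site collection and sub-site permissions, so check them
# before go-live and again when the beta restrictions are removed.
$wa.Policies | ForEach-Object {
    $p = $_
    $p.PolicyRoleBindings | Select-Object `
        @{ n = 'User';   e = { $p.UserName } },
        @{ n = 'System'; e = { $p.IsSystemUser } },
        Name, GrantRightsMask, DenyRightsMask
} | Format-Table -AutoSize
```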