Configuring Users across Site Collections

This blog posting applies to Microsoft Office SharePoint Server 2007.

SharePoint provides tools for administrators to manage users and groups that should have access to all sites within individual site collections. Managing users and groups that should have common types of access to sites across different site collections is different. Here are two out-of-box features that affect user permissions across multiple site collections.

Controlling permissions globally

SharePoint Central Admin >> Application Management >> User Permissions for Web Applications

This setting allows you to configure what permissions are available in all sites in a particular web application. By default, all permissions are available; with this setting, you can disable certain permissions, which has two effects:

1. The permission will be denied to everyone accessing the site, even if they previously were configured to have the permission.

2. The permission won’t appear in site settings screens that allow administrators to choose rights for users and groups.

Re-enabling a permission on this screen will reverse the two effects; individual permissions will revert to what they were before the global permission was disabled.

Controlling users globally

SharePoint Central Admin >> Application Management >> Policy for Web Applications

This configuration area allows you to specify permissions for users and groups that will be honored by all site collections within a web application. While this sounds like the “silver bullet” for centralized user management, it must be understood in greater detail from an operations perspective in order to plan for proper usage. Some facts that impact this understanding are:

  • Use of this configuration is restricted to farm administrators and server administrators.
  • Settings enforced by policy override local settings configured by site administrators.
  • Several policies may be created for the same users and groups in order to control access via different zones, such as are encountered in scenarios for intranet/extranet access.

Custom, centralized user management

Some have asked how to make a centralized tool to manage users across different site collections.  Additional analysis would be necessary to understand how this tool should behave.  For instance, how should access to the centralized management be governed? If rights for using this tool are restricted to a small set of users, then the process for accommodating a constant stream of requests for managing user access must be defined and perhaps automated. If rights for using the tool are not so restricted, then a process for enforcing proper usage must be defined. Would centralized administration override local site administrators in all cases, or would there be instances in which administration should still be delegated, according to SharePoint’s default model?

My recommendation is to stick with out-of-box user management:

  • Design reader rights for a large group of users, such as All Authenticated Users and/or custom domain groups.
  • Allow site administrators to expand rights by assigning groups and users that require access to their site collections.

If this approach doesn't seem to meet your needs at first, don't assume it will be easier to design a centralized mechanism; turn to that only if you understand that it will be a significant undertaking.

Comments