2.5 Security Model 37
Chapter 2
2.4.4 Search
Search is a core service in WSS 3.0 that allows you to search a site collection
or individual site for content. The search itself is completely different from
that in WSS 2.0 and delivers far more value. We cover both WSS 3.0 and
MOSS search in Chapter 6.
2.5 Security Model
Security covers a wide gamut of features, from item-level permissions to secu-
rity-trimmed user interface and pluggable authentication. The new security
model is key in being able to meet the needs of the different solutions areas,
so let’s take a closer look at it.
2.5.1 Authorization
By authorization we are referring to who is authorized to do what. Figuring
out someone’s identity is the purpose of authentication, and it goes hand in
hand with authorization. For now, let’s assume we know who someone is and
examine the ways we can control what that person is and isn’t allowed to do.
A major change from WSS 2.0 security is in the separation of groups
and permissions. In WSS 2.0, permissions were associated with site groups
(such as Administrators, Readers, Web Designer, etc.) and you added security
principles (users and Windows security groups) to the site groups. Doing so
automatically granted the security principle the permissions associated with
the site group. In WSS 3.0, you still have the concept of groups that contain
security principles, but you now have separate permissions that have to be
assigned to a user or group before they can have access to a securable object
such as a site, list, or library or item.
There are five main elements for authorization:
n Individual permissions: Grant the ability to perform specific actions.
For example, the View Items permission grants the user the ability to
view items in a list. The list of individual permissions that are avail-
able are farm-wide, but can be controlled at the Web Application
level by a farm-level administrator.
n Permission level: A way of grouping individual permissions together for
easier management and assignment. There are five default permission
levels: Limited Access, Read, Contribute, Design, and Full Control.
You can add new permission levels or change the default levels. Per-
mission levels are per site and can either be inherited from a parent site
or explicitly set at a sub site, library, or item level.
38 2.5 Security Model
n User: A person with a user account that can be authenticated through
the authentication method used for the server. If we are using the
default authentication method, this would typically be an Active
Directory user object.
n Group: A group of users. Can be a Windows security group that you
add to the site, or a SharePoint Group such as Site Owners, Site Mem-
bers, or Site Visitors. SharePoint Groups are new to WSS 3.0 and
essentially take over from site groups. They provide a way for Share-
Point site collection administrators to group users together without
having to rely on IT to create Windows Security Groups. There are
some default SharePoint Groups, but you can create your own. Any-
one assigned a permission level that includes the Create Groups per-
mission (included in the Full Control permission level by default) can
create custom SharePoint groups.
n Securable object: Users or groups (either Windows Security groups or
SharePoint Groups) are assigned a permission level for a specific
securable object: site, list, library, folder, document, or item. By
default, permissions for a list, library, folder, document, or item are
inherited from the parent site, parent list, or library. However, anyone
assigned a permission level for a particular securable object that
includes the Manage Permissions permission can change the permis-
sions for that securable object. By default, permissions are initially
controlled at the site collection level, with all lists and libraries inher-
iting the site permissions. Use list-level, folder-level, and item-level
permissions to further control which users can view or interact with
the site content. You can return to inheriting permissions from a par-
ent list, the site as a whole, or a parent site, at any time. Note that it is
best practice to always use a group when assigning a permission level
to a securable object for ease of maintenance. Granting individual
user access should only be done on an exception basis.
Tabl e 2 . 1 Personal Permissions
Permission Definition
Manage Personal Views Create, change, and delete personal views of lists
Add/Remove Personal Web Parts Add or remove personal Web Parts on a Web Part
Page
Update Personal Web Parts Update Web Parts to display personalized infor-
mation
Get Microsoft SharePoint 2007 Technologies now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
