Site groups allow you to grant roles to users and groups. You can think of a site group as a set of permissions that restrict what tasks a user can and cannot perform within your SharePoint site. As a site administrator, you can create specific site groups for specific users and functions. Once you have your site group created, you can link it to either a specific user or a specific group.
SharePoint installs five default site groups that you can apply in most situations. Each of the default groups allows different permissions that are useful for different types of users. However, if the default groups do not suit your needs, you can also create custom groups.
The guest site group provides the lowest possible permission level to users without denying site access. This group restricts users and user groups to read-only access. You should use this site group for default users and groups that are not assigned to a site group with greater access rights.
The reader site group has more access than the guest site group. A reader has permission to:
Read all content in the site.
Create a new site using the "Self-Service Site Creation" option. Self-service site creation allows a user to create a new top-level site. When a user creates a new site, he becomes the administrator of that site but still maintains his existing site groups for other areas in SharePoint.
A user assigned to the reader site group cannot make modifications to content on the site. You assign this site group to users and groups who need access to content on the site but do not need to modify the content.
The contributor site group inherits the reader site group permissions, plus the ability to:
Add, modify, and delete content in existing document libraries and lists
Manage personal views
Add and remove personal Web Parts
Create cross-site groups
A contributor cannot create a document library; however, he can add content to, delete content from, or modify content on an existing library.
You should assign this site group to users and groups who need full control over content in document libraries and lists.
The web designer site group inherits the contributor site group permissions, plus the ability to:
Manage lists and document libraries
Create and modify web pages
Manage themes and borders
Apply style sheets to the site
The web designer site group provides advanced control over a SharePoint site, without granting full administrative control. You should assign this site group to users and groups who are taking ownership of a SharePoint site. Keep in mind that a user in the web designer group does not have full administrative control, although she does have great power over how the site is organized and maintained.
The final default site group, administrator, inherits the web designer site group permissions, plus the ability to:
Manage groups for the site
Create sites
Create workspace sites
Manage list permissions
View usage analysis data
You cannot delete or customize the administrator site group, and one user must always be assigned to this group. You should only grant this permission type to users who are going to control access to sites. Generally, this role is reserved for system administrators and other users who have full trust within an organization. Most users do not need any rights higher than the web designer group.
By default, SharePoint assigns users to site groups. To change the default site group that the user receives, modify the Anonymous Access settings on the Site Settings screen. To modify these settings, follow the following steps:
Click Site Settings at the top of the screen.
Click on the link Go to Site Administration under the heading Administration.
Click on the link Manage Anonymous Access under the heading Users and Permissions.
Under the section All Authenticated Users, you can change the drop-down list to a new default site group.
Figure 4-1 shows the Change Anonymous Access Settings page, which is used to assign users to specific site groups and to determine what access anonymous users are granted.
You can change a user's site group assignment. Site groups are assigned at three levels:
Global
Site
Object
The Section 4.4 discusses these topics in detail.
The default site groups do not solve every situation. To provide maximum flexibility, Windows SharePoint Services lets you to create, modify, and delete site groups. By allowing customization of site groups, SharePoint allows you to create a flexible security architecture that adapts to your business requirements.
You can assign multiple site groups to a user. If two site groups conflict, the site group that applies to the immediate content being viewed is applied. For instance, you could assign a user to the reader site group for the corporate Human Resources SharePoint team site, the web designer site group for the Training SharePoint team site, and the contributor site group everywhere else. In this scenario, when a user accesses the Human Resources site, two site groups conflict: reader and contributor. Because the user is viewing the Human Resources site (the most immediate content), he will have reader access and the contributor site group will not be valid.
Get SharePoint User's Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.