Moss2010 Security

March 16, 2018 | Author: barjep | Category: Share Point, Active Directory, Websites, World Wide Web, Technology


Comments



Description

Planning, Administration, Configuration, Setup, Migration, and UpgradeEnvironment Specification All computers in the demonstration environment are virtualized running on Windows Server 2008 R2 Hyper-V. The computers are joined to a single Windows domain, “vmlab.local”, running in Windows Server 2008 Forest and Domain function levels. Client Computer o Windows 7 Professional 64 bit SharePoint Web Front Ends o Windows 2008 R2 Enterprise 64 bit o Services  Web Application Service o Load balanced with Windows NLB SharePoint Application Server o Windows Server 2008 R2 Enterprise 64 bit o Microsoft SharePoint Server 2010 (RTM) o Services  WIF Claims to Windows Token Service  Managed Metadata Service  SharePoint Index  SharePoint Query  Excel Services  Visio Graphics Service  Business Connectivity Services  Performance Point Services SQL Services o Windows Sever 2008 R2 Enterprise 64 bit o Microsoft SQL Server 2008 R2 Enterprise 64 bit o Active/Passive Configuration o SQL Services  SQL Data Engine  SQL Analysis Services  SQL Agent  SQL Browser SQL Reporting Server o Windows Server 2008 R2 Enterprise 64 bit (RTM) o Microsoft SQL 2008 R2 Enterprise 64 bit (RTM) o Microsoft SharePoint Server 2010 (RTM) o Windows NLB Load balanced o Reporting Service SharePoint integrated mode o Reporting Services Scaled out mode Plan authentication methods (SharePoint Foundation 2010) Supported authentication methods SharePoint Foundation 2010 supports authentication methods that were included in previous versions and also introduces token-based authentication that is based on Security Assertion Markup Language (SAML) as an option. The following table lists the supported authentication methods. Method Windows Examples NTLM Kerberos Anonymous Basic Digest Notes Forms-based authentication Lightweight Directory Access Protocol (LDAP) Microsoft SQL Server database or other database Custom or thirdparty membership and role providers SAML token-based authentication Active Directory Federation Services (AD FS) 2.0 Supported only with SAML 1.1 that uses the WS-Federation Passive profile. Client certificate authentication is possible through integration with AD Third-party identity provider Lightweight Directory Access Protocol (LDAP) FS 2.0. For additional information, see Configure Client Certificate Authentication (SharePoint Foundation 2010). Authentication modes — classic or claims-based SharePoint Foundation 2010 introduces claims-based authentication, which is built on Windows Identity Foundation (WIF). You can use any of the supported authentication methods with claims-based authentication; or you can use classic-mode authentication, which supports Windows authentication. Claims-based authentication is built on WIF, which is a set of .NET Framework classes that are used to implement claims-based identity. Claims-based authentication relies on standards such as WS-Federation, WS-Trust, and protocols such as SAML. For more information about claimsbased authentication, see the following resources: Claims-based Identity for Windows: An Introduction to Active Directory Federation Services 2.0, Windows CardSpace 2.0, and Windows Identity Foundation (white paper) (http://go.microsoft.com/fwlink/?LinkId=198942) Windows Identity Foundation home page (http://go.microsoft.com/fwlink/?LinkId=198943) For new implementations of SharePoint Foundation 2010, you should consider claims-based authentication. By using claims-based authentication, all supported authentication types are available for your Web applications. When you create a Web application, you select one of the two authentication modes to use with the Web application, either claims-based or classic-mode. A SharePoint Foundation 2010 farm can include a mix of Web applications that use both modes. In this scenario. Windows accounts are converted into Windows claims. Additionally. The claims token contains the claims pertaining to the user. You do not have to be a claims architect to use claims-based authentication in SharePoint Foundation 2010. user Windows accounts and forms-based accounts can be augmented with additional claims that are used by SharePoint Foundation 2010. For example. depending on which identity they use to log in. Some services do not differentiate between user accounts that are traditional Windows accounts and Windows claims accounts. For example. If you select claims-based authentication. SharePoint developers and administrators can augment user tokens with additional claims. This is because services and service applications use claims identities for inter-farm communication regardless of the mode that is selected for Web applications and users. SharePoint Foundation 2010 automatically changes all user accounts to claims identities. as described later in this article. resulting in a claims token for each user. Implementing Windows authentication The process of implementing Windows authentication methods is similar for both authentication modes (classic or claims-based).If you select classic-mode. Forms-based membership users are transformed into forms-based authentication claims. regardless of the authentication mode that is configured for Web applications. Claims that are included in SAML-based tokens can be used by SharePoint Foundation 2010. implementing SAML token-based authentication requires coordination with administrators of your claims-based environment. you can implement Windows authentication and the user accounts are treated by SharePoint Foundation 2010 as Active Directory Domain Services (AD DS) accounts. the user is not interpreted as multiple user accounts. Choosing claims-based authentication for a Web . a user who belongs to sites that are configured to use a mix of authentication modes may receive search results that include results from all the sites that the user has access to. However. users who belong to more than one user repository that is recognized by SharePoint Foundation Web applications are treated as separate user accounts. However. 4. Configure Kerberos authentication for SQL Server communications by creating SPNs in AD DS for the SQL Server service account. the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). Services or applications that access SharePoint Server in Integrated Windows authentication mode will attempt to authenticate by using the credentials of the running thread. Kerberos protocol is a secure protocol that supports ticketing authentication. for claims-authentication Web applications. 5. these credentials are the credentials that the user used to log on to the computer. Use of the Kerberos protocol requires additional configuration of the environment. By default. Configuring the Kerberos protocol involves setting up service principal names (SPNs) in AD DS before you install SharePoint Foundation 2010. Install the SharePoint Foundation 2010 farm. This section summarizes the process for each method. . The following steps summarize the process of configuring Kerberos authentication: 1. To enable Kerberos authentication. Constrained delegation is required to convert claims to Windows tokens. which is the identity of the process by default. 3. Simply select this option when you are creating a Web application. the Claims to Windows Token Service must be configured for constrained delegation. which let clients seamlessly authenticate without being prompted for credentials. Configure specific services within the farm to use specific accounts. Users who access SharePoint sites from Windows Explorer will authenticate by using the credentials the Internet Explorer process is running under. Integrated Windows authentication — Kerberos and NTLM Both Kerberos protocol and NTLM are Integrated Windows authentication methods. Note: The Claims to Windows Token Service does not support crossing domain boundaries between forests. For more information.application does not increase the complexity of implementing Windows authentication methods. Create SPNs for Web applications that will use Kerberos authentication. Additionally. Create the Web applications that will use Kerberos authentication. 2. NTLM is the simplest form of Windows authentication to implement. see Configure Kerberos authentication (SharePoint Foundation 2010). microsoft. see Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products and Technologies (white paper) (http://go. see Configure Kerberos authentication for the claims to Windows token service (SharePoint Foundation 2010). the system issues a cookie that contains a key for reestablishing the identity for subsequent requests. Kerberos authentication allows delegation of client credentials to access back-end data systems. Forms-based authentication can be used against credentials stored in AD DS. If the request can be authenticated. Scenario Delegating a client's identity to a back-end server.com/fwlink/?LinkID=197178). Novell Directory Services (NDS).For more information about how to configure this service. Forms-based authentication enables user authentication based on validation of credential input from a logon form. Identity delegation for Excel Services in SharePoint For more information about how to configure Kerberos authentication. Configure constrained delegation for the Excel Services service account. or Sun ONE. including configuration steps for common scenarios. Identity delegation for Microsoft SQL Server Reporting Services (SSRS) Additional configuration Configure Kerberos constrained delegation for computers and service accounts. forms-based authentication is available only when you use claims-based authentication. The following table provides examples. Unauthenticated requests are redirected to a logon page. in a database such as a SQL Server database. . Implementing forms-based authentication Forms-based authentication is an identity management system that is based on ASP. Digest authentication and Basic authentication Implementing Digest and Basic authentication requires configuring these authentication methods directly in Internet Information Services (IIS). Displaying RSS feeds to authenticated content. where the user must provide valid credentials and submit the form. or in an LDAP data store such as Novell eDirectory.NET membership and role provider authentication. which requires additional configuration depending on the scenario. Configure delegation for SQL Server Reporting Services. Configure SPNs for SQL Server Reporting Services accounts. Configure constrained delegation for servers that run Excel Services. In SharePoint Foundation 2010. In the previous version. You register role managers in the Web. SharePoint Foundation 2010 takes advantage of claims that are included in tokens provided by an IP-STS to authorize users. an application that accepts SAML tokens is known as a relying party STS (RP-STS). For more information about how to configure forms-based authentication. you must register the membership provider and the role manager in the Web.com/fwlink/?LinkId=198944) MSDN article: Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples (http://go. each Web application that is configured to use a SAML provider is added to the IP-STS server as a separate RP-STS entry. Each ASP. . In SharePoint Foundation 2010. Registering the role manager is a new requirement for SharePoint Foundation 2010. whether it is your own internal environment or a partner environment. you must register the membership provider and role manager in the Web.config file for the Central Administration Web site. AD FS 2. Tokens can include any number of claims about a user. SharePoint Foundation 2010 uses the standard ASP. this was optional. MSDN blog article: Claims-based authentication "Cheat Sheet" Part 1 (http://go.To use forms-based authentication to authenticate users against an identity management system that is not based on Windows or that is external.microsoft.NET role is treated as a domain group by the authorization process in SharePoint Foundation 2010. If you want to manage membership users or roles from the SharePoint Central Administration Web site.config file for the Web application that hosts the content. In claims environments.NET role manager interface to gather group information about the current user. You must also register the membership provider and the role manager in the Web.config file. A claims-based environment includes an identity provider security token service (IP-STS).com/fwlink/?LinkId=198945) Implementing SAML token-based authentication SAML token-based authentication requires coordination with administrators of a claims-based environment.0 is an example of a claims-based environment. see the following resources: TechNet article: Configure forms-based authentication for a claims-based Web application (SharePoint Foundation 2010). A relying party application receives the SAML token and uses the claims inside to decide whether to grant the client access to the requested resource. A SharePoint farm can include multiple RP-STS entries. such as a user name and groups the user belongs to. The IPSTS issues SAML tokens on behalf of users who are included in the associated user directory.config file the same way that you register membership providers for authentication.microsoft. Create a new authentication provider by using Windows PowerShell to import the token-signing certificate. You must also create and specify a realm that is associated with the first SharePoint Web applications that you are configuring for SAML token-based authentication. 6. Define the claim that will be used as the unique identifier of the user.Implementing SAML token-based authentication with SharePoint Foundation 2010 involves the following processes that require advance planning: 1. For each realm that is added to the SPTrustedIdentityTokenIssuer. Copy the certificate to a server in the SharePoint Foundation 2010 farm. Define additional claims mappings. Export the token-signing certificate from the IP-STS. Claims mappings are created by using Windows PowerShell. User roles are an example of a claim that can be used to assign permissions to resources in the SharePoint Foundation 2010 farm. The authentication provider will appear as an option in Central Administration when claims mode is selected for the Web application. Coordinate with the administrator of the IP-STS to determine the correct identifier because only the owner of the IP-STS knows the value in the token that will always be unique per user. . Define the additional claims from the incoming token that will be used by the SharePoint Foundation 2010 farm. 2. Identifying the unique identifier for the user is part of the claims-mapping process. Regardless. 4. All claims from an incoming token that do not have a mapping will be discarded. 5. This is known as the identity claim. This certificate is known as the ImportTrustCertificate. you specify the identity claim and additional claims that you have mapped. After the SPTrustedIdentityTokenIssuer is created. 3. This is how you configure multiple Web applications to use the same SPTrustedIdentityTokenIssuer. During this process. you must plan the URL before you create the Web applications. This process creates the SPTrustedIdentityTokenIssuer. Create a new SharePoint Web application and configure it to use the newly created authentication provider. Many examples of this process use the user e-mail name as the user identifier. you must create an RP-STS entry on the IP-STS. you can create and add more realms for additional SharePoint Web applications. This can be done before the SharePoint Web application is created. consider setting network load balancing to single affinity. you should plan to create a custom claims provider that implements custom search and name resolution. Claims from different trusted STS environments will not conflict. MSDN blog article: Claims-based authentication "Cheat Sheet" Part 2 (http://go. or claim. we recommend that you work with the administrator of your internal claims environment to establish a trust relationship from your internal IP-STS to the partner STS. group. there might be an effect on the performance and functionality of client Web-page views. When AD FS provides the authentication token to the client. All providers that are configured will appear as options in Central Administration. see Custom claims providers for People Picker (SharePoint Foundation 2010). which might result in rejection of the token. For more information about how to configure SAML token-based authentication. If the load-balanced solution is not using affinity. regardless of whether it is a valid user.You can configure multiple SAML token-based authentication providers. For more information. Any text entered in the People Picker control will automatically be displayed as if it had been resolved.microsoft. you can only use a token-signing certificate once in a farm. Note: If you use SAML token-based authentication with AD FS on a SharePoint Foundation 2010 farm that has multiple Web servers in a load-balanced configuration. This approach does not require adding an additional authentication provider to your SharePoint Foundation 2010 farm. After this occurs. SharePoint Foundation 2010 redirects the client to authenticate again back to the AD FS server. to protect against a denial of service attack. each secured element is authenticated to more than one SharePoint Foundation 2010 server. It also allows your claims administrators to manage the whole claims environment. see the following resources: TechNet article: Configure authentication using a SAML security token (SharePoint Foundation 2010). If performance is adversely affected or pages do not load completely. This behavior is by design. This isolates the requests for SAML tokens to a single Web server. After the token is rejected. If you are implementing SAML token-based authentication with a partner company and your own environment includes an IP-STS. Note: When a Web application is configured to use SAML token-based authentication. that token is submitted to SharePoint Foundation 2010 for each permission-restricted page element. However. If your SharePoint Foundation solution will use SAML token-based authentication. the SPTrustedClaimProvider class does not provide search functionality to the People Picker control.com/fwlink/?LinkId=198946) . an AD FS server might reject multiple requests that are made in a short time period. TechNet blog article: Planning Considerations for Claims Based Authentication in SharePoint 2010 (http://go.com/fwlink/?LinkId=198948) TechNet blog article: How to Create Multiple Claims Auth Web Apps in a Single SharePoint 2010 Farm (http://go. However. Each Web application can include as many as five zones. the default zone is created.microsoft. in the current version.com/fwlink/?LinkId=198949) Choosing authentication for LDAP environments LDAP environments can be implemented by using either forms-based authentication or SAML token-based authentication. Multiple zones can be used also. only Windows authentication can be implemented when classic mode is selected. However. Consequently.1. Planning zones for Web applications Zones represent different logical paths for gaining access to the same sites in a Web application. claims authentication allows multiple types of authentication to be implemented on the same zone. In previous versions. Additional zones are created by extending the Web application and selecting one of the remaining zone names: intranet. or to implement the same type of Windows authentication against different Active Directory stores. Your plan for zones will depend on which of the following modes is selected for a Web application: Classic mode — Similar to previous versions. Profile synchronization is not supported with LDAP providers that are not associated with ADFS 2. Internet.1 and SAML Token 1. When a Web application is created. multiple zones can be used only to implement multiple types of Windows authentication. or custom.0. We recommend that you use forms-based authentication because it is less complex. extranet. zones are used to implement different types of authentication for users coming from different networks or authentication providers. only one type of authentication can be implemented per zone. Claims authentication — Multiple authentication providers can be implemented on a single zone. Implementing more than one type of authentication on a single zone . In the current version.com/fwlink/?LinkId=198947) TechNet blog article: Creating both an Identity and Role Claim for a SharePoint 2010 Claims Auth Application (http://go. if the environment supports WS-Federation 1.microsoft.microsoft. then SAML is recommended. the following restrictions apply: Only one instance of forms-based authentication can be implemented on a zone. Otherwise. more than one type of Windows authentication cannot be implemented on a zone. . When you are implementing multiple types of authentication on the same zone. If multiple SAML token-based authentication providers are configured for a farm. we recommend that you implement multiple types of authentication on the default zone. The following diagram illustrates multiple types of authentication implemented on the default zone for a partner collaboration site. Multiple SAML providers can be configured on the same zone.If you are using claims authentication and implementing more than one type of authentication. Central Administration allows you to use both an Integrated Windows method and Basic at the same time. This results in the same URL for all users. these will all appear as options when you create a Web application or a new zone. the crawl component can use a different zone that is configured to use NTLM authentication. A dashed box surrounding partner companies shows the relationship between the user directory and the authentication type that is configured in the default zone.In the diagram. If NTLM authentication is not configured on the default zone. users from different directory stores access the partner Web site by using the same URL. Planning for crawling content The crawl component requires access to content using NTLM. For more information about this design example. Implementing more than one zone If you plan to implement more than one zone for Web applications. At least one zone must be configured to use NTLM authentication. use the following guidelines: . see Design sample: Corporate deployment (SharePoint Server 2010). Only add new access points when these are required. Consequently. Ensure that at least one zone is configured to use NTLM authentication for the crawl component. Typically.Use the default zone to implement your most secure authentication settings. Each zone is associated with a new IIS site and domain for accessing the Web application. If a request cannot be associated with a specific zone. . the most secure authentication settings are designed for end-user access. Use the minimum number of zones that are required to provide access to users. The default zone is the zone that is created when you initially create a Web application. the authentication settings and other security policies of the default zone are applied. Do not create a dedicated zone for the index component unless it is necessary. end users are likely to access the default zone. The following diagram illustrates multiple zones that are implemented to accommodate different authentication types for a partner collaboration site. The service is used for inter-farm communication because all inter-farm communication uses claims authentication.In the diagram. Architecture for SAML token-based providers The architecture for implementing SAML token-based providers includes the following components: SharePoint security token service This service creates the SAML tokens that are used by the farm. Employees use a different zone depending on whether they are working in the office or are working remotely. You must configure the security token service during the deployment process. see Design sample: Corporate deployment (SharePoint Server 2010). . and SAML token-based authentication. Each zone has a different URL associated with it. For more information about this design example. the default zone is used for remote employees. The service is automatically created and started on all servers in a server farm. including Windows authentication. This service is also used for authentication methods that are implemented for Web applications that use claims authentication. forms-based authentication. The identity claim is created as a regular claims mapping during the process of mapping all desired claims. A SharePoint Foundation farm can include multiple RP-STS entries. The first realm is specified when you create the SPTrustedIdentityTokenIssuer. After you add the realm to the SPTrustedIdentityTokenIssuer. Other claims These claims consist of additional claims from a SAML ticket that describe users. or other kinds of claims such as age. Realms are specified by using syntax similar to the following: $realm = "urn:sharepoint:mysites". The certificate is copied to one server in the farm. you can add more realms for additional Web applications. you specify the realms. or Web application URLs. the URI or URL that is associated with a SharePoint Web application that is configured to use a SAML token-based provider represents a realm.For more information. one at a time. the claim that represents the identity claim. each Web application that is configured to use a SAML provider is added to the IP-STS server as an RP-STS entry. All claims mappings are created as objects that are replicated across the servers in a SharePoint Foundation farm. After a realm is added to the SPTrustedIdentityTokenIssuer. However. Identity claim The identity claim is the claim from a SAML token that is the unique identifier of the user. after you create the SPTrustedIdentityTokenIssuer. This process involves specifying the URL for the Web application. you specify which token-signing certificate to use. and any additional claims. Token-signing certificate (ImportTrustCertificate) : This is the certificate that is exported from an IP-STS. The claim that serves as the identity claim is declared when the SPTrustedIdentityTokenIssuer is created. you must disassociate it from any Web applications that may be using it. Before you delete an existing one. When you create a SAML-based authentication provider on the farm. If you want to use the certificate to create a different SPTrustedIdentityTokenIssuer. you cannot use it again to create another one. These can include user roles. that you want the IP-STS to recognize. user groups. you must create an RP-STS trust with the realm on the IP-STS server. it must also be added to the IP-STS as a relying party. Identity provider security token service (IP-STS) This is the secure token service in the claims environment that issues SAML tokens on behalf of users who are included in the associated user directory. Relying party security token service (RP-STS) In SharePoint Foundation 2010. When you create the SPTrustedIdentityTokenIssuer. you must delete the existing one first. The SPTrustedIdentityTokenIssuer object is replicated across servers in the SharePoint Foundation farm. You can only associate a token-signing certificate from an STS with one SPTrustedIdentityTokenIssuer. see Configure the security token service (SharePoint Foundation 2010). Realm In the SharePoint claims architecture. the first realm. Additional realms can be added after the SPTrustedIdentityTokenIssuer is created. . Once you use this certificate to create an SPTrustedIdentityTokenIssuer. Only the owner of the IP-STS knows which value in the token will always be unique for each user. SPTrustedIdentityTokenIssuer This is the object that is created on the SharePoint farm that includes the values necessary to communicate with and receive tokens from the IP-STS. The following diagram illustrates the key parameters. The SPTrustedIdentityTokenIssuer object is created by using several parameters.The following diagram illustrates the SharePoint 2010 Products claims architecture. . Overview of the SharePoint 2010 Security Model . Only use the Wreply parameter if it is required by the IP-STS. The SignInURL parameter specifies the URL to redirect a user request to in order to authenticate to the IP-STS.As the diagram illustrates. and one Wreply parameter. one SignInURL parameter. However. Some IP-STS servers require the Wreply parameter. an SPTrustedIdentityTokenIssuer can include only one identity claim. which is set to either true or false and is false by default. it can include multiple realms and multiple claims mappings. net provider model. Now that we’ve covered how users and user groups are represented in the SharePoint security object model. This is done via the abstract SPPrincipal object and it’s descendants. allowing permissions to be defined regardless of the authentication mechanism. the next thing to consider is access control. security has been implemented based upon user. The benefit of this abstraction is that SPUser object can represent Active Directory users or groups or custom users authenticated via forms authentication and by extension the SPGroup object which represents a collection of SPUser object can contain a heterogeneous collection of SPUser objects. SPUser and SPGroup in SharePoint. in fact there’s a further level of grouping that’s represented by the SPRoleDefinition object. Both Active Directly Users and Active Directory groups are represented by SPUser objects in the SharePoint object model. While actual permissions are hardcoded into the SharePoint platform. since the actual implementation of the authentication and authorization mechanism is abstracted.In SharePoint 2010. groups and their ACL. Many of the objects in a SharePoint application can have access control lists (ACLs) attached to them. An ACL is a binary data structure that contains details of the SPPrincipal objects that have permissions defined for the object together with information on the permissions. Each principal/permission mapping is represented by an SPRoleAssignment object. The individual flags are listed in the SPBasePermissions enumeration. that a SPRoleAssignment doesn’t actually map permissions to principals directly. You’ll notice from the name. The reason for this goes back to the asp. it’s necessary to have an abstract notion of the user that should be granted permissions on a resource. An SPRoleDefintion object is a collection of bits that represent the status of a number of pre-defined permission flags. SPRoleDefinitions are user-defined and . The three main objects that can be secured in SharePoint implement the ISecurableObject interface. · SPList. SPRoleDefintions are stored at the SPWeb level and are accessible through the Roles property of the SPWeb object. · SPListItem. Sub-web’s also inherit permissions defined here unless inheritance has been turned off. Permissions defined at this level automatically apply to all items contained within the list or library unless inheritance has been explicitly turned off. so much so that many of the other objects that are . which represents the lowest level of access control available in SharePoint. which represents all lists and document libraries within a web site. which represents an entire web site. These objects are: · SPWeb.the system-defined permissions are fine-grained enough to allow users to create roles that encompass practically any security requirement. You’ll no doubt be aware that these are some of the most fundamental objects used when building applications with SharePoint. Permissions defined at this level apply to a single document or data item. Permissions defined at this level are inherited by all lists contained within the web unless inheritance has been explicitly turned off. This class allows permissions to be set based on group membership or on a per-user basis (subject to the caveat that an SPUser isn’t necessarily only a single user) · SPUser – represents a discrete security entity in SharePoint. · SPGroup – represents a group of SPUser objects · SPRoleAssignment – represents an entry in the ACL for a particular role · SPRoleDefintion – represents the combination of permissions that should be applied for a particular user on a particular resource · SPBasePermission – an enumeration that lists the system level permissions that can be used when creating SPRoleDefinitions · ISecurableObject – represents a resource that can be secured via an access control list . So to recap. For example the SPFolder object has a ParentListId property that can be used to get a reference to the containing list.commonly used either inherit from these types or have methods that can return an associated instance of these types. particularly those described above. it is vital that we can manage ACL’s on all objects that implement the ISecurableObject interface. the key objects and interfaces that will be required for our configuration utility are: · SPPrincipal – an abstract class that provides the base for SPUser and SPGroup. Since it is our aim to create a utility that will allow declarative configuration of security in SharePoint. or the SPFile object has an Item property that returns an SPListItem object that represents the file. This can be a user. a local user group or an Active Directory group. you will able to see all the SharePoint Groups. Go to “Site Settings -> Site Permissions”.SharePoint security UI walkthrough Let’s have a look at the SharePoint 2010 UI. This list also provides the permission level of the groups and users which will one or move i.e. approve and Read. Domain Groups and SharePoint users. . add or remove columns in a list. Delete Items .Discard or check in a document which is checked out to another user. List Permissions Manage Lists . It automatically cascade the permission to the users. edit documents in document libraries. You will two ways to grant the access:o Add users to SharePoint Group (recommended) to add your users/ domain groups to SharePoint Groups.· Grant Permission to provide the access to user and groups.Add items to lists and add documents to document libraries. Override Check Out . Add Items . and customize Web Part Pages in document libraries.Delete items from a list and documents from a document library. .Create and delete lists.Edit items in lists. Edit Items . and add or remove public views of a list. o Grant Permission Directly gives you granular level permission which specifies the built-in permissions available in SharePoint Foundation. and application pages. views. Create Alerts .View Items . Delete Versions .View the source of documents with server-side file handlers.Delete past versions of a list item or document. Approve Items .Approve a minor version of a list item or document. View Application Pages . .Create alerts. View Versions .View forms.View past versions of a list item or document. Enumerate lists. Open Items .View items in lists and documents in document libraries. Apply Themes and Borders .Create and change permission levels on the Web site and assign permissions to users and groups.Apply a theme or borders to the entire Web site. Add and Customize Pages . Manage Web Site . change. .View reports on Web site usage. View Web Analytics Data .Site Permissions Manage Permissions . or delete HTML pages or Web Part Pages.Add. Meeting Workspace sites. and edit the Web site using a Microsoft SharePoint Foundation-compatible editor.Grants the ability to perform all administration tasks for the Web site as well as manage content. Create Subsites . and Document Workspace sites.Create subsites such as team sites. or list item. Enumerate Permissions .Apply Style Sheets .Create a Web site using Self-Service Site Creation. Browse User Information .Create a group of users that can be used anywhere within the site collection. Create Groups . document. list.Apply a style sheet (.View pages in a Web site.CSS file) to the Web site.View information about users of the Web site.Enumerate permissions on the Web site. folder.Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces. View Pages . . Use Self-Service Site Creation . Browse Directories . Manage Alerts . Use Remote Interfaces . change.Use SOAP.Manage alerts for all users of the Web site. the Client Object Model or SharePoint Designer interfaces to access the Web site. Personal Permissions Manage Personal Views . list. such as adding a picture. Edit Personal User Information . Web DAV.Create. Use Client Integration Features .Allows a user to change his or her own user information. Open . or folder in order to access items inside that container.Allows users to open a Web site. users will have to work on documents locally and upload their changes.Use features which launch client applications. and delete personal views of . Without this permission. Add or remove personal Web Parts on a Web Part Page. site and personal permissions. · Create Group is to create more SharePoint Group. · Edit User Permissions option is to change the permission of users and group in SharePoint. SharePoint Group and users) from SharePoint site. · Remove User Permissions to remove all the permission from SPUser (Domain group.Update Web Parts to display personalized information.lists. . Update Personal Web Parts . · Check Permissions to check user/group list. · Permission level to role to describe to access of the user all over the site. Add/Remove Personal Web Parts . Each numbered gold hexagon represents a permissions scope. If you have a sub-site and you go to Site Actions -> Site Permissions.· Site Collection Administrators provides you the list of administrator of the site.e. All child objects within a container inherit from that parent scope unless they have their own unique permissions scope. “Site content on this site has unique permissions which are not controlled from this page. And A link to the uniquely secured content”. in which all objects but one inherits their scope from their parents. SPList and SPListItem. you will be able to see the parent users and groups with the notification “This Web site inherits permissions from its parent. . (Parent Website Name). then there will be a notification message i. If you have implemented the Break Role Inheritance or unique permission on SPWeb. The following diagram shows an object hierarchy for a document library. there are two properties representing groups. Finally. unless of course such inheritance has been broken.Implementation through SharePoint Object Model Obviously. This is a collection of type SPRole. there is also a property called Roles. As before. Similarly. which are Groups and SiteGroups. You can probably guess what these are: the groups are also inherited from parent to SPWeb. it is the SiteCollection which is the eventual security boundary. To replace these. All SPWeb inherit the users from SiteCollection. as mentioned earlier. namely SPRoleDefinition and SPRoleAssignment. that SPRole has been deprecated since SharePoint 2007. both Groups and SiteGroups represent collections of the SPGroup object. which can be seen in the class diagram in Figure . However. two new objects have been introduced. Replace(site.Empty))) { foreach (SPGroup group in web.· Get the SharePoint Groups from the SharePoint site string url = http://URL:3500.Url. using (SPSite site = new SPSite(url)){ using (SPWeb web = site.Groups) { Console. using (SPSite site = new SPSite(url)) { using (SPWeb web = site.Url.Empty))) .OpenWeb(url.“+ group.” +group.OpenWeb(url.Owner ). string.Replace(site. string.WriteLine(“Group Name :.Name + ” Group Owner :. } } } · Get the SharePoint Users from the SharePoint site string url = “http://url:3500″. ” + user.AllUsers) { Console.“+ user.OpenWeb(url.” + user.LoginName ).{ foreach (SPUser user in web.WriteLine(“User Name :.LoginName ).Replace(site.“+ user.Users) { Console.WriteLine(“User Name :.Name + ” User Login :. using (SPSite site = new SPSite(url)) { using (SPWeb web = site. } } } · Get the All SharePoint Users from the SharePoint site it provides all the SPUsers(excluding SharePoint Group) and Domain Groups string url = “http://url:3500″. } } } · Get the all the RoleAssignment in the SharePoint .Empty))) { foreach (SPUser user in web.Name + ” User Login :. string.Url. Replace(site.Empty))) { SPRoleDefinitionCollection roleDefinitions = web.Empty))) { SPRoleAssignmentCollection roleassigments = web.Parent). string.Member + ” RoleAssignment Parent :. } } } · Get the all the RoleDefinition and its Base Permission in the SharePoint site string url = “http://url:3500″.OpenWeb(url.” + roleAssign.WriteLine(“RoleAssignment Name :.RoleAssignments.” + roleAssign.Url. .RoleDefinitions. using (SPSite site = new SPSite(url)) { using (SPWeb web = site.Replace(site.string url = “http://url:3500″. using (SPSite site = new SPSite(url)) { using (SPWeb web = site. string.Url. foreach (SPRoleAssignment roleAssign in roleassigments) { Console.OpenWeb(url. OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.” + roleDef. list items. customPermissionLevel. customPermissionLevel. using (SPSite site = new SPSite(url)) { using (SPWeb web = site.foreach (SPRoleDefinition roleDef in roleDefinitions) { Console.BasePermissions).”.BasePermissions |= SPBasePermissions. string. . and documents.Url.Description = “Can view only view pages.Empty))) { SPRoleDefinition customPermissionLevel = new SPRoleDefinition().Replace(site.OpenWeb(url. } } } · How to create a new RoleDefinition in the SharePoint site string url = “http://url:3500″. customPermissionLevel.ViewListItems | SPBasePermissions.” + roleDef.WriteLine(“RoleDefinition Name :.ViewFormPages.Name + “Base Permission :.Name = “Manager”. using (SPSite site = new SPSite(url)) { using (SPWeb web = site.web. .Replace(site.Update(). SPRoleAssignment assignment = web.GetAssignmentByPrincipal(user).Add(customPermissionLevel).OpenWeb(url. string. SPUser user = web.RoleAssignments. } } · How to add a new RoleAssignment to user or group in the SharePoint site string url = “http://url:3500″.Url. web.Users["ASIAPACIFIC\madanna"].RoleDefinitions.AllowUnsafeUpdates = true.RoleDefinitions["Managers"]. web.Empty))) { SPRoleDefinition customRoleDefinition = web. To give a user access to an object. or you can create a role assignment object. single signon is much easier to achieve. or . Stronger real-time authentication. The claims-based identity model for Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 is built upon Windows Identity Foundation (WIF). Multiple authentication types. optionally bind the role assignment to the appropriate role definition with base permissions. Under this model. folder. for both new and veteran programmers. Authorization. you can add the user to a group that already has permissions on the object. Users. folders. list. lists. and Groups In Microsoft SharePoint Foundation.AllowUnsafeUpdates = true. assignment. web. along with cryptographic assurance that the identity data that your application receives comes from a trusted source.RoleDefinitionBindings. another might be an e-mail address.Update().Add(customRoleDefinition). and then add the assignment to the collection of role assignments for the list item. access to Web sites. Delegation of user identity between applications. set the user for the role assignment.Update(). The idea is that an external identity system is configured to give your application all the information that it needs about the user with each request. } } This section provides helpful conceptual and practical information related to general security and claims-based identity model for Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010.assignment. the user presents an identity to your application as a set of claims. Features of claimsbased identity include: Authentication across users of Windows-based systems and systems that are not Windows-based. One claim could be the user’s name. A wider set of principal types. web. and list items is controlled through a role-based membership system by which users are assigned to roles that authorize their access to SharePoint Foundation objects. When you build claims-aware applications. aspx file. or to view pages anonymously. or they can use unique permissions. Users become members of a SharePoint object indirectly through a group that has a role assignment. to individual SharePoint Foundation users. Following are ways that SharePoint Foundation provides to control access to its objects: Objects can use the same permissions as the parent Web site. subsites. SharePoint Foundation includes the following three groups by default: owners (administrator) members (contributor) visitors (reader) When you create a Web site with unique permissions through the user interface. enabling fine management of user access to objects. because a poorly conceived role definition and inappropriately assigned rights can lead to an unpleasant user experience. lists. and to domain groups using Windows . plan carefully when using the object model to customize role definitions and permissions. or folder (inheriting both the roles and users available on the parent object). For more information about SharePoint Foundation rights. You can use the object model to create or modify role assignments and definitions differently than you can through the functionality of the addrole. the user has no permission. Sites. Users also can be members of a Microsoft Windows NT Domain Group that is added to a group or to a role. or collection of rights.SharePoint. Groups consist of users and may or may not be assigned to roles. you are directed to a page where you can assign users to these groups as part of provisioning the site. Each user or group has a unique member ID. Anonymous access allows users to contribute anonymously to lists and surveys. A role definition associates a user or group with a single right or set of rights corresponding to values of the Microsoft. the object model does not enforce rights dependency.aspx file and the editrole.Web site. see SPBasePermissions. you can assign a role. Unlike these pages presented in the user interface. Through policy. and items each provide role assignment collections. or workspaces. Security Policy A security policy provides a means to enforce uniform security throughout all site collections within a Web application (virtual server). folders. so you can create a role definition with an arbitrary combination of rights. However. If you do not bind the role assignment to a role definition when assigning a user to a role. list. or directly through a role assignment. Site creation rights (CreateSSCSite and ManageSubwebs) control whether users can create top-level Web sites. You can also grant access to "all authenticated users" to allow all members of your domain to access a Web site without having to enable anonymous access.SPBasePermissions enumeration. A claim is given one or more values and then packaged in security tokens that are issued by a security token service (STS). A claim is a piece of information about a subject that a claims provider asserts about that subject. age.The more claims that an application receives. the user delivers claims to your application. or membership in the sales role. list. Applying a policy role is similar to managing permissions for a Web site. the users and groups are identified by both their security identifier (SID) and their login or user name. .com. An example of claims-based authentication is someone claiming to be over 18 years old or someone claiming to be in a company's marketing group. or document: You add users or groups and assign them to one or more role definitions. a computer. Each Web application has its own policy roles. When an identity is transmitted on the network. Each policy entry specifies rights for a user or group in the Web application. because of the delivery method. folder. without entering credentials multiple times. A user can have. Claims-based authentication enables systems and applications to authenticate a user without requiring the user to disclose more personal information (such as social security number and date of birth) than necessary. a name) that is made by a subject about itself or another subject. You can think of a claim as a bit of identity information. It is a statement about a subject (for example. the more you know about your user. regardless of local permissions on the object.extranet. Rights can be granted or denied through policy. different policies on http://Server and http://Server. Another difference between policy roles and managing permissions is that central administrators can deny a right to a user throughout a Web application. your application does not look up user attributes in a directory. but not to SharePoint groups. In this model. Granting a right gives that right to the user or group on all secured objects within the Web application. such as applications and network resources. even if the user has explicit permissions on specific content: policy overrides site-level permissions.microsoft. In policy roles. actively blocking that right for the user or group on all secured objects within the Web application. it is represented by some kind of token (also known as a security token). for example. This subject is most often a person. Claims The clearest way to think about claims is as a set of information about some subject.authentication or pluggable authentication systems. Denying a right is given a higher priority than granting the right. name. Denying all for a user prevents that user from accessing any content. but it might also be an application. computer. The word claim is used. such as e-mail address. or something else. Policy is set at the logical Web application level or at the zone level. application. An external system (relying party) needs only to trust the authentication authority that can validate those claims to allow the user to be authenticated for specific functions. or other entity. It is a unique identifier that represents a specific user. instead of the word attributes that is more commonly used in the enterprise directory world. It also enables resources to validate requests from an entity. It enables that entity to gain access to multiple resources. Instead. even if the two Web applications have the same content. Site Members. The claims API has an issuer property that enables you to find out who issued the claim. The claims are also used to authorize access. The key concept is that a claim is not just a unique identifier that identifies the resource. permissions can be assigned by using the default SharePoint classifications like Farm Administrators. a received token is usually validated in some way before an application uses any claims that it contains. as the word claims suggests.. apart from using the SharePoint defaults. and you trust the claim only as much as you trust the issuer. a subject's name. The permissions can be defined for users and groups using the default permission levels available out-of-the-box or you can define custom permission levels. which have pre-defined permissions configured in them. And. application. and do not even need to include. For example. Site Owners. you trust a claim made by your company's domain controller more than a claim made by the user. etc. as continued from SharePoint 2007. Site Collection Administrators. It provides more granular control on permissions starting from the entire farm to item level security. an application that receives a token does not automatically accept the information that it contains. They can also contain many sorts of other information—claims are not limited to. SharePoint administrators can also manage SharePoint security by creating custom permission levels. values) that is used to describe the resource. Create a Web application that uses Windows-claims authentication (SharePoint Server 2010) . SharePoint 2010 offers permissions to manage its resources using different permission levels. Tokens A token is a set of bytes that expresses information about an identity. or user. each of which contains some information about the subject to which this token applies. It is a set of claims (that is. The claims in a token commonly contain information such as the name of the user who presents it. With the Permissions Management in SharePoint 2010 more flexible. Proper documentation of the existing permissions setting and any change to permissions facilitates effective permission management and is necessary for post-migration of SharePoint contents. or user. The permissions for users and groups can be assigned from Active Directory repository or external stores like SQL or other custom authentication providers. SharePoint administrators / owners / users can modify permissions of SharePoint objects at ease. Instead. Depending on the object level in the SharePoint hierarchy. This information consists of one or more claims.Each claim is made by an issuer. Site Visitors. application. . You have your logical architecture design in place.Create a Web application that uses Windows-claims authentication (SharePoint Server 2010) Configure anonymous access for a claims-based Web application (SharePoint Server 2010) Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010) Configure Kerberos authentication for the claims to Windows token service (SharePoint Server 2010) Configure authentication using a SAML security token (SharePoint Server 2010) Configure claims-based authentication using Windows Live ID (SharePoint Server 2010) Configure Digest authentication for a claims-based Web application (SharePoint Server 2010) Configure Basic authentication for a claims-based Web application (SharePoint Server 2010) Configure Client Certificate Authentication (SharePoint Server 2010) Before you perform this procedure. Configure Kerberos authentication (SharePoint Server 2010) and Choose security groups (SharePoint Server 2010). see Plan authentication methods (SharePoint Server 2010). For more information. see Logical architecture components (SharePoint Server 2010). You have planned authentication for your Web application. For more information. confirm that: Your system is running Microsoft SharePoint Server 2010. 0 (http://go. You typically use Central Administration to create a Web application. 5. Verify that you have the following administrative credentials: To create a Web application. For more information about setting up SSL. click Manage web applications. If you have User Account Control (UAC) turned on in Windows. you must be a member of the Farm Administrators SharePoint group and a member of the local Administrators group on the computer running Central Administration. In the IIS Web Site section. If you want to automate the task of creating a Web application. 2. you must right-click the SharePoint 2010 Management Shell and select Run as administrator. you must associate the SSL certificate with the Web application's IIS Web site after the IIS Web site has been created. click New. you can create one or several site collections on the Web application that you have created. On the Central Administration Home page.You have selected the service applications that you want to use for your Web application. in the Authentication section. After the procedure is complete. To create a Web application with Windows-claims authentication by using Central Administration 1. see Service application and service management (SharePoint Server 2010). You can create a Web application by using the SharePoint Central Administration Web site or Windows PowerShell. You have read about alternate access mappings.microsoft. and then select the Web site on which to install your new Web application. in the Application Management section. 4. On the ribbon. . click Claims Based Authentication. On the Create New Web Application page. If you use Secure Sockets Layer (SSL). you can configure the settings for your new Web application by selecting one of the following two options: Click Use an existing web site.0 to create a Web application. see How to Setup SSL on IIS 7. use Windows PowerShell.com/fwlink/?LinkId=187887). and you use Windows PowerShell 2. 3. For more information. which is common in enterprises. and DNS has been configured to route requests to the same server. they should use the appropriate default port number. If you choose to allow anonymous access. 8.Click Create a new IIS web site. Note: The default port number for HTTP access is 80. If you are using an existing Web site. If you do not enable anonymous access at the Web application level. you . you must enable anonymous access for the entire Web application zone before you enable anonymous access at the SharePoint site level. 6. this field is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server. in the Port box. this field is populated with a suggested path. and the default port number for HTTPS access is 443. If you are creating a new Web site. www. In the Security Configuration section. Note: If you want users to be able to access any site content anonymously. 7. this field is populated with a random port number. If you are using an existing Web site. 9. click Yes or No. In the IIS Web Site section. type the host name (for example. Note: In general. and then type the name of the Web site in the Name box. In the IIS Web Site section. type the path to the IIS Web site home directory on the server. in the Host Header box. site owners can configure how anonymous access is used within their sites. this field is populated with the current path of that Web site.com) you want to use to access the Web application. type the port number you want to use to access the Web application. this enables anonymous access to the Web site by using the computer-specific anonymous access account (that is. IIS_IUSRS). Under Allow Anonymous. If you are creating a new Web site. Optional: In the IIS Web Site section. later. If you want users to access the Web application without typing in a port number. choose whether or not to use allow anonymous access and whether or not to use Secure Sockets Layer (SSL). in the Path box. a. this field is populated with the current port number.contoso. and then enter the membership provider name and the role manager name in the boxes. select Enable Windows Authentication and. or both. For more information.microsoft. For more information. in the drop-down menu. Under Use Secure Sockets Layer (SSL). The client Web browser then determines which type of authentication to use. see Choose security groups (SharePoint Server 2010). If you do not want to use Integrated Windows authentication. In the Claims Authentication Types section. For more information about setting up SSL. If you want users' credentials to be sent over a network in a nonencrypted form. see Configure Kerberos authentication (SharePoint Server 2010). If you choose to enable SSL for the Web site. Note: You can select basic authentication or integrated Windows authentication. you must configure SSL by requesting and installing an SSL certificate. select Basic authentication (password is sent in clear text).0 (http://go. b. select Enable Forms Based Authentication (FBA). For more information. a. If you want to enable forms-based authentication. . SharePoint Server 2010 will offer both authentication types to the client Web browser. If you select both. If you want to enable Windows authentication. clear Integrated Windows authentication. select Negotiate (Kerberos) or NTLM. 10. at the site level. the credentials can be intercepted by a malicious user. If you only select basic authentication. select the authentication that you want to use for the Web application. see How to Setup SSL on IIS 7. click Yes or No.com/fwlink/?LinkId=187887).cannot enable anonymous access later. . see Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010). otherwise. ensure that SSL is enabled. In the Public URL section. host header. Select Custom Sign In page URL and then type the sign-in URL if you want users to be redirected to a customized sign-in Web site for claims-based authentication.Note: If you select this option. type the URL for the domain name for all sites that users will access in this Web application. The default URL is the current server name and port. The Zone value is automatically set to Default for a new Web application. then this URL may need to be different than the SSL. Note: You can change the zone when you extend a Web application. In the Sign In Page URL section. . b. For more information. ensure that SSL is enabled. see Plan authentication methods (SharePoint Server 2010). and is automatically updated to reflect the current SSL. 12. choose one of the following options to sign into SharePoint Server 2010: Select Default Sign In Page URL if you want users to be redirected to a default sign-in Web site for claims-based authentication. see Configure authentication using a SAML security token (SharePoint Server 2010). otherwise. see Extend a Web application (SharePoint Server 2010). the Trusted Identity provider check box is selected. 11. host header. For more information. You can use one or more claims authentication types. and port number settings on the page. If you have set up Trusted Identity Provider authentication in Windows PowerShell. the credentials can be intercepted by a malicious user. and port settings on this page. For more information. This URL will be used as the base URL in links shown on pages within the Web application. If you are deploying SharePoint Server 2010 behind a load balancer or proxy server. 15. Under Select a security account for this application pool. Click Configurable to specify a new security account to be used for an existing application pool. see Logical architecture components (SharePoint Server 2010). 14. Click Create a new application pool. and then select the security account from the drop-down menu. We recommend this option because Windows authentication automatically encrypts the password when it Database Name Database Authentication . or use the default entry. Type the name of the database. For more information. In the Application Pool section. and then type the name of the new application pool or keep the default name. Note: You can create a new account by clicking the Register new managed account link. choose the database server. Select the database authentication to use by doing one of the following: If you want to use Windows authentication. database name. In the Database Name and Authentication section. and authentication method for your new Web application as described in the following table. leave this option selected. Item Database Server Action Type the name of the database server and Microsoft SQL Server instance you want to use in the format <SERVERNAME\instance>. You can also use the default entry. do one of the following: Click Predefined to use a predefined security account.13. and then select the application pool you want to use from the drop-down menu. do one of the following: Click Use existing application pool. In the Customer Experience Improvement Program section. In the Service Application Connections section. type the name of a specific failover database server that you want to associate with a content database. If you use database mirroring. You use the custom option to choose the services application connections that you want to use for the Web application. If you want to use SQL authentication. Click SharePoint 2010 Management Shell. click All Programs. In the Account box. Click OK to create the new Web application. select the service application connections that will be available to the Web application. 3. 2. Note: SQL authentication sends the SQL authentication password to the SQL Server unencrypted. in the Failover Server section. . click Yes or No. 17.connects to SQL Server. 18. click SQL authentication. Verify that you meet the following minimum requirements: See Add-SPShellAdmin. Click Microsoft SharePoint 2010 Products. On the Start menu. 19. type the name of the account you want the Web application to use to authenticate to the SQL Server database. and then type the password in the Password box. To create a Web application that uses Windows-claims authentication by using Windows PowerShell 1. in the Failover Database Server box. We recommend that you only use SQL authentication if you force protocol encryption to the SQL Server of encrypt your network traffic by using IPsec. In addition. You also need to be a member of the local Administrators group on the computer running Windows PowerShell. 4. click default or custom. In the drop-down menu. 16. some procedures require membership in the SQL Server fixed server roles dbcreator and securityadmin. at the Windows PowerShell command prompt. To create a Windows-claims authentication provider. Example $ap = New-SPAuthenticationProvider $wa = New-SPWebApplication -Name "Contoso Internet Site" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get-SPManagedAccount "DOMAIN\jdoe") -URL "http://www. type the following command: $ap = New-SPAuthenticationProvider To create a Web application that uses Windows-claims authentication. whereas the home page of an Internet Web site is accessible by anonymous clients. <URL> is the public URL for the Web application. <ApplicationPool> is the name of the application pool.5. proprietary technical information should be accessible only on a need-toknow basis. type the following command: $wa = New-SPWebApplication -Name <ClaimsWindowsWebApplication> ApplicationPool <ClaimsApplicationPool> -ApplicationPoolAccount <ClaimsApplicationPoolAccount> -URL <URL> -Port <Port> -AuthenticationProvider $ap Note: We recommend that the application pool account is a managed account on the server farm. <ApplicationPoolAccount> is the user account that this application pool will run as. An intranet portal for employee benefits should be available only to full-time employees.contoso. at the Windows PowerShell command prompt. .com" -Port 80 -AuthenticationProvider $ap Security planning for sites and content (SharePoint Foundation 2010) Some of the sites in your enterprise probably contain content that should not be available to all users. For example. Where: <Name> is the name of the new Web application that uses Windows claims authentication. <Port> is the port on which the Web application will be created in IIS. You can manage permissions by using Microsoft SharePoint Foundation 2010 groups. by default. Permissions can be granted to individual users at site or site . When you assign permission levels to SharePoint groups at the site collection level. This section describes permissions for sites and site content and provides considerations for choosing permissions. For more information about using groups to help manage permissions. which help to secure content at the item and document level. or item. or you might need more restrictive security settings for a specific list. and fine-grained permissions. the View Items permission allows a user to view items in a list or folder. which control membership.Permissions control access to your sites and site content. you should consider the following questions: To what granularity do you want to control permissions for the site or site content? For example. How do you want to categorize and manage your users by using SharePoint groups? Groups do not have any permission until they are assigned a permission level for a specific site or for specific site content. but not to add or remove items. About site permissions You should understand the following concepts before designing your permissions plan. see Choose security groups (SharePoint Foundation 2010)). Plan site permissions (SharePoint Foundation 2010) Introduction You can control access to site and site content by assigning permissions to users or groups for a specific site or site content at the following levels within a site collection: Site Library or list Folder Document or item Before developing your plan for site and content access. all sites and site content inherit those permission levels. For example. Permissions Permissions grant a user the ability to perform specific actions. you might want to control access at the site level. folder. Design. although you can directly grant individual users permissions to . Anyone with Full Control permission can create custom groups. folder. all of which are needed to view pages. documents. We recommend that you assign permissions to groups rather than users. For more information about customizing permission levels. For information about default permission levels and the permissions included in each level. and items in a SharePoint site. and Full Control. and View Versions permissions (among others). Permissions can be included in more than one permission level. Read. The default permission levels are Limited Access. with Full Control. For example. the Read permission level includes the View Items. Read. Fine-grained permissions allow for greater granularity and customization of user permissions in a site collection. Contribute. For information about available permissions. Open Items. or item or document. SharePoint group A SharePoint group is a group of users that are defined at site collection level for easy management of permissions. Visitors. For example. Each SharePoint group is assigned a default permission level. see User permissions and permission levels (SharePoint Foundation 2010). View Pages. see Configure custom permissions (SharePoint Foundation 2010). Fine-grained permissions Fine-grained permissions are unique permissions on securable objects that are at a lower level in a site hierarchy. Permission level Permission levels are collections of permissions that allow users to perform a set of related tasks.content levels. and Contribute as their default permission levels respectively. and Members. User A user can be a person with a user account from any authentication provider supported by the Web application. the default SharePoint groups are Owners. see User permissions and permission levels (SharePoint Foundation 2010). Permission levels are defined at the site collection level and can be customized by any user or group whose permission level includes the Manage Permissions permission. such as permissions on a list or library. Securable object A securable object is a site. all lists and libraries within a site inherit permissions from the site. and securable objects. folder. list. Because it is inefficient to maintain individual user accounts.a site or specific content. By default. The following diagram illustrates the relationships among permissions. Individual users or groups can have different permissions for different securable objects. . You can assign a user or group permissions for a specific securable object. document. You must first break the permission inheritance before you change or assign permissions for that securable object. folderlevel. You can resume inheriting permissions from the parent list or site at any time. you should assign permissions on a per-user basis only as an exception. library. or item for which permissions levels can be assigned to users or groups. You can use list-level. and item-level permissions to further control which users can view or interact with site content. users and groups. and Owners) and control permissions at the site level. Because people move in and out of teams and change responsibilities frequently. site settings. and permission levels from the parent again. and you will lose any users. For ease of management. the child object will inherit its users. Follow the principle of least privilege: Users should have only the permission levels or individual permissions they need to perform their assigned tasks. or permission levels that were unique to the child object. Use standard groups (such as Members. use permission inheritance wherever possible. Use the following guidelines to plan site permissions: 1. By default. or appearance of the site. and users may experience slower performance when they try to access site content. users in the Members group can contribute to the site by adding or removing items or documents. you will spend more time managing the permissions. 2.About permission inheritance Permissions on securable objects within a site are inherited from the parent object by default. Visitors. If you restore inherited permissions. groups. you should use groups to avoid having to track individual users. and permission levels from the parent object to the child object. You can break inheritance and use fine-grained permissions — unique permissions on the list or library. users. For more information about the best practices for using fine-grained permissions. see Best practices for using fine-grained permissions Stopping inheriting permissions copies the groups. you must balance the ease of administration and performance against the need to control access to individual items. Plan for site permissions When you create permissions. tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone. folder. The Visitors group has read-only access to the site. which means that they . Tip: If you choose to break inheritance and use fine-grained permissions. Make most users members of the Members or Visitors groups. When permission inheritance is broken. If you use fine-grained permissions extensively. but cannot change the structure. groups. or item or document level — to gain more control of the actions users can take on your site. all permissions are explicit and any changes to parent object do not affect the child object. and then breaks the inheritance. and open items and documents. Use permission levels rather than assign individual permissions. or documents.can see pages and items. Securable object SiteA Description Group home page Unique or inherited permissions Unique . Limit the number of people in the Owners group. but cannot add or remove pages. it's much easier to manage a site that has permission inheritance as described in the following table. Note: 1. For example. or appearance of the site should be in the Owners group. settings. You can now find both the user's directly assigned permissions and the permissions assigned to any groups of which the user is a member by checking permissions for a specific site or site content. if you do not want the Read permission level on a specific subsite to include the Create Alerts permission. 3. For example. Only those users you trust to change the structure. Plan for permission inheritance It is much easier to manage permissions when there is a clear hierarchy of permissions and inherited permissions. Microsoft SharePoint Foundation 2010 and SharePoint Server 2010 use Check Permissions to determine a user or group’s permissions on all resources within a site collection. and when some sites have subsites with unique permissions and others with inherited permissions. break the inheritance and customize the Read permission level for that subsite. You can create additional SharePoint groups and permission levels if you need more control over the actions that your users can take. items. 2. It becomes more difficult when some lists within a site have fine-grained permissions applied. or create different groups and permission levels.SiteA/SubsiteA SiteA/SubsiteA/ListA SiteA/SubsiteA/LibraryA SiteA/SubsiteB SiteA/SubsiteB/ListB SiteA/SubsiteB/LibraryB Sensitive group Sensitive data Sensitive documents Group shared project information Non-sensitive data Non-sensitive documents Unique Unique Unique Inherited Inherited Inherited However. with unique permissions at the document level Inherited Inherited. but with one or two sensitive items Non-sensitive documents. SharePoint groups and permission levels are defined at the site collection level and are inherited from the parent object by default. with unique permissions at the item level Inherited. with unique permissions at the folder and document level SiteA/SubsiteB SiteA/SubsiteB/ListB SiteA/SubsiteB/LibraryB Determine permission levels and groups (SharePoint Foundation 2010) A SharePoint group is a set of users that can be managed together. but with a special folder containing sensitive documents Unique or inherited permissions Unique Unique Unique. . but same permissions as SiteA Inherited. A permission level is a set of permissions that can be assigned to a specific group for a specific securable object. but with one or two sensitive documents Group shared project information Non-sensitive data. This article describes default groups and permission levels and helps you decide whether to use them as they are. it is not as easy to manage a site that has permission inheritance as shown in the following table. The most important decision about your site and content security in Microsoft SharePoint Foundation 2010 is how to group your users and which permission levels to assign. Securable object SiteA SiteA/SubsiteA SiteA/SubsiteA/ListA SiteA/SubsiteA/LibraryA Description Group home page Sensitive group Non-sensitive data Non-sensitive documents. customize them. site settings. They are Windows administrators. By default. Besides the above SharePoint groups. Use this group to grant people Contribute permissions to the SharePoint site. or they can include the contents of any corporate identity system. see Determine whether you need custom permission levels or groups. your users . depending on the size and complexity of your organization or Web site. items. including Active Directory Domain Services (AD DS). Each default group is assigned a default permission level. Without the appropriate permission levels. there are also administrator groups for higher-level administration tasks. Make most users members of the Visitors or Members groups. you can create custom groups. SharePoint groups cannot be nested. such as Windows Live ID. The following table displays default groups that are created by using team site templates in SharePoint Foundation 2010. Group name Visitors Members Owners Default permission level Read Contribute Full Control Description Use this group to grant people Read permissions to the SharePoint site. and site collection administrators. application-specific databases and new user-centric identity models. but cannot change the structure. or appearance of the site. or documents. change. they are a way to designate a set of users.Review available default groups SharePoint groups enable you to manage sets of users instead of individual users. You can organize your users into any number of groups. SharePoint farm administrators. SharePoint groups do not confer specific rights to the site. For more information. users in the Members group can contribute to the site by adding or removing items or documents. If the default groups do not map to the exact user groups in your organization. and open items and documents. see Choose administrators and owners for the administration hierarchy (SharePoint Foundation 2010). This permission level controls all permissions for the site and the child objects that inherit the site’s permissions. which means that they can see pages and items. For more information about how to determine whether you need additional groups. Use this group to grant people Full Control permissions to the SharePoint site. but cannot add or remove pages. These groups can contain many individual users. The Visitors group has read-only access to the site. or manage a site is determined by the permission level that you assign to a user or group. LDAPv3-based directories. Review available permission levels The ability to view. You cannot edit this permission level directly. even if they have the correct permissions for an item within the site. change the permissions included in specific permission levels. they might not map exactly to how your users are organized or to the many different tasks that your users perform on your sites. group members might be unable to navigate the site to access items. Determine whether you need custom permission levels or groups The default groups and permission levels provide a general framework for permissions. you have a set of people who . you can create custom groups. By default. document libraries. see User permissions and permission levels (SharePoint Foundation 2010). However. For example. if in addition to Designers. If the default groups and permission levels do not suit your organization. Do you need custom groups? The decision to create custom groups is fairly straightforward and has little effect on your site's security. without giving users access to all the elements of a site. list items. Note: If this permission level is removed. or create custom permission levels. or documents. covering many different organization types and roles within those organizations. You should create custom groups instead of using the default groups if either of the following situations applies: You have more (or fewer) user roles within your organization than are apparent in the default groups.might be unable to perform their tasks. or they might be able to perform tasks that you did not want them to perform. Contribute Includes permissions that enable users to add or change items on the site pages or in lists and document libraries. Read Includes permissions that enable users to view items on the site pages. Design Includes permissions that enable users to change the layout of site pages by using the browser or Microsoft SharePoint Designer 2010. For more information about permissions that are included in the default permission levels. Full Control Includes all permissions. the following permission levels are available: Limited Access Includes permissions that enable users to view specific lists. folders. . and you want to add that permission. you might want to create a Customers group that replaces Visitors or Viewers. and can potentially invite malicious users to their subsites or post unapproved content. For example. You prefer other group names. If you want to make that permission unavailable for all users assigned to the permission level or levels that include that permission. If you change the Read permission level to include the Create Alerts permission that is typically part of the Contribute permission level. Contributors can create and own subsites. you must keep track of that change. For example. You want to preserve a one-to-one relationship between Windows security groups and the SharePoint groups. If you customize the permissions assigned to a permission level. For example. and ensure that the change does not negatively affect your security or your server capacity or performance. Do you need custom permission levels? The decision to customize permission levels is less straightforward than the decision to customize SharePoint groups. which might cause performance issues. you might want to use that name as a group name for easy identification when managing the site. verify that it works for all groups and sites affected by the change. You should customize the default permission levels if either of the following situations applies: A default permission level includes all permissions except one that your users need to do their jobs. if you are creating a public site to sell your organization's products.are tasked with publishing content to the site. turn off the permission for all Web applications in your server farm. There are well-known names for unique roles within your organization that perform very different tasks in the sites. all members of the Visitors group can create alerts. if you customize the Contribute permission level to include the Create Subsites permission that is typically part of the Full Control permission level. you might want to create a Publishers group. if your organization has a security group called Web Site Managers. Note: Do not customize the default permission levels if your organization has security or other concerns about a specific permission that is part of the permission level. A default permission level includes a permission that your users do not need. Note: Some permissions depend on other permissions. To manage permissions for a Web application. see Manage permissions for a Web application (SharePoint Foundation 2010). In Active Directory Domain Services (ADDS). If you use security groups. SharePoint group is a set of individual users and can also include Active Directory groups. A security group can also be used as an e-mail entity. create a custom permission level that includes all of the permissions you need.rather than change all of the permission levels. which are used to define permissions on resources and objects. Security group A group that can be listed in DACLs. If you need to make several changes to a permission level. You can use security groups to control permissions for your site by adding security groups to SharePoint groups and granting permissions to the SharePoint groups. you must manually keep the SharePoint group synchronized with the distribution group. you can create a permission level and then select the permissions that you want to include. Choose security groups (SharePoint Foundation 2010) Introduction Managing users of SharePoint sites is easier if you assign permission levels to groups rather than to individual users. You cannot add distribution groups to SharePoint groups. but you can expand a distribution group and add the individual members to a SharePoint group. You might want to create additional permission levels if either of the following conditions applies: You want to exclude several permissions from a specific permission level. You want to define a unique set of permissions for a new permission level. you do . Distribution groups cannot be listed in discretionary access control lists (DACLs). see Configure custom permissions (SharePoint Foundation 2010). the following groups are commonly used to organize users: Distribution group A group that is used only for e-mail distribution and that is not security-enabled. the other permission is also cleared. For more information about how to configure custom permissions. If you clear a permission that another permission depends on. To create a permission level. If you use this method. In this case. For easier permission management.not need to manage the individual users in the SharePoint application. or distribution lists. use security groups because you do not care about the individual users who accessed the intranet site home page. security groups with deep nested structure might break SharePoint sites. Determine which security groups to use for granting access to sites Each organization sets up its security groups differently. the user will be automatically removed from the SharePoint group. Because you included the security group instead of the individual members of the group. Considering the previous advantages and disadvantages. here are the recommendations: For intranet sites that are broadly accessed by your users. Adding security groups that contain nested security groups. using security groups in SharePoint sites does not provide full visibility of what is happening. Decide whether to add security groups Adding security groups to SharePoint groups provides centralized management of groups and security. contacts. In addition. the site will not appear in the users’ My Sites. add users directly to SharePoint groups. The User Information List will not show individual users until they have contributed to the site. ADDS manages the users for you. For example. Note: For ease of security management. The security group is the only place where you manage individual users. For collaboration sites that are accessed by a small group of users. Once you add the security group to a SharePoint group. security groups should be: Large and stable enough that you are not continually adding additional security groups to your SharePoint sites. Assign permission levels directly to Active Directory groups. . you do not have to manage security group members in that SharePoint group. there is more of a need to know who is a member so the group members know each other’s e-mail addresses and how to contact each other. when a security group is added to a SharePoint group for a specific site. However. the following items are not recommended in managing Active Directory groups. If a user is removed from the security group. the anonymous user account is IUSR. lists. grants the View Items permission to the anonymous user account. Allowing access to a site. Enabling anonymous access allows users to contribute to lists. Upload or edit documents in document libraries.Small enough that you can assign appropriate permissions. or to lists and libraries. Anonymous access relies on the anonymous user account on the Web server. This account is created and maintained by Microsoft Internet Information Services (IIS). you are in effect granting that account access to the SharePoint site. consider granting access to all authenticated users (the Domain Users Windows security group). such as accounts receivable clerks. such as “Accounts Receivable”. without your having to enable anonymous access. For example. Anonymous access also allows anonymous users to discover site information. unless all users in building 2 have the same job function. or libraries. more specific set of users. but might ask for authentication when someone wants to edit the site or buy an item on a shopping site. discussions. and surveys. Decide whether to allow access for anonymous users You can enable anonymous access to allow users to view pages anonymously. there are restrictions to what anonymous users can do. View sites in My Network Places. When you enable anonymous access. including wiki libraries. . This is rarely the case. Even with the View Items permission. including user e-mail addresses and any content posted to lists. not by your SharePoint site. however. and libraries. Anonymous users cannot: Open sites for editing in Microsoft Office SharePoint Designer. If anonymous access is allowed for the Web application. Anonymous access is disabled by default and must be granted at the Web application level at the time that the Web application is created. This special group allows all members of your domain to access a Web site (at the permission level you choose). so you should look for a smaller. Decide whether to allow access for all authenticated users If you want all users within your domain to be able to view content on your site. Most Internet Web sites allow anonymous viewing of a site. site administrators can decide whether to grant anonymous access to a site or any of the content on that site. which will possibly use up server disk space and other resources. By default in IIS. a security group called "all users in building 2" is probably not small enough to assign permissions. do not enable anonymous access. Important: To improve security for sites. and discussions. no sites within that Web application can be accessed by anonymous users. or item level. This is the default option. Administration of Microsoft SharePoint Foundation occurs at the following levels: Windows server or SharePoint server farm Shared services Web application Sites Document library or list Individual items In this article: Levels of administration Worksheet Levels of administration . even if the site administrator specifically attempts to grant the anonymous user account that permission. Many people can be involved in managing SharePoint Foundation 2010. site. site administrators can then grant or deny anonymous access at the site collection. None No policy. If anonymous access is disabled for a Web application. You can manage permission policy for anonymous users by enabling or disabling anonymous access for a Web application. No additional permission restrictions or additions are applied to site anonymous users. even if site administrators specifically attempt to grant the anonymous user account access to their sites.Permission policies provide a centralized way to configure and manage a set of permissions that applies to only a subset of users or groups in a Web application. Choose administrators and owners for the administration hierarchy (SharePoint Foundation 2010) This article describes the administrator roles that correspond to the Microsoft SharePoint Foundation 2010 server and site hierarchy. Deny Write Anonymous users cannot write content. If you enable anonymous access for a Web application. Deny All Anonymous users cannot have any access. which are instances of shared services. Shared services level Service application administrators These administrators are designated by the farm administrator. They can assign administrators to manage service applications. they can grant themselves access if need be. To take ownership. Note: Farm administrators and members of the local Administrators group can take ownership of specific site collections if necessary. creating new Web applications and new Internet Information Services (IIS) Web sites. including topology changes. Like farm administrators. the service application . For example. and starting services. However. Administrators on the local server can perform additional tasks. For example.Most levels of the server and site hierarchy have a corresponding administration group. They can configure settings for a specific service application within a farm. Windows Administrators group Members of the Windows Administrators group on the local server can perform all farm administrator actions. However. the farm administrator or a member of the local Administrators group can take ownership of the site collection to make the change. Members can perform all administrative tasks in Central Administration for the server or server farm. or perform any farm-level operations. This group does not have access to individual sites or their content by default. members of this group on the local server have no access to site content by default. access any other service applications in the farm. deploying Web Parts and new features to the global assembly cache. such as installing new products or applications. if a site administrator leaves the organization and a new administrator must be added. The administration groups who have administrative permissions at different levels are described in the following list: Windows server or server farm level Farm Administrators group Members of the Farm Administrators group have permissions to and responsibility for all servers in the server farm. these administrators cannot create service applications. they can add themselves as the site collection administrator on the Application Management page. These administrators can manage a subset of service application settings. Site level Site collection administrators These administrators have the Full Control permission level on all Web sites within a site collection.administrator for a Search service application in a farm can configure settings for that Search service application only. Web application level The Web application level does not have a unique administrator group. For more information about policy. Site owners By default. Members of the Farm Administrators group and members of the Administrators group on the local server can define a policy to grant individual users permissions at the Web application level. but farm administrators have control over the Web applications within their scope. Best practices for using fine-grained permissions . A primary and a secondary site collection administrator can be specified during the creation of a site collection. members of the Owners group for a site have the Full Control permission level on that site. see "Policy for Web applications" in the Logical architecture components (SharePoint Server 2010) article. Feature administrators A feature administrator is associated with a specific feature or features of a service application. but not the entire service application. They can perform administrative tasks on the site. For example. such as the pending automatic deletion of inactive sites and requests for site access. and on any list or library within that site. even if they do not have explicit permissions on that site. They receive e-mail notifications for events. They have Full Control access to all site content in that site collection. a Feature administrator might manage the Audiences feature of the User Profile service application. They can audit all site content and receive any administrative alert. ...................... 68 Solution 1: Remove FGP and use security enforcement only at Web level .............................................................................................................. 74 Fine-grained permission issues .............................................................. 63 SharePoint permission system overview .................................... 78 ............................................................................................................................................................................ 75 Resolution of FGP issues ............................................ Error! Bookmark not defined......................................................................................................... 67 Too many members within a scope .................................................................................................................................... Overview of using fine-grained permissions ................. 67 Best practices for avoiding common FGP limit issues ................................................................................................................................................................................................................... 71 Solution 3: Use fine-grained permissions by scope structure changes (2010 only) ........................................................................................................................................................................................................................Contents ....................... 72 Dynamic security changing code redesign ........ 64 SharePoint groups....... 67 Too many scopes within a list ........ 70 Solution 2: Use fine-grained permissions by hierarchical structure changes ............................................................................................................................................................. 69 Environmental security cleanup ................................................................................................................. 72 Environment architecture example.......... 73 Environment overview ..................................................... 64 Permission levels........................................................................... 65 Inheritance ........................................................................................................................................... 69 Environmental security architecture redesign ................................................................................................................................................................................................................................................................................................................................................................................................................................................................. 68 Recommended solutions for common FGP performance issues ......................................................................................................................... 73 Workflow design ........................................... 65 Limited access .............................................. 64 Securable object ........................... 64 Scope ................................................................. 65 Binary ACL ...................................................................................................................................................................................................................................................................................................................................... 76 Summary......................................................................................................................................................... 68 Very deep scope hierarchy ...................................................................... 71 Environment hierarchy redesign .......................................................................................................................... You can have an event handler that registers an event using the SPEventReceiverType. Use groups based on directory membership to assign permissions. FGP can be expensive in terms of both operational oversight and performance. because the time necessary to process items in the views increases. consider the following techniques: o Segregate documents that require fine-grained permissions into document libraries that are defined to support each group of permissions. see Resolution of FGP issues. For additional information about scope changes. we recommend Domain groups to be used. performance issues related to FGP. because when a SharePoint group is used to assign permissions. see Solution 2: Use fine-grained permissions by hierarchical structure changes. Note: In this document. This is extremely powerful. When a list is created. Before a document is published. You can avoid the use of FGP by doing the following: Break permission inheritance as infrequently as possible. without affecting the view rendering performance. The key element in this principle is to redesign the architecture so that scope membership does not cause ACL recalculation at the parent document library and Web. the advanced permissions and versioning settings can be set for users who can only approve items in the document library. the terms Web and site equate to the SPWeb object. Use event handlers to control edit permission. Note: We do not recommend that you use SharePoint groups to assign permissions to sites. For additional information about event handlers. and site collections equate to the SPSite object. consider the following recommended practices: Ensure that you do not have too many items at the same level of hierarchy in the document libraries.ItemUpdating and SPEventReceiverType. Use AddToCurrentScopeOnly method to assign Limited Access membership within a SharePoint group. Instead. because you can make security decision based on any metadata of a list or item. Solution 3: Use fine-grained permissions by scope structure changes (2010 only). a full crawl of the index occurs.Overview of using fine-grained permissions This article describes the use of fine-grained permissions (FGP) for SharePoint® 2010 Products (Microsoft® SharePoint® Server 2010 and Microsoft® SharePoint® Foundation 2010) and SharePoint® Products and Technologies (Office SharePoint® Server 2007 and Windows SharePoint® Services version 3. use the ReadSecurity and WriteSecurity permission levels. Note: We recommend that you use FGP for only those business cases for which it is required. As part of this strategy. and then use code to control whether the update should be allowed. o Use different document publish levels to control access. .ItemUpdated methods. the owners can set the Item-level permissions to either Read access or Create and Edit access. o For non-document libraries (lists).0). If you must use fine-grained permissions. and best practices for configuring solutions that include FGP. Assign permissions at the highest possible level. For additional information about hierarchical changes. and keep the document libraries in a segregated site collection or site. forms-based accounts). however this value even at default can be large enough to significantly detract from performance.com/enus/library/cc262778(office. including Windows user accounts. after 1. in SharePoint Products and Technologies.sproleassignmentcollection.AddToCurrentScopeOnly (http://msdn. for example. For additional inforamation about role assignments. For more information about planning site security.microsoft.sharepoint. a code path that requires additional Microsoft® SQL Server roundtrips to analyze the scopes before rendering a view is used. Permission levels can be predefined or created by the user. there is a new method called SPRoleAssignmentCollection. When there 1.addtocurrentscopeonly.aspx (http://technet.aspx) Plan site permissions (SharePoint Foundation 2010) (http://technet. Active Directory groups. SharePoint groups A SharePoint group is a site collection-wide object that can hold other security principals.aspx) Plan site security (Windows SharePoint Services) http://technet.12). In SharePoint 2010 Products. see SPRoleAssignmentCollection.SharePoint permission system overview This section describes the SharePoint permissions scope system.12). In SharePoint 2010 Products.000 scopes have been created.microsoft. Scope A scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined.12).microsoft.aspx). View Items or Create Alerts. see: Plan site permissions (SharePoint Server 2010) (http://technet. non-Windows users (such as forms-based accounts in SharePoint Products and Technologies or claims-based accounts in SharePoint 2010 Products). or SharePoint groups.AddToCurrentScopeOnly.000 or fewer scopes.com/enus/library/cc287752.microsoft.microsoft. with a default value of 5.000.aspx) Plan site security (Office SharePoint Server) (http://technet. There is no maximum number of scopes that can be created within a parent scope. by which role assignment can occur. The set of permissions can be modified even within the predefined permission levels.com/enus/library/cc287752(office. The scope contains an Access Control List (ACL).microsoft. only one roundtrip is required.com/enus/library/cc262778.com/enus/library/cc287752(office. and Active Directory groups. non-Windows users (for example. a scope can include SharePoint-specific security principals. . the limit of number of scopes returned before switching to a different algorithm is based on a query throttle limit.aspx) Permission levels A permission level contains a set of individual permissions. The members of an ACL for a scope can include Windows users. However. but unlike NTFS ACLs.com/enus/library/microsoft. The following diagram shows an object hierarchy for a document library. Inheritance If a securable object does not have a unique scope.aspx). Instead. see ISecurableObject interface (http://msdn.aspx or SPSecurableObject class (http://msdn. Each numbered gold hexagon represents a permissions scope. no scope is created for the object. its inheritance is broken. the object inherits the scope of its parent. in which all objects but one inherit their scope from their parents. which means that a new scope is created for that item and. In the simplest environment.com/enus/library/microsoft. this scope is at the root Web of the site collection that contains the item. All child objects within a container inherit from that parent scope unless they have their own unique permissions scope. Site Collection Object Web Object Web Object Document Library Object Folder Object Item 1 Object 1 1 1 1 1 Scope 1 User 1 (Contributor) User 2 (Reader) User 3 (Limited Access) User 4 (Full Control) User 4 (Limited Access) User 5 (Reader) User 6 (Contributor) AD Group X (Limited Access) Item 2 Object 1 Scope 2 AD Group X (Reader) User 3 (Contributor) User 4 (Full Control) Item 2 Object 5 Limited access When a security principal is added to the scope of an item with unique permissions. and in SharePoint 2010 Products. In SharePoint Products and Technologies.isecurableobject. When an object inherits from its parent. by default. the security principal is immediately added with the Limited Access permission level to each unique . for any of its children that inherit its permission scopes. the SPSecurableObject class should be used.sharepoint.com/en-us/library/microsoft.microsoft.microsoft. whenever a security check is made.sharepoint. it verifies only against the parent object.Securable object A securable object is an object that can have an ACL assigned to it. For additional information about securable objects.spsecurableobject. When an item or container is changed to have unique membership. the ISecurableObject interface can be used. each differently numbered gold hexagon represents a unique permission scope. up to and including the uniquely permissioned Web. The larger the number of unique scopes above the item. No additional programming is required to add unique scopes whenever a security principal is added to an object scope with unique permissions that is below a Web with unique permissions. Without the Limited Access permissions at the parent scopes. the larger the number of additions that must occur. and all child objects within that container inherit from that scope unless they have their own unique permissions scope. As in the previous diagram. and navigation can render when the user attempts to navigate to the item. the user would not be able to successfully navigate to or open the item that has unique permissions.permission scope in the hierarchy above the item until a parent Web with unique permissions is located. The diagram shows a simplified representation of a physical structure that has unique scopes defined at every level from the Web down to individual items. The reason for adding the user to the scopes with Limited Access is to allow enough access to the object hierarchically above the uniquely permissioned item so that the Object Model (OM). represented by separate boxes within the scope. master pages. The chain of Limited Access promotion is shown using red arrows. Scope 1 User 2 (Reader) User 3 (Full Control) User 6 (Contributor) + AD Group X (Limited Access) + User 3 (Limited Access) + User 4 (Limited Access) + User 5 (Limited Access) + User 1 (Limited Access) + User 2 (Limited Access) Scope 2 User 5 (Reader) + User 2 (Limited Access) Item 2 Object + User 1 (Limited Access) Scope 3 User 1 (Contributor) Item 3 Object Web Object Document Library Object Folder Object Item 1 Object 1 1 2 3 4 5 Scope 4 User 2 (Contributor) Scope 5 AD Group X (Reader) User 3 (Contributor) User 4 (Full Control) The diagram also includes the set of unique scopes along with the Limited Access membership additions that must occur on each parent scope. . The following diagram shows how the hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes. At the Windows PowerShell command prompt.com/en-us/library/ff607596. Click Microsoft SharePoint 2010 Products. 5. A security principal that already has access to the parent scope is added again with Limited Access permissions. Best practices for avoiding common FGP limit issues When working fine-grained permissions. some services cannot accept an ACL that is larger than 64KB.When a security principal with the Limited Access permission level is added to a parent scope. After 50. but should be limited due to performance and interoperability considerations.000 scopes 1. type the following syntax: $webapp = Get-SPWebApplication http://serverName $webapp. To modify the built-in scope limit to less than 50.aspx). Too many scopes within a list There is a built-in limit of 50. When a security principal is removed from the Limited Access permission level at a parent scope. 4. regardless of its existing permissions on the parent scope.microsoft. On the Start menu. 3. the built-in scope limit can be modified by using a Windows PowerShell script. 2. the number of security principals in the binary ACL may be able to grow very large. Verify that you meet the following minimum requirements: See Add-SPShellAdmin (http://technet. it is easy to unintentionally encounter limits that prevent permissions from resolving. including when a new limited access member is added.microsoft.000 scopes per list or document library. click All Programs. see ntext. Although there is no explicit size limitation on a binary ACL other than the maximum size of an image column in SQL Server.MaxUniquePermScopesPerList . a binary ACL is calculated. text. Whenever the membership of a scope changes.000 scopes are reached addition of new scopes within a given list or document library is prohibited. and access to the objects will be blocked until the ACL can be recalculated. The binary ACL takes more time to calculate as the membership gets larger. and image (Transact-SQL) (http://msdn. In this case. each instance of that security principal within every child scope is removed from the Limited Access permission level. Click SharePoint 2010 Management Shell. Binary ACL A binary ACL performs rapid comparisons of a user token to determine whether the user should have access to the object covered by the scope. no check is made to see whether the security principal is already in the parent scope.aspx).com/en-us/library/ms187993. regardless of whether the security principal has Limited Access or a wider set of permissions at the child scopes. For information about limitations in image column sizes in SQL Server. In SharePoint 2010 Products. if a single group can be used in place of 1. For example. When this occurs. Do not create a system with many uniquely permissioned objects below an object that has many scopes. including when a new limited access member is added. Additionally this will increase the number of binary ACLs that need to be recalculated. a scope membership change can take a very long time to occur. Too many members within a scope As described earlier. at the expense of more processing time even if it ultimately results in the same ACL. the scope will be 999 membership entries smaller for the scope and any of its parent scopes which will be updated with Limited Access rights for that single group instead of all 1. This limitation can cause the effective number of scopes allowed in a particular query to be reduced to 1. even if this ultimately results in no change to the parent scope membership. If a scope hierarchy is very deep. Very deep scope hierarchy As indicated earlier. as each membership change in the deepest scope item will have to iteratively update parent scopes with a membership addition for the explicitly added user or group with Limited Access rights. If your business requires that you more than 50. then you must move some items to adifferent list or document library. the amount of time it takes to recalculate the binary ACL increases. the binary ACL for the parent scope(s) must also be recalculated. thereby reducing the numer of scopes that need to be updated with Limited Access members whenever any child objects scope changes. Best practices: Only set unique scopes on parent objects such as folders. the effective limit is much smaller than 50.000 uniquely permissioned items in a list or document library. the larger the number of additions that must occur. a binary ACL is calculated whenever the membership of that scope changes.MaxUniquePermScopesPerList = <Number of scope limit> Often. The larger the number of unique scopes above an item.000 individual users with Limited Access rights. This is because display checks for items below that hierarchical level must be checked against all scopes above them. Best practice: Rely on group membership instead of indivudal user membership in the scopes. however.$webapp.000 users. This additionally helps increase the speed of Limited Access rights push and ACL recalculation at the parent scope objects.000. Important: Using a SharePoint group will cause a full crawl of the index. hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes. However.000 to 2. use a domain group.000 if many scopes exist at the same hierarchical level. with an according performance impact. Best practice: Reduce the numbers of uniquely permissioned parent objects. the problem can be made worse as the additions of users at a child objects unique scope will cause its parent scopes to be updated with the new Limited Access members. As the scope membership number increases. up to and including the uniquely permissioned Web. Recommended solutions for common FGP performance issues . If possible. and if it is then set to inherit its permissions from its parent Web. first remove each of the individual item-level unique scopes so that the item is set to inherit permissions from its parent object. and all the Limited Access memberships will be overwritten at once using in a single SQL Server roundtrip. Instead. object hierarchy or custom code that is contributing tho the FGP related performace issue. . Each solution will start with the following example environment where a single Web contains multiple document libraries each with a great many number of uniquely permissioned child objects. because it has to act on only a single scope for the item. the internal OM must remove the user from every scope below the Web level. an environment cleanup process can be implemented. However.000+ Items (10. all the unique scopes under it will be removed. removing individual users in order to clean up existing permissions is a time-consuming process. Environmental security cleanup When a user is removed from the Web-level scope.000 max per level) 6 Solution 1: Remove FGP and use security enforcement only at Web level To re-architect the environment so it no longer requires fine-grained permissions. Important: If the current Web is not at the root of the site collection.The following solutions can help mitigate performance issues that are specifically related to the extensive use of fine-grained permissions. The following recommendations describe the environment cleanup and architectural security changes required to accomplish this solution. This will take comparatively less time than attempting to remove users first. Web Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 2 3 4 5 … x10. and then the number of scoped items can be adjusted to improve the scalability of the environment over the longer term. Each of the following covers changes to the environment security. Web Scope 14. The following diagram shows how this could be structured so that only the Web-level scope remains. the long-term architecture plan should be to maintain a unique scope only at the Web level.000 items. because the time necessary to process items in the views increases. the maximum count of items or folders at any level in the hierarchy should be roughly 2.000+ unique entries (Limited Access) Web Scope Access Group (Contributor) Environmental security architecture redesign After the existing fine-grained permissions and scopes are removed. individual scope memberships at the Web-level scope can be replaced with one or more group memberships to allow access. As a best practice.Web Object Document Library Object Folder Object Item 1 Object 1 1 1 1 Scope 1 + FullControlGP (Full Control) + ContributorGP (Contributor) + ReaderGP (Reader) SPGroup Object ContributeGP Scope 2 + User 1 + User 2 SPGroup Object ReaderGP + User 5 Scope 3 User 1 (Contributor) Scope 4 User 2 (Contributor) Scope 5 AD Group X (Reader) User 3 (Contributor) User 4 (Full Control) + AD Group X SPGroup Object FullGP + User 3 + User 4 Item 2 Object 1 User 5 (Reader) + User 2 (Limited Access) + User 1 (Limited Access) Item 3 Object 1 After all item-level scopes have been removed. The core requirement in the architecture is to not have too many items at the same level of hierarchy in the document libraries. . The number of document libraries could also be changed to more closely support business needs and scaling recommendations that are based on the taxonomy or audience of the stored content. when item-level FGP must be preserved. although this is not a fixed limit. consider moving document libraries to different Webs or site collections. the physical architecture has been modified so that each document library is in a uniquely permissioned Web. Environment hierarchy redesign In the following diagram. as a best practice the cumulative number of security principals who will be granted access should be limited to approximately 2.000. the effective membership of each Web. consider moving differently secured document libraries to different Webs. As such.000 users in order to keep each Web-level scope from growing too large. including all Limited Access members users. Additionally.000 max per level) 1 If additional changes are needed to the architecture. should be no more than approximately 2.000+ Items (2.Web Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 1 1 1 1 … x10. . Solution 2: Use fine-grained permissions by hierarchical structure changes To re-architect the environment so it still uses requires fine-grained permissions. but without causing excessive updates to or or sizing of a single Web scope. Solution 3: Use fine-grained permissions by scope structure changes (2010 only) To re-architect the environment so it still uses requires fine-grained permissions.AddToCurrentScopeOnly method. but without causing excessive updates to or or sizing of a single Web scope. In this case.000 items. and can scale to large numbers.000 max per level) 12 The number of uniquely scoped children is not a significant issue. consider using a different process of securing items. the scope will not grow too large.000 max per level) 6 … x5. using the new SharePoint 2010 Products SPRoleAssignmentCollection. . should be no more than approximately 2. Dynamic security changing code redesign In the following diagram. the effective membership of the Web.000 in order to keep the Web-level scope from growing too large.000+ Items (2. The recommendation in this case is to make a code change to whatever process was creating the unique security scopes. by additional code. by implementing a new SharePoint group to hold all members who should have Limited Access rights. to the new group that has already been established as having Limited Access rights at the Web and document library level. Lastly. the scope architecture has been modified so that scope membership does not cause ACL recalculation at the parent document library and Web. This limit can help ensure good performance of views requested by users.Web 1 Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 2 3 4 5 Web 2 Object Document Library 2 Object Item 8 Object Item 9 Object Item 10 Object Item 11 Object 7 8 9 10 11 … x5. When users are added to individual scopes under the Web level. including all Limited Access members. but the number of principles that will be added as limited access up the chain of scopes to the first uniquely permissioned Web will be a limiting factor. the folder structure should ensure that no single hierarchical level of the document library ever exceeds roughly 2. however. althoiugh not specifically an FGP issue.000+ Items (2. they can also then be added. As mentioned earlier. This is mainly applicable if the cause of the excessive number of unique scopes was through an automated process such as an event handler or workflow that dynamically modified object permissions. the number of uniquely scoped children is not a significant issue. Documents could be assigned to one of multiple content types that convey the intended purpose of the document (such as project plans or troubleshooting guides). Contoso-Draft was where initial drafts were published and where workflows interacted with the documents. the additions of users at a child item unique scope will cause parent scopes to be updated with the new Limited Access members. the amount of time it takes to recalculate the binary ACL increases. and covers the combination of solutions used to fix the issue. Contoso-Draft and Contoso-Production. the binary ACL for the parent scope(s) must also be recalculated. Additionally the . Contoso-Production was the final destination of each approved document. When this occurs. and was the repository for all approved content. although this is not a fixed limit.Scope 1 User 2 (Reader) User 3 (Full Control) User 6 (Contributor) + AccessGP1 (Limited Access) Web Object Document Library Object Folder Object Item 1 Object 1 1 2 3 Scope 2 User 5 (Reader) + User 1 (Limited Access) + User 2 (Limited Access) SPGroup Object AccessGP1 Scope 3 User 1 (Contributor) + User 5 + User 1 Scope 4 User 2 (Contributor) Scope 5 AD Group X (Reader) User 3 (Contributor) User 4 (Full Control) + User 2 + AD Group X + User 3 + User 4 Item 2 Object 4 Item 3 Object 5 As mentioned earlier. when item-level FGP must be preserved. even if this ultimately results in no change to the parent scope membership. as a best practice the cumulative number of security principals who will be granted access should be limited to approximately 2. As such. Environment overview A knowledge management system based on SharePoint Server 2007 contained two site collections each with a single Web. Environment architecture example This section describes an example environment that was experiencing significant issues related to a confluence of fine-grained permissions related issues. the binary ACL must be recalculated.000. If the membership of a scope is changed. and can scale to large numbers. but the number of principles that will be added as limited access up the chain of scopes to the first uniquely permissioned Web will be a limiting factor. when this number increases. However. As in the previous solution. The draft publishing site collection contained one document library per discipline.12).com/enus/library/cc262735(office.12).000 max per level) 6 … 11 x10. the author of a document was blocked from accessing it so others could review it without the author making changes at the same time.com/en-us/library/cc262735. The following diagram shows a simplified representation of the original physical structure of the Web.microsoft.microsoft. and for various disciplines (such as project management or operations).000+ Items (10.aspx) Content types planning (SharePoint Foundation 2010) (http://technet. and all child objects within that container inherit from that same scope unless they have their own unique permissions scope.documents were classified within technology domains (of which there couild be a hundred or more of increasing specificity). The document library was expected to hold a large number of items while they were undergoing workflow operations which dynamically changed the assigned reviewer and security of the item.com/enus/library/cc287765(office. see: Content type and workflow planning (SharePoint Server 2010) (http://technet. and available to all company employees.microsoft.com/en-us/library/ff607870. For each .aspx) Plan content types (Office SharePoint Server) (http://technet. and users were expected to first select into a discipline library and specific technology domain folder when creating a new document. it was then copied to a matching Contoso-Production based location where it remained unmodified as a published version. each with a hierarchy of increasingly specifc folders for each technology domain.aspx) Workflow design When the workflow process began.000+ Items (5.000 max per level) Each combination of content type.aspx) Plan content types (Windows SharePoint Services) (http://technet. Once the document was final reviewed. and discipline could have a nonoverlapping reviewer assigned who was an expert in the technology domain or discipline. technology domain.microsoft. where each uniquely numbered gold hexagon represents a unique permissions scope. Web Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 2 3 4 5 Document Library 2 Object Item 8 Object Item 9 Object Item 10 Object Item 11 Object 7 8 9 10 … x20 … x10. For information about content type and workflow planning. This permission change meant that only a single user or small subset of users—that is. but is now experiencing signficant issues in performance. The workflow process used both a coded workflow and a custom event handler. with permissions inheriting from the parent Web. with users experiencing delays from one to dozens of minutes before tasks can be accomplished. the more scopes that the security principal was added to with Limited Access.000+ unique entries (Limited Access) Item Scope User 1 (Contributor) Item Scope User 2 (Contributor) Item Scope AD Group X (Reader) … x30. once the document was fully approved. usage quickly grew to greater than 15. The performance issues reported prevented a large portion of the company from being able to use the new knowledge management system which was expected to support upwards of 60.000 users. had access to the item at a time. each unique security principal was added with Limited Access to the various unique permission scopes in the hierarchy above the item until a uniquely permissioned Web was located. but that the effective number of unique security principals within that Web-level scope has grown to over 15.000 documents. but once the design was made available and and then announced as a mandatory knowledge capture tool for the entire company. so that each item was given a unique permissions scope. was to copy it to the equivalent Contoso-Production location as a new published version of the document. which caused a binary ACL recalculation for each addition.000+ Unique Users A key thing to be aware of here is that the problem is not due to the sheer number of unique scopes that have been created within the site collections root Web. it was initially acted upon by the custom event handler which would change permissions and start a new workflow instance.succeeding step of the workflow. Following the requirements of the Limited Access permission level as described previously. When the permission changes happened through the workflow. the reviewers for that step. The testing used only hundreds of test accounts.000 unique users. Due to the large size of the Web-level scope combined with the frequency of binary ACL recalculation can cause blocking in several SQL Server stored procedures. a permission scope was created for each individual item. Each user added to any unique permissions scope below the Web was also added to the Web’s own scope. Therefore. Web Scope 15. Each time an item . Both the workflow and the event handler changed the permissions for the specific file being updated. the more unique scopes that were above the uniquely permissioned item but below the uniquely permissioned Web. Fine-grained permission issues The environment and workflow design tested well during development. The final step in the workflow.000+ Scopes x15.000 users cumulatively working on over 30. the users who previously had access to the document were denied access and the reviewer(s) for the next stage of the workflow were given access. which worked together. When an item was changed in a document library. but it could be used to prevent modifications to documents or workflows. and all child objects within that container inherit from that same scope unless they have their own unique permissions scope. such as for example. it took a long time to recalculate. including for Limited Access. no access was available to that object. Additionally. initially by attempting to remove each user from the Web scope or item level scopes. a removal process for each item scope was enacted by having the item inherit permissions from its parent. and the updated workflow and event handler were installed users were able to use the environment. each each time the membership of the Web scope was updated with existing or new members. Once individual item security scopes had been removed. Web Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 1 1 1 1 Document Library 2 Object Item 8 Object Item 9 Object Item 10 Object Item 11 Object 1 1 1 1 … x20 … x10. Additionally. The event handler was modified to enforce a form or read access for those not currently assigned as reviewer by preventing modifications to documents or workflows. with both a short term and long term plan enacted. minus the individual item level security enforcement with no further performance issues. Due to the Web-level scope containing over 15. but as the performance was unsatisfactory. Resolution of FGP issues The previously mentioned soltions were considered as part of the process of mitigating the experienced FGP related performance issues.000+ Items (2.000 max per level) 1 .000 max per level) 1 … x10. The short term decision was to refactor the workflow to no longer set per item FGP. because there is no way other than the use of scopes to securely restrict viewing.000 security principals. While it was recalculating. The following diagram shows a simplified representation of the physical structure of the Web after security scope removal.with broken inheritance has its membership scope changed. mistakenly allowing the author to modify the document while it was in a review cycle. This approach did not limit who could view items. where each uniquely numbered gold hexagon represents a unique permissions scope. it causes each member of the scope to be added as a having Limited Access user membership at the Web-level scope. The individual FGP scopes were then removed. and end users experienced intermittent login difficulties. and the environment structure was left hierarchically the same. some content rebalancing was used to prevent too many items from displaying at a specific level of hierarchy. it caused a recalculation of the Web-level scope binary ACL.000+ Items (2. and then granting a SharePoint group. The following diagram shows a simplified representation of the physical structure of the content after separating to different Webs. and all child objects within that container inherit from that same scope unless they have their own unique permissions scope. the key issue of excessive numbers of security principals in a scope is solved.000+ Items (2.000+ Scopes x2. so that FGP could continue to be used. . Note that although a large number of uniquely permissioned items still would remain. specifically the ability to dynamically assign FGP by using the SPRoleAssignmentCollection. but with overall impact limited to a much smaller set of changes.000 entries (Limited Access) Item Scope User 1 (Contributor) Item Scope User 2 (Contributor) Item Scope Group X (Reader) … x10.000 Unique Users Lastly some consideration was made for when an eventual switch to SharePoint 2010 Products would bring new capabilities to the workflow design. Web 1 Object Document Library 1 Object Folder Object Item 1 Object Item 2 Object Item 3 Object 1 2 3 4 5 Web 2 Object Document Library 2 Object Item 8 Object Item 9 Object Item 10 Object Item 11 Object 7 8 9 10 11 … x20 … x10.000+ Items (2.000 max per level) 6 … x10. where each uniquely numbered gold hexagon represents a unique permissions scope.A planned longer-term solution in SharePoint Products and Technologies would be to separate content into different Webs. Web Scope Maximum 2.AddToCurrentScopeOnly method to assign membership only to each items individual scope.000 max per level) 12 The following diagram shows the logical scope design and highlights the limits of how many unique security principals could be added to each Web's scope if FGP was reena bled after moving to different Webs. it covers an example environment that was experiencing issues from improper fine-grained permissions use. such as a name.com/fwlink/?LinkID=187911). It does not explain how to create or configure custom claims providers.com/fwlink/?LinkID=196647) and A Guide to Claims-based Identity and Access Control (http://go. see Claims How Tos (http://go. For information about how to create a custom claims provider. Claims providers are displayed in the user interface of the Select People and Groups dialog box in the People Picker control. the user's token is validated and then used to sign in to SharePoint Foundation 2010. It additionally covers strategies and processes to mitigate issues if an environment is currently experiencing issues due to improper use or scale of fine-grained permissions. They provide the functionality used to find and select users. For more information about claims augmentation. Before reading this article.containing the membership. groups.com/fwlink/?LinkID=207579).microsoft. a claims provider augments a user token with additional claims during sign-in. or group membership. This article describes the use and benefits of claims providers. their architecture. Limited Access at the parent Web. Custom claims providers for People Picker (SharePoint Foundation 2010) Published: February 3. see Claims Provider (http://go. Uses and benefits A claims provider in SharePoint Foundation 2010 is used primarily for two reasons: To augment claims To provide name resolution In the augmentation role. and the process used to fix the issues found. e-mail address.microsoft. you should understand the concepts described in Plan authentication methods (SharePoint Foundation 2010) and The Role of Claims (http://go. and sites in SharePoint Foundation 2010. and how to plan for them. This process would enable FGP to be implemented via the workflow and/or event handler without impacting performance.com/fwlink/?LinkId=211324). and claims when permissions are assigned to items such as lists. Summary This paper describes best practices on how your organization can use fine-grained permissions and what potential performance issues can occur.microsoft.microsoft. When a user signs in to SharePoint Foundation 2010. which SharePoint Foundation 2010 then packages into security tokens for users.com/fwlink/?LinkID=208326). For additional information about claimsbased authentication. For information about the People Picker control. special considerations for custom claims providers. see People Picker overview (SharePoint Foundation 2010). . see SharePoint Claims-Based Identity (http://go. A claims provider in Microsoft SharePoint Foundation 2010 issues claims. 2011 A claim consists of information about the identity of a user.microsoft.com/fwlink/?LinkId=207578) and Creating Custom Claims Providers in SharePoint 2010 (http://go. libraries.microsoft. Lastly. for example when configuring the security of a SharePoint site or SharePoint service. SharePoint Foundation 2010 also uses one or more of the default claims providers listed in the following table. Claims picking enables an application to surface claims in the People Picker.microsoft. see Claims Provider (http://go. or you can create your own custom claims providers to provide additional claims in the security token for a user or to connect to additional sources of claims.com/fwlink/?LinkId=210014) . see People Picker overview (SharePoint Foundation 2010).microsoft. Depending on the authentication method selected for a zone of a Web application. a claims provider lists.microsoft. and determines the "friendly" display of users. if you have a CRM application that contains roles that are not found in the user repository in Active Directory.com/fwlink/?LinkID=208325) SPFormsClaimProvider (http://go.microsoft. You can use the claims providers that are included with SharePoint Foundation 2010.com/fwlink/?LinkId=210012) class provides an All Users claim that is displayed in the Select People and Groups dialog box for People Picker. For example. SharePoint Foundation 2010 automatically uses two default claims providers: The SPSystemClaimProvider (http://go. The SPAllUserClaimProvider (http://go. For more information about claims provider usage scenarios.com/fwlink/?LinkId=210011) class provides claims information related to the server farm where SharePoint Foundation 2010 is installed. resolves. you can create a custom claims provider to connect to that database and add CRM role data to a user's original claims token. groups. For more information about People Picker. searches.In the picking role.microsoft. Architecture When a Web application is configured to use claims-based authentication. Authentication method Windows authentication Forms-based authentication Security Assertion Markup Language (SAML) token-based authentication Claims provider SPActiveDirectoryClaimProvider (http://go.com/fwlink/?LinkID=207579).microsoft. and claims in the People Picker.com/fwlink/?LinkId=210013) SPTrustedClaimProvider (http://go. If your SharePoint Foundation 2010 solution will use SAML token-based authentication. assembly. you will need to create a custom claims provider. Note: When a Web application is configured to use SAML token-based authentication.microsoft. you can control what information is displayed and what results are returned in response to a query from the People Picker control. Claims providers are registered on a server farm as features that are deployed to the farm.microsoft. or claim. For information about how to override the default claims provider. You can see a list of claims providers for a farm by using the GetSPClaimProviderWindows PowerShell cmdlet. About custom claims providers By default. groups.These claims providers are displayed in the Select People and Groups dialog box for People Picker. These properties determine whether a registered claims provider is enabled for use in the farm. see SPClaimProviderDefinition Class (http://go. regardless of whether it is a valid user. For information about the SPClaimProviderDefinition class. list. see Creating Custom Claims Providers in SharePoint 2010 (http://go. To do this. the SPTrustedClaimProvider class does not provide search functionality to the People Picker control. if your Web application uses SAML authentication and you also want to resolve users from Active Directory. For example.microsoft. group. Each claims provider object uses the SPClaimProviderDefinition class to include information about the claims provider. You cannot change what information is supplied and how it is displayed when you use an out-of-box claims provider. or library.com/fwlink/?LinkId=207595). They are scoped at the farm level. you must have a developer create a custom claims provider that will meet the needs of your solution for finding and selecting users. For information about how to write a custom claims provider.com/fwlink/?LinkID=211324) and Claims Walkthrough: Writing Claims Providers for SharePoint 2010 (http://go. all claims providers are enabled when they are deployed to a server farm. and claims when a user assigns permissions to items such as a site. and type. such as display name.com/fwlink/?LinkId=207591).microsoft. description. and whether the claims provider is used by default in a particular zone. By default. the information that is resolved in People Picker when a query is performed depends on the information supplied by the claims provider.microsoft. For more information about zones and authentication. Two important properties of the SPClaimProviderDefinition class are IsEnabled and IsUsedByDefault. you should plan to create a custom claims provider to implement custom search and name resolution. see Claims Provider (http://go. see Plan authentication methods (SharePoint Foundation 2010). By default.com/fwlink/?LinkID=207579). you .com/fwlink/?LinkId=207589). see How to Override the Default Name Resolution and Claims Provider for SharePoint 2010 (http://go. Any text entered in the People Picker control will automatically be displayed as if it had been resolved. For additional examples of claims provider use scenarios. When you create a custom claims provider. For information about how to override the default claims provider. and customer partners. PublishingWeb. Depending on the number of zones needed for your SharePoint Foundation 2010 solution. In this . PartnerWeb. Configuring a Custom Claims Provider to be Used only on Select Zones in SharePoint 2010 (http://go. The second Web application. business partners. see How to Override the Default Name Resolution and Claims Provider for SharePoint 2010 (http://go. you can create a Windows PowerShell script that sets the claims provider for a zone by using the SPIisSettings.com/fwlink/?LinkId=207588) and Claims Walkthrough: Writing Claims Providers for SharePoint 2010 (http://go. In general.ClaimsProvider Property (http://go. Unless the IsUsedByDefault property is set to False. and the users for each zone. suppose that for the extranet zone on PartnerWeb. the IsEnabled and IsUsedByDefault properties are both set to True. see SPIisSettings.microsoft. Deploying and configuring custom claims providers By default.microsoft. see How to: Create a Claims Provider (http://go.com/fwlink/?LinkId=207592).microsoft. For information about how to create a custom application to configure claims providers for select zones. For example. the authentication methods used by each zone. To do this. Note: You cannot control the order in which claims providers are displayed in the Select People and Groups dialog box in People Picker. you must carefully plan the zones in which you want the custom claims provider to be displayed.ClaimsProviders property.com/fwlink/?LinkId=207597). you want employees to be able to collaborate with business partners but not customer partners. based on the user's identity.microsoft. and then register the claims provider on the server. when you register a custom claims provider on the farm. the custom claims provider is displayed in the Select People and Groups dialog box in People Picker for all zones.com/fwlink/?LinkId=207591). For information about the SPIisSettings.microsoft. consider a scenario where there are two Web applications: The first Web application. has two zones — one intranet that uses Windows claims-based authentication and one extranet that uses forms-based authentication — and is used for collaboration among employees and partners. or you can create a custom application to allow you to enable a custom claims provider for select zones. you write a custom claims provider that determines whether the current user is a business partner or customer partner. you should make sure that the IsUsedByDefault property is set to False. Now. Because claims providers are scoped at the farm level and enabled at the zone level.configure the Web application to use claims authentication. To configure a custom claims provider for select zones. you may want to limit the zones in which your custom claims provider is displayed in People Picker. has only one zone that uses forms-based authentication and is an Internet publishing site for employees. see the TechNet blog post. For information about how to write a custom claims provider.ClaimsProvider property. and then configure the SPIisSettings class for each zone in which you want to use the custom claims provider.com/fwlink/?LinkId=207589). You can also override the settings of the IsEnabled and IsUsedByDefault properties by using the Set-SPClaimProviderWindows PowerShell cmdlet. when a customer partner is authenticated. For information about how to use a feature receiver to deploy a custom claims provider. a claim for a role called CustomerPartner is added to the claim token. The following diagram illustrates the authentication methods and claims provider settings for each Web application and zone.com are business partners.com/fwlink/?LinkId=207590). . you configure the SPIisSettings class for that zone to use the custom claims provider. When a user who is a business partner is authenticated in the PartnerWeb Web application.example. you add a Web application policy on the PartnerWeb Web application for the extranet zone that explicitly denies access to any user who has a claim for a role called CustomerPartner. to enable this functionality on the extranet zone. The custom claims provider would also need to implement search and type-in support for the Web application policy to resolve the CustomerPartner role claim so it can be added to the Web application policy.com are customer partners. see Sample: Feature Receiver to Deploy a Claims Provider (http://go.microsoft. a claim for a role called BusinessPartner is added to the claim token. To make sure that customer partners are never added to the extranet collaboration site. Finally. Note: On the Central Administration Web site. while users from contoso. regardless of whether the IsUsedByDefault property is set to True. all claims providers are displayed in the Select People and Groups dialog box in People Picker. users from fabrikam. You can set the IsUsedByDefault property by configuring it in a feature receiver that you create for your custom claims provider. Register the claims providers on the additional farms in the same order that they were registered on the first farm. 3. the claims provider name. and what authentication methods are used in each zone? Are there any custom claims that should be added to users to enable more advanced security scenarios? Will you be using SAML authentication with a trusted identity provider? What will be the source of the values for the users and roles that will be displayed in People Picker query results? What claim data do you want to resolve in the Select People and Groups dialog box? . 1. the IsEnabled property should be set to True. For information about how to restore a farm. Considerations for custom claims providers As you plan custom claims providers for use with People Picker in your SharePoint solution. However. For information about how to back up a farm. This can be useful if you need to troubleshoot issues that might be caused by a custom claims provider. Use the following steps when you have installed a custom claims provider on a farm and you want to use the same claim on additional farms. see Restore a farm (SharePoint Foundation 2010).Important: Changing the IsEnabled property to False will disable the claims provider for the entire server farm. Perform a backup of the first farm. in general. and the order in which the claims provider was installed on the server. see Back up a farm (SharePoint Foundation 2010). consider the following questions: What zones does your Web application have. Using custom claims on more than one farm Claim values are a combination of the claim itself. Use the back up from the first farm to restore the other farms. 2. if you want to use a claim across multiple farms or environments. Therefore. you must install the claims providers in the same order on each farm in which you want to use the claim. protocols. and services in Microsoft SharePoint 2010 Products.microsoft. and gives detailed guidance about the specific hardening requirements for ports. For example. 2010 This article describes security hardening for Microsoft SharePoint Foundation 2010 Web server. which control membership. which help to secure content at the item and document level. An intranet portal for employee benefits should be available only to full-time employees. This section describes permissions for sites and site content and provides considerations for choosing permissions. Security hardening recommendations for these servers depend on the role each server plays. You can manage permissions by using Microsoft SharePoint Foundation 2010 groups.The SharePoint Foundation 2010 Content Publishing team would like to thank Steve Peschka for contributing to this article. individual servers play specific roles. Security planning for sites and content (SharePoint Foundation 2010) Published: May 12. and service guidance Secure server snapshots In a server farm environment. application server. whereas the home page of an Internet Web site is accessible by anonymous clients. protocol. This article does not include hardening guidance for other software in the environment. Plan security hardening (SharePoint Foundation 2010) Published: May 12. proprietary technical information should be accessible only on a need-toknow basis. His blog can be found here (http://go. and fine-grained permissions. In this article: Secure server snapshots Specific port.com/fwlink/?LinkId=210274). The characteristics defined for each category represent the optimal hardened state for Microsoft SharePoint 2010 Products. 2010 Some of the sites in your enterprise probably contain content that should not be available to all users. and database server roles. This article contains secure snapshots for two categories of server roles: Web server and application server roles Database server role The snapshots are divided into common configuration categories. Permissions control access to your sites and site content. . in these cases. used by search roles: Direct-hosted SMB (TCP/UDP 445) — this is the . Some of the guidance applies to specific service applications. Category Services listed in the Services MMC snap-in Characteristic Enable the following services: File and Printer Sharing World Wide Web Publishing Service Ensure that these services are not disabled: Claims to Windows Token Service SharePoint 2010 Administration SharePoint 2010 Timer SharePoint 2010 Tracing SharePoint 2010 VSS Writer Ensure that these services are not disabled on the servers that host the corresponding roles: SharePoint 2010 User Code Host SharePoint Foundation Search V4 Ports and protocols TCP 80.Web server and application server roles This section identifies hardening characteristics for Web servers and application servers. TCP 443 (SSL) File and Printer Sharing service —either of the following. the corresponding characteristics need to be applied only on the servers that are running the services associated with the specified service applications. tcp binding: 32845 (only if a third party has implemented this option for a service application) UDP port 1434 and TCP port 1433 — default ports for SQL Server communication. Ensure that ports remain open for Web applications that are accessible to users. configure a SQL Server client alias for connecting to the named instance. 138. TCP/25 (SMTP for e-mail integration) Registry Auditing and No additional guidance If log files are relocated. Block external access to the port that is used for the Central Administration site. This port must be open for inbound connections on Web servers or application servers where this service is turned on. ensure that the log file locations are updated to . TCP/IP 32846 for the Microsoft SharePoint Foundation User Code Service (for sandbox solutions) — This port must be open for outbound connections on all Web servers. If these ports are blocked on the SQL Server computer (recommended) and databases are installed on a named instance. 139) — disable this port if you do not use it Ports required for communication between Web servers and service applications (the default is HTTP): HTTP binding: 32843 HTTPS binding: 32844 net.recommended port NetBIOS over TCP/IP (NetBT) (TCP/UDP ports 137. Ensure that customErrors is turned on (<customErrors mode=""On""/>). Ensure <SafeMode> CallStack=""false"" and AllowPageLevelTrace=""false"".config file for each Web application should be set to WSS_Minimal (where WSS_Minimal has its low defaults as defined in 14\config\wss_minimaltrust. Set the Upload.net>/<defaultProxy>).config Database server role The primary recommendation forSharePoint 2010 Products is to secure inter-farm communication by blocking the default ports used for Microsoft SQL Server communication and establishing custom ports for this communication instead.) Follow these recommendations for each Web.config or by your own custom policy file. Performance can be affected by uploads that exceed 100 MB. The <trust> element in the Web. Ensure that the Web Part limits around maximum controls per zone is set low. Update directory access control lists (ACLs) also. For more information about how to .logging Code access security match. Ensure that you have a minimal set of code access security permissions enabled for your Web application. Ensure that the SafeControls list is set to the minimum set of controls needed for your sites. Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed.aspx limit to the highest size you reasonably expect users to upload (default is 2 GB). Consider your Web proxy settings as needed (<system.config file that is created after you run Setup: Do not allow compilation or scripting of database pages via the PageParserPaths elements. Web. which is minimally set. the port number for a named instance can be reassigned if the instance is restarted (depending on whether the previously assigned port number is available). see Securing SQL Server (http://go. later in this article. the client computers query the SQL Server Resolution Service that is listening on UDP port 1434 to determine the port on which the database instance is listening. client computers that connect to SQL Server first connect by using TCP port 1433. Consider blocking TCP port 1433. .config file Blocking the standard SQL Server ports The specific ports used to connect to SQL Server are affected by whether databases are installed on a default instance of SQL Server or a named instance of SQL Server. By default. Category Ports Characteristic Block UDP port 1434.microsoft. The default instance of SQL Server listens for client requests on TCP port 1433. Additionally. and service guidance The rest of this article describes in greater detail the specific hardening requirements for SharePoint 2010 Products. Specific port.configure ports for SQL Server communication. see Blocking the standard SQL Server ports. protocol. This article does not describe how to secure SQL Server.com/fwlink/?LinkId=186828). If this communication is unsuccessful. For more information about how to secure SQL Server. A named instance of SQL Server listens on a randomly assigned port number. In this section: Blocking the standard SQL Server ports Service application communication File and Printer Sharing service requirements Service requirements for e-mail integration SharePoint 2010 Products services Web. you must configure a SQL Server client alias on all servers that connect to the SQL Server computer. There are several methods you can use to block ports. When you publish a service application. If you block UDP port 1434 on the SQL Server computer. the corresponding communication port is randomly assigned and can change. However. consider reassigning the port used by the default instance and blocking TCP port 1433. Configuring SQL Server database instances to listen on a nonstandard port SQL Server provides the ability to reassign the ports that are used by the default instance and any named instances. This can be accomplished by using Windows Firewall in Control Panel. the recommendation is to block these ports directly on the server that hosts SQL Server. you reassign ports by using SQL Server Configuration Manager. To install SQL Server client components. the ports used by SQL Server are well-publicized ports and the SQL Server Resolution Service has been the target of buffer overrun attacks and denial-of-service attacks.The default port-communication behavior of SQL Server introduces several issues that affect server hardening. the well-publicized ports remain a target. Even if SQL Server is updated to mitigate security issues in the SQL Server Resolution Service. In SQL Server 2005 and SQL Server 2008. if databases are installed on a named instance of SQL Server. To connect to an instance of SQL Server 2005 or SQL Server 2008. Consequently. Second. you can select either HTTP or HTTPS with the following bindings: . You can block these ports by using a firewall. including the "Slammer" worm virus. The ability to control which TCP ports are open or blocked is essential to securing your environment. Additionally. see Harden SQL Server for SharePoint environments (SharePoint Foundation 2010). the recommendation for a server farm is to assign static port numbers to named instances of SQL Server and to block UDP port 1434 to prevent potential attackers from accessing the SQL Server Resolution Service. First. or you change the default port for the default instance. unless you can be sure that there are no other routes into the network segment and that there are no malicious users that have access to the network segment. Configuring SQL Server client aliases In a server farm. This behavior can potentially prevent server-toserver communication in a hardened environment. you install SQL Server client components on the target computer and then configure the SQL Server client alias by using SQL Server Configuration Manager. Service application communication By default. communication between Web servers and service applications within a farm takes place by using HTTP with a binding to port 32843. all front-end Web servers and application servers are SQL Server client computers. run Setup and select only the following client components to install: Connectivity Components Management Tools (includes SQL Server Configuration Manager) For specific hardening steps for blocking the standard SQL ports. Communication between service applications and SQL Server takes place over the standard SQL Server ports or the ports that you configure for SQL Server communication. However. select the service application. NetBT is not considered as secure as direct-hosted SMB. The following table describes the hardening requirements that are introduced by the dependency on the File and Printer Sharing service. direct-hosted SMB is recommended instead of NetBT. The File and Printer Sharing service requires the use of named pipes. Named pipes can communicate by using either direct-hosted SMB or NetBT protocols. and then click Publish. third parties that develop service applications can implement a third choice: net. The front-end Web server communicates with content databases directly and sends results back to the servers that include crawl components. the following: Search queries All search queries require the File and Printer Sharing service. For a secure environment. but are not limited to. Named pipes can use NetBT instead of directhosted SMB. File and Printer Sharing service requirements Several core features depend on the File and Printer Sharing service and the corresponding protocols and ports. Crawling and indexing content To crawl content.tcp binding: port 32845 You can change the protocol and port binding for each service application.HTTP binding: port 32843 HTTPS binding: port 32844 Additionally. . On the Service Applications page in Central Administration. servers that include crawl components send requests through the front-end Web server. These include. Category Services Protocols Requirements File and Printer Sharing Named pipes that use directhosted SMB Disable NetBT Notes Requires the use of named pipes. The hardening recommendations provided in this article assume that SMB is used. This communication requires the File and Printer Sharing service. Direct hosting of SMB over TCP/IP (http://go. . you might allow access to this file by the server farm account only. you can either use the SMTP service or route outgoing email through a dedicated e-mail server in your organization.microsoft. For example. The recommendation is to set up a separate organizational unit (OU) in Active Directory for SharePoint 2010 Products objects. such as a Microsoft Exchange Server computer. When you configure e-mail integration.Ports Either of the following: Direct-hosted SMB (TCP/UDP 445) — recommended NetBT (TCP/UDP ports 137. the Microsoft SharePoint Directory Management Service. Only this OU should allow write access to the account that is used by the Microsoft SharePoint Directory Management Service. the recommendation is to restrict access to the Microsoft SharePoint Directory Management Service by securing the file associated with this service. which is SharePointEmailws. The SMTP service is required for incoming e-mail. this service requires permissions in the Active Directory environment to create Active Directory distribution list objects.asmx. 138. Additionally. When users create a SharePoint group and they select the option to create a distribution list. see the Microsoft Knowledge Base article 204279. for creating e-mail distribution groups. which lets users create distribution lists. 138.com/fwlink/?LinkId=76143). and 139) if it is not being used For more information about how to disable NetBT. you have the option to enable the Directory Management Service feature. 139) Disable NetBT (ports 137. the Microsoft SharePoint Directory Management Service creates the corresponding Active Directory distribution list in the Active Directory environment. Microsoft SharePoint Directory Management service SharePoint 2010 Products include an internal service. For outgoing e-mail. Service requirements for e-mail integration E-mail integration requires the use of two services: SMTP service Microsoft SharePoint Directory Management service SMTP service E-mail integration requires the use of the Simple Mail Transfer Protocol (SMTP) service on at least one of the front-end Web servers in the server farm. In security-hardened environments. config files. such as creating Internet Information Services (IIS) Web sites. This service is used by the SharePoint 2010 Timer service to perform actions that require administrative permissions on the server. When you do this. . You can use sandboxed solutions for load balancing solutions.NET Framework on the whole system. you can consider disabling the SharePoint 2010 Administration service only if you are aware of the consequences and can work around them.config file can be modified to affect the behavior of applications that use the . You must use Windows PowerShell to run the Start-SPAdminJob cmdlet (or use the Stsadm.NET Framework. the settings in the Web. For more information about ASP. and stopping and starting services. When you extend a Web application by using Central Administration. Web.NET\Framework\%VersionNumber%\CONFIG\ folder. for solutions that have not been fully tested.NET in particular. deploying code. The Web server and application server snapshot presented earlier in this article lists recommendations for configuring Web.config file is located in the %SystemRoot%\Microsoft. use XML-formatted configuration files to configure applications.config file override the settings in the Machine.SharePoint 2010 Products services Do not disable services that are installed by SharePoint 2010 Products (listed in the snapshot previously). Multiple configuration files can. This service is a Win32 service that runs as a local system.config file.config file that is created. SharePoint 2010 Products automatically create a Web. You can change the ASP.NET Framework are defined in the Machine.NET Configuration (http://go.NET configuration files and editing a Web. and typically do.NET Framework relies on configuration files to define configuration options.config file in the root folder of the application. including the Web. Plan sandboxed solutions (SharePoint Foundation 2010) Updated: February 10.config file for the Web application. exist on a single system. If your environment disallows services that run as a local system. see ASP.exe command-line tool to run the execadmsvcjobs operation) to complete multiple-server deployments for SharePoint 2010 Products and to run other deployment-related tasks. These recommendations are intended to be applied to each Web. The . System-wide configuration settings for the . If you disable this service.config file for the Central Administration site. and ASP. and for deploying user solutions in a hosted environment.microsoft.config file. you cannot complete deployment-related tasks from the Central Administration site. The Machine. 2011 Sandboxed solutions restrict access to network and local resources to provide greater security and stability.config file The . The default settings that are contained in the Machine.NET configuration settings for a single application if you create a Web. The configuration files are text-based XML files.com/fwlink/?LinkID=73257).config file. Sandboxed solutions can play a valuable part of a scaled deployment path for developers in your organization. but instead you . or where you want to provide the ability to run code that has not been fully tested or that your organization does not support. When an Internet hosting provider wants to let the owners of hosted SharePoint Foundation sites upload and run custom code. Sandboxed solutions can later be changed to full trust status by a farm administrator when the solution is shown to be safe for full deployment. You should determine whether your primary consideration is performance or security. When an organization wants to run code for employees on a production SharePoint Foundation site. In both cases. Using sandboxed solutions provides more process isolation. You cannot use a mixture of local and remote load balancing. Your load balancing choice determines the model that is used by the entire SharePoint Foundation farm. which enhances the security of your farm.Sandboxed solutions run in a separate worker thread so that they cannot access resources that belong to other solutions. Determine when to use sandboxed solutions Using sandboxed solutions is appropriate in scenarios where you want to load balance solutions across multiple servers. the server that the solution runs on is selected based on solution affinity. If you choose remote load balancing. When you plan sandboxed solutions. This saves time in servicing the request for the solution. from their test environment to a sandboxed solution in the production environment. Microsoft SharePoint Foundation 2010 determines which server to run the solution on. Plan to load balance sandboxed solution code You can select one of two load balancing schemes for sandboxed solutions. It is especially appropriate to use sandboxed solutions in the following scenarios: When you want to load balance solutions between multiple SharePoint Foundation servers. decide first whether to use sandboxed solutions at all. and they have limited access to local and network resources. each server must be running the SharePoint Foundation Sandboxed Code Service. and that code has not been stringently code reviewed and tested. see Sandboxed solutions overview (SharePoint Foundation 2010). the solution runs on the same server that received the request. In local load balancing. Based on the load balancing scheme. When you use sandboxed solutions. For more information about sandboxed solutions. and the sandboxed solution is run on a server where it is already loaded and has already been run. A farm that uses sandboxed solutions generates more worker and proxy processes than a farm that does not use sandboxed solutions. you must activate the SharePoint 2010 User Code Host service on each server on which you want to run the sandboxed solutions. Remote mode is more scalable than local mode. You obtain better performance by using the remote load balancing model in a SharePoint Foundation farm where there are multiple servers on which to run sandboxed solutions. When it is deployed in a site collection. The same consideration applies to adding users to . Anyone who is a site collection administrator can deploy a sandboxed solution. Determine where to deploy sandboxed solutions Sandboxed solutions are deployed at the root of a site collection. the sandboxed solution can be used anywhere within that site collection. Because farm administrators can change sandboxed solutions to fully trusted solutions that can be deployed anywhere on the farm. This service must be enabled on every server on which you want to run sandboxed solutions.must choose to implement one or the other. to deploy and activate a sandboxed solution you must be a site collection administrator for the site collection where you are deploying the sandboxed solution. you should be careful to limit the membership of the farm administrators group to appropriate users. For more information. you must enable the SharePoint Foundation Sandboxed Code Service. blocking or unblocking a solution. see Sandboxed solutions overview (SharePoint Foundation 2010). You must be a member of the farm administrators group to perform administrative tasks such as enabling or disabling the SharePoint Foundation Sandboxed Code Service. and you want to keep them restricted to the server from which they are called. and adjusting or resetting quotas. Note: It is not enough to be a site collection owner. Determine who can deploy sandboxed solutions When you plan for the user roles that are involved in deploying sandboxed solutions. If you are using sandboxed solutions as part of a development process. but its scalability is limited by the resources of the local server. When you are deciding which mode to implement consider the following: Local mode requires less administration. You can choose to run sandboxed solutions only on certain servers within your SharePoint Foundation farm or to all servers. but it requires administrative tasks to be performed on more servers. you must determine who will be authorized to deploy the solutions and who will be authorized to administer the solutions. To enable sandboxed solutions on a server. Members of the site collection administrators group can deploy sandboxed solutions. use the local mode load balancing. Resource AbnormalProcessTerminationCount Description Abnormally terminated process CPU Execution Time for site Critical Exception Units occurrence Resources per Point 1 Absolute Limit 1 CPUExecutionTime CriticalExceptionCount seconds events 3. In this way you can fine tune the use of sandboxed solutions in your farm. To plan where to deploy sandboxed solutions you should consider both which servers will run the SharePoint Foundation Sandboxed Code Service. If a sandboxed solution exceeds any of the resource quotas. This helps administrators to know when a particular sandboxed solution is making excessive demands on shared resources or in some cases where a resource-intensive sandboxed solution requires an increased quota. The default values that are assigned to sandboxed solution quotas are listed in the following table.the site collection administrators group if there is any concern over the security of the sandboxed solutions being deployed. see Block or unblock a sandboxed solution (SharePoint Foundation 2010). the solution is disabled for the remainder of the day or until a farm administrator manually resets the solution. If you enable sandboxed solutions on some site collections you should disable them on the remaining site collections by setting the quotas on those site collections to 0. Plan resource usage quotas for sandboxed solutions Sandboxed solutions are monitored for resource usage based on default resource quotas. For more information about blocking and unblocking sandboxed solutions. sandboxed solutions will not run on that site collection. The default quotas are satisfactory for most scenarios. Determine which site collections will run sandboxed solutions using quotas Sandboxed solutions can be enabled or disabled on specific site collections by adjusting their quotas. you can block that solution until the developer can correct the situation. however.600 10 60 3 . you can adjust individual quota limits to permit higher limits where appropriate. and which site collections will be able to run sandboxed solutions. If you set the quota for sandboxed solutions to 0 on a specific site collection. If you determine that a sandboxed solution is consistently misusing server resources. you should consider your processes for governance issues.0x10^9 100 SharePointDatabaseQueryTime seconds 120 60 UnhandledExceptionCount instances 50 3 UnresponsiveProcessCount instances 2 1 Plan sandboxed solutions governance While you are still planning for sandboxed solutions. including the following: .000 1 x10^8 200 ProcessVirtualBytes SharePointDatabaseQueryCount bytes instances 0 20 1.Events InvocationCount Solution Invocation Events Percent CPU usage by solution Solution CPU cycles Windows handles count Windows handles count Thread count in overall process Memory consumed Number of SharePoint database queries Elapsed time to execute query Number of unhandled exceptions Number of unresponsive processes events 100 100 PercentProcessorTime percentage 85 100 ProcessCPUCycles ProcessHandleCount ProcessIOBytes ProcessThreadCount cycles items items instances 1 x10^11 10.000 1 x10^11 1.000 0 10. In this article: Configuring managed accounts Resetting passwords automatically on a schedule Detecting password expiration Resetting the account password immediately Synchronizing SharePoint Foundation account passwords with Active Directory Domain Services Resetting all passwords immediately . you can decide to add people directly to the site collection administrators group rather than requiring them to ask permission to deploy the sandboxed solution. cryptographically-strong random string. To implement the automatic password change feature. the automatic password change feature enables you to update and deploy passwords without having to perform manual password update tasks across multiple accounts. When you are planning for who can deploy sandboxed solutions. 2010 To simplify password management. and Web applications. you have to configure managed accounts. You can configure the automatic password change feature to determine if a password is about to expire and reset the password using a long. Plan automatic password change (SharePoint Foundation 2010) Published: May 12. At what point will you transfer a sandboxed solution to the global catalog as a full trust solution? This decision applies to solution code that is developed by your organization’s developers. will you choose to add people to the site collection administrators group or establish a procedure for a limited number of site collection administrators to deploy sandboxed solutions on behalf of their users? Depending on the security concerns in your organization.At what point will the farm administrator block or unblock a sandboxed solution? Identifying the administrative policy for blocking and unblocking sandboxed solutions will eliminate confusion if there is any doubt about the need to block a solution. services. You should establish a policy for determining what level of testing is required for a sandboxed solution to be considered ready for production use in your organization. and then register each of these accounts in SharePoint Foundation 2010. To do this. Resetting the account password immediately You can always override any automatic password reset schedule and force an immediate service account password reset. If an Active Directory administrator changes an Active Directory account password without coordinating the password change with a SharePoint . Users have to be notified about planned password changes and related service interruptions. You can create multiple accounts in Active Directory Domain Services (AD DS). but the accounts used by a SharePoint farm. The new password is then immediately propagated to other servers in the farm. SharePoint Foundation 2010 can be configured to detect imminent password expiration. updating passwords required resetting each account password in AD DS and then manually updating account passwords on all of the services running on all the computers in the farm. services in the SharePoint farm will not start. Even without administrator intervention. The automatic password reset schedule is also configurable to ensure that the impact of possible service interruptions during a password reset will be minimal. the password for the service account can also be changed in AD DS by SharePoint Foundation 2010. and various services can be automatically reset and deployed within the farm as necessary. to use different domain accounts.Credential change process Configuring managed accounts Microsoft SharePoint Foundation 2010 supports the creation of managed accounts to improve security and ensure application isolation. In this scenario. based on individually configured password reset schedules. Using the automatic password change feature. using a specific password value. You can configure SharePoint Web applications and services. and send an e-mail notification to a designated administrator. You can map managed accounts to various services and Web applications in the farm. Synchronizing SharePoint Foundation account passwords with Active Directory Domain Services If AD DS and SharePoint Foundation 2010 account passwords are not synchronized. running on application servers in a SharePoint farm. Web applications. Detecting password expiration IT departments typically impose a policy requiring that all domain account passwords be reset on a regular basis. you had to run the Stsadm command-line tool or use the SharePoint Central Administration Web application. you can configure the automatic password change feature to deploy passwords across all services in the farm. SharePoint Foundation 2010 can be configured to generate and reset passwords automatically. every 60 days. Using managed accounts. for example. you can now register managed accounts and enable SharePoint Foundation 2010 to control account passwords. Resetting passwords automatically on a schedule Prior to the implementation of the automatic password change feature. it will retry. using a new sequence. site collection. Resetting all passwords immediately If an administrator suddenly leaves your organization. for a specified number of times. Security and permissions (SharePoint Foundation 2010) Configure custom permissions (SharePoint Foundation 2010) Published: May 12. and the generated password will be equivalent to the detected settings. 2010 For more control over the level of access to a site. You can use the script to generate new random passwords and deploy the new passwords immediately. If the account password update process succeeds. In this scenario. The password is updated and immediately propagated to the other servers in the SharePoint farm. or site content. each dependent service will be notified that they can resume normal activity. Credential change process When SharePoint Foundation 2010 changes the credentials for a managed account. a SharePoint administrator can immediately reset the password from the Account Management page using the password value that was changed in AD DS. For more information. then SharePoint Foundation 2010 will attempt to change the password using either a manually entered password. there is a risk of service interruptions. If it does not ultimately succeed. if necessary. or a long. the credential change process will occur on one server in the farm. you can quickly create a Windows PowerShell script that calls the password change cmdlets. it will proceed to the next dependent service. you can define custom permission levels. Either success in committing a password change or failure to commit will result in the generation of an automated password change status notification that will be sent by e-mail to farm administrators. If it is unable to commit the password change. or if the service account passwords need to be immediately reset for any other reason. where it will again attempt to commit a password change. see Determine permission levels and groups (SharePoint Foundation 2010) and User permissions and permission levels (SharePoint Foundation 2010). If the account password has not yet been changed.administrator. SharePoint Foundation 2010 will attempt to commit a password change. In this procedure: Customize an existing permission level Copy an existing permission level Create a permission level Customize an existing permission level . cryptographically-strong random string. The complexity settings will be queried from the appropriate policy (network or local). Each server in the farm will be notified that the credentials are about to change and servers can perform critical pre-change actions. You are a member of the Owners group for the site. To copy an existing permission level 1. 2. Verify that you have one of the following administrative credentials: You are a member of the Administrators group for the site collection. Click Submit. you can customize the default permission level. . You are a member of the Owners group for the site. You have the Manage Permissions permission. 5. In the Manage section of the ribbon. click the name of the permission level you want to customize. Copy an existing permission level If the custom permission level that you want is similar to an existing default permission level. click Permission Levels. To customize an existing permission level 1. 4. 6. select or clear the check boxes to add permissions to or remove permissions from the permission level. and then modify the copy and save it as a new permission level.If the custom permission level that you want is nearly identical to an existing default permission level and you do not need to use the default permission level. under Users and Permissions. click Site permissions. On the Site Settings page. click Permission Levels. 3. In the Manage section of the ribbon. You have the Manage Permissions permission. Verify that you have one of the following administrative credentials: You are a member of the Administrators group for the site collection. click Site permissions. In the list of permissions. you can copy the default permission level. In the list of permission levels. and you need to use both the default permission level and your custom permission level. 3. On the Site Settings page. 2. under Users and Permissions. To create a permission level 1. 8. 9.4. click Permission Levels. 6. In the list of permission levels. type a name for the new permission level. In the Manage section of the ribbon. type a name for the new permission level. in the Name field. In the list of permissions. On the Site Settings page. On the Add a Permission Level page. Verify that you have one of the following administrative credentials: You are a member of the Administrators group for the site collection. under Users and Permissions. In the list of permissions. 5. You are a member of the Owners group for the site. click the name of the permission level you want to copy. select or clear the check boxes to add permissions to or remove permissions from the permission level. click Site permissions. 4. On the toolbar. select the check boxes to add permissions to the permission level. in the Name field. 2. you can create one. 6. 7. click Add a Permission Level. On the Copy Permission Level page. Click Create. type a description of the new permission level. click Copy Permission Level. In the Description field. 7. Create a permission level If there is no permission level similar to the one you need. Click Create. . 5. In the Description field. type a description for the new permission level. 8. You have the Manage Permissions permission. 3. At the bottom of the page. In this section: Configure automatic password change (SharePoint Foundation 2010) .that is. If the account has a password -. Do not use Windows Server 2008 R2 managed accounts. 2010 Certain Microsoft SharePoint Foundation services and features must be associated with a Windows account in order to run. They are not compatible with SharePoint Foundation managed accounts. see Plan automatic password change (SharePoint Foundation 2010).then the password in SharePoint Foundation must be updated whenever the account's password changes. and propagates the changes to other servers in the farm. if the account is anything other than the Local System account. Passwords must be changed manually for the following things: SQL Server services The default content access account The articles in this section contain procedures for changing the passwords for accounts that SharePoint Foundation uses. you must change passwords in SharePoint Foundation manually when the passwords change in AD DS. For more information about managed accounts. Warning: Windows Server 2008 R2 includes managed accounts at the operating system level. updates the password in Active Directory Domain Services (AD DS). the Local Service account. SharePoint Foundation automatically generates a new password. We recommend that you use SharePoint Foundation managed accounts when possible. You can use managed accounts to control the passwords for the following things: Central administration Timer service Service applications Application pools When managed accounts are unsuitable.Change passwords used for administration accounts (SharePoint Foundation 2010) Published: July 8. To synchronize passwords automatically you can register managed accounts and configure SharePoint Foundation to change the managed accounts' passwords according to a schedule. or the Network Service account -. There are two ways to keep passwords synchronized between Windows and SharePoint Foundation: automatically and manually. This article contains information about how to configure People Picker for specific scenarios. group or claim. For more information about the People Picker properties. For more information about the People Picker control and how it works. Those settings will apply to every site within the site collection. By configuring the settings for the control. list. groups. The information in this article applies only to Web applications that use Windows authentication in either classic mode or claims mode. see People Picker overview (SharePoint Foundation 2010). Those settings will apply to every site within the site collection. Before you perform the procedures in this article. you can filter and restrict the results that are displayed when a user searches for a user. you can filter and restrict the results that are displayed when a user searches for a user. or claim. change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\14\Bin. In the command prompt on the driver where SharePoint Foundation 2010 is installed. and how to plan for People Picker. People Picker is configured at the zone level for a farm by using the Stsadm setproperty operation. . 2011 People Picker is configured at the zone level for a farm by using the Stsadm setproperty operation.Change passwords for SQL Server services (SharePoint Foundation 2010) Change the password for the default content access account (SharePoint Foundation 2010) Configure People Picker (SharePoint Foundation 2010) Published: February 3. see Peoplepicker: Stsadm properties. its relationship to authentication and claim providers. group. Open the command prompt window as an administrator to perform the procedures in this article. The People Picker control is used to find and select users. and claims when a site. or library owner assigns permissions in Microsoft SharePoint Foundation 2010. By configuring the settings for the control. Note: There are no Windows PowerShell commands to configure People Picker. you must do the following: Verify that the account you use to run Stsadm is a member of the local Administrators group on the server on which SharePoint Foundation 2010 is installed. com/enus/library/cc263318(office.In this article: Check the setting value for any property Clear a property value from People Picker Set an encryption key for use with a one-way trust Enable cross-forest or cross-domain queries when using a one-way trust Restrict People Picker to a certain group in Active Directory Define the location of administrator accounts Force People Picker to pick only from users in the site collection Filter Active Directory accounts by using LDAP queries Return only non-Active Directory user accounts Check the setting value for any property To check the setting for any People Picker property.microsoft. see Peoplepicker: Stsadm properties (http://technet. and using empty quotation marks for the property value. To remove a property setting from People Picker. . see Peoplepicker-searchadforests: Stsadm property (http://technet. type the following command: stsadm.12).aspx). you must first set the credentials for an account that is allowed to authenticate with the forest or domain to be queried before you can use the Stsadm peoplepicker-searchadforests property. type the following command: stsadm.exe -o getproperty -pn <Property Name> -url <Web application URL> For more information.microsoft. Clear a property value from People Picker You can remove the setting for a People Picker property by specifying the property name you want to clear.com/en-us/library/cc263460(office.exe -o setproperty -pn <Property Name> -pv "" -url <Web application URL> For more information.aspx). Set an encryption key for use with a one-way trust If the forest or domain on which SharePoint Foundation 2010 is installed has a one-way trust with another forest or domain.12). The Stsadm .12). if you have not already set an encryption key for the account. People Picker will only query the forests or domains that you specify in the peoplepicker-searchadforests property setting. To specify the forests or domains to be queried along with the credentials.microsoft. To set an encryption key.com. domain:Fabrikam. Restrict People Picker to a certain group in Active Directory If a Web application is using Windows authentication and the site user directory path is not set. However.Contoso\User1. Enable cross-forest or cross-domain queries when using a one-way trust If the forest or domain on which SharePoint Foundation 2010 is installed has a one-way trust with another forest or domain.com/fwlink/?LinkId=207666).Fabrikam\User2. and includes the credentials for each: STSADM. Password> -url <Web application URL> Note: You do not need to include the encryption key password that you assigned to the account when you use the peoplepicker-searchadforests property.com/en-us/library/cc263460(office. type the following command: stsadm.exe -o setapppassword -password <key> For more information about querying additional forests or domains. The following example configures People Picker for use with a forest named Contoso.com. in addition to the names of the forests or domains to be queried. you must specify the credentials to be used to query the forest or domain. type the following command: stsadm. see Peoplepicker-searchadforests: Stsadm property (http://technet.Password1.exe -o setproperty -pn peoplepicker-searchadforests -pv <Valid list of forests or domains. en error message will be displayed. see All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2 (http://go. Login name. instead of searching only users within a particular organizational unit (OU).com and a domain named Fabrikam. the People Picker control searches the entire Active Directory to resolve users' names or find users.microsoft.Password2" -url http://ServerName For more information.com.Note: The encryption key must be set on every front-end Web server in the farm on which SharePoint Foundation 2010 is installed.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Contoso.aspx). DC=local" -url http://ServerName For more information. the People Picker control will only search under that particular OU. you must also set the Stsadm peoplepickerserviceaccountdirectorypaths property so the administrator can manage the site collection.12). Define the location of administrator accounts Administrative user accounts are often located in a different OU from regular site users.aspx). After the directory path is set to a site collection.DC=local" –url http://ServerName Note: Because this property specifies only one OU at a time. To restrict People Picker to a certain OU in Active Directory.aspx).setsiteuseraccountdirectorypath operation allows the user's directory path to be set to a specific OU in the same domain.microsoft.com/en-us/library/cc263328(office.DC=ContosoCorp. see Setsiteuseraccountdirectorypath: Stsadm operation (http://technet. type the following command: Stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv <A list of OU names> -url <Web application URL> The following example configures People Picker to allow users that are in the OU "FarmAdmin": stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv "OU=FarmAdmin.12). use the Stsadm Peoplepicker-serviceaccountdirectorypaths property.DC=Contoso. If you have used the Stsadm setsiteuseraccountdirectorypath operation to force People Picker to only return query results from a specific OU. you should only run the Stsadm setsiteuseraccountdirectorypath operation once per site collection. see Peoplepicker-serviceaccountdirectorypaths: Stsadm property (http://technet. Note: Before the peoplepicker-serviceaccountdirectorypaths property will work.microsoft. the Setsiteuseraccountdirectorypath operation must be set and contain a value.com/en-us/library/cc263012(office. To define the location of administrator accounts. To set multiple OUs at one time. For more information. . type the following command: stsadm -o setsiteuseraccountdirectorypath -path <Valid OU name> –url <Web application URL> The following example configures People Picker to only return users and groups in the OU named "Sales": stsadm -o setsiteuseraccountdirectorypath -path "OU=Sales. Force People Picker to pick only from users in the site collection The People Picker control consists of a text box, and two buttons; the Check Names button and the Browse button. The Check Names button is used to resolve a user name, group name or email address exactly as it was typed into the text box. The Browse button opens the Select People and Groups dialog box, which can be used to submit a query for a full or partial string. The important difference between the two is that the Check Names button only resolves exactly what is in the text box, whereas the Select People and Groups dialog box searches for the query string. You can force People Picker to only return users who have permissions in the site collection by using either the PeoplePicker-Peopleeditoronlyresolvewithinsitecollection property or the PeoplePicker-Onlysearchwithinsitecollection property. However, the property you use to configure this restriction will depend on whether you want to set the restriction for the text box (People editor) and Check Names button, or for the Select People and Groups dialog box. To force People Picker to only return users who have permissions in the site collection when the Check Names button is clicked, type the following command: stsadm -o setproperty –pn peoplepicker-Peopleeditoronlyresolvewithinsitecollection –pv yes –url <Web application URL> To force People Picker to only return users who have permissions in the site collection when the Select People and Groups dialog box is used, type the following command: stsadm -o setproperty –pn peoplepicker-onlysearchwithinsitecollection –pv yes –url <Web application URL> For more information, see Peoplepicker-onlysearchwithinsitecollection: Stsadm property (http://technet.microsoft.com/en-us/library/cc261988(office.12).aspx) and Peoplepickerpeopleeditoronlyresolvewithinsitecollection: Stsadm property (SharePoint Foundation 2010). Filter Active Directory accounts by using LDAP queries You can use a Lightweight Directory Access Protocol (LDAP) query to create a custom filter for displaying query results. For more information about LDAP queries, see LDAP Query Basics (http://go.microsoft.com/fwlink/?LinkId=207670). To use a custom LDAP query, type the following command: Stsadm –o setproperty –pn peoplepicker-searchadcustomfilter -pv <LDAP query filter> -url <Web application URL> The following example filters out user accounts that do not have e-mail addresses, or that are disabled. Because security groups do not always have e-mail addresses associated with them, an OR statement is used to ensure that security groups are still included in the query results: stsadm –o setproperty –pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url http://ServerName The following example only returns active users, and not groups: stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2) )" -url http://ServerName For an explanation of the user account control string used in this query, see Search Filter Syntax (http://go.microsoft.com/fwlink/?LinkId=210020). The following example returns a list of Active Directory users with the title "Manager": stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "((Title=Manager))" -url http://ServerName Important: Remember that every time you run the setproperty command for a specific property, that property's current values will be overwritten by the new values you specify. If you need to filter query results based on multiple criteria, you will need to build a compound LDAP query that includes all the values for which you want to filter. For more information, see Peoplepicker-searchadcustomfilter: Stsadm property (http://technet.microsoft.com/en-us/library/cc263452(office.12).aspx). Return only non-Active Directory user accounts If your Web application uses forms-based authentication, you can prevent People Picker from returning Active Directory accounts in the query results. To return only non-Active Directory user accounts, type the following command: stsadm -o setproperty -pn peoplepickernowindowsaccountsfornonwindowsauthenticationmode -pv yes -url <Web application URL> For more information, see Peoplepickernowindowsaccountsfornonwindowsauthenticationmode: Stsadm property (http://technet.microsoft.com/en-us/library/cc263264(office.12).aspx). User permissions and permission levels (SharePoint Foundation 2010) Updated: January 7, 2011 This article describes the default permission levels as well as the user permissions in Microsoft SharePoint Foundation 2010. In this article: Default permission levels User permissions Default permission levels Permission levels are collections of permissions that allow users to perform a set of related tasks. SharePoint Foundation 2010 includes five permission levels by default. You can customize the permissions available in these permission levels (except for the Limited Access and Full Control permission levels), or you can create customized permission levels that contain only the permissions you need. For more information about how to customize permission levels, see Configure custom permissions (SharePoint Foundation 2010). Note: Although you cannot directly edit the Limited Access and Full Control permission levels, you can make individual permissions unavailable for the entire Web application, which removes those permissions from the Limited Access and Full Control permission levels. For more information about how to manage permissions for a Web application, see Manage permissions for a Web application (SharePoint Foundation 2010). The following table lists the default permission levels for team sites in SharePoint Foundation 2010. Permission level Limited Access Description Allows access to shared resources in the Web site so that the users can access an item within the site. Designed to be combined with fine-grained permissions to give users access to a specific list, document library, folder, list item, or document, without giving them access to the entire site. Cannot be customized or deleted. Permissions included by default View Application Pages Browse User Information Use Remote Interfaces Use Client Integration Features Open Read View pages. and delete items in the existing lists and document libraries. plus: View Items Open Items View Versions Create Alerts Use SelfService Site Creation View Pages Contribute View. update. Read permissions. plus: Add Items Edit Items Delete Items Delete Versions Browse Directories Edit Personal User Information Manage Personal Views . add. list items and download documents. Limited Access permissions. plus: Manage Lists Add and Customize Pages Apply Themes and Borders Apply Style Sheets Full Control Allows full control of the scope. depending on the objects to which they can be applied. or you can create a new permission level to contain specific permissions. and more. approve. You can change which permissions are included in a particular permission level (except for the Limited Access and Full Control permission levels). list permissions apply only to lists and libraries. List permissions Permission Description Dependent Included in these . private Web Parts. add. and the permission levels in which it is included. delete. Approve permissions. which are used in the five default permission levels. All permissions User permissions SharePoint Foundation 2010 includes 33 permissions. and personal permissions. and customize items or pages in the Web site. site permissions apply to a particular site. site permissions. update. For example. the dependent permissions. The following tables describe what each permission is used for. Permissions are categorized as list permissions.Add/Remove Personal Web Parts Update Personal Web Parts Design View. and personal permissions apply only to things such as personal views. Contribute. Full Control Read. View Pages. View Items. Open View Items. Full Control Read. Open Override Check Out Design. Open View Items. Open Contribute. View past versions of list items or documents. Design. Design. View Pages. Full Control Edit Items Delete Items View Items. View Pages. Design. Full Control Read. edit documents in document libraries. Design. View Pages. Full Control Read. Full Control Design. and documents from a document library. and add or remove public views of a list. Approve minor versions of list items or documents. View Pages. Discard or check in a document that is checked out to another user without saving the current changes. View Pages. View Items. Open View Versions Delete Versions Create Alerts . Manage Personal Views View Items. Add items to lists. and customize Web Part Pages in document libraries. Full Control Contribute. Contribute. Open. Contribute. Open View Items. Open View Items. Design. Delete past versions of list items or documents. Full Control Manage Lists Create and delete lists. View Pages. Design. Open Contribute. View the source of documents with server-side file handlers.permissions permission levels by default Design. add or remove columns in a list. Full Control Contribute. Design. Open View Pages. Full Control Add Items View Items. View Pages. Create e-mail alerts. View items in lists. View Pages. and add documents to document libraries. Contribute. Open View Items. and documents in document libraries. Design. Full View Items Approve Items Open Items Edit Items. Open Items. View Versions. View Pages. Edit items in lists. Delete items from a list. Meeting Workspace sites. Open View Items. Add and Customize Pages. and application pages.css file) to the Web site. View Pages. Apply a style sheet (. Open Full Control Add and Customize Pages Add. Open View Pages. Full Control Apply Themes and Borders Apply Style Sheets View Pages. or delete HTML pages or Web Part pages. Full Control Design.Control View Application Pages Site permissions Included in these permission levels by default Full Control View forms. Perform all administration tasks for the Web site. and manage content. Open Items. Open View Pages. Browse Directories. Open All Permission Manage Permissions Description Create and change permission levels on the Web site and assign permissions to users and groups. Design. View Pages. Create subsites such as team sites. Open View Usage Data Create Subsites Full Control Full Control Manage Web Site View Items. View Versions. change. Open Design. Full Control . and Document Workspace sites. Browse User Information. Dependent permissions View Items. Enumerate Permissions. Enumerate lists. View reports on Web site usage. Open View Pages. views. Apply a theme or borders to the entire Web site. Browse Directories. and edit the Web site by using a Windows SharePoint Services-compatible editor. Browse User Information. Enumerate Permissions. View Pages. Browse User Information. Browse Directories. View Pages. View Pages. Design. Open View Pages. Create a Web site by using Self-Service Site Creation. Contribute. Contribute. Design. or folder to access items inside that container. View Pages. or SharePoint Designer 2010 interfaces to access the Web site. or list item. Open Contribute. Open Open View Items. folder. Open Open All Full Control All Use Client Integration Features Use Remote Interfaces. Open Full Control Contribute. Use SOAP. Design. users must work on documents locally and then upload their changes. Manage alerts for all users of the Web site. list. Browse User Information. Open All Open None All Edit Personal User Information Browse User Information. Full Control Use SelfService Site Creation View Pages View Pages. Browse User Information. Full Control . Design. Open a Web site. Web DAV. Full Control Read. Users can change their own user information. Full Control Full Control View pages in a Web site. such as adding a picture. Without this permission. Enumerate files and folders in a Web site by using Microsoft SharePoint Designer 2010 and Web DAV interfaces. list. Browse User Information. document. Open Enumerate Permissions Browse User Information Manage Alerts Use Remote Interfaces Enumerate permissions on the Web site.Create Groups Browse Directories Create a group of users that can be used anywhere within the site collection. Browse Directories. Use features that start client applications. Open Read. View information about users of the Web site. the authentication modes available to connect external content types to external systems. the authorization options available on stored objects. Update Web Parts to display personalized information. In this article: About this article Business Connectivity Services security architecture Business Connectivity Services authentication overview Business Connectivity Service permissions overview Securing Business Connectivity Services About this article Microsoft Business Connectivity Services include security features for authenticating users to access external systems and for configuring permissions on data from external systems. Microsoft Business Connectivity Services are highly flexible and can accommodate a range of security methods from within supported Microsoft Office 2010 applications and from the Web browser. View Pages. Full Control Contribute. Dependent permissions View Items. change. Design. Open Business Connectivity Services security overview (SharePoint Foundation 2010) Updated: September 9. Full Control Permission Manage Personal Views Add/Remove Personal Web Parts Update Personal Web Parts Description Create. Open View Items. Add or remove personal Web Parts on a Web Part page.Personal permissions Included in these permission levels by default Contribute. View Pages. Design. the supported security environments. View Pages. Open View Items. Full Control Contribute. Design. and the general techniques for configuring Microsoft Business Connectivity Services security. . 2010 This article describes the security architecture of the Microsoft Business Connectivity Services server and client. and delete personal views of lists. Business Connectivity Services security architecture This section describes the Microsoft Business Connectivity Services security architecture. An exception is that you cannot use SSL when transmitting messages to external systems using the SOAP 1.1 protocol or when connecting to a SQL server database. Security Note: We recommend that you use Secure Sockets Layer (SSL) on all channels between client computers and front end servers. three systems are involved: the logged on user’s client computer. Also we recommend using Secure Sockets Layer or Internet Protocol Security (IPSec) between servers running Microsoft SharePoint Foundation 2010 and external systems. However. . the Web server farm. in those cases you can use IPSec to protect the data exchange. and the external system. Accessing external data When a user accesses external data from a Web browser. From Web browsers. 3. users typically interact with external data in external lists or by using Web Parts. 2. The Secure Store Service securely stores credential sets for external systems and associates those credential sets to individual or group identities.1. . The BDC Server Runtime on front-end servers uses data from the Business Data Connectivity service to connect to and execute operations on external systems. Business Connectivity Services authentication overview Microsoft Business Connectivity Services can be configured to pass authentication requests to external systems by using the following types of methods: Credentials These are typically in the form of name/password. The following methods by which users can supply credentials for accessing external data are supported: Windows authentication: Windows Challenge/Response (NTLM) Microsoft Negotiate Authentication other than Windows Forms-based . If you need a secure store in SharePoint Foundation 2010. 4. Claims Security Assertion Markup Language (SAML) tickets can be passed to claimsaware services that supply external data. Some external systems may also require additional credentials such as a personal identification number (PIN) value. For an overview of claims-based authentication. Microsoft Business Connectivity Services can pass credentials to databases and Web services that are configured to use claims-based authentication. The Security Token Service is a Web service that responds to authentication requests by issuing security tokens made up of identity claims that are based on user account information.Important: The Secure Store Service is not included in SharePoint Foundation 2010. you must supply a custom secure store provider. see Plan authentication methods (SharePoint Foundation 2010). 5. Configuring Business Connectivity Services for credentials authentication Microsoft Business Connectivity Services can use credentials that a user supplies to authenticate requests for external data. Note: If the Web application is not configured to authenticate with Windows credentials. If the external system is a Web service. This mode is called User’s Identity in the Microsoft Business Connectivity Services administration pages and in SharePoint Designer 2010. This requires that the user’s credentials are known to the external system. You associate an authentication mode with an external content type in the following ways: When you create an external content type in Microsoft SharePoint Designer. For example. The following table describes the authentication modes of the Microsoft Business Connectivity Services: Authentication mode PassThrough Description Passes the credentials of the logged-on user to the external system. The authentication mode gives Microsoft Business Connectivity Services information about how to process an incoming authentication request from a user and map that request to a set of credentials that can be passed to the external content system. Alternatively.XML file that defines the external content type. You can specify the authentication mode by directly editing the .Digest Basic When configuring Microsoft Business Connectivity Services to pass credentials. it could specify that the user’s credentials should be mapped to an account that is stored in a Secure Store Service which should then be passed to the external system. the NT Authority/Anonymous Logon account is passed to the external system rather than the user's credentials. you can use the Microsoft Business Connectivity Services administration pages to specify the authentication mode. an authentication mode could specify that the user’s credentials be passed directly through to the external data system. the solution designer adds authentication-mode information to external content types. . The Web service should use basic or digest authentication when this mode is used. Credentials RDBCredentials For an external database. You must use Windows PowerShell to enable RevertToSelf mode before you can create or import models that use RevertToSelf. this mode uses a Secure Store Service to map the user’s credentials to a set of Windows credentials on the external system. To help preserve security in this mode.RevertToSelf When the user is accessing external data from a Web browser. Important: To help preserve security in this mode. For an external Web service. we recommend that the connection between the Microsoft Business Connectivity Services and the external system should be secured by using Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec). This mode is called Impersonate Custom Identity in the Microsoft Business Connectivity Services administration pages and in Office SharePoint Designer. this mode uses a Secure Store Service to map the user’s credentials to a set of credentials that are supplied by a source other than Windows and that are used to access external data. Note: By default. this mode uses a Secure Store Service to map the user’s credentials to a set of credentials that are supplied by a source other than Windows. we recommend that the connection between the Microsoft Business Connectivity Services and the external system should be secured by . see RevertToSelf authentication mode. RevertToSelf mode is not enabled. RevertToSelf mode is not supported in hosted environments. This mode is called BDC Identity in the Microsoft Business Connectivity Services administration pages and in SharePoint Designer 2010. this mode is equivalent to PassThrough mode. When the user is accessing external data from an Office client application. WindowsCredentials For external Web services or databases. because Microsoft Business Connectivity Services running on the client will be running under the user’s credentials. This mode is called Impersonate Windows Identity in the Microsoft Business Connectivity Services administration pages and in SharePoint Designer 2010. this mode ignores the user’s credentials and sends the application pool identity account under which the BCS runtime is running on the Web server to the external system. For more information. this mode uses a Secure Store Service to map the user’s credentials to a set of credentials using Digest authentication. The following illustration shows the Microsoft Business Connectivity Services authentication modes when it uses credentials. . DigestCredentials For a WCF Web service. This mode is called Impersonate Custom Identity – Digest in the Microsoft Business Connectivity Services administration pages and in SharePoint Designer 2010. This mode is called Impersonate Custom Identity in the Microsoft Business Connectivity Services administration pages and in Office SharePoint Designer.using Secure Sockets Layer (SSL) or IPSec. .In PassThrough (User’s Identity) mode (A) the logged-on user’s credentials are passed directly to the external system. ” SharePoint Foundation includes a Security Token Service that issues security tokens. the user’s credentials are mapped to a set of credentials for the external system and Microsoft Business Connectivity Services passes those credentials to the external system.In RevertToSelf (BDC Identity) mode (B) the user’s logon credentials are replaced with the credentials of the process account under which Microsoft Business Connectivity Services is running. Three modes use the Secure Store Service: WindowsCredentials (Impersonate Windows ID. Solution administrators can either map each user’s credentials to a unique account on the external system or they can map a set of authenticated users to a single group account.) and Credentials. In those modes. A security token is made up of a set of identity claims about a user.) RdbCredentials (Impersonate Custom ID. and those credentials are passed to the external system. Configuring Business Connectivity Services for claims-based authentication Microsoft Business Connectivity Services can provide access to external data based on an incoming security tokens and it can pass security tokens to external systems. The following illustration shows how the Security Token Service and the Secure Store Service work together in claims-based authentication: . and the use of security tokens for authentication is called “claims-based authentication. 1. The client application requests a security token from the Secure Token Service. 2. . A user tries an operation on an external list that is configured for claims authentication. 5. Equally important is securing the data in external systems. in such a way that the credentials provide the least privilege needed to perform the needed tasks. if users somehow discover the URL to the trimmed external data. The Secure Store Service evaluates the security token and uses the target application identifier to return a set of credentials that apply to the external system. a security trimmer can keep external data from appearing in users' search results. you help enable solutions to securely incorporate external data. in the hosting case. Caution: Properly setting permissions in Microsoft Business Connectivity Services is one element in an overall security strategy. What can permissions be set on? Each instance of the Business Data Connectivity service (or. The correct way to prevent users from accessing external data is to set the appropriate permissions both in Business Connectivity Services and in the external system. Business Connectivity Service permissions overview Permissions in Microsoft Business Connectivity Services associate an individual account. and method instances that have been defined for that store’s purpose. The client receives the credentials and passes them to the external system so that an operation (such as retrieving or updating external data) can be performed. The Secure Token Service returns the security token to the client application. The client passes the security token to the Secure Store Service. external content types.3. group account. By correctly setting permissions on objects in Microsoft Business Connectivity Services. How you do this depends on the security model and features of the external system and is beyond the scope of this article. These objects exist in a hierarchy as depicted in the following illustration: . the Secure Token Service issues a security token that contains a set of claims and a target application identifier. Based on the requesting user’s identity. When planning a permissions strategy. external systems. 6. methods. However. For example. 4. each partition) contains a metadata store that includes all the models. they can access the external data if they have the necessary permissions to the metadata object and the external system. we recommend that you give specific permissions to each user or group that needs it. or claim with one or more permission levels on an object in a metadata store. Note: Business Connectivity Services uses the permissions on the metadata objects and the permissions on the external system to determine authorization rules. Note: In the previous hierarchy graphic, labels in parentheses are the names of objects as they are defined in the Microsoft Business Connectivity Services metadata schema. The labels that are not in parentheses are the names of each object as it appears in the user interface of the Business Data Connectivity service. For a full discussion of the Microsoft Business Connectivity Services metadata schema, along with walkthroughs of many development tasks, see the Microsoft SharePoint 2010 Software Development Kit (http://go.microsoft.com/fwlink/?LinkId=166117&clcid=0x409 ). The hierarchy of objects in a metadata store determines which objects can propagate their permissions to other objects. In the illustration, each object on which permissions can be set, and optionally propagated, is shown with a solid line; each object that takes its permissions from its parent object is shown with a dotted line. For example, the illustration shows that an External System (LobSystem) can be secured by assigning permissions to it, but an Action cannot be assigned permissions directly. Objects that cannot be assigned permissions take the permissions of their parent object. For example, an Action takes the permissions of its parent External Content Type (Entity). Security Note: When the permissions on an object in a metadata store are propagated, permission settings to all children of that item are replaced by the permissions of the propagating object. For example, if permissions are propagated from an External Content Type, all Methods and Method Instances of that External Content Type receive the new permissions. Four permission levels can be set on the metadata store and the objects it contains: Edit Security Note: The Edit permission should be considered highly privileged. With the Edit permission, a malicious user can steal credentials or corrupt a server farm. We recommend that, in a production system, you give Edit permission only to users whom you trust to have administrator-level permissions. Execute Selectable in clients Set permissions The following table defines the meaning of these permissions on the various objects for which they can be set. Object Metadata store Definition The collection of XML files, stored in the Business Data Connectivity service, that each contain definitions of models, external content types, and external systems. Edit permissions The user can create new external systems. Execute permissions Although there is no “Execute” permission on the metadata store itself, this setting can be used to propagate Execute permissions to child objects in the metadata Selectable in clients permissions Although there is no “Selectable in clients” permission on the metadata store itself, this setting can be used to propagate these permissions to child objects in the Set permissions permissions The user can set permissions on any object in the metadata store by propagating them from the metadata store. store. Model An XML file that contains sets of descriptions of one or more external content types, their related external systems, and information that is specific to the environment, such as authentication properties. The metadata definition of a supported source of data that can be modeled, such as a database, Web service, or .NET connectivity assembly. The user can edit the model file. The “Execute” permission is not applicable to models. metadata store. The “Selectable in clients” permission is not applicable to models. The user can set permissions on the model. External system The user can edit the external system. Setting this permission also makes the external system and any external system instances that it contains visible in SharePoint Designer. Although there is no “Edit” permission on an external content type itself, this setting can Although there is no “Execute” permission on an external system itself, this setting can be used to propagate Execute permissions to child objects in the metadata store. The user can execute operations on the external content type. Although there is no “Selectable in clients” permission on an external system itself, this setting can be used to propagate these permissions to child objects in the metadata store. The user can create external lists of the external content type. The user can set permissions on the external system. External content type A reusable collection of metadata that defines a set of data from one or more external systems, the operations The user can set permissions on the external content type. This is necessary. there is a set of special permissions for the Business Data Connectivity service: Farm administrators have full permissions to the Business Data Connectivity service. for example. be used to propagate these permissions to child objects in the metadata store. The user can execute the method instance. be aware that the farm administrator does not have execute permissions on any object in the metadata store and this right must be given explicitly by an administrator of an instance of the Business Data Connectivity service if it is required. There is no “Selectable in clients” permission on a method. The user can edit the method. Method An operation related to an external content type. However. Method instance For a particular method. There is no “Selectable in clients” permission on a method instance. this setting can be used to propagate Execute permissions to child objects in the metadata store.available on that data. The user can edit the method instance. The user can set permissions on the method. Special permissions on the Business Data Connectivity service Along with the general capabilities of setting permissions described earlier. to be able to maintain or repair an instance of the service. describes how to use a method by using a specific set of default values. and connectivity information related to that data. The user can set permissions on the method instance. Although there is no “Execute” permission on a method itself. . in most cases. SharePoint Designer users should not be given Set permissions permissions. Task Create a new object in the metadata store Permissions To create a new metadata object. you can limit the permissions of the SharePoint Designer user to a subset of the metadata store. a user must have permissions on the external content type. When deploying the tested solution to a production environment. be given the following permissions on the whole metadata store: Edit. Caution: To help ensure a secure solution. For example. SharePoint Designer should be used to create external content types in a test environment in which Edit permissions can be assigned freely.Windows PowerShell users are farm administrators and can run commands on the Business Data Connectivity service. Common tasks and their related permissions This section describes common tasks in the Business Data Connectivity service and the required permissions to perform them. SharePoint Designer users should. See the illustration earlier in this article for child/parent relationships among objects in the metadata store. a user must have edit permissions on the metadata store. To delete a metadata object. Application pool accounts on front end servers have the same permissions to the Business Data Connectivity service as farm administrators. remove the edit permissions to help protect the integrity of the external data. a user must have edit permissions on the model. Execute. If necessary. the user who imported it will be given edit Delete an object from the metadata store Adding an external content type to a model Importing models . To add an external content type to a model. This permission is necessary to generate deployment packages based on Microsoft Business Connectivity Services. and Selectable in clients. a user must have edit permissions on that object. To import a model to the metadata store. to create a new method in an external content type. a user must have edit permissions on the parent metadata object. If explicit permissions are not assigned on the model. To delete an object and all its child objects (such as deleting an external content type and all its methods) the edit permission is also required on all the child objects. Generating a deployment package Setting initial permissions on the metadata store. . RevertToSelf authentication mode is disabled on SharePoint Foundation 2010 by default. Deployment packages are generated by the application pool account that is used by the front-end server. You should review all applications to ensure that they do not use FileBackedMetadataCatalog class and RevertToSelf authentication before installing them on a production system. 2010 Procedures in this article illustrate how to configure a forms-based Web application to use an LDAP provider.permissions on the model. However. The choice of which method to use depends on the specific communication channels you are securing and the benefits and tradeoffs that are most appropriate for your organization. this does not prevent applications that use the FileBackedMetadataCatalog class from importing models and executing calls that use RevertToSelf authentication. Internet Protocol security (IPsec) is one method that can be used to help protect communication. Server to server communication Securing the communication between the Business Data Connectivity service application and external systems helps ensure that sensitive data is not compromised. Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010) Updated: September 23. a user must have edit permissions on the model and on all external systems contained in the model. Applications that use FileBackedMetadataCatalog For security reasons. The farm administrator has full permissions to the store and can set initial permissions. You need to use an encrypted communication channel to protect data that is sent between servers running SharePoint Foundation 2010 and external systems. Exporting models To export a model from the metadata store. Securing Business Connectivity Services This section discusses additional measures that can be used to help secure Business Connectivity Services Service account For security isolation. its metadata store is empty. When an instance of the Business Data Connectivity service is first created. This can result in elevating privileges for users by granting privileges to the application pool account. the Business Data Connectivity service application and the front-end server should not use the same service account. This account has full permissions to the metadata store so that it can perform this task. 5. 3. 7. In the example Web. click Manage web applications. . click Claims Based Authentication. Verify that the user account that is performing this procedure is a site collection administrator. If you need to migrate an existing Microsoft Office SharePoint Server 2007 Web application from forms-based authentication to claims-based authentication in SharePoint Server 2010. and the name of the role manager is rolemanager. 4. Click OK to create the Web application. Type a membership provider name and a role manager name. In the Claims Authentication Types section. select Enable Forms Based Authentication (FBA). the name of the membership provider is membership. In the Authentication section of the Create New Web Application dialog box. 6.The procedures in this article provide guidance to enable you to configure forms-based authentication for a Microsoft SharePoint Server 2010 claims-based Web application. In Central Administration. click New. Configure a forms-based Web application to use an LDAP provider by using Central Administration Configure the LDAP Web. 2.Config file depicted in this article. see Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010). In the Contribute group of the ribbon. in the Application Management section.Config files Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell Configure a forms-based Web application to use an LDAP provider by using Central Administration Perform the steps in the following procedure to use Central Administration to configure formsbased authentication for a claims-based Web application. To configure forms-based authentication for a claims-based Web application by using Central Administration 1. Config file 1. PublicKeyToken=71e9bce111e9429c" server="yourserver.Config file To configure the Central Administration Web.Configure the LDAP Web. modify the following Web.Config files: The Central Administration Web application Web. Version=14. Culture=neutral.0.LdapMembershipProvider.Server. 2. Right-click SharePoint Central Administration and then click Explore.cn" /> </providers> </membership> <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" > <providers> <add name="roleManager" .com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=UserAccounts. Start IIS Manager by typing INETMGR at a command prompt.DC= distinguishedName (of your userContainer)" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn.Config file The Security Token Service Web.Config files After you have successfully created the Web application (described in the preceding procedure). Open the Web. 5.Office. 3. Microsoft.Security.Config file.DC=yourcompany. Find the <Configuration> <system.DC=internal.0.web> section and add the following entry: <membership defaultProvider="AspNetSqlMembershipProvider"> <providers> <add name="membership" type="Microsoft.Server. 4.0.Config file The forms-based authentication claims-based Web application Web.givenname. Go to the SharePoint Central Administration site in IIS.Office. Find the <Configuration> <system. 6.Office.com" port="389" useSSL="false" groupContainer="DC=internal. Version=14.Office. 3.web> section and add the following entry: <membership> <providers> <add name="membership" type="Microsoft.LdapMembershipProvider. Microsoft.Server. Culture=neutral.DC= distinguishedName (of your groupContainer)" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="((ObjectClass=group)" userFilter="((ObjectClass=person)" scope="Subtree" /> </providers> </roleManager> Important: After you have added the preceding entry. save and close the Web.Security.Server. Version=14.0. 4. 2.0. Microsoft.0.Server.DC=yourcompany. PublicKeyToken=71e9bce111e9429c" server="yourserver.Security. To configure the Security Token Service Web.type="Microsoft.0.Config file.Config file. Go to the SecurityTokenServiceAppliction sub-site. Open the Web.LdapRoleProvider. Go to the SharePoint Web Services site. Start IIS Manager by typing INETMGR at a command prompt. 5.Config file 1.com" port="389" useSSL="false" userDNAttribute="distinguishedName" .Office.Office.Server.0. PublicKeyToken=71e9bce111e9429c" server="yourserver.0. Culture=neutral. Right-click SecurityTokenServiceAppliction and then click Explore. userNameAttribute="sAMAccountName" userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> </providers> </membership> <roleManager enabled="true" > <providers> <add name="rolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="yourserver.com" port="389" useSSL="false" groupContainer="DC=internal,DC=yourcompany,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" /> </providers> </roleManager> Important: After you have added the preceding entry, save and close the Web.Config file. To configure the forms-based authentication claims-based Web application Web.Config file 1. Start IIS Manager by typing INETMGR at a command prompt. 2. Go to the Claims Forms site. 3. Right-click Claims Forms and then click Explore. 4. Open the Web.Config file. 5. Find the <Configuration> <system.web> section. 6. Find the <membership defaultProvider="i"> section and add the following entry: <add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="yourserver.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=UserAccounts,DC=internal, DC=yourcompany,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and add the following entry: <add name="roleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="yourserver.com" port="389" useSSL="false" groupContainer="DC=internal,DC=yourcompany,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" /> Important: After you have added the preceding entry, save and close the Web.Config file. Warning: Do not overwrite any existing entries in this Web.Config file. Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell Perform the steps in the following procedure to use Windows PowerShell to configure formsbased authentication for a claims-based Web application. To configure a forms-based Web application to use an LDAP provider by using Windows PowerShell 1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin. 2. On the Start menu, click All Programs. 3. Click Microsoft SharePoint 2010 Products. 4. Click SharePoint 2010 Management Shell. 5. From the Windows PowerShell command prompt, type the following: $ap = New-SPAuthenticationProvider -Name "ClaimsForms" ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager" $wa = New-SPWebApplication -Name "Claims Windows Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "internal\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap Note: The value of the ApplicationPoolAccount parameter must be a managed account on the farm. 6. After you have successfully created an authentication provider and a Web application, modify the following Web.Config files by using the sample entries provided in the Configure the LDAP Web.Config files section of this article: To configure the Central Administration Web.Config file To configure the Security Token Service Web.Config file To configure the forms-based authentication claims-based Web application Web.Config file 7. After you have modified the Web.Config files, create a SPClaimsPrincipal and a site collection, as shown in the following example: manage. role. Clients interact with the IP-STS when they request security tokens that represent an identity that is contained in the identity store of the IP-STS. and validate security tokens. An Identity Provider-STS (IP-STS) is a Web service that handles requests for trusted identity claims. or an anonymous identifier). An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management.$cp = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser $sp = New-SPSite http://servername:port -OwnerAlias $cp.Encode() -Template "STS#0" Configure the security token service (SharePoint Server 2010) Published: May 12. such as Security Assertion Markup Language (SAML) tokens. For additional information about the Security Token Service. Security tokens consist of a collection of identity claims (such as a user's name. The core functionality of every STS is the same. and to relying party applications that must validate identities presented to them by clients. such as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Service (AD LDS). An IP-STS uses a database called an identity store to store and manage identities and their associated attributes. 2010 This article provides guidance to enable you to configure the Microsoft SharePoint Server 2010 security token service (STS). and issues tokens to. federation partner Relying Party STS Web applications. Clients can create or provision managed Information Cards (using a card selector such as CardSpace) that represent identities registered with the IP-STS. Tokens can be issued in different formats. This . The identity store for an identity provider may be a simple. Security tokens can be protected with an X. but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design. In this article: How Web applications that use an STS work Configure a SharePoint claims-based Web application by using Windows PowerShell Edit bindings Configure a Web application that uses an STS How Web applications that use an STS work Web applications that use a security token service handle requests to issue. After authentication. Each IP-STS has a federated trust relationship with. Relying party applications can establish trust relationships with an IP-STS. the IP-STS issues a trusted security token that the client can present to a relying party application. each of which are referred to as an RP-STS. such as a SQL database table.509 certificate to protect the token's contents in transit and to enable validation of trusted issuers. see Plan authentication methods (SharePoint Server 2010). An IP-STS may also use a complex identity store. An IP-STS is available to clients who want to create and manage identities. 5. 2. In turn. To configure a SharePoint claims-based Web application by using Windows PowerShell 1. create an x509Certificate2 object.X509Certificate2("path to cert file") 6. Create a trusted login provider by first creating a value for the realm parameter. On the Start menu. as shown in the following example: $signinurl = "https://test-2/FederationPassive/" . Each organization continues to manage its own identity stores. 3. PS C:\>). A relying party STS (RP-STS) is an STS that receives security tokens from a trusted federation partner IP-STS. relying party applications can examine security tokens presented by clients and determine the validity of the identity claims they contain. Create a claim type mapping to use in your authentication provider. as shown in the following example: $realm = "urn:" + $env:ComputerName + ":domain-int" 8. the RP-STS issues new security tokens to be consumed by a local relying party application. as shown in the following example: New-SPClaimTypeMapping "http://schemas.Cryptography. Click Microsoft SharePoint 2010 Products. 4. Create a value for the signinurl parameter that points to the Web application.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming 7.Security. After the trust relationship is established. Configure a SharePoint claims-based Web application by using Windows PowerShell Perform the following procedures to use Windows PowerShell to configure a SharePoint claimsbased Web application. click All Programs. From the Windows PowerShell command prompt (that is. The use of RP-STS Web applications in federation with IP-STS Web applications enables organizations to offer Web single-sign-on (SSO) to users from partner organizations.xmlsoap. Verify that you meet the following minimum requirements: See Add-SPShellAdmin. as shown in the following example: $cert = New-Object System. Click SharePoint 2010 Management Shell.X509Certificates.enables them to validate the security tokens issued by an IP-STS. as shown in the following example: $site = New-SPSite $webappurl -OwnerAlias $claim. as shown in the following example: $ap = New-SPTrustedIdentityTokenIssuer -Name "WIF" -Description "Windows® Identity Foundation" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1[.ToEncodedString() -template "STS#0" Edit bindings .9. Create a value for the Web application URL ($webappurl = "https://" + $env:ComputerName)..InputClaimType 10. as shown in the following example: $claim = New-SPClaimsPrincipal -TrustedIdentityTokenIssuerr $ap -Identity $env:UserName 13. use New-SPManagedAccount. 11. Create a site. To create a managed account. Create a Web application by first creating a value for the application pool account (for the current user). as shown in the following example: $account = "DOMAIN\" + $env:UserName Note: The application pool account must be a managed account.$map2. as shown in the following example: $wa = New-SPWebApplication -name "Claims WIF" -SecureSocketsLayer -ApplicationPool "SharePoint SSL" -ApplicationPoolAccount $account -Url $webappurl -Port 443 -AuthenticationProvider $ap 12.InputClaimType). using the same IdentifierClaim value as in a claim mapping ($map1. Create the trusted login provider. Create a site by first creating a claim object.] -SignInUrl $signinurl -IdentifierClaim $map1. select any listed certificate. 2. 11. 10. 6. Select Enable support for Web-browser-based identity federation. edited the bindings and configured the Web. Start IIS Manager by typing INETMGR at a command prompt. Under SSL Certificate. To edit bindings 1. . 5. Type a relying party name and click Next. Configure a Web application that uses an STS After you have configured a SharePoint Server 2010 claims-based Web application. To configure a Web application that uses an STS 1. Type the name of the Web application URL. In the left pane. and append /_trust/ (for example: https://servername/_trust/). click Start. On the first page of the wizard. 8. click Add Relying Party. click Next. This opens the Active Directory Federation Services (AD FS) 2. 4. Open the Active Directory Federation Services (AD FS) 2. In the left pane. and select Edit Bindings. 4. Make sure Active Directory Federation Services (AD FS) 2. Click Next. 3. 9. expand Policy.After you have configured a SharePoint claims-based Web application.0Management console. Go to the Claims Web Application site in IIS. you can use the procedure in this section to configure a Security Token Service Web application.0 configuration wizard. and click Add. Select https and click Edit. and select Relying Parties. If you are not planning to use an encryption certificate.Config file. 5. 3. In the right pane.0 Server Profile is selected. Click Next. Click Enter relying party configuration manually. 7. and click Next. Type an identifier. 2. edit the bindings. right-click Claims Web Application. and click Next. 15. Returns an authentication provider. You can use Windows PowerShell cmdlets to administer security for Microsoft SharePoint Foundation 2010. Returns a claim provider manager. Returns the names of all users who have the SharePoint_Shell_Access role. 13. click Save. 19. 22. 18. expand New Rule. Use this console to configure the mapping of claims from an LDAP Web application to SharePoint. 2010 21. Under Outgoing Claim Type. click Next and then click Close. select E-Mail Address. . Under LDAP Attribute. Returns a claim provider. Cmdlet name Add-SPShellAdmin Get-SPShellAdmin Remove-SPShellAdmin Add-SPClaimTypeMapping Get-SPAuthenticationProvider Get-SPCertificateAuthority Get-SPClaimProvider Get-SPClaimProviderManager Description Adds a user to the SharePoint_Shell_Access role for the specified database. and select Predefined Rule. Select Create Claims from LDAP Attribute Store. Adds a claim mapping to a trusted security token service (STS) identity provider. On the Summary page.12. from the Attribute Store drop-down list. Published: May 12. In the left pane. Returns the SharePoint certificate authority (CA). 17. 16. select sAMAccountName. In the right pane. 14. Security cmdlets (SharePoint Foundation 2010) 20. In the left pane. This opens the Rules Editor Management console. Removes a user from the SharePoint_Shell_Access role. select Enterprise Active Directory User Account Store. Returns all managed paths that match the given criteria. Deletes a claim type mapping rule for a security token service (STS) identity provider.Get-SPManagedAccount Get-SPManagedPath Get-SPSecurityTokenServiceConfig Get-SPServiceApplicationSecurity Get-SPTrustedIdentityTokenIssuer Get-SPTrustedRootAuthority Get-SPTrustedServiceTokenIssuer Grant-SPObjectSecurity Initialize-SPResourceSecurity New-SPAuthenticationProvider New-SPClaimProvider New-SPClaimsPrincipal New-SPClaimTypeMapping New-SPManagedAccount New-SPManagedPath New-SPTrustedIdentityTokenIssuer New-SPTrustedRootAuthority New-SPTrustedServiceTokenIssuer Remove-SPClaimProvider Remove-SPClaimTypeMapping Remove-SPManagedAccount Remove-SPManagedPath Retrieves accounts registered in the configuration database. Returns a trusted root authority. Returns an identity provider. Registers a new claim provider in the farm. Registers a new managed account. Removes a managed account registration from the farm. Returns the object that represents the farm trust. Creates a trust with a SharePoint farm. Creates a claim mapping rule for a security token service (STS) identity provider. Returns the SPObjectSecurity object for a service application. Adds a new security principal to an SPObjectSecurity object. Creates an identity provider in the farm. Creates a new authentication provider in the farm. Creates a new managed path for the given Web application for all host header site collections. Creates a trusted root authority. Deletes the specified managed path from the . Unregisters a claim provider. Returns the security token service (STS) for the farm. Creates a new claims principal. Enforces resource security on the local server. Updates a trust with the farm. Updates the SPObjectSecurity object for a service application. Deletes a trusted root authority. Creates a new trusted root authority. Removes a security principal from a SPObjectSecurity object. Updates registration of a claims provider. Deletes the object that represents the farm trust. re-encrypts all the data. Configures the managed account. using the new key. RemoveSPTrustedIdentityTokenIssuer Remove-SPTrustedRootAuthority RemoveSPTrustedServiceTokenIssuer RepairSPManagedAccountDeployment Revoke-SPObjectSecurity Set-SPClaimProvider Set-SPManagedAccount Set-SPSecurityTokenServiceConfig Set-SPServiceApplicationSecurity Set-SPTrustedIdentityTokenIssuer Set-SPTrustedRootAuthority Set-SPTrustedServiceTokenIssuer Update-SPFarmEncryptionKey Deletes a security token service (STS) identity provider from the farm. Sets the identity providers of a Web application. Changes the value of the farm encryption key and. Updates the settings of the SharePoint security token service (STS) identity provider. Repairs the local managed account credential deployment.specified host header or Web application. .
Copyright © 2024 DOKUMEN.SITE Inc.