| |||||
| |||||
Microsoft Windows SharePoint Services uses site groups to manage security across a SharePoint site. Each user must be a member of at least one site group in order to view or access a SharePoint site. Each site group possesses corresponding rights. Rights are rules associated with the system as a whole, granted to local groups, global groups, and users. A right within Windows SharePoint Services may be actions that users can perform, such as Manage Lists. In addition, you can edit the rights assigned to a specific site group, create an additional site group, or delete an unused site group. You manage site groups in Windows SharePoint Services from SharePoint Central Administration or by using the command-line administration tool.
Note You can add user accounts to a SharePoint site without assigning them to a site group. For example, you can create the user accounts and then assign the users to site groups later. You can also remove a user from all site groups. When you remove a user from all site groups, the user has no access to the Web site.
Windows SharePoint Services includes the following site groups by default:
Note When a member of the Reader site group creates a site using the Self-Service Site Creation feature, he or she becomes the site owner and a member of the Administrator site group for the new site. This does not affect the site group membership of the user for any other site.
Note The owner and secondary owner of a site collection are members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in SharePoint Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform site collection administrative tasks.
Note These site groups are defined per SharePoint site. Users assigned to the Administrator site group are administrators only for a particular SharePoint site. To perform any administrative tasks that affect settings for all SharePoint sites and virtual servers on the server computer, a user must be an administrator for the server computer (also known as a local machine administrator) or a member of the SharePoint administrators group, rather than a member of an Administrator site group for a specific SharePoint site.
You can create a site group or customize an existing site group to include only the rights you want (except for the Guest and Administrator site groups, which cannot be customized). For example, to allow only the Web Designers to be able to edit lists on the site, you can remove the Edit Items right from the Contributor site group.
Note Some rights depend on other rights. You must be able to view items before you can edit items. If a right is deleted from a site group, any rights dependent on that right are also deleted. For example, when the View Items right is deleted, the Add Items, Edit Items, and Delete Items rights are also deleted. In the same way, if you add a right that requires another right, the required right is also added. So, if you grant the Edit Items right to a user, the View Items right is granted automatically.
User rights grant users the ability to perform certain actions on a Web site, and restrict other users from performing those actions. Some rights do not completely restrict certain actions. The Apply Themes and Borders and Apply Style Sheets rights allow users to make changes to an entire Web site. Any user with the Add and Customize Pages right, however, can perform the same changes on a page-by-page basis in the actual HTML code. Be aware that if you give users the Add and Customize Pages right by assigning them to a site group that contains the right, you also give them the ability to change the theme, border, and style sheets for individual pages in the SharePoint site.
When you assign rights to site groups, ensure that you assign the appropriate rights, and do not unintentionally allow members of the site group to perform more actions that you want on the SharePoint site. Conversely, ensure that members of the site group are not unintentionally restricted from performing the actions they need to perform.
When a user creates a site, the user is listed as the site owner. Depending on your configuration, the user may also be required to specify a secondary contact for the site. Confirmation notifications are automatically sent to the site owner and to the secondary contact, if one exists.
The owner and secondary owner of a site collection are members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform Web site administrative tasks.