Actualización 12/18/07: Ver o artigo de Paul Liebrand para algunhas consecuencias técnicas de eliminar ou modificar os nomes de grupos estándar (ver o seu comentario a continuación, así).
Visión global:
SharePoint security is easy to configure and manage. Con todo, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (Eu admite a ter este problema me). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.
Nota importante:
This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or enviar correo-e me. I’ll make corrections post haste.
Fundamentos:
Aos efectos da presente Resumo, existen catro aspectos fundamentais para a seguridade: usuarios / grupos, obxectos que poden ser protexidos, niveis de permisos e de herdanza.
Usuarios e Grupos quebran-se en:
- Os usuarios individuais: Tirado do Active Directory ou creado directamente no SharePoint.
- Grupos: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" a un obxecto específico protexido.
Obxectos que poden ser protexidos romper a polo menos:
- Sitios
- As bibliotecas de documentos
- Elementos individuais en listas e bibliotecas de documentos
- Cartafois
- Varias opcións BDC.
Existen outros obxectos que poden ser protexidos, pero comeza a foto.
Os niveis de permiso: Un feixe de granular / low level access rights that include such things as create/read/delete entries in lists.
Herdanza: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.
Usuarios e grupos se relacionan con obxectos que poden ser protexidos a través de niveis de permiso e de herdanza.
Os máis importantes Normas de Seguridade para entender, Ever 🙂 :
- Os grupos son simplemente coleccións de usuarios.
- Grupos son globais dentro dun conxunto de sitios web (i.e. non hai tal cousa como un grupo definido a nivel local).
- Nome do grupo non resistir, grupos non facer, en si, have any particular level of security.
- Groups have security in the context of a specific securable object.
- Pode asignar niveis de permiso diferentes para o mesmo grupo para cada obxecto protexido.
- Aplicación web políticas trunfo todo isto (mira abaixo).
Os administradores de seguridade perdidas nun mar de grupo e lista de usuarios poderá contar con estes axiomas para xestionar e entender a súa configuración de seguridade.
Problemas comúns:
- Os nomes dos grupos implicar falsamente permiso: Fóra da caixa, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" grupo non pode contribuír en todo, pero só ler (por exemplo). This would not be a good idea, obviamente, xa que sería moi confuso.
- Os grupos non son definidos a nivel local. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" ligazón. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
- Grupos de adhesión non varía pola web (i.e. é a mesma en todas partes do grupo se usa): Consider the group "Owner" e dous locais, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, Eu podería acceder as persoas e con grupos a través da web de RH, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. En realidade, I’m removing her from the global Owners group. Hilarity ensues.
- Deixar de citar grupos baseados en papel específico: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, Eu debería crear dous novos grupos: "HR Owners" and "Logistics Owners" e asignar niveis de permiso por cada cordas e ao importe mínimo esixido para os usuarios fagan o seu traballo.
Outras referencias útiles:
- Web aplicación política Gotcha: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!255.entry
- Cámara de seguridade do SharePoint: http://www.sharepointsecurity.com/
- Ligazóns de Joel Oleson: http://blogs.msdn.com/joelo/archive/2007/08/23/sharepoint-security-and-compliance-resources.aspx
Se chegou aquí:
Please let me know your thoughts via the comments or email me. If you know other good references, faga o mesmo!
Ola,
Gran blog con informacións interesantes.
Podo usalo t resolver o meu problema.
Thanx
M.
http://www.vanjobb.hu/
Máis trampas:
* Hai certas permisos especiais dispoñibles noutras partes do SSP e non visible nas persoas e grupos sección: "Personalization services permissions"and "Business Data Catalog permissions"
* Lin que hai tamén os permisos do SharePoint Designer especiais dispoñibles nalgúns xml arcano enterrados en algún lugar dentro html.
* Os administradores Primario e Secundario para unha colección sitio son mantidas en outro lugar na configuración do Conxunto de outros sitios, e non están visibles na sección Persoas e Grupos.
* Certas contas teñen máxico (especial) habilidades, con independencia do que ve na área de Persoas e Grupos: membros do grupo interno Administradores nos servidores web, ea conta de servizo Farm.
(PS: Excluíndo os comentarios de spam sería mellorar a lexibilidade aquí.)
Ben, eu creo que o deseño do seu blog é moi interesante.
Ola, O meu nome é John, and my site is http://geocities.com/whitejohn29/
Novembro 27 9:04 AM
(http://www.EndUserSharePoint.com)