Farm Administrators
Farm Administrators group is a group that is managed centrally via SharePoint Central Administration web-site:
Farm Administrators include by default SharePoint Farm -account, SharePoint installation account and BUILTIN\Administrators group. Farm Administrators have basically “all rights” in SharePoint Farm.
You can give Farm Administration rights to groups and users:
Authentication Providers
With authentication providers you can control how you would like to have your users authenticated in a web application. You can also enable/disable anonymous access:
Web Application Level Permission Policies
With web application level permission policies you can control centrally, with Central Administration, what kind of permission policies you want to apply to all site collections and sites under specific web application. SharePoint gives us four predefined policies by default:
Web Application Level User Policies
User Policy is the place where the magic happens in a web application level. User policy is basically a AD user or AD group mapping to certain Web Application Level Permission policy. You can even define a Zone in which the policy is applied. For example you can use different policy for users who use the SharePoint sites from your internal network (intranet zone), and different policy for those who access the sites through public internet (internet zone), or just apply to “All Zones”.
Web Application Level Anonymous Policy
You can also define web application level anonymous users’ policy through Central Administration -site (you can only select the policy from a three predefined policies):
Web Application Level User Permissions
This is just a checkbox list from where you can manage what kind of permission levels can be used in a web application and site collections, you can add/reduce certain permission for the whole web application:
Site Collection Administrators
Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users as site collection administrators. With Central Administration site, you can define two users as site collection administrators, but in site collection settings you can add more site collection administrators. Here is a screenshot of Central Administration site collection administrators settings page:
Anonymous Access Permissions
You can control what parts of your site the Anonymous users can access with Anonymous Access Setting:
Anonymous access can further be restricted by enabling View Form Pages Lock Down -feature. Our advice is to enable this feature in every public SharePoint site.
If anonymous access is enabled, you can control the permission of anonymous in list or library:
Site Collection Level Permission Levels
Like in Web Application level permission policies, these are the actual permissions that SharePoint will check when user accesses resources in a SharePoint site. This time we have Grant only abilities (in Web Application Level Permission Policies you could use Grant and Deny). In itself permission levels are only definitions that group the more fine grained permissions together in a more useful entity.
SharePoint has these permission levels defined in site collections:
You can also define your own permission levels, if predefined levels do not match the requirements. Own permission levels can be created in similar fashion as web application level permission policies:
SharePoint Groups
SharePoint groups are a little bit like AD groups, but these groups are managed in SharePoint instead of AD. SharePoint groups can be used to delegate rights management for the site owners instead of system administrators. SharePoint groups are global to the whole site collection. You cannot specify SharePoint group that exists only in a site level. SharePoint groups cannot be used over the site collections. One thing SharePoint groups do support that AD groups do not, is membership requests. You can control SharePoint groups’ permission levels whenever you want to use that group. Basically SharePoint group is just a collection of AD groups and AD users with attached permission levels. While permission level can change for the group the members are globally defined.
Here is a small clipping of Group creation settings:
SharePoint Groups do not directly give any rights to AD users or AD groups. You have to use that group somewhere. Next we walk through all the places where you can use SharePoint Groups, AD Groups and AD users to actually give the permissions.
Site Permissions
Site permissions are where all the permission management begins. More specifically the root site permissions. These are the permissions that all sub-items (except column permission)will inherit. That’s why it is important to carefully design the site permissions as the whole site will use these by default unless the inheritance chain is broken.
When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to some of SharePoint groups or grant the permissions directly.
Here is a screenshot of SharePoint site level permission granting screen (this exact same functionality is also used in other levels described below):
Each sub site can break the permissions inheritance chain and specify their own permissions, just like you specify them in a root site.
Library or List Permissions
Library and List permissions can be managed though list settings. Basically the management works exactly the same as with Site permissions. First you break the inheritance chain and then you start to manage individual list’s or library’s permissions. You can grant rights for AD users, AD groups and SharePoint Groups. By default libraries and lists inherit their permissions from parent site.
With lists and libraries you have also some other security related features.
For example you can control Draft Item Security:
Folder, Document or Item Permissions
Like with library and site permissions, folders, documents or items can be granted with their own permissions by breaking the permissions inheritance chain.
You can access document and item level permission settings page directly from the object you are interested in:
Column Permissions
In SharePoint, this level of permissions does not exist. But the new permission control for SharePoint has been provided by BoostSolutions, so you can assign different permissions to different users for different columns.
After install Column Permission product on SharePoint, you can access column permission settings page in List Settings page to assign the different permissions for columns.
You can see the specific configuration of column permissions in http://www.BoostSolutions.com/columnpermission.html