{"id":1068,"date":"2013-06-06T18:47:41","date_gmt":"2013-06-06T17:47:41","guid":{"rendered":"http:\/\/blog.repsaj.nl\/?p=1068"},"modified":"2013-06-12T09:15:58","modified_gmt":"2013-06-12T08:15:58","slug":"sp2010-administrators-and-permissions","status":"publish","type":"post","link":"http:\/\/blog.repsaj.nl\/index.php\/2013\/06\/sp2010-administrators-and-permissions\/","title":{"rendered":"SP2010: Administrators and permissions"},"content":{"rendered":"<p>At my current job, I&#8217;m more of an administrator than I am a dev. It&#8217;s quite enlightening to be honest. As a developer, you don&#8217;t tend to think that much about site structure, governance and all those things. Not that I had no experience in that, but I surely have learned some things extra since my admin job. One of those is permission management and I&#8217;d like to share a little story about that. <!--more--><\/p>\n<p>At my customer, we made up the following requirements for our environment:<\/p>\n<ul>\n<li>Sites have to be restrained from growing excessively big by using quotas.<\/li>\n<li>We will use site retention to automatically clean up old, unused sites.<\/li>\n<li>We <span style=\"text-decoration: underline;\">do not<\/span> want to give users the &#8220;manage permissions&#8221; and &#8220;create groups&#8221; permissions. I won&#8217;t go into too much detail there, just accept the requirements \ud83d\ude42<\/li>\n<li>Of course, there is a select group of admins who are allowed to manage permissions. So those people need to be granted that permission level.<\/li>\n<\/ul>\n<p>Ok. So to start with the bad news: I didn&#8217;t solve this puzzle (yet). And that might surprise you because all of these things sound doable, right? Well, it&#8217;s the combination that&#8217;s the problem and I&#8217;ll explain why.<\/p>\n<p>Both the quota system and retention are e-mail based. That means the user will start getting e-mails when there&#8217;s something wrong. 
This is cool, but the e-mail is sent out to the account listed as <span style=\"text-decoration: underline;\">primary site collection administrator<\/span>. So, we need to ensure the end-user is listed as primary site collection administrator. Hmmm. That gives that user a lot of permissions, some of which we might not want to give out.<\/p>\n<p>At that point you should be looking at permission management on <strong>web application level<\/strong>. Basically there are two options there:<\/p>\n<ul>\n<li>You can disable certain permissions completely, making them unavailable on all site collections in this web application. That&#8217;s nice, but disabling &#8220;manage permissions&#8221; will have <strong>serious<\/strong> impact. For instance: your approval workflows will get stuck because they cannot change the approver any more. Not really a good option.<\/li>\n<li>Secondly, there&#8217;s the option to use permission levels and Grant \/ Deny those to users. This works like in SQL: a deny always overrides all other grants. The problem with this is that you cannot say &#8220;I want to deny by default, except for my admin users&#8221;. Believe me: I tried all possible combinations you might think of; it just doesn&#8217;t work that way.<\/li>\n<\/ul>\n<p>Hmmm, getting more and more stuck. You might tell me: &#8220;you can create a custom permission level on your site collection via script, and give that permission level to your users&#8221;. Well yes, you can. But on site collection level, there&#8217;s no denying permissions; there&#8217;s just granting them. And your end user, the site collection administrator, will have, well&#8230; site collection administrator permissions. Which boils down to: Full Control. So although this will do the trick for owners, it will not for site collection administrators.<\/p>\n<p>I made this a case with MS support, but didn&#8217;t get to a good solution with the support engineer. It just seems to be impossible. 
Which doesn&#8217;t mean I&#8217;m done with it, because I still have the belief this should be possible somehow. So&#8230; if you have a brilliant idea or solution, do me a favour and leave it in the comments please!<\/p>\n<p><strong>Update: <\/strong>you might be tempted (as I was) to think that the permission levels (or changes to&#8230;)\u00a0on web application level will be propagated to the site collections. That&#8217;s not the case. The Full Control permission level on a site collection contains all permissions (well duh&#8230;) and cannot be changed. Changes you make to &#8220;Full Control&#8221; on web application level are <strong>not<\/strong> propagated down to\u00a0the site collections (I expected this). These are two separate levels which both affect the permissions a user has, but are not connected as such.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At my current job, I&#8217;m more of an administrator than I am a dev. It&#8217;s quite enlightening to be honest. As a developer, you don&#8217;t tend to think that much about site structure, governance and all those things. 
Not that I had no experience in that, but I surely have learned some things extra since<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[34],"tags":[7,47,89],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p3KFR1-he","_links":{"self":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts\/1068"}],"collection":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/comments?post=1068"}],"version-history":[{"count":0,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts\/1068\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/media?parent=1068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/categories?post=1068"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/tags?post=1068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}