Back Forward Home Print Search
SharePoint Server 2007 Help and How-to >  Site management >  Managing security and permissions
Grant access to the portal site
Grant access to the portal site
What do you want to do

Learn about permission groups and levels

One of the fundamental responsibilities of a site administrator is to control who can access the portal site, who can work with portal site content, and who can make changes to the portal site pages and functionality. A site administrator may want to give read/write access to specific people and at the same time give view-only access to others.

For example, on a site that describes employee benefits, the site administrator wants only the people in the employee-relations department to add or update information on the site. However, everyone in the larger organization should be able to view the information on the site. Granting specific permission to groups of people enables the site administrator to control who can view data, who can add or change information, and who can manage content on the site.

To effectively control site access, site administrators need to determine who needs access to the site, what level of access they need, and what parts of the portal site to include in their permissions. The three basic permission groups and their default permission levels are are follows:

  • Owners   This group has Full Control permissions, which enable group members to make changes to the site content, pages, or functionality. Full Control access should be limited to site administrators only.
  • Members   This group has Contribute level permissions, which allow group members to view pages, edit items, submit changes for approval, and delete items from a list.
  • Visitors   This group has Read level permissions, which enables group members to view pages, list items, and documents.

In additional to the three basic groups, a site administrator can create new groups, modify the permission level of any of the groups, or use any combination of the following groups to create more precise access levels over a larger and more complex organization:

  • Approvers   Members of this group have permission to publish a major version of a list item (such as a page) from draft to final version and allow it to be accessible to anonymous and restricted users.
  • Designers   This group has access permissions similar to those of site administrators. Designers can change the performance, alter the look and feel of the site, and add code to the master page gallery. Designer level access is generally restricted to a small set of Web developers, site administrators, or both.
  • Hierarchy manager   Members of this group have permission to rename sites or move sites within a site collection to change the hierarchy of the site collection. This hierarchy affects the navigation structure of the site, and any pages in the site that use the portal site navigation will reflect the changes. This group is intended to replace the Channel Manager group in Microsoft Content Management Server (CMS) 2000. If you upgrade from CMS 2000, channel managers are migrated to hierarchy managers.
  • Quick Deploy Users   This group is intended to facilitate quick content updates for sites that have separate authoring and deployment tiers. It enables group members to easily schedule and propagate data from an authoring tier to a production tier.
  • Restricted readers   Members of this group access the site and all of its contents with read-only permissions on the major versions of each list or item. Typically this level of access is given to people who only need to view and read information on a site but never directly contribute to it.

 Note    Individual users and groups can have different permission levels for different securable objects. For example, you can assign different users and groups different permission levels for a specific site, list, library, folder within a list or library, list item, or document.

 Top of Page

Set up groups

To specify which permission-level group to assign to site visitors, site members, and site owners, do the following:

  1. On the portal site home page, click the Site Actions menu, point to Site Settings, and then click People and Groups.
  2. On the People and Groups page, on the Quick Launch, click Groups.
  3. On the People and Groups: All Groups page, on the Settings menu, click Set Up Groups.
  4. On the Set Up Groups for this Site page, select a permission-level group for each set of users that you want to change. Or click Create a new group to assign a custom group to a set of users.
 Top of Page

Add users to groups

  1. On the portal site home page, click Site Actions, point to Site Settings, and then click People and Groups.
  2. On the People and Groups page, in the Quick Launch, click Groups.
  3. Click the name of the group to which you want to add users.
  4. On the New menu, click Add users, and then type the account names that you want to add, or click Browse to find users from Active Directory directory service.
  5. Make sure that Add users to a SharePoint group is selected and the correct group is displayed, and then click OK.

     Note    In rare cases, you might want to give individual permissions to a user by clicking Give users permission directly. However, assigning individual permission levels to large numbers of users can quickly become difficult and time-consuming to manage. We recommend that you use groups as much as possible to manage site access.

  6. Click OK.
 Top of Page

Create a new group

You are not restricted to using only the default Microsoft Office SharePoint Server 2007 groups. If you have a particular requirement that a default group does not meet, you can either modify an existing group or create a custom group. You can also use the following procedure to block specific groups from accessing your site:

  1. On the portal site home page, click Site Actions, point to Site Settings, and then click People and Groups.
  2. On the New menu, click New Group.
  3. Type a name for the group, and then type a brief description of the group's attributes.
  4. To change the owner of the group, type a new account name, or click Browse to find an individual's account name in Active Directory.
  5. Click options in the Group Settings section to determine whether the group is private or publicly available and who can make changes to the group members.
  6. Click options in the Membership Requests section to specify whether you will accept requests to be added or removed from this group, and to add the e-mail address that users can send requests to. If you select Auto-accept requests, users are automatically added or removed when they make a request.
  7. In the Give Group Permission to this Site section, select the permission level that you want to allow for this group.

    To create a group that is blocked from accessing your site, clear all the check boxes for permission levels.

  8. Click Create.
  9. To add individuals to the group, follow the procedure in Add users to groups.
 Top of Page

Change the permission level of a group

  1. On the portal site home page, click the Site Actions menu, point to Site Settings, and then click People and Groups.
  2. On the People and Groups page, in the Quick Launch, click Groups.
  3. On the People and Groups: All Groups page, click the name of the group whose permission level you want to change.
  4. On the People and Groups: Group Name page, click the Settings menu, and then click Group Settings.
  5. On the Change Group Settings page, in the Give Group Permission to this Site section, select the check box next to the permission level that you want to give to the group, and clear the check box next to the permission level that no longer applies to the group.
  6. Click OK.
 Top of Page