Windows SharePoint Services: Security

Security

Security can be divided into two primary components: authentication and authorization.

Authentication Provider

Windows SharePoint Services authentication is configured by the Web application’s authentication provider. Windows SharePoint Services 3.0 supports Windows authentication, which lets users authenticate with accounts stored in the server’s local Security Accounts Manager (SAM) database or in Active Directory (AD). You can also configure a Web application to use forms-based authentication, which accepts any ASP.NET 2.0 membership provider, or Web single sign-on (SSO), which uses Active Directory Federation Services (ADFS).

A Web application has exactly one authentication provider, so to support more than one provider you need more than one Web application, normally by extending an existing one. For example, you might want to give Windows SharePoint Services 3.0 access to users within your organization who maintain accounts in Active Directory, as well as to partners who reach it through an extranet site using accounts stored in an ASP.NET 2.0 membership provider. To do this, you create a Web application (for example, http://intranet.contoso.com) that uses Windows authentication, then extend it to a second Web application (for example, http://extranet.contoso.com) that uses forms-based authentication. Both sites are attached to the same content database, so users see the same content regardless of which URL they use. Because the content is shared, the authorization settings described below (site collection membership, object permissions and Web application policies) apply to both sites; only the way users prove their identity differs.

Authentication Timeout for Forms Based Authentication

If the Web application uses forms-based authentication, the user remains authenticated until the user closes the browser or the authentication timeout expires. The timeout is expressed in minutes and defaults to 30. You configure it for a Web application in the application’s Web.config file by adding or modifying the timeout attribute of the forms element inside the authentication element, for example:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
    </authentication>

Two caveats apply. First, ASP.NET 2.0 uses a sliding expiration by default (slidingExpiration="true"), so the timeout is measured from the user’s last activity rather than from login, and an active session can outlive the configured value. Second, because the Web.config is per Web application, an extended Web application (for example the extranet site in the previous section) has its own Web.config and its own timeout.
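The following added example (not code from the original page or from Microsoft) audits the forms element of a Web.config the way the paragraph above describes it: it applies the ASP.NET 2.0 defaults for attributes that are absent, flags a timeout above an assumed local ceiling, and reports the sliding-expiration and requireSSL settings a reviewer would want to see. The sample Web.config fragments, the 60-minute ceiling and the function names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# ASP.NET 2.0 defaults for attributes a <forms> element may leave out.
FORMS_DEFAULTS = {"timeout": "30", "slidingExpiration": "true", "requireSSL": "false"}
MAX_TIMEOUT_MINUTES = 60  # assumed local policy ceiling, not a SharePoint default

# Constructed Web.config fragments; not copied from any real farm.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
    </authentication>
  </system.web>
</configuration>
"""
WINDOWS_WEB_CONFIG = SAMPLE_WEB_CONFIG.replace('mode="Forms"', 'mode="Windows"')
NO_FORMS_ELEMENT_CONFIG = (
    '<configuration><system.web><authentication mode="Forms"/>'
    "</system.web></configuration>"
)


def _auth_element(root):
    return root.find("./system.web/authentication")


def audit_forms_auth(config_xml, max_timeout=MAX_TIMEOUT_MINUTES):
    """Return the effective forms-authentication settings and a list of findings."""
    root = ET.fromstring(config_xml)
    auth = _auth_element(root)
    mode = auth.get("mode") if auth is not None else None
    if mode != "Forms":
        return {"mode": mode,
                "findings": ["forms-based authentication is not in use; the forms timeout does not apply"]}
    attrs = dict(FORMS_DEFAULTS)          # defaults first, then whatever the element sets
    forms = auth.find("forms")
    if forms is not None:
        attrs.update(forms.attrib)
    timeout = int(attrs["timeout"])       # minutes
    sliding = attrs["slidingExpiration"].lower() == "true"
    require_ssl = attrs["requireSSL"].lower() == "true"
    findings = []
    if timeout > max_timeout:
        findings.append(f"timeout={timeout} minutes exceeds the assumed ceiling of {max_timeout}")
    if sliding:
        findings.append("slidingExpiration=true: the cookie is renewed on activity, "
                        "so a session can outlive the timeout")
    if not require_ssl:
        findings.append("requireSSL=false: the authentication cookie may be sent over plain HTTP")
    return {"mode": mode, "timeout": timeout, "slidingExpiration": sliding,
            "requireSSL": require_ssl, "findings": findings}


def set_forms_attributes(config_xml, **attributes):
    """Add or modify attributes on the forms element (creating it if absent)
    and return the rewritten Web.config text."""
    root = ET.fromstring(config_xml)
    auth = _auth_element(root)
    if auth is None or auth.get("mode") != "Forms":
        raise ValueError("authentication mode is not Forms")
    forms = auth.find("forms")
    if forms is None:
        forms = ET.SubElement(auth, "forms")
    for key, value in attributes.items():
        forms.set(key, str(value))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit_forms_auth(SAMPLE_WEB_CONFIG)["findings"]:
        print("finding:", line)
    hardened = set_forms_attributes(SAMPLE_WEB_CONFIG, timeout=30,
                                    requireSSL="true", slidingExpiration="false")
    print("after hardening:", audit_forms_auth(hardened)["findings"])
```

Point the script at a real Web.config by reading the file into `audit_forms_auth`; the hardened values shown (30 minutes, requireSSL on, sliding expiration off) are the reviewer’s starting position, not a Windows SharePoint Services requirement, and requireSSL="true" only makes sense once the Web application is served over HTTPS.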

Authentication for a Site

To let a user into a specific site, you must add the user’s account, or a group the user belongs to, to the site collection (by using the People and Groups link in the site’s settings). The set of valid users and groups is defined at the site collection level; once a user or group has been added, you can grant it permissions on any object (site, list, library, item, or document) within that site collection.

Anonymous Access

Users who have not authenticated are anonymous users. Anonymous access is off by default and must first be enabled at the Web application level before such users can reach any site or list. Once it is enabled for the Web application, you configure it per site: blocked, allowed for the entire site, or allowed only for specific lists and libraries. Each list and library can then allow or deny anonymous access individually.

Access to Securable Objects

After authentication, as either a valid user account or an anonymous user, access to any securable object (a site, list, library, item, or document) is controlled by the permissions on that object. Permissions should be assigned to groups defined either in the SharePoint site collection or in the authentication provider (such as Active Directory groups), but they can also be assigned to an individual user defined in the authentication provider. By default, permissions are inherited from the parent object: the permissions assigned to the top-level site in a site collection are inherited by each site within the collection, by each library and list within that site, and by each document and item within the library or list. You can edit the permissions on any securable object, but doing so breaks that object’s inheritance from its parent: the object keeps a copy of the permissions it had at that moment, and later changes to the parent no longer affect it. In particular, a permission revoked at the parent is not revoked on children with unique permissions, so objects with broken inheritance must be reviewed separately.

Permission Levels

The permission levels you can configure on a securable object for a user or group are, by default, Full Control, Design, Contribute, Read, and Limited Access. You can modify these permission levels at the site collection level to enable the configuration of additional security-related roles.

Permissions

Each permission level is itself composed of granular permissions. For example, the Read permission level comprises eleven permissions such as View Pages, View Items, and Create Alerts. By default, all Windows SharePoint Services permissions are available for use in defining permission levels in a site collection. However, you can restrict which permissions are available to site collections within a Web application by configuring User permissions for Web application in SharePoint Central Administration.

Web Application Policies

Finally, Windows SharePoint Services 3.0 lets you override object-level permissions through security policies configured for the Web application. By default, the administrators of the server hosting Windows SharePoint Services have no access to any Windows SharePoint Services content. If business needs require such access, you can configure a security policy for each Web application that grants the administrators group the appropriate access. Similarly, corporate policy may require that a team of auditors or security personnel can read content within a Web application. A Full Control or Full Read policy gives the assigned users access to content throughout the Web application, overriding any more restrictive permissions on objects within it. Conversely, a particular group of users might need to be kept out of content even where object permissions would otherwise allow access. A Deny Write or Deny All policy overrides any more liberal permissions on objects within the Web application, and deny policies take precedence over grant policies for the same user. Because a policy applies to the whole Web application (per zone, so an extended extranet site can carry a different policy), it should be reviewed with the same care as a site collection administrator assignment.
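The following added example (illustration code, not Windows SharePoint Services code) models the authorization rules described in the sections on securable objects, permission levels, permissions and Web application policies: permissions are inherited until inheritance is broken, a break leaves the child with a snapshot of the parent’s assignments, permission levels are sets of granular permissions, and Web application policies override object permissions with Deny evaluated before Grant. The permission sets are abbreviated (the real Read level has eleven permissions, and Limited Access is left out), the Deny-before-Grant ordering is an assumption of the model, and the hierarchy, principals and policies are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Granular permissions grouped into permission levels. The permission names are
# WSS 3.0 names; the sets are deliberately abbreviated for the illustration.
READ_PERMS = frozenset({"View Pages", "View Items", "Create Alerts"})
WRITE_PERMS = frozenset({"Add Items", "Edit Items", "Delete Items", "Manage Permissions"})
LEVELS = {
    "Read": READ_PERMS,
    "Contribute": READ_PERMS | {"Add Items", "Edit Items", "Delete Items"},
    "Full Control": READ_PERMS | WRITE_PERMS,
}
POLICY_NAMES = {"Full Control", "Full Read", "Deny Write", "Deny All"}


@dataclass
class SecurableObject:
    """A site, list, library, item or document. role_assignments maps a principal
    (user or group name) to a permission level; None means 'inherit from parent'."""
    name: str
    parent: Optional["SecurableObject"] = None
    role_assignments: Optional[dict] = None

    def permission_source(self) -> "SecurableObject":
        """Walk up until an object with its own (unique) permissions is found."""
        obj = self
        while obj.role_assignments is None and obj.parent is not None:
            obj = obj.parent
        return obj

    def break_inheritance(self) -> None:
        """Editing permissions copies the inherited assignments onto this object;
        later changes on the parent no longer reach it."""
        if self.role_assignments is None:
            self.role_assignments = dict(self.permission_source().role_assignments or {})


def effective_permissions(policies: dict, obj: SecurableObject, principals) -> frozenset:
    """policies: principal -> policy name for the Web application.
    principals: the user plus every group (SharePoint or provider) the user is in."""
    applied = {policies[p] for p in principals if p in policies}
    assert applied <= POLICY_NAMES, "unknown policy name"
    if "Deny All" in applied:                 # assumed: deny policies win over everything
        return frozenset()
    granted = set()
    if "Full Control" in applied:             # grant policies apply to every object
        granted |= LEVELS["Full Control"]
    if "Full Read" in applied:
        granted |= LEVELS["Read"]
    assignments = obj.permission_source().role_assignments or {}
    for p in principals:                      # object permissions, inherited or unique
        if p in assignments:
            granted |= LEVELS[assignments[p]]
    if "Deny Write" in applied:               # strips write permissions however granted
        granted -= WRITE_PERMS
    return frozenset(granted)


def build_example():
    """Constructed hierarchy and policies used by the checks below."""
    root = SecurableObject("http://intranet.contoso.com",
                           role_assignments={"CONTOSO\\Employees": "Contribute",
                                             "Site Owners": "Full Control"})
    projects = SecurableObject("Projects", parent=root)          # inherits from root
    specs = SecurableObject("Projects/Specs", parent=projects)
    specs.break_inheritance()                                     # snapshot of inherited permissions
    budgets = SecurableObject("Projects/Budgets", parent=projects,
                              role_assignments={"Budget Team": "Read"})  # unique; Employees dropped
    policies = {"CONTOSO\\Auditors": "Full Read",
                "CONTOSO\\Contractors": "Deny Write",
                "CONTOSO\\Former Staff": "Deny All"}
    return root, projects, specs, budgets, policies


if __name__ == "__main__":
    root, projects, specs, budgets, policies = build_example()
    alice = ["CONTOSO\\alice", "CONTOSO\\Employees"]
    print("alice on Projects:", sorted(effective_permissions(policies, projects, alice)))
    print("alice on Budgets:", sorted(effective_permissions(policies, budgets, alice)))
    del root.role_assignments["CONTOSO\\Employees"]               # revoke at the top-level site
    print("alice on Projects after revoke:", sorted(effective_permissions(policies, projects, alice)))
    print("alice on Specs after revoke:", sorted(effective_permissions(policies, specs, alice)))
```

The last two lines of the usage show the audit point from the securable-objects section: revoking Employees at the top-level site removes their access to the inheriting Projects site but not to the Specs library, whose copied permissions still grant Contribute.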

Security Control Summary

·         Authentication provider: Configured for the Web application in SharePoint Central Administration.

·         Authentication timeout for forms-based authentication: By default, 30 minutes. Configured for the Web application in Web.config by adding or modifying the timeout attribute on the forms element.

·         Authentication for a site: Configured by adding the user or a group to which the user belongs to the site collection in People and Groups.

·         Anonymous authentication: Enabled for the Web application in its authentication provider configuration. Then enabled for the site (none, entire site, or lists and libraries) and then further restricted or enabled per list or library.

·         Access to securable objects: Configured for the securable object (site, list, library, item, or document). By default, inherited from parent object. Permission levels assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups.

·         Permission levels: Defined in the site’s Permissions settings. By default, inherited from the parent site.

·         Permissions: Enabled for the Web application in SharePoint Central Administration.

·         Security policies: Configured for the Web application in SharePoint Central Administration.

The table below lists, for each control, the Windows SharePoint Services component it is configured for, the location for configuration, and notes.

Control: Authentication provider
Configured for: Web application
Location: SharePoint Central Administration: Application Management: Authentication providers: Edit Authentication
Notes: Windows, forms-based, or Web single sign-on (SSO) is available.

Control: Authentication timeout for forms-based authentication
Configured for: Web application
Location: Web application’s Web.config file: the timeout attribute of the forms element
Notes: Configures the lifetime of the authentication cookie. Authentication times out at this interval or when the user closes the browser.

Control: Authentication for a site
Configured for: Site collection
Location: People and Groups: All People, or People and Groups: All Groups
Notes: Add a user, or a group to which the user belongs, to the site collection.

Control: Anonymous access
Configured for: Web application
Location: SharePoint Central Administration: Application Management: Authentication Providers: Edit Authentication
Notes: Anonymous access to any object within the Web application is not possible unless it is enabled for the Web application.

Control: Anonymous access
Configured for: Site
Location: Site Settings: Permissions
Notes: At the site level, anonymous access can be:
·         Blocked
·         Enabled for the entire site
·         Enabled for specific lists and libraries

Control: Anonymous access
Configured for: List or library
Location: List Settings: Permissions for this list
Notes: A list or library can allow anonymous users to add, edit, view, and/or delete items.

Control: Access to securable objects
Configured for: Object (site, list, library, item, or document)
Location: Permissions
Notes: By default, permissions are inherited from the parent object. Permission levels are assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups.

Control: Permission levels
Configured for: Site
Location: Site Settings: Permissions
Notes: By default, permission levels such as Full Control, Contribute, Read, and Limited Access are inherited from the parent site.

Control: Permissions
Configured for: Web application
Location: SharePoint Central Administration: Application Management: User permissions for Web application
Notes: Permissions supported by Windows SharePoint Services 3.0 can be enabled or disabled for a Web application. Only enabled permissions can be used to build permission levels for a site.

Control: Security policies
Configured for: Web application
Location: SharePoint Central Administration: Application Management: Policy for Web application
Notes: Security policies grant or deny access to users or groups. Policies override the permissions on securable objects.

Posted 2009-09-09 13:41 by 莫贝特 (MBetter)