Document Control
Version Date Author Notes
Access Control
Access control for SharePoint as an enterprise solution is based on supporting Active Directory technology. This integration, based on industry best practices, facilitates centralized management and enforces specific separation of duties among technical staff.
Access Control Standards
1. All SharePoint permissions will be granted via Active Directory security groups.
2. All SharePoint AD groups will be contained within AD in a common Organizational Unit (OU) named SharePoint.
3. AD security groups for SharePoint will use a specific naming convention:
   a. All SharePoint security groups will begin with ‘SP’
   b. All website SP security groups will begin with ‘SPweb’
   c. All Intranet SP security groups will begin with ‘SPIntranet’
   d. Department‐level and team sites will include at least two groups for contributors and administrators.
      i. SPIntranetDeptContribute_department‐or‐SPsite
      ii. SPIntranetDeptAdmin_department‐or‐SPsite
4. The DOMAIN USERS AD group will be used as a default for Read Only access to specific sites including the root of the Cabarrus County Intranet (http://intranet.cabarruscounty.us).
5. Sub‐sites will inherit security settings from parent sites by default.
   b. Sub‐Sites will use unique permission sets when:
      i. Contributor level permissions are assigned to specific end users. For example, each department site on the Intranet will be managed by departmental users and therefore one security group cannot be used for contribute permissions; rather, individual departmental security groups will be created and assigned as unique permissions to each department sub‐site.
      ii. Content should be secured based on legal statute. For example, specific reports within the Intranet data center contain private information which should be secured based on State and Federal guidelines. The permissions on these reports will be configured unique to the parent document library.
6. SharePoint Permission levels will be assigned to AD groups rather than utilizing the default SharePoint Groups created during site creation.
SharePoint Permission Levels
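One way to audit standards 2 and 3 of the Access Control Standards list (the SharePoint OU and the SP naming convention), as an added example that is not part of the county's document. The function names, the sample groups and the DC=example,DC=local domain are assumptions, as is treating the prefixes as case-sensitive.

```powershell
# Added example (not from the policy): audit AD group names against standards 2 and 3.
# Input objects need Name and DistinguishedName, the properties Get-ADGroup returns.
function New-Finding($Name, $Rule, $Detail) {
    [pscustomobject]@{ Group = $Name; Rule = $Rule; Detail = $Detail }
}

function Test-SPGroupStandard {
    param([Parameter(Mandatory)][object[]]$Group)

    $deptSites = @{}   # site suffix -> roles seen (Contribute / Admin)
    foreach ($g in $Group) {
        # Standard 2: the group must sit in an OU named SharePoint (full RDN match).
        $inOu  = $g.DistinguishedName -match '(^|,)OU=SharePoint(,|$)'
        # Standard 3a: assumption, the 'SP' prefix is compared case-sensitively.
        $hasSp = $g.Name -cmatch '^SP'

        if ($inOu -and -not $hasSp) {
            New-Finding $g.Name '3a' "In the SharePoint OU but name does not begin with 'SP'"
        }
        if ($hasSp -and -not $inOu) {
            New-Finding $g.Name '2' 'SP-prefixed group is outside the SharePoint OU'
        }
        # Standards 3b/3c: website and Intranet groups carry a scope prefix.
        if ($inOu -and $hasSp -and $g.Name -cnotmatch '^SP(web|Intranet)') {
            New-Finding $g.Name '3b/3c' "Neither 'SPweb' nor 'SPIntranet'; confirm the scope"
        }
        # Standard 3d: record which role groups exist for each department or team site.
        if ($g.Name -cmatch '^SPIntranetDept(Contribute|Admin)_(.+)$') {
            $site = $Matches[2]
            if (-not $deptSites.ContainsKey($site)) { $deptSites[$site] = @() }
            $deptSites[$site] += $Matches[1]
        }
    }
    foreach ($site in $deptSites.Keys) {
        foreach ($role in 'Contribute', 'Admin') {
            if ($deptSites[$site] -notcontains $role) {
                New-Finding "SPIntranetDept${role}_$site" '3d' 'Expected group is missing'
            }
        }
    }
}

# Constructed sample data; DC=example,DC=local is a placeholder domain.
$ou = 'OU=SharePoint,DC=example,DC=local'
$sample = 'SPwebEditors', 'SPIntranetDeptContribute_Finance', 'SPIntranetDeptAdmin_Finance',
          'SPIntranetDeptContribute_Parks', 'WebTeam' |
    ForEach-Object { [pscustomobject]@{ Name = $_; DistinguishedName = "CN=$_,$ou" } }
$sample += [pscustomobject]@{ Name = 'SPIntranetReaders'
    DistinguishedName = 'CN=SPIntranetReaders,OU=Groups,DC=example,DC=local' }
Test-SPGroupStandard -Group $sample | Format-Table -AutoSize
# Against a live domain: Test-SPGroupStandard -Group (Get-ADGroup -Filter *)
```

A group name that begins with SP outside the OU may belong to an unrelated product, so rule 2 findings are prompts for review rather than confirmed violations.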
In addition to standard SP2010 permission roles, Cabarrus County ITS developed customized roles to meet specific business needs. SP2010 creates default Permission Level groups based on the type of site. CabarrusCounty.us and Intranet.CabarrusCounty.us were developed as publishing sites within SP2010.

Default SP2010 Permission Levels for all Cabarrus County Sites (based on publishing template)

| Permission Level | Description | Permissions Included by Default |
| --- | --- | --- |
| | or document, without giving them access to the entire site. Cannot be customized or deleted. | |
| Read | View pages, list items and download documents. | Limited Access permissions, plus: View Items; Open Items; View Versions; Create Alerts; Use Self‐Service Site Creation; View Pages |
| Contribute | View, add, update, and delete items in the existing lists and document libraries. | Read permissions, plus: Add Items; Edit Items; Delete Items; Delete Versions; Browse Directories; Edit Personal User Information; Manage Personal Views; Add/Remove Personal Web Parts; Update Personal Web Parts |
| Design | View, add, update, delete, approve, and customize items or pages in the Web site. | Approve permissions, plus: Manage Lists; Add and Customize Pages; Apply Themes and Borders; Apply Style Sheets |
| Full Control | Allows full control of the scope. | All Permissions for specific Site |
| Restricted Read | View pages and documents. For publishing sites only. | View Items; Open Items; View Pages; Open |
| Approve | Edit and approve pages, list items, and documents. For publishing sites only. | Contribute permissions, plus: Override Checkout; Approve Items |
| Manage Hierarchy | Create sites; edit pages, list items, and documents. For Publishing sites only. | Design permissions minus the Approve Items, Apply Themes and Borders, and Apply Style Sheets permissions, plus: Manage permissions; View Web Analytics Data; Create Subsites; Manage Alerts; Enumerate Permissions; Manage Web Site |

The following list represents the current custom SP2010 permission levels.
CabarrusCounty.us Department Approvers Custom permission level for