Wednesday, October 17, 2007

Policy for Web Application

Learning from my own mistakes, I wanted to share the following bit about defining security policies for a web application using Central Admin. If you open Application Management, you see the following section:

Now there is a 'no-touchy' link and a 'yes, please touch me' link. The 'no-touchy' link is the 'User Permissions for Web Application' link: if you touch it and uncheck options like 'Manage Web Site', you will experience the strange behavior and errors described in my previous posts Self-Service Site Creation and permissions and Permissions and workflow.

Best practice is to leave that link alone and define your own 'user permissions for Web Application' using the 'yes, please touch me' link ;)

Once there, click on "Manage Permission Policy Levels" (on the left).

Click on "Add Permission Policy Level". You then see an overview of all the permissions (the same list as in the "User Permissions for Web Application" link), and you can grant or deny each permission according to your requirements.

So give it a proper name and description, check the permissions you want to give and click on OK. The next step is to add a group of users (in my case ALL the users) to that permission level. Click on "Add Users", then click Next. Here you can also apply the custom policy to a specific zone; for example, an Internet zone on the same web application can get different permissions than the Intranet zone.

Type in the Groupname (or just particular users), check your custom permission level and click on Finish et voila. You've assigned all the users to make use of your custom permission level. Thereby letting all the service accounts use their own permissions levels.



paulshaver said...

I like the article, but what does it really do. What is advantageous about it?

Anonymous said...

I believe the point is that these are policies for admin users/indexers external to the actual permissions defined per site collection etc. The policies define here essentially bypass the actual security on each site/list/item that an end user would see

Anonymous said...

Is there a way to create a farm-level policy? One that applies to all web applications by default?

Robin Meuré said...

Unfortunately, there is no farm-wide level permission policy setting.

Gordon Bone said...

Great article - thanks. This showed me exactly how to do what I needed (which was to allow our CIO to have read access to the entire web app, regardless of how permissions have been set on the zillions of sites we have). Thanks!

Herschel said...

Great post. I tried to use it to prevent all users from creating subsites, but unfortunately that blocks admins as well. I wish you could create a policy and add a few users to create subsites, but it doesn't appear you can have one policy trump another...

Anonymous said...

This saved me, thank you!
