Understanding Authorization in SharePoint 2013

In SharePoint 2013, you need an authorization process to control your user's access to SharePoint objects and content, such as websites, list items, folders and documents. Authorization is a method of granting user access to objects based on factors such as group membership, role assignment, or direct permissions. To grant access to an object, you can either grant permissions directly to the user, or add the user to a group and grant the group the permission required, or you can assign a role to the user and grant permissions to the role.

The scope of authorization
There will be scenarios in your SharePoint farm where you do not want all your SharePoint sites to be accessible by all of your users; this allows you to protect confidential information or sensitive departmental content. Some sites, such as a public-facing corporate website, will require access by all users. Other sites, such as an intranet portal, will need to be restricted to employees only.

You can grant permissions to users and groups on SharePoint 2013 sites and objects at the following levels:
  • Site
  • List or library
  • Folder
  • Item or document
Authorization security principals
Permissions control access to a site and its contents, but you assign permissions to security principals. A security principal is an object to which you can assign permissions and in SharePoint 2013 that means users and groups. If you add a user to a site, the user is the security principal; if you add a group to the site, the group is the security principal. The best way to control security and reduce the complexity of security maintenance in SharePoint 2013 is to maintain a relatively small number of security principals per scope.

This can be done by using security groups to grant access to large numbers of users. Groups will be discussed in more detail later in this lesson. Authorization in SharePoint 2013.

The following are examples of methods and features you can use to control access to resources in SharePoint 2013:
  • Objects can have permissions assigned directly to them.
  • Objects can inherit permissions from a parent object, such as a website, folder, or list.
  • Active Directory domain groups can be used to organize users into groups.
  • SharePoint groups can be used to organize your users and grant permissions to objects.
  • User permissions can be used to directly grant granular permissions to objects in a web application.
  • Permission levels that are collections of individual permissions can be used to grant several permissions at once.
  • Permission policies can be used to apply permission levels to objects in a web application.
  • Web application policies can be used to define broad permission policies on objects.
  • Anonymous access policies can be used to grant users the permission to view pages or to contribute anonymously to lists and surveys.