Simplify SharePoint Permissions with User Policies
A SharePoint web application can potentially contain thousands of site collections. Granting or denying uniform access to all of those site collections for a set of users can be difficult to apply and manage.
A User Policy allows a Farm Administrator to grant or deny access for a set of users to all site collections contained within a web application. Permissions applied using a User Policy cannot be overridden at the individual site collection, giving Farm Administrators the ability to supersede local permissions when necessary.
A User Policy can be used to grant permissions from four pre-defined permission sets:
- Full Control
- Full Read
- Deny Write
- Deny All
In this tip, I will demonstrate how to add a new User Policy to a web application.
Create a User Policy
User Policies for web applications are managed from SharePoint Central Administration, and require Farm Administration rights. To get started, open the Central Administration web site.
01. Click Manage web applications from the Application Management group.
02. Select a web application.
03. Click the User Policy button from the Web Applications tab on the Ribbon menu.
04. Click Add Users from the Policy for Web Application dialog. You can also choose to delete or edit an existing policy from this dialog.
05. Select a Zone. You can accept the default (All Zones), or click the drop-down menu to specify a specific zone for the policy.
06. Click the Next button.
07. Choose Users who will be added to the policy. Enter one or more user account names, group names, or email addresses. Click the Check button to ensure the accounts are valid, or select the Browse button to search for accounts.
08. Choose Permissions to grant selected users. Although the dialog allows you to select and apply more than one permission set, the permission sets should be treated as mutually exclusive options; it would not be logical to grant the same users Full Control and Deny All in the same policy.
09. Optionally, select whether the Account operates as System. If this option is selected, when the account accesses the web application, the account will be displayed as "System Account", and the user will not be added to the User Information List as a site member. This option is most appropriate when granting a policy to a service account that does not represent a real user. In order to operate as the System account, the account must be granted Full Control.
10. Click the Finish button.
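The same policy can be created and reviewed from the SharePoint Management Shell. The script below is an added example, not part of the original tip; it uses the SharePoint server object model (Get-SPWebApplication, SPWebApplication.Policies, SPPolicyRoleType) and assumes placeholder values for the web application URL and the two Active Directory group names, which you would replace with your own. It mirrors the dialog steps above (zone, users, permission set, finish) and ends with a listing of every policy on the web application, which is the check to run when auditing access, because a User Policy takes precedence over anything set inside a site collection.

```powershell
# Added example (not from the original tip): scripted equivalent of the
# Central Administration steps above, using the SharePoint server object model.
# The URL and group names are placeholders; replace them with your own values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://intranet.contoso.local"   # placeholder web application
$readerGroup = "CONTOSO\All Employees"           # placeholder AD group
$deniedGroup = "CONTOSO\Contractors"             # placeholder AD group

$webApp = Get-SPWebApplication $webAppUrl

# Step 5: the default "All Zones" choice corresponds to $webApp.Policies.
# A single zone would instead be
#   $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Default)
$policies = $webApp.Policies

# Step 8: the four pre-defined permission sets are exposed as special roles
# (FullControl, FullRead, DenyWrite, DenyAll).
$fullRead = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$denyAll  = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)

# Steps 7 and 8: grant Full Read to all employees (intranet publishing scenario).
# The indexer returns $null when no policy exists for that login name.
if (-not $policies[$readerGroup]) {
    $p = $policies.Add($readerGroup, "All Employees (Full Read)")
    $p.PolicyRoleBindings.Add($fullRead)
    # Step 9 would be: $p.IsSystemUser = $true  (only meaningful with Full Control,
    # and only for a service account, not a real user)
}

# Deny All for contractors: a deny policy overrides any grant made inside a
# site collection, so this is the reliable way to block a group farm-wide.
if (-not $policies[$deniedGroup]) {
    $p = $policies.Add($deniedGroup, "Contractors (Deny All)")
    $p.PolicyRoleBindings.Add($denyAll)
}

# Step 10: persist the change to the configuration database.
$webApp.Update()

# Verification and audit: list every policy and the permission sets bound to it.
# Review this output whenever access to the web application is audited, since
# nothing at the site-collection level can override these entries.
$webApp.Policies |
    Select-Object UserName, DisplayName, IsSystemUser,
        @{ Name = "Roles"; Expression = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } } |
    Format-Table -AutoSize
```

Run the script as a Farm Administrator on a SharePoint server. The existence checks keep the script idempotent, so it can be rerun safely; the final listing should show the default Search crawl account policy alongside the two policies just added.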
A User Policy on a Web Application is a convenient and powerful way to ensure consistent security permissions across a set of site collections. Some common scenarios for User Policies include:
- Granting the Search crawl account Full Read to allow indexing of SharePoint sites. This is an example of a default User Policy that is automatically created by the Search service application.
- Granting all employees Full Read to the corporate Intranet and supporting corporate publishing sites.
- Granting Farm Administrators Full Control to support centralized administration tasks.
- Granting Deny All to sub-contractors or part-time workers that should not access a web application.
Next Steps
- Review the default User Policies on an existing SharePoint web application.
- Create a new User Policy to grant or restrict access to a user or group for a web application.
Article Last Updated: 2011-06-30