Simplify SharePoint Permissions with User Policies



A SharePoint web application can potentially contain thousands of site collections. Granting or denying uniform access to all of those site collections for a set of users can be difficult to apply and manage.


A User Policy allows a Farm Administrator to grant or deny access for a set of users to all site collections contained within a web application. Permissions applied using a User Policy cannot be overridden at the individual site collection level, giving Farm Administrators the ability to supersede local permissions when necessary.

A User Policy can be used to grant permissions from four (4) pre-defined permission sets:

  • Full Control
  • Full Read
  • Deny Write
  • Deny All

In this tip, I will demonstrate how to add a new User Policy to a web application.

Create a User Policy

User Policies for web applications are managed from SharePoint Central Administration, and require Farm Administration rights. To get started, open the Central Administration web site.

01. Click Manage web applications from the Application Management group.

Select Web Applications

02. Select a web application.

03. Click the User Policy button from the Web Applications tab on the Ribbon menu.

User Policy

04. Click Add Users from the Policy for Web Application dialog. You can also choose to delete or edit an existing policy from this dialog.

Add Users to a New Policy

05. Select a Zone. You can accept the default (All Zones), or click the drop-down menu to choose a specific zone for the policy.

06. Click the Next button.

Select User Policy Zone

07. Choose Users who will be added to the policy. Enter one or more user account names, group names, or email addresses. Click the Check button to ensure the accounts are valid, or select the Browse button to search for accounts.

08. Choose Permissions to grant selected users. Although the dialog lets you select and apply more than one permission set, permission sets should be viewed as exclusive options. It would not be logical to grant the same users Full Control and Deny All in the same policy.

09. Optionally, select whether the Account operates as System. If this option is selected, when the account accesses the web application, the account will be displayed as "System Account", and the user will not be added to the User Information List as a site member. This option is most appropriate when granting a policy to a service account that does not represent a real user. In order to operate as the System account, the account must be granted Full Control.

10. Click the Finish button.

Edit Policy Details
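
The same steps can be scripted from the SharePoint Management Shell. The PowerShell below is an added example, not part of the original tip: the function name Add-WebAppUserPolicy, the sample URL and the sample account are assumptions. It applies exactly one permission set per policy (step 08), refuses "operates as System" without Full Control (step 09), and returns the resulting policy list for review.

```powershell
# Added example; run in the SharePoint Management Shell as a Farm Administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-WebAppUserPolicy {    # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,
        [Parameter(Mandatory=$true)][string]$Account,      # DOMAIN\name form
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [Parameter(Mandatory=$true)]
        [ValidateSet('FullControl','FullRead','DenyWrite','DenyAll')]
        [string]$Role,                                     # one set only (step 08)
        [ValidateSet('Default','Intranet','Internet','Custom','Extranet')]
        [string]$Zone,                                     # omit for All Zones (step 05)
        [switch]$OperatesAsSystem                          # step 09
    )
    # Step 09: operating as System requires the Full Control permission set.
    if ($OperatesAsSystem -and $Role -ne 'FullControl') {
        throw 'Operates as System requires the Full Control permission set.'
    }
    $webApp = Get-SPWebApplication -Identity $WebAppUrl -ErrorAction Stop

    # Claims-mode web applications store policy users in claims-encoded form.
    if ($webApp.UseClaimsAuthentication) {
        $Account = (New-SPClaimsPrincipal -Identity $Account `
            -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    # All Zones uses the Policies collection; a single zone uses ZonePolicies.
    $policies = if ($Zone) {
        $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]$Zone)
    } else { $webApp.Policies }

    $policy   = $policies.Add($Account, $DisplayName)
    $roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role
    $policy.PolicyRoleBindings.Add($webApp.PolicyRoles.GetSpecialRole($roleType))
    $policy.IsSystemUser = [bool]$OperatesAsSystem
    $webApp.Update()

    # Return the resulting policy list so the change can be reviewed.
    $policies | Select-Object UserName, DisplayName, IsSystemUser,
        @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', ' } }
}

# Constructed sample values: grant a service account Full Read on all zones.
Add-WebAppUserPolicy -WebAppUrl 'http://intranet.contoso.example' `
    -Account 'CONTOSO\svc-crawl' -DisplayName 'Search crawl account' -Role FullRead
```

Because a User Policy cannot be overridden at the site collection level, the returned list is worth checking after every change, particularly for entries with Full Control or IsSystemUser set.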


A User Policy on a Web Application is a convenient and powerful way to ensure consistent security permissions across a set of site collections. Some common scenarios for User Policies include:

  • Granting the Search crawl account Full Read to allow indexing of SharePoint sites. This is an example of a default User Policy that is automatically created by the Search service application.
  • Granting all employees Full Read to the corporate Intranet and supporting corporate publishing sites.
  • Granting Farm Administrators Full Control to support centralized administration tasks.
  • Granting Deny All to sub-contractors or part-time workers that should not access a web application.

About the author
Chris Beckett is a Business Solutions Architect, Mentor and Trainer with 20 years of experience.

This author pledges the content of this article is based on professional experience and not AI generated.
