Configuring Portal Site Security

Important  The portal site includes potentially sensitive information such as account names and organizational information. To protect this data against intrusion and detection on the network, see Security Planning.

The following are the recommended steps for configuring security on the portal site:

1. Create Windows groups   Create Microsoft Windows groups for users who will have the same set of rights. For example, you might create a group for all writers with one set of rights, and a group for the marketing department with another set of rights.
2. Assign groups to site groups   Assign each of these groups to one of the six default Microsoft SharePoint Portal Server site groups:
   • Reader   Has rights to view items and use search on the portal site.
   • Member   Has Reader rights, plus rights to add items, personalize Web Parts, use alerts, and create personal sites.
   • Contributor   Has Member rights, plus rights to add and edit items, manage list permissions, manage personal groups and views, and personalize Web Parts Pages. Contributors cannot create new lists or document libraries, but they can add content to existing lists and document libraries.
   • Web Designer   Has Contributor rights, plus rights to cancel check-out, delete items, manage lists, add and customize pages, define and apply themes and borders, and link style sheets. Web Designers can modify the structure of the site and create new lists or document libraries.
   • Administrator   Has all rights from other site groups, plus rights to manage site groups and view usage analysis data. The Administrator site group cannot be customized or deleted, and there must always be at least one member of the Administrator site group. Members of the Administrator site group always have access to, or can grant themselves access to, any item in the Web site.
   • Content Manager   Has rights to manage all settings or content in an area. A Content Manager can approve and reject submission requests, move content to the archive, and change security.
   Adding groups to a site group rather than adding individual users is a more flexible way of configuring security — as group membership changes, this will automatically be reflected in the site group membership. For more information, see Related Topics.
3. Edit the rights on site groups   Go to the site group management pages to ensure that the rights assigned to the default site groups are the rights that you want to assign to these respective groups. To go to these pages, do the following:
   1. On the Site Settings page, in the General Settings section, click Manage security and additional settings.
   2. On the Manage Security and Additional Settings page, in the Users and Permissions section, click Manage site groups.
   3. On the Manage Site Groups page, click the site group name for which you want to manage rights.
   4. On the Members of "site_group_name" page, click Edit Site Group Permissions.
   5. On the Change Site Group Rights page, edit the rights for the site group, and then click OK.
4. Customize security for areas   You can customize security for each area. Administrators are advised to add groups to site groups before customizing area security to avoid a potentially inconsistent security policy. Setting security on a parent area will cause these settings to be applied to all of its subareas. If you customize the security on a subarea, you will break inheritance. The subarea will no longer inherit changes made to the parent area.

   To grant full control on an area, including the ability to customize Web Parts and Web Part Pages, ensure that the user is also a member of the site-wide Contributor site group.

   To go to the Manage Security Settings page for an area, click Manage Security.

5. Prevent Members from creating a personal site   By default, members of the Member site group are given the right to create a personal site (My Site). All site groups except Reader can create personal sites. If you want to revoke this right, copy the rights from the Reader site group and create a site group with those permissions (View Area, View Pages, and Search). Assign groups or individual users to this new site group to prevent them from creating a personal site.

   For information about creating a site group, see Creating a Site Group.

Related Topics

Granting Access to the Portal Site

Editing Rights for a Site Group