Web applications can also have custom permission policies. These are essentially permission
levels created to be applied at the web application level and affect all site collections contained
therein. We applied a permission policy in the “User Policies” section, giving Saffron the Full
Control policy to access all site collections in the web application with Full Control permissions.
Keep in mind that a permission policy (or permission level for site collections) is a combination
of individual permissions, such as View, Delete, and Edit Items. Permission policies differ
from permission levels in that they can explicitly allow or deny a permission,
and two default policies come premade.
Going back to Central Administration, navigate to the Manage Web Applications page again
(under Application Management). Select the SharePoint-8080 web application, and click the
Permission Policy button in the ribbon to display the window shown in Figure 10.66.
Here you can manage permission policy levels—by adding, editing, and deleting them. Let’s
take a closer look at the Full Control policy level. Click the name of the policy to edit it.
This opens the Edit Permission Policy Level window (see Figure 10.67), which is an actual
browser window (basically using the old interface from WSS 3.0), not a form box. Editing a
permission policy level gives you a couple of options.
Web Application: This section cannot be changed; it’s just here to remind you of what web
application is being edited (and is left over from the WSS 3.0 interface).
Name and Description: Here you can edit the name and description for the policy level.
Site Collection Permissions: You can have the permission policy level grant either Site
Collection Administrator rights or Site Collection Auditor rights. As you know, site
collection administrators have complete control over the site collection. Site auditors have full Read
access to the entire site collection. So, these grant one or both of the settings to the permission
policy level, granting that permission to every site collection in the web application.
Permissions: Figure 10.67 shows this page, where you can set the individual permissions for
this policy level. Unlike customizing permission levels, when you set up a permission policy
level, you also have the option to explicitly deny a permission—so even if a site collection
administrator grants the user that permission explicitly, it’s still blocked by the permission
For example, you can explicitly deny the Create Alerts permission for a particular user or
group. So even if a site collection administrator grants them the Create Alerts permission,
they will still be unable to create alerts. Make sure you document any changes made to the
policies, particularly when you deny a permission, to aid future troubleshooting.
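
One way to produce that documentation, as an added example that is not from the original text: a SharePoint Management Shell script that records each permission policy level of the SharePoint-8080 web application, with its grant mask, deny mask and site collection flags, and lists which accounts each level is bound to. It assumes it runs on a farm server under a farm administrator account; the CSV file names are arbitrary.

```powershell
# Added example: snapshot the permission policy levels and user policies of one
# web application so that explicit denies are on record for troubleshooting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppName = 'SharePoint-8080'   # web application used in the text
$webApp = Get-SPWebApplication | Where-Object { $_.DisplayName -eq $webAppName }
if (-not $webApp) { throw "Web application '$webAppName' not found." }

$none = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

# Policy levels: what each one grants, what it explicitly denies, and whether it
# carries Site Collection Administrator or Site Collection Auditor rights.
$levels = foreach ($role in $webApp.PolicyRoles) {
    New-Object PSObject -Property @{
        PolicyLevel = $role.Name
        SiteAdmin   = $role.IsSiteAdmin
        SiteAuditor = $role.IsSiteAuditor
        Grants      = $role.GrantRightsMask.ToString()
        Denies      = $role.DenyRightsMask.ToString()
        HasDeny     = ($role.DenyRightsMask -ne $none)
    }
}

# User policies: which account is bound to which policy level.
$bindings = foreach ($policy in $webApp.Policies) {
    foreach ($role in $policy.PolicyRoleBindings) {
        New-Object PSObject -Property @{
            UserName    = $policy.UserName
            DisplayName = $policy.DisplayName
            PolicyLevel = $role.Name
            HasDeny     = ($role.DenyRightsMask -ne $none)
        }
    }
}

# Timestamped files give a before/after record around each policy change.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$levels | Select-Object PolicyLevel, SiteAdmin, SiteAuditor, Grants, Denies, HasDeny |
    Export-Csv -Path ".\policy-levels-$stamp.csv" -NoTypeInformation
$bindings | Select-Object UserName, DisplayName, PolicyLevel, HasDeny |
    Export-Csv -Path ".\user-policies-$stamp.csv" -NoTypeInformation

# Accounts bound to a level with an explicit deny: a site collection
# administrator cannot override these by granting the permission.
$bindings | Where-Object { $_.HasDeny } |
    Format-Table UserName, PolicyLevel -AutoSize
```

Comparing the CSV files from two runs shows which policy level or binding changed when a user reports a permission that no longer works.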