to the web application overall is considered a “policy.” That means configuring anonymous
access, users, or their permissions for a web application are each a policy.
User policies are covered in more detail in Chapter 12.
Anonymous Policy
Because this is truly a security setting (it allows nonauthenticated users
to have access to content), it is reasonably applied by zone. You can apply an anonymous
access policy to all the zones of a web application or to just specific zones (each can have a
different policy if necessary).
Allowing anonymous access occurs in two parts: first at the web application, when
configuring its security information during creation (or when editing its
authentication provider), and second when enabling and configuring it at the site collection
level. Enabling anonymous access for the web application makes it possible to
configure the anonymous policy for that web application or its zones.
If you click the Anonymous Policy button, you’ll get an Anonymous Access Restrictions box
with two sections: Select The Zone (where you can choose all zones or a particular one if the
web application has them set up) and Permissions. The Permissions section contains three
settings: None (meaning there are no explicit restrictions for anonymous access), Deny Write
(restricts any anonymous user accessing any site in the web application from having write
permissions), and Deny All (restricts any user trying to access sites in the web application
anonymously, as a fail safe).
As mentioned earlier, allowing anonymous access to a web application’s contents (even if
you intend to allow it for only one of the site collections in the web application) takes at least
two steps. It’s first applied in the settings for the web application’s authentication providers
(or in the settings during web application creation). That will enable the Anonymous Policy
settings for the web application, in case you want to use a policy. If the Anonymous Policy
button is grayed out for a web application, it’s because anonymous access wasn’t enabled for that web
application. Once Allow Anonymous is enabled for the web application, it becomes available to
be allowed at the site collection level. Although anonymous access will be available to be
enabled for the site collections within the web application, it must be explicitly allowed at the
site collection level to be applied. So, the second step is allowing anonymous access to the site
collections. At the site collection level, you can enable anonymous access to either the whole
site or to selected lists or libraries. Therefore, if you just want to give anonymous access to a
particular list or library, the third possible step is to enable it at the particular list or library
rather than the whole site. To learn how to apply anonymous policy and how it affects access
at the site collection level (or even at the list level), see Chapter 10.
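The layering described above can be modeled as a small audit. This is an added example, not code from the book or from SharePoint: the class names, the "read"/"write" rights model, the scope labels and the zone names in the sample are assumptions made for illustration.

```python
from dataclasses import dataclass

# Choices in the Permissions section of the Anonymous Access Restrictions box.
NONE, DENY_WRITE, DENY_ALL = "None", "Deny Write", "Deny All"

@dataclass
class SiteCollection:
    url: str
    scope: str    # "nothing", "entire site" or "lists and libraries" (assumed labels)
    lists: dict   # list name -> rights the site grants anonymous users (assumed model)

@dataclass
class WebApplication:
    allow_anonymous: dict    # zone -> anonymous access enabled for the web application?
    anonymous_policy: dict   # zone -> NONE, DENY_WRITE or DENY_ALL
    sites: list

def effective_rights(webapp, zone, site, list_name):
    """Rights an anonymous request arriving through `zone` ends up with on one list."""
    # Step 1: anonymous access must be enabled for the web application.
    if not webapp.allow_anonymous.get(zone, False):
        return set()
    policy = webapp.anonymous_policy.get(zone, NONE)
    if policy == DENY_ALL:              # fail-safe: overrides anything granted below
        return set()
    # Step 2: it must also be explicitly allowed at the site collection.
    if site.scope == "nothing":
        return set()
    # Step 3: with "lists and libraries", only lists that opt in are exposed.
    rights = set(site.lists.get(list_name, ()))
    if site.scope == "entire site":
        rights.add("read")              # assumption: whole-site access implies read
    if policy == DENY_WRITE:
        rights.discard("write")
    return rights

def audit(webapp):
    """(zone, site, list) for every list that anonymous users can still write to."""
    return [(zone, site.url, name)
            for zone in webapp.allow_anonymous
            for site in webapp.sites
            for name in site.lists
            if "write" in effective_rights(webapp, zone, site, name)]

# Constructed sample configuration, not taken from a real farm.
PUBLIC = SiteCollection("/sites/public", "lists and libraries",
                        {"Feedback": {"read", "write"}, "Docs": {"read"}})
HR = SiteCollection("/sites/hr", "nothing", {"Payroll": {"read"}})
PORTAL = WebApplication({"Default": False, "Internet": True, "Extranet": True},
                        {"Internet": DENY_WRITE, "Extranet": NONE}, [PUBLIC, HR])
print(audit(PORTAL))
```

In the sample, the same Feedback list is read-only through the zone with Deny Write and writable through the zone whose policy is None, which is the case an audit of anonymous policy should surface.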
Permission Policy
Permission policies are basically permission levels, or combinations
of permissions, that are applied at the web application level. (For more about permissions,
see Chapter 12.) There are four default permission policies (or as they can also be known,
permission-level policies): Full Control (the kind site collection administrators have), Full Read
(the kind of permissions a site collection auditor would have, so they can read all pages,
items, and settings), Deny Write (explicitly refuses the user write permissions to site
collections in the web application, even if they are granted those permissions there), and Deny All (blocks the
user from being able to access site collections in the web application, even if they are added
as a user). This setting is also listed under General Security.