Introduction to managing SharePoint groups and users

A fundamental responsibility concerning site security is managing who can access resources on your site. Microsoft Office SharePoint Server 2007 enables you, as a site owner, to control what users or groups of users can access your SharePoint sites. This effectively transfers the task of managing users from the server administrator to site owners.

Office SharePoint Server 2007 uses Windows security groups and user accounts and Windows authentication mechanisms to manage and log users onto a site. As a site owner, you can either add Windows security groups and user accounts directly to your site or add them to SharePoint groups to manage user accounts at the top-level site or subsite level. Conversely, you can also remove Windows security groups and user accounts from your site and SharePoint groups.

Inside an organization, this typically means that site owners select Windows security groups and user accounts, typically from the organizations Windows domains, and add them to a SharePoint group or directly to the site. For example, SharePoint groups can contain Windows domain groups (such as domain name\Department_A, where domain name is the name of the Windows domain) or individual users with a user account on the local server or in a Windows domain (such as domain name\user name).

Note: A SharePoint administrator must first import Windows security groups and users accounts into the SharePoint server using SharePoint Central Administration. Windows security groups and users accounts will only be available in SharePoint if the import has been performed. For information about importing users into a SharePoint server, see Import user profiles.

Default SharePoint groups

The following SharePoint groups are provided by default with the installation of Office SharePoint Server 2007. You can customize the groups by adding and removing permission levels. You can also create new SharePoint groups with the permission levels that you want. For information about permissions levels, see Manage permission levels.

SharePoint group	Default permiss ion level
Site name Owners	Full Control
Designers	Design
Site name Members	Contribute
Site name Visitors	Read
Restricted Readers	Restricted Read
Approvers	Approve
Hierarchy Managers	Manage Hierarchy
Viewers	View Only
Style Resource Readers	Limited Access

Note: Your site may have different default SharePoint groups, depending on the template that was used to create the site and the features that are enabled.

Customizing SharePoint groups

To meet the needs of your organization, many options are available for customizing SharePoint groups. For example, you can:

• Create a new SharePoint group or customize an existing one to include only the permission levels you want (except for the Limited Access permission level). Note that you can also create custom permission levels which you can then assign to your SharePoint groups.

  If your organization has people who should all have the same permissions on one or more securable objects, you should consider creating a SharePoint group for them. For example, you could create a SharePoint group for leads called SharePoint Leads, and one for analysts called SharePoint Analysts, and so on.

  Anyone assigned a permission level that includes the Create Groups permission can create new SharePoint groups. Site collection administrators and site owners have this permission, by default.

• Delete an unneeded SharePoint group.

• Add Windows security groups and user accounts to your SharePoint groups.

• Remove Windows security groups and user accounts from your SharePoint groups.

Although you can, for example, assign the Design permission level to the Site name Members SharePoint group, it is more practical to create a new custom SharePoint group and assign the permission level you need to that new group. This way, you won't have SharePoint group names that imply a different permission level than they actually have.

Assigning users and groups

If the purpose of your site is for a logical grouping of users to share documents and information, you typically add a Windows security groups that contains the user accounts to an appropriate SharePoint group on your site. For example, you can add the Windows security groups that you want to allow to contribute to your site to the Site name Members SharePoint group. This way they can add documents and update lists. You can also add other Windows security groups to the Site name Visitors SharePoint group so that they can read documents and view lists, but not contribute to the site. You might also want help managing the site, so you can assign individual Windows user accounts to the Site name Owners SharePoint group.

In addition to adding Windows security groups and user accounts to SharePoint groups, you can also add them directly to your site. Users that you add directly to your site can be individually granted permission to a securable object on your site. Although this might work for a small number of users, individually assigning users to securable objects, and individually assigning a permission level to each user can quickly become difficult and time-consuming to manage. Therefore, we recommend that you use SharePoint groups when working with a large number of securable objects.