Paul Liebrand’s Weblog

Welcome to my blog mainly about SharePoint

SharePoint Security / Permission Levels

Paul Galvin recently posted an article on SharePoint Security Fundamentals and Avoiding Pitfalls. It’s a well-written post, and it is very informative for those who want to understand some key points about the security model in SharePoint.

I would like to point out some other issues I have come across specifically around the MOSS membership functions and the default groups created with sites.

When creating a new SharePoint site with unique permissions, you will be prompted to select members for three (3) groups: Visitors, Members, and Owners. They play an important role in your environment, especially if you are using Office 2007 and the “My SharePoint Sites” feature.

By default, these groups are created with the site name in front of their default name. For example, if I create a team site called ACME, the three (3) groups will be called ACME Visitors, ACME Members, and ACME Owners. If you rename these groups, the MOSS My SharePoint Sites Office 2007 client propagation functionality does not work.

It seems bad that the membership functions rely on the string values of a group name to function correctly, but unfortunately they do, so we have to deal with that fact.

Along those same lines, you should always avoid deleting the default permission levels that are created by SharePoint. You will run into this issue more if you are accessing SharePoint via the object model. Consider the following code:

using (SPSite site = new SPSite("http://sharepointsite"))
using (SPWeb web = site.OpenWeb())
{
    // Requires Microsoft.SharePoint. Looks up the built-in level by role type, not by name.
    SPRoleDefinition roleDef = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
}

If you delete the contributor permission level (even if you create a new one with the same name), the GetByType method will fail.

In my opinion you should not mess around with the default “stuff” that Microsoft provided when it comes to the security within SharePoint.
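The two pitfalls above can be checked for before they cause failures. The following console program is an added example, not code from the original post: it lists which built-in role types are missing from a web and whether the three associated groups still carry their default names. The class name, the set of role types checked, and the expected "<site title> Visitors/Members/Owners" naming are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

class DefaultSecurityAudit
{
    // Built-in permission levels that GetByType callers depend on (assumed set).
    static readonly SPRoleType[] ExpectedTypes =
    {
        SPRoleType.Reader, SPRoleType.Contributor,
        SPRoleType.WebDesigner, SPRoleType.Administrator
    };

    static void Main(string[] args)
    {
        // Placeholder URL from the post's snippet; pass the real site URL as args[0].
        string url = args.Length > 0 ? args[0] : "http://sharepointsite";
        using (SPSite site = new SPSite(url))
        using (SPWeb web = site.OpenWeb())
        {
            // Enumerate the role types that exist instead of letting GetByType fail.
            List<SPRoleType> present = new List<SPRoleType>();
            foreach (SPRoleDefinition def in web.RoleDefinitions)
                present.Add(def.Type);

            foreach (SPRoleType type in ExpectedTypes)
                if (!present.Contains(type))
                    Console.WriteLine("MISSING built-in permission level: " + type);

            // Assumption: groups were created as "<site title> Visitors/Members/Owners".
            CheckGroup(web.AssociatedVisitorGroup, web.Title + " Visitors");
            CheckGroup(web.AssociatedMemberGroup, web.Title + " Members");
            CheckGroup(web.AssociatedOwnerGroup, web.Title + " Owners");
        }
    }

    static void CheckGroup(SPGroup group, string expectedName)
    {
        if (group == null)
            Console.WriteLine("No associated group set; expected '" + expectedName + "'");
        else if (!string.Equals(group.Name, expectedName, StringComparison.Ordinal))
            Console.WriteLine("RENAMED group: '" + group.Name + "' (expected '" + expectedName + "')");
    }
}
```

A site whose title was changed after creation will also be reported by the group-name check, so treat those lines as items to review rather than confirmed problems.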

You can refer to some other posts I have made about the MOSS membership functionality and Office 2007 propagation:

Office 2007 and My SharePoint Sites
MOSS 2007 and User Memberships

Thank you for your time.


December 6, 2007 - Posted by | SharePoint


  1. I am new to SharePoint, and I was hired to create the corporate Intranet site using that program. Recently, I started setting up the groups and permissions. None of the default groups worked for me, so I deleted them all and created my own. No problem. This week, we started encountering problems all over the place. Glad this blog explained why and pointed me in the right direction!

    Comment by Angela Hohman | February 21, 2008 | Reply

  2. I agree– just shave yourselves the grief and avoid messing with the default “stuff”.

    However, what happens if you unintentionally deleted the contributor permission? 😦 Is there a way to “recover” it? I made a mistake in my code and instead of creating a copy of the contributor permission, it kept changing the original and when I finally realized my mistake it was too late–I’d already deleted it.

    any ideas?

    Comment by juliana | May 6, 2009 | Reply

  3. oops, I meant shave = save 😛

    Comment by juliana | May 6, 2009 | Reply
