Permissions for site collection administrators
This article is designed to give site collection administrators a sense of the context and hierarchy in which they are working, as well as an overview of their role in establishing and delegating site collection permissions settings.
One of the advantages of deploying SharePoint Server 2010 into an organization is that the product is designed to distribute the administrative tasks involved in setting up and maintaining information technologies to a variety of people throughout the organization.
As a result, information workers have more control over their working environment and can solve certain problems themselves, quickly, without going through Help Desk, and information technology professionals (IT pros) are freed up to address organization-wide issues.
Typical site collection administrator responsibilities
For you, as a site collection administrator, this means the following:
You might be expected to be the main point of contact between your part of the organization and your IT department.
You’ll need to work closely with people in certain roles in IT, such as your SharePoint farm administrator.
You’ll be performing some tasks that might previously have been referred to your organization’s IT team, such as deciding who has access to important intellectual property stored on your organization’s web sites (that is, setting site-collection level permissions), and deciding which features to make available to the people who will be using the sites in your site collection.
You’ll probably be providing some technical support for the people who use your site collection.
Administrative and user accounts
As a site collection administrator, it’s a good idea to understand where you are in the hierarchy of people who control SharePoint, which depends on what type of account you have. There are two types of accounts in SharePoint – administrative accounts and user accounts. Despite the name, site collection administrators actually have the highest-level user account (that is, you don’t actually have an administrative account).
Tip: The type of account you have is determined by what permissions you have. In SharePoint, permissions are assigned to groups. As a site collection administrator, you are a member of the site collection administrator group. For information, see About SharePoint groups or Default SharePoint groups. For information about working with the security and distribution groups that are included in Active Directory Domain Services, see Choose security groups.
People with administrative accounts install, configure, and deploy SharePoint tools and technologies on your organization’s server computers. They make decisions about how users will be authenticated, how Web application and content databases will be configured, and how many server computers your organization’s SharePoint installation will require.
There is one particular level of administrative account that it’s a good idea to know about, because you will need to work with people in this role and understand their goals and decisions about the overall SharePoint deployment in your organization: SharePoint farm administrators.
SharePoint farm administrators
SharePoint farm administrators control settings in the SharePoint Central Administration Web site – that is, settings that apply to all the site collections in your organization’s SharePoint deployment. They also create site collections and set the first layer of permissions for site collections.
These settings affect the types of decisions that you can make, as a site collection administrator. Here are the permissions decisions that farm administrators can make:
Enable or disable the anonymous access feature.
Specify which permission levels are available for you to choose from.
Specify which individual permissions are available within each permission level.
Choose how much of SharePoint Designer is available in the site collection.
Choose which users can manage service applications, such as the User Profile Service application, or Search. Each service application has its own customizable permission settings.
Add another user as a farm administrator.
Note: Farm administrators also make decisions about which features to support. For example, if you want to take advantage of the new Multilanguage User Interface feature, you’ll need your farm administrator to install the appropriate language packs that the feature will use.
Farm administrators have no access to site content by default; they must take ownership of site collections to view any content. They can do this by adding themselves as site collection administrators—but ideally, they’ll leave the content management side to you, so they can focus on the software.
User accounts are given to the people in the organization who will be working with SharePoint sites and content, but not interacting with the server computers and databases that underlie the SharePoint installation.
As a site collection administrator, you have a user account, not an administrative account, but you perform administrative functions for all the sites within your site collection. Most importantly, within the constraints of the permissions decisions that your farm administrator made, you establish the default permissions settings that all the sites, sub-sites, and content in your site collection will inherit.
Note: You can also choose to turn features on or off, audit all site content, and receive any administrative alerts (such as verifying whether a particular site is still being used). You are designated as the contact for the site collection, both for your IT Pro team and for any site owners or users of the site collection itself.
Generally, you’ll be designated the site collection administrator when the site collection is created, but you can add another site collection administrator, or change the site collection administrator through the Site Settings page if you have site collection administrator permissions.
Add or change a site collection administrator
At the top level of your site collection, click Site Actions and then Site Settings.
Under Users and Permissions, click Site Collection Administrators.
In the Site Collection Administrators field, type or browse to find the name of the person you want to designate a site collection administrator.
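The Site Collection Administrators list edited in these steps, which is also where a farm administrator would appear after taking ownership of a site collection, can be reviewed for every site collection from the server side. The following PowerShell script is an added example, not part of the original article; it assumes the SharePoint 2010 Management Shell and an account with shell access to the content databases, and the URLs, account names and approved list are constructed placeholders.

```powershell
# Added example: list every site collection administrator and flag unapproved ones.
# Assumes the SharePoint 2010 Management Shell on a farm server (PowerShell 2.0).
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Constructed allowlist: site collection URL -> approved administrator logins.
# Login names here use the classic Windows format; claims-based web applications
# report a prefixed login name, so adjust the entries to match your farm.
$approved = @{
    'http://intranet.example.com/sites/finance' = @('EXAMPLE\alice', 'EXAMPLE\bob')
    'http://intranet.example.com/sites/hr'      = @('EXAMPLE\carol')
}

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $url = $site.Url.TrimEnd('/')
        # A site collection that is missing from the allowlist has no approved admins.
        $expected = if ($approved.ContainsKey($url)) { $approved[$url] } else { @() }

        # RootWeb.SiteAdministrators is the same list shown on the
        # Site Settings > Site Collection Administrators page.
        foreach ($user in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{
                SiteCollection = $url
                LoginName      = $user.LoginName
                DisplayName    = $user.Name
                Approved       = ($expected -contains $user.LoginName)
            }
        }
    }
    finally {
        # SPSite holds unmanaged resources; disposing it also releases RootWeb.
        $site.Dispose()
    }
}

$report | Sort-Object SiteCollection, LoginName |
    Format-Table SiteCollection, LoginName, DisplayName, Approved -AutoSize

# Entries that need follow-up with the site collection's designated contact.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} site collection administrator entries are not on the approved list." -f $unexpected.Count)
}
```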
Download a chart of default groups and permission levels
When you set permissions for a new site collection, it can be very helpful to see all the default groups and permission levels that are available to you at a glance. By visiting Chart: Default Groups and Permission Levels, you can download a Microsoft Office Excel template that displays this information and print it on 11 x 17-size paper in portrait view.
Find information to help you talk to your farm administrator
When you need your farm administrator to take action to support your site collection’s business requirements, it’s a great idea to have a sense of the context in which they are working before you begin consulting with them. If you have the time to research this a little bit, the Microsoft TechNet site is a great place to visit.
TechNet: Plan security for sites and content in an enterprise. This section of TechNet delves deeply into all the issues that IT professionals have to consider when changing settings in Central Administration. If you know some of the vocabulary and limitations your IT Pro team is working with, you’ll probably find them much better able to get you what you need.
Control user access: Anatomy of SharePoint permissions. This article explains how SharePoint groups, permission levels, and permission inheritance work together to control access to SharePoint sites and content and is designed to give site collection administrators and site owners a map to a deeper understanding of how your choices will affect your site users, and why.
Support your site users with information about permissions
The permissions and user account hierarchies in SharePoint can be daunting for end users who are simply trying to edit their documents or share their blogs. Depending on how much interest and experience your end users have with SharePoint, you can point them to the following resources to help understand permissions in SharePoint:
Roadmap: Grant permissions for a site. This topic is designed for new site owners who might have created a site or inherited an existing site. You can direct them here to give them a high-level overview of the steps they need to take to grant permissions to team members or other users.
Governance 101: Best practices for creating and managing team sites. This article is designed to give team site owners an overview of the governance features that they can use in their SharePoint site, as well as why they might choose to investigate them.
Basics: What are permissions? This basic topic introduces the concept of permissions and explains in plain language how the user’s experience with SharePoint might be affected by them, for example, how the SharePoint user interface is trimmed according to the permission level of the user.