Sharepoint2013 Rights Management of the old King Strum II

A simple introduction to the SharePoint farm and the site of some basic permissions concept, but these are not enough, I will continue to give you the opportunity to explain in detail in today's article, we mainly talk about how to achieve, users can only browse documents in the SharePoint site , but cannot be downloaded.

before the real implementation, first to take a look at a site to set permissions in the process, to help you clear the idea, by default, we open the SharePoint site Settings 650) this.width=650; "src=" http:/ S3.51cto.com/wyfs02/m01/6e/9b/wkiom1wa46wwn8jtaawjtyqt19c705.jpg "style=" Float:none; "title=" 2015-06-17_105249. PNG "alt=" wkiom1wa46wwn8jtaawjtyqt19c705.jpg "/>

In SharePoint site Settings, you can see that the main settings for users and permissions are the following four items, where we focus primarily on people and groups, and on the site permissions settings

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/97/wKioL1WA5VTRIU2oAAY8ShIVgn4878.jpg "style=" float: none; "title=" 2015-06-17_105321.png "alt=" Wkiol1wa5vtriu2oaay8shivgn4878.jpg "/>

Open people and groups, managers can see a very simple view, there are ready-made SharePoint security groups, if you need to do site authorization, only need to create new--add users to it.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/9B/wKiom1WA46XByXGgAAlDTI9wDw0568.jpg "style=" float: none; "title=" 2015-06-17_105351.png "alt=" Wkiom1wa46xbyxggaaldti9wdw0568.jpg "/>

For example, we want to add a SharePoint site visitor, just in the new place, choose to add the user, this part, also can be understood as the place where the final permissions are set, in this place, the administrator can add users directly, you can add security groups within the ad to the site permissions, and then say a few more words, The SharePoint Default Web site also has its own security permissions, and can also use AD's account to authorize, in fact, the real Ultimate grant permissions, or an ad account, or a SharePoint local account, One difference between SharePoint security permissions and AD permissions is that if you create a security group in SharePoint, this SharePoint security group cannot be nested, and if you assign an ad security group to people and groups in the Add site, into a SharePoint security group, the AD security group actually supports nesting.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6E/9B/wKiom1WA5HDDkbKGAAZQj1rZ48E993.jpg "title=" 2015-06-17_110703.png "alt=" Wkiom1wa5hddkbkgaazqj1rz48e993.jpg "/>

Click others below the people and groups to see all the people and groups, the groups that SharePoint creates, the groups that are specially generated, for example, everyone, authenticate users, and quickly deploy users.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6E/97/wKioL1WA5VWTRS7RAAstmDJcySA187.jpg "style=" float: none; "title=" 2015-06-17_105406.png "alt=" Wkiol1wa5vwtrs7raastmdjcysa187.jpg "/>

After looking at people and groups, we went further and looked at the site permissions and can see that there are many more settings than people and groups, such as granting permissions, creating groups, anonymous access, permission levels, prosecutorial permissions, site collection administrators, where you can see that currently existing SharePoint security groups, And the permission level that SharePoint security groups belong to, we'll look at this permission level in more detail.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6E/9B/wKiom1WA46awH7c6AAijllsHT9A672.jpg "style=" float: none; "title=" 2015-06-17_105822.png "alt=" Wkiom1wa46awh7c6aaijllsht9a672.jpg "/>

Then, the so-called grant of permissions, is to add the Ad Security group or AD account here, you can see and before in the people and Group settings, in people and groups, administrators can only add people to the group, and in the site permissions, the administrator can add AD Security group or AD account to the specified permission level or To the specified SharePoint security group, it feels more comprehensive than the settings inside the people and groups.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/97/wKioL1WA5VXy5tH8AAgr39Auh_U345.jpg "style=" float: none; "title=" 2015-06-17_105846.png "alt=" Wkiol1wa5vxy5th8aagr39auh_u345.jpg "/>

After granting permissions, let's look at creating groups, entering a group name, and, like Exchange, SharePoint supports group Approval, but requires the SharePoint farm to configure outgoing mail to support this operation.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/9B/wKiom1WA46fDXVd_AAvmBB9F0nU162.jpg "style=" float: none; "title=" 2015-06-17_105929.png "alt=" Wkiom1wa46fdxvd_aavmbb9f0nu162.jpg "/>

The focus is below, when we create a group in the site permissions, we will be asked to select the SharePoint security group, the required level of permission, that is, the user group can ultimately perform the site permissions, for example, we choose to view only, then this security group will be added in the future, the people are only view-only permissions.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6E/97/wKioL1WA5VbiBSFhAArIqowpo_A702.jpg "style=" float: none; "title=" 2015-06-17_110003.png "alt=" Wkiol1wa5vbibsfhaariqowpo_a702.jpg "/>

As we imagined, a security group was created in the permissions of the site, back to people and groups to see this security group, which helped us to clear a mystery, many people say that SharePoint has its own permissions, can create their own accounts, create groups, but actually not, SharePoint can simply create a security group of SharePoint itself, with a layer on top of an ad account or a local account.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6E/9B/wKiom1WA46fS9TCEAAivN0ViZf8629.jpg "style=" float: none; "title=" 2015-06-17_110036.png "alt=" Wkiom1wa46fs9tceaaivn0vizf8629.jpg "/>

After adding the group, we go back to the site settings, look to the right, each SharePoint security group corresponds to a permission level, then you have not wondered why this is the permission level, this level of permission corresponds to whether the site can execute those permissions, permission level can be set itself, The answer must be yes.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/97/wKioL1WA5VezUs-fAAh_0P0F3tM002.jpg "style=" float: none; "title=" 2015-06-17_110126.png "alt=" Wkiol1wa5vezus-faah_0p0f3tm002.jpg "/>

Select a permission level above

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6E/9B/wKiom1WA46jzGfknAACidCQhf2s767.jpg "style=" float: none; "title=" 2015-06-17_110148.png "alt=" Wkiom1wa46jzgfknaacidcqhf2s767.jpg "/>

You can see the permission levels that SharePoint defaults to, which are often applied directly to AD security groups or ad users, or to SharePoint security groups.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6E/97/wKioL1WA5Vegpmp6AAcc8IbIwdE981.jpg "style=" float: none; "title=" 2015-06-17_110210.png "alt=" Wkiol1wa5vegpmp6aacc8ibiwde981.jpg "/>

We click on a view-only permission level, we can see that only the permission level can be performed under the Site permissions, list permissions, as well as personal permissions, the so-called permission level, is to define the end of the user can actually perform those actions under the specific Action project

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6E/97/wKioL1WA5Vii7fxMAAqyoOi0CXY481.jpg "style=" float: none; "title=" 2015-06-17_110227.png "alt=" Wkiol1wa5vii7fxmaaqyooi0cxy481.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6E/9B/wKiom1WA46nzzuHnAA0arBzhom8765.jpg "style=" float: none; "title=" 2015-06-17_110250.png "alt=" Wkiom1wa46nzzuhnaa0arbzhom8765.jpg "/>

Speaking of which, people probably understand it? In fact, in a SharePoint site, the process of granting permissions behind the scenes is like this

From the back forward: first define the permission level, define the user can end up in the site, list, individual, perform those actions, after defining the permission level, in the site permissions to create groups, such as IT department, IT department to apply which permission level. After you have created a group, go to people and groups, add AD security groups or ad users to SharePoint security groups, or do not pass people and groups directly to the site permissions, grant permissions, apply ad security groups or ad users to permission levels, or SharePoint security groups.

From forward to say: Managers in people and groups, add AD security groups or ad users, actually added ad users to apply the permissions of SharePoint security groups, and this security group can execute those permissions, is in the site permissions by creating groups to define the selection, Each permission is specific to those actions that are created by the permission level.

Through the above explanation, I hope you can have a basic concept of the authorization of the SharePoint site, we will explain how to realize the user can read the website through the website permission, can browse the document in the browser, but cannot download.

If you read the https://technet.microsoft.com/zh-cn/library/cc721640.aspx this link inside the document, it is not difficult to see, in the list of permissions there is an item called Open item, if this item is checked, That is, the permission level for this permission, you can open the document in the Web site through office, and download the file.

So if you do not want the user to download the document, it is necessary to let the user's permission level, cannot include the open item, in the SharePoint site collection, by default, only view this permission level, is unable to open the project, so if you want users to browse the site, but do not want users can download the document, The simplest way, directly to give the user permission to view only, I am here directly in the site permissions to operate

Open Site Settings-site permissions-Select Grant Permissions

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9B/wKioL1WBEG3RcSDZAAmSUPPZXXU754.jpg "title=" 2015-06-17_140353.png "alt=" Wkiol1wbeg3rcsdzaamsuppzxxu754.jpg "/>

To add a test account SP2013 to view only permission levels, note that a best practice is to recommend that you give SharePoint security group permissions for AD security groups. Or give permissions directly to AD security groups.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9B/wKioL1WBEIOCU_S1AAf05C6jC2M457.jpg "title=" 2015-06-17_140428.png "alt=" Wkiol1wbeiocu_s1aaf05c6jc2m457.jpg "/>

After granting permission, I don't have to log in SP2013 account, I log in with another account with Read permission level

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9F/wKiom1WBD7uT9ddLAAp2bJjFrXM034.jpg "title=" 2015-06-17_141111.png "alt=" Wkiom1wbd7ut9ddlaap2bjjfrxm034.jpg "/>

Although this account is a Read permission level, you can see that the user is actually able to download a copy of the document

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9F/wKiom1WBD_Pgmz8JAAShfrlkayQ012.jpg "title=" 2015-06-17_141131.png "alt=" Wkiom1wbd_pgmz8jaashfrlkayq012.jpg "/>

Can be seen in the OWA interface can also be downloaded by

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9B/wKioL1WBEZfTsF0TAAWmj85wJkA879.jpg "title=" 2015-06-17_141157.png "alt=" Wkiol1wbezftsf0taawmj85wjka879.jpg "/>

You can see in the Administrator connection to the site settings that although the read execution is low, the document can still be downloaded because Read permissions have permission levels to open the project

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9F/wKiom1WBE0yTccsLAAy3SfwY-SQ014.jpg "title=" 2015-06-17_142631.png "alt=" Wkiom1wbe0ytccslaay3sfwy-sq014.jpg "/>

Below we switch to the permission level for view-only users, you can see that the download copy cannot be performed

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9B/wKioL1WBFojQDi_CAAsIJVCXuKo530.jpg "title=" 2015-06-17_143108.png "alt=" Wkiol1wbfojqdi_caasijvcxuko530.jpg "/>

If you switch to the contents of the document library again, you cannot download the copy

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6E/9B/wKioL1WBFrrzWK-XAAkKHtPrRno865.jpg "title=" 2015-06-17_143131.png "alt=" Wkiol1wbfrrzwk-xaakkhtprrno865.jpg "/>

The user can preview the document again in the OWA interface, but it is also not possible to save in the OWA interface as

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9B/wKioL1WBFtvSVCV-AAWkXNjng4g149.jpg "title=" 2015-06-17_143156.png "alt=" Wkiol1wbftvsvcv-aawkxnjng4g149.jpg "/>

Everyone think this looks good, do not need to use adrms, is to achieve such a good function, in fact, there are many good SharePoint inside the built-in features, but we seldom go to careful study, like this problem, but is to choose a suitable permission level of the problem, but the words back, As we do, there are advantages and disadvantages, the advantage is that we achieve the demand, but there is an unsafe place, is the only view of the user, in fact, can see the content of the site, in the site content interface, usually including the developer to write the page, as well as all the content of the site, This content is not needed for some basic users to see.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6E/9B/wKioL1WBF9mzmSzUAAmzMNO_AoU490.jpg "title=" 2015-06-17_143222.png "alt=" Wkiol1wbf9mzmszuaamzmno_aou490.jpg "/>

Once you've opened the site, you'll see the interface

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6E/9B/wKioL1WBF_-CNrTiAArHK3QrGqs719.jpg "title=" 2015-06-17_143321.png "alt=" Wkiol1wbf_-cnrtiaarhk3qrgqs719.jpg "/>

So, if you only view users, not the advanced users, they are just basic users, view documents, work together, then this page you do not need to let them see.

How to do it, at this time, we should not use only to view this permission level, should go to use restricted Read this permission level, restricted Read permission is lower than the level of permission to view only.

Open Site Settings-site permissions-permission levels

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9C/wKioL1WBHCKgXzDiAAkoGgaQ2j4938.jpg "title=" 2015-06-17_144219.png "alt=" Wkiol1wbhckgxzdiaakoggaq2j4938.jpg "/>

Open the restricted Read permission level, and you can see that the restricted Read permission level is low, but you can still open the project.

So we're going to get rid of the open project.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/A0/wKiom1WBGojx4C_IAA1FJlNkaVc946.jpg "title=" 2015-06-17_144245.png "alt=" Wkiom1wbgojx4c_iaa1fjlnkavc946.jpg "/>

You can choose to create a new permission level for yourself, or you can choose to copy the existing permission level to modify it, here I choose to copy and modify

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9C/wKioL1WBHIfiCL40AAzRiZk3myA207.jpg "title=" 2015-06-17_144557.png "alt=" Wkiol1wbhificl40aazrizk3mya207.jpg "/>

After the copy is done, rename the temporary personnel permission, cancel opening the project, and finally ensure that the temporary personnel permission level only has the view item, open the webpage, view the Page three permission actions

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6E/9C/wKioL1WBHb6TivYpAAyZ1sA5UKA757.jpg "title=" 2015-06-17_144646.png "alt=" Wkiol1wbhb6tivypaayz1sa5uka757.jpg "/>

After confirming the error, this option is submitted

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9C/wKioL1WBHfnw3o0PAA2dwlJ4-74220.jpg "title=" 2015-06-17_144824.png "alt=" Wkiol1wbhfnw3o0paa2dwlj4-74220.jpg "/>

Once the submission is complete, you can see the permission level we created

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/A0/wKiom1WBHC7huiNXAAiPdvIoiAM577.jpg "title=" 2015-06-17_144843.png "alt=" Wkiom1wbhc7huinxaaipdvioiam577.jpg "/>

After creating the completion permission level, we then go to site permissions to select Create SharePoint security Group

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/A0/wKiom1WBHJWhCPuHAAtiagJmyAE932.jpg "title=" 2015-06-17_144940.png "alt=" Wkiom1wbhjwhcpuhaatiagjmyae932.jpg "/>

Select SharePoint security group permissions for temporary personnel permission level

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/9C/wKioL1WBHmXx03E-AA1NEfkhlBM297.jpg "title=" 2015-06-17_145002.png "alt=" Wkiol1wbhmxx03e-aa1nefkhlbm297.jpg "/>

After you create the SharePoint security group, we go to the people and groups interface, add ad groups or ad users to the SharePoint security group

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9C/wKioL1WBHqTjzDYhAAhjbUYT-3Q240.jpg "title=" 2015-06-17_145213.png "alt=" Wkiol1wbhqtjzdyhaahjbuyt-3q240.jpg "/>

Login with SP2013 account after adding, you can see, also can't download

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/A0/wKiom1WBHSKgli9mAAna_d2F77M376.jpg "title=" 2015-06-17_145331.png "alt=" Wkiom1wbhskgli9maana_d2f77m376.jpg "/>

In OWA, you cannot save as

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6E/9B/wKioL1WBFtvSVCV-AAWkXNjng4g149.jpg "title=" 2015-06-17_143156.png "alt=" Wkiol1wbftvsvcv-aawkxnjng4g149.jpg "/>

And users can't now view the site content

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6E/A0/wKiom1WBHVugJcxdAAOuqlNEupw819.jpg "title=" 2015-06-17_145350.png "alt=" Wkiom1wbhvugjcxdaaouqlneupw819.jpg "/>

Through the series of explanations, we can see that SharePoint permissions control is actually relatively fine-grained, through the custom permission level, can meet a lot of permission control requirements, such as we want to control users can view the site, but not download, if the user is a senior user, such as developers, Then you can give the user a view-only permission level, and if the user is a basic user, such as a normal office person, you can give the user a restricted Read permission level and then manually modify it.

This article is from "a Stubborn island" blog, please be sure to keep this source http://wzde2012.blog.51cto.com/6474289/1662772

Sharepoint2013 Rights Management of the old King Strum II