Wednesday, January 16, 2013

How security groups work in SharePoint

It’s important to know how SharePoint groups behave when we break the permission inheritance. I’ll take a scenario to explain

Let’s assume I have a site collection with 2 sub sites (Web 1 and Web 2) where I’ve broken the permission inheritance. Then I go to site permission in each web and create groups (Group 1,2,3 and 4) as shown in the diagram below.


Following are some observations/conclusions.

1. Security groups are created at root (site collection) level

Although we break the inheritance, if we create a group it’ll be created in the root level. So all 4 groups will be listed in People and Groups in site level. That group collection is referred to as Site Groups.

2. Site Groups collection ≥ Local Web Groups collection

If we go to a web (e.g.: “Web 1”) and navigate to People and Groups we can see only a subset of groups (Group 1 and 2) from site groups (Group 1,2,3,4) . This is because those are the only groups used within that web.

3. A security group is available in web group collection only if that group is referred within that web

The 2nd  observation is in fact due to this. In local group collection of “Web 2” only 2 groups (“Group 1”, “Group 2”) are available because those are the only groups used within that web.

To explain the concept further, I’ll make the scenario broader. Now I’ll create a list in “Web 2” and break the permission inheritance. Then I’ll add “Group 1” to the list (Remember that we created “Group 1” for “Web 1” and was not available in local web group collection of “Web 2”). Updated scenario is given in below image.


If you navigate to People and Groups in “Web 2”, you can see “Group 1” also available in the collection of groups. So the conclusion is that if a group is used in somewhere in a web (irrespective of which web we used to create the group in same site collection), it will be available in local web groups collection

No comments: