Basically we need to create the Custom Permision Levels to maximize security in SP2013.

Custom Viewers,Custom Members,Custom Owners

By default SharePoint has some default site permissions…

dino blog 1 pic 1

 

We can identify some specific Permission levels to be used within the site: Edit, Full Control, Read.

 

Form the Ribbon is possible to look at this Permission Levels.

dino blog 1 pic 2

dino blog 1 pic 3

 

If you like to see in detail for example the “Edit” permission level can click on it and see what specific options are checked:

dino blog 1 pic 5dino blog 1 pic 6dino blog 1 pic 7

As you can imagine Full control will have all the check boxes checked and Read will have much less options checked allowing the user group that inherit this permission only have limited access to the SharePoint Lists.

 

In order to create your own custom permission level, best practices suggest to start from a pre-existing Permission Level, then customize to your needs and once save it use it as needed.

 

For this example we like to create 3 custom permissions levels like Custom Viewers, Custom Members and Custom Owners.

 

The permissions allowed will be much restrictive than the default available by Microsoft Sharepoint. keeping security and governance in mind. you might choose to open more functionality, but will leave this to the reader decision.

 

For now here is the permissions to be used for our 3 Custom Permission levels.

dino blog 1 pic 8

 

Custom ViewersViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, OpenItems, Open

 

Custom MembersAddListItems, EditListItems, DeleteListItems, ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, BrowseDirectories, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews

 

Custom OwnersManageLists, AddListItems, EditListItems, DeleteListItems, ViewListItems, ApproveItems, OpenItems, DeleteVersions, ViewVersions, CreateAlerts, CancelCheckout, ViewFormPages, ManagePermissions, ViewUsageData, AddAndCustomizePages, BrowseDirectories, CreateSSCSite, ViewPages,EnumeratePermissions, BrowseUserInfo, ManageAlerts, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews

 

Will use the script in c:\template\powershell\custom_perm_levels.ps1

 

# URL Configuration to create

 

param (

[string]$siteURL = “http://sharepoint2013.com“,

[string]$path = $(throw “-path is required.”),

[string]$name = $(throw “-name is required.”),

[string]$sitename = $(throw “-sitename is required.”)

)

 

# .\my_create_custom_perm_levels.ps1 -path ‘/templates’ -name ‘/my’ -sitename ‘My’

 

$siteURL=[string]$siteURL;

$path=[string]$path;

$subsite=[string]$name;

$sitename=[string]$sitename;

 

$relpath=$path+$subsite

$siteURL=$siteURL+$relpath

Write-Host -ForegroundColor yellow “siteURL : [ $siteURL ]”;

 

# Create My Viewers

 

$spWeb = Get-SPWeb $siteURL

 

 

$perm = New-Object Microsoft.SharePoint.SPRoleDefinition

$perm.Name = “My Viewers”

 

$perm.Description = “My Viewers – ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, OpenItems, Open”

$perm.BasePermissions = “ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, OpenItems, Open”

 

 

$spWeb.RoleDefinitions.Add($perm)

$spWeb.Dispose()

Write-Host -ForegroundColor yellow “My Viewers Created : [ OK ] “;

 

 

# Create My Members

 

$spWeb = Get-SPWeb $siteURL

 

$perm = New-Object Microsoft.SharePoint.SPRoleDefinition

$perm.Name = “My Members”

 

$perm.Description = “My Members – AddListItems, EditListItems, DeleteListItems, ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, BrowseDirectories, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews”

$perm.BasePermissions = “AddListItems, EditListItems, DeleteListItems, ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, BrowseDirectories, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews”

 

 

$spWeb.RoleDefinitions.Add($perm)

$spWeb.Dispose()

Write-Host -ForegroundColor yellow “My Members Created : [ OK ] “;

 

# Create My Owners

 

$spWeb = Get-SPWeb $siteURL

 

$perm = New-Object Microsoft.SharePoint.SPRoleDefinition

$perm.Name = “My Owners”

 

$perm.Description = “My Owners – ManageLists, AddListItems, EditListItems, DeleteListItems, ViewListItems, ApproveItems, OpenItems, DeleteVersions, ViewVersions, CreateAlerts, CancelCheckout, ViewFormPages, ViewUsageData, AddAndCustomizePages, BrowseDirectories, CreateSSCSite, ViewPages,EnumeratePermissions, BrowseUserInfo, ManageAlerts, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews”

$perm.BasePermissions = “ManageLists, AddListItems, EditListItems, DeleteListItems, ViewListItems, ApproveItems, OpenItems, DeleteVersions, ViewVersions, CreateAlerts, CancelCheckout, ViewFormPages, ViewUsageData, AddAndCustomizePages, BrowseDirectories, CreateSSCSite, ViewPages,EnumeratePermissions, BrowseUserInfo, ManageAlerts, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews”

 

 

$spWeb.RoleDefinitions.Add($perm)

$spWeb.Dispose()

Write-Host -ForegroundColor yellow “My Owners Created : [ OK ] “;

 

 

Edit to reflect the new URL http://sharepoint2013.com

 

.\custom_perm_levels.ps1 -path ” -name ‘/’ -sitename ‘mysc’

dino blog 1 pic 9dino blog 1 pic 10

 

Looking at the Site Permission Levels:

For small sites create Custom Permission levels might be easier to perform using the web interface, however for large scale deployments where multiple Site Collections exist, is much easier to build the sites via powershell then call a script to create in a consistent manner all the desired corporate permission levels to be used and apply to the site.

The end result will be a set of custom permission levels that can be used to each of the security groups to maximize security and never leave nothing to default configurations. It can be as restrictive or open as needed.