Basically we need to create the Custom Permision Levels to maximize security in SP2013.
Custom Viewers,Custom Members,Custom Owners
By default SharePoint has some default site permissions…
We can identify some specific Permission levels to be used within the site: Edit, Full Control, Read.
Form the Ribbon is possible to look at this Permission Levels.
If you like to see in detail for example the “Edit” permission level can click on it and see what specific options are checked:
As you can imagine Full control will have all the check boxes checked and Read will have much less options checked allowing the user group that inherit this permission only have limited access to the SharePoint Lists.
In order to create your own custom permission level, best practices suggest to start from a pre-existing Permission Level, then customize to your needs and once save it use it as needed.
For this example we like to create 3 custom permissions levels like Custom Viewers, Custom Members and Custom Owners.
The permissions allowed will be much restrictive than the default available by Microsoft Sharepoint. keeping security and governance in mind. you might choose to open more functionality, but will leave this to the reader decision.
For now here is the permissions to be used for our 3 Custom Permission levels.
|Custom Viewers||ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, OpenItems, Open|
|Custom Members||AddListItems, EditListItems, DeleteListItems, ViewListItems, OpenItems, ViewVersions, CreateAlerts, ViewFormPages, BrowseDirectories, CreateSSCSite, ViewPages, BrowseUserInfo, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews|
|Custom Owners||ManageLists, AddListItems, EditListItems, DeleteListItems, ViewListItems, ApproveItems, OpenItems, DeleteVersions, ViewVersions, CreateAlerts, CancelCheckout, ViewFormPages, ManagePermissions, ViewUsageData, AddAndCustomizePages, BrowseDirectories, CreateSSCSite, ViewPages,EnumeratePermissions, BrowseUserInfo, ManageAlerts, UseRemoteAPIs, UseClientIntegration, OpenItems, Open, EditMyUserInfo, ManagePersonalViews|
Will use the script in c:\template\powershell\custom_perm_levels.ps1
# URL Configuration to create