Friday, August 5, 2016

Configuring Web Application User Policy in SharePoint 2013 / 2016

A SharePoint web application may have hundreds or thousands of site collections. Providing the same access to all of those site collections for a set of users can be a difficult task. This is where SharePoint web application policies come into play. Consider these practical scenarios:

  • Your SharePoint search crawl account needs read access on all site collections.
  • You have to provide Read access to all site collections to the "Auditors" group of your organization.
  • You may want to provide read access to all users for an Intranet web application.
  • Your CIO wants Full Control on all site collections.
  • Your fellow farm administrator needs full control over all site collections on the SharePoint 2013 web application, etc.
Web application user policies are the comprehensive way to apply permissions to all site collections in a web application. A web application policy either grants or denies permissions to a set of users. By default, a web application has these four permission policy levels predefined:
  • Full Control
  • Full Read
  • Deny Write
  • Deny All
In fact, a web application user policy is basically a mapping between an Active Directory user or group and a web application-level permission policy.

Permissions applied using a web application user policy supersede all other permissions applied at the individual site collection level. E.g., if a user has Read access to some site collections, granting the Full Control permission policy gives the user "Full Control" on all site collections within the entire web application. With web application-level permission policies you can centrally manage access to all content in the web application without individually adding site collection administrators on each site.

The Deny permission level takes precedence over any existing permissions applied. E.g., applying Deny All to a user prevents any and all access to a web application and all its site collections. BTW, a Deny policy at the web application level is the only way to block someone's access to SharePoint.

To access the user policy for a web application using Central Administration:
  1. Open the SharePoint 2016/2013/2010 Central Administration site as a Farm Administrator.
  2. Click Application Management >> Select Manage Web Applications.
  3. Select your target web application >> Click the User Policy button from the ribbon.
  4. This page lists all user policies created for the web application. Usually, you'll find the search service application crawl account here with the Full Read user policy granted.
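The same list can be pulled for every web application in the farm from the SharePoint Management Shell. The script below is an added example, not code from the original post: it reads the all-zones and per-zone policy collections through the server object model and flags Full Control grants, "Account Operates As System" entries and individual-user entries. The `IndividualUser` flag is a heuristic that assumes claims-mode web applications, where `i:` prefixes an identity claim; on classic-mode web applications it is always false.

```powershell
# Added example (not from the original post): audit web application user policies.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppUserPolicyReport {
    foreach ($webApp in Get-SPWebApplication) {
        # Policies that apply to all zones, then the policies scoped to each zone.
        $sets = @(@{ Zone = 'All zones'; Policies = $webApp.Policies })
        foreach ($zone in $webApp.IisSettings.Keys) {
            $sets += @{ Zone = "$zone"; Policies = $webApp.ZonePolicies($zone) }
        }
        foreach ($set in $sets) {
            foreach ($policy in $set.Policies) {
                $bindings = @($policy.PolicyRoleBindings)
                [pscustomobject]@{
                    WebApplication   = $webApp.Url
                    Zone             = $set.Zone
                    UserName         = $policy.UserName
                    DisplayName      = $policy.DisplayName
                    Levels           = ($bindings | ForEach-Object { $_.Name }) -join '; '
                    FullControl      = [bool]($bindings | Where-Object { $_.Type -eq 'FullControl' })
                    OperatesAsSystem = $policy.IsSystemUser
                    # Heuristic (assumption): claims-encoded names starting with "i:"
                    # are single identities; "c:" names are other claims such as groups.
                    IndividualUser   = $policy.UserName -like 'i:*'
                }
            }
        }
    }
}

$report = Get-WebAppUserPolicyReport
$report | Sort-Object WebApplication, Zone, UserName | Format-Table -AutoSize

# Entries that deserve a second look during an access review.
$report | Where-Object { $_.FullControl -or $_.OperatesAsSystem -or $_.IndividualUser }
```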
How to add a new web application user policy:
To add a new policy, click the Add Users link. Then perform the following steps:
  1. From the Policy for Web Application dialog box, click on the "Add Users" link.
  2. Select All Zones for the web application and click on Next. (You can optionally select a single zone, such as Internet, and limit the policy to that zone.)
  3. Enter one or more user account names or security groups. You can enter multiple users or security groups.
  4. Select the permission policy levels that you want to apply. You can add custom permission policy levels from "Permission Policy".
  5. Optionally, you can select the "Account Operates As System" check box, which means that if a user creates or modifies any item in this web application, the Created By and Modified By entries will be shown as: System Account.
  6. Click Finish to save your changes. This ensures consistent security permissions across site collections of a web application.
By providing a permission policy at the web application level, our purpose is to control who has access to the content within the site collections that are associated with the web application.
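The six steps above can also be scripted. The following is an added example, not code from the original post: it grants Full Read on all zones to an Active Directory security group and leaves "Account Operates As System" off. The function name, the group `CONTOSO\SP-Auditors` and the URL are placeholders chosen for illustration.

```powershell
# Added example (not from the original post). Run in the SharePoint Management
# Shell as a farm administrator. Group name and URL below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-WebAppFullReadPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $WebAppUrl,
        [Parameter(Mandatory = $true)] [string] $GroupName,   # AD security group, DOMAIN\name
        [string] $DisplayName = $GroupName
    )
    $webApp = Get-SPWebApplication -Identity $WebAppUrl -ErrorAction Stop

    # Claims-mode web applications store the claims-encoded form of the principal.
    $principal = $GroupName
    if ($webApp.UseClaimsAuthentication) {
        $claim = New-SPClaimsPrincipal -Identity $GroupName -IdentityType WindowsSecurityGroupName
        $principal = $claim.ToEncodedString()
    }

    # Step 2: $webApp.Policies is the "All Zones" collection. Do not add duplicates.
    if ($webApp.Policies | Where-Object { $_.UserName -eq $principal }) {
        Write-Warning "A policy for $principal already exists on $WebAppUrl; nothing changed."
        return
    }

    # Step 3: add the group to the policy collection.
    $policy = $webApp.Policies.Add($principal, $DisplayName)

    # Step 4: bind one of the predefined permission policy levels (Full Read here).
    $roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
    $policy.PolicyRoleBindings.Add($webApp.PolicyRoles.GetSpecialRole($roleType))

    # Step 5: keep "Account Operates As System" off so edits stay attributable.
    $policy.IsSystemUser = $false

    # Step 6: persist the change to the configuration database.
    $webApp.Update()
    $policy
}

Add-WebAppFullReadPolicy -WebAppUrl 'https://intranet.contoso.example' -GroupName 'CONTOSO\SP-Auditors'
```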
Edit Existing User Policies:
To edit any of the existing policies:
  • Click on the corresponding "Display Name" value (or you can check the policy and click the Edit Permissions Of Selected Users link).
  • In the edit policy dialog box, adjust any required settings, such as permissions, and click on Save once done.

To Delete a Web Application User Policy:
To remove a user policy, simply select the policy and click on the "Delete Selected Users" link. Confirm when prompted.

As a best practice, use Active Directory security groups in SharePoint web application user policies, as adding individual users triggers a search crawl. This procedure applies to all versions of SharePoint: 2016, 2013, 2010, and 2007!

Related post: PowerShell script to Add Web Application User Policy in SharePoint
