Windows SharePoint Services Manageability Controls (Governance Series Part 1 of 5)
In an effort to share the wealth of information that I've been working on over the past few months, I figured it made sense to share some of these key whitepapers on governance by means of a blog post. You can evaluate for yourself whether you find this information useful. If you are an IT professional, it may be tough to grasp why governance is so important. Let me tell you that deployments gone sour are 99% a result of a lack of appropriate planning. If you fail to plan, you plan to fail. This content is truly about deployment and providing you the knowledge so you can plan appropriately.
This article, authored by Dan Holme with some help from myself, gives you some background and lays the groundwork for what the knobs and controls are in a deployment. I've recently been saying that Exchange is about hosting mailboxes and SharePoint is about hosting site collections, but that statement might be 90% true. For you, the answer actually might be that it's about hosting Web applications or sites. For example, the question of whether to use a Web application or a site collection, or a site collection vs. a site, is explored here. This paper lays the framework for the other papers, which use the terminology in this paper. If you prefer to read ahead, the links to the other papers are included. I do recommend reading the actual whitepapers for the best readability and to view the applicable images.
Enjoy.
Joel Oleson
SharePoint Product Team
Windows SharePoint Services Manageability Controls
Date published: June 2007
Summary: Microsoft® Windows® SharePoint® Services 3.0 enables individuals, teams, departments, and organizations to rapidly deploy solutions that support the knowledge sharing and collaboration required by information workers in the 21st century. The value that Windows SharePoint Services delivers often leads to its rapid adoption by organizations with Web sites that host diverse content and collaborative activities. IT organizations can support these activities effectively by implementing and governing Windows SharePoint Services sites in a way that takes advantage of the manageability features of each component of Windows SharePoint Services logical architecture. This white paper will examine the Windows SharePoint Services architecture to identify which Windows SharePoint Services components provide manageability controls—settings that you can use to enable aspects of governance and manageability.
This white paper is the first in a series that will guide an organization through designing and implementing a governed, manageable Windows SharePoint Services 3.0 environment. Reading each of these papers in the order listed below is recommended:
1. Windows SharePoint Services Manageability Controls (http://go.microsoft.com/fwlink/?LinkId=92895&clcid=0x409)
2. Supporting Information Architecture with Windows SharePoint Services Manageability Controls (http://go.microsoft.com/fwlink/?LinkId=92896&clcid=0x409)
3. Implementing Windows SharePoint Services Governance (http://go.microsoft.com/fwlink/?LinkId=92897&clcid=0x409)
The three white papers, as well as other excellent resources related to the governance of SharePoint Products and Technologies, can be found at the Governance Information for SharePoint Server 2007 landing page (http://go.microsoft.com/fwlink/?LinkID=90916&clcid=0x409) on Microsoft TechNet.
To get the most from these white papers, you can familiarize yourself with Windows SharePoint Services 3.0 by using product documentation contained in the Windows SharePoint Services 3.0 Technical Library (http://go.microsoft.com/fwlink/?LinkID=73952&clcid=0x405).
Windows SharePoint Services Components
To design a manageable Microsoft® Windows® SharePoint® Services infrastructure, an organization’s design team must identify the components of Windows SharePoint Services logical architecture that enable aspects of control and manageability.
Windows SharePoint Services logical architecture comprises the following components:
· Server farm or single server deployment: The top-level design construct of a Windows SharePoint Services infrastructure is a stand-alone or server farm deployment of Windows SharePoint Services. A stand-alone installation includes Windows SharePoint Services and Microsoft SQL Server® on the same server. A server farm allows the separation of application and database server roles. An enterprise can support one or more Windows SharePoint Services farms. You administer each server farm as a unit from the shared administrative tools in the server farm’s SharePoint Central Administration site.
· Web application: A Web application is a logical component that is associated in a one-to-one relationship with a unique Microsoft Internet Information Services (IIS) Web site. You use the server farm’s SharePoint Central Administration site to manage Web applications.
· Site collection: A site collection is a component that encompasses one or more Windows SharePoint Services sites. You manage some features of site collections by using SharePoint Central Administration, and you manage others from the Site Settings page of the site collection’s top-level site.
· Site: Within a site collection, you can create one or more Windows SharePoint Services sites.
· Top-level site: The top-level site within a site collection is the site with the URL of the site collection itself. Top-level sites define certain configurations, such as features and templates, that affect all sites within the site collection.
· Lists and libraries: Lists and libraries are basically the equivalent of data tables in a database application. Whereas lists can support document attachments, libraries are a type of list in which the document is the focal point, and columns in the list provide metadata about the document.
· Items and documents: The records in a Windows SharePoint Services list are called items. A library is a list that contains documents.
These components of Windows SharePoint Services are illustrated in the graphic in the whitepaper.
For more information about the components of Windows SharePoint Services and how to design a Windows SharePoint Services infrastructure, see the Windows SharePoint Services 3.0 Technical Library (http://go.microsoft.com/fwlink/?LinkID=73952&clcid=0x405).
Windows SharePoint Services Manageability Controls
Windows SharePoint Services 3.0 offers several features that let you configure aspects of manageability. You can implement each of these features, which we will refer to as “manageability controls,” by configuring properties of specific Windows SharePoint Services components. For purposes of this discussion, manageability controls will be grouped into the following categories: security, branding, navigation, content management, content administration, search, and service management.
Security
Security can be divided into two primary components: authentication and authorization.
Authentication Provider
Windows SharePoint Services authentication is configured by the Web application’s authentication provider. Windows SharePoint Services 3.0 supports Windows authentication, which enables users to authenticate with accounts stored in the server’s local Security Accounts Manager (SAM) database or in Active Directory (AD). Additionally, you can configure a Web application to use forms-based authentication, which supports any ASP.NET 2.0 authentication provider or Active Directory Federation Services (ADFS).
In order to support more than one authentication provider, you will need to create or extend more than one Web application. For example, you might want to give Windows SharePoint Services 3.0 access to users within your organization who maintain accounts in Active Directory, as well as to partners who access Windows SharePoint Services 3.0 through an extranet site by using accounts stored in an ASP.NET 2.0 authentication provider. To give this access, you need to create a Web application (for example, http://intranet.contoso.com) that uses Windows authentication. You would then extend that application to another Web application (for example, http://extranet.contoso.com) that would utilize forms-based authentication. Both sites would be attached to the same content database. Therefore, regardless of which URL they accessed, users would see the same content.
Authentication Timeout for Forms Based Authentication
If the Web application uses forms-based authentication, the user will remain authenticated until the user closes his or her browser or until the authentication timeout occurs. You can configure this expiration time, set by default to 30 minutes, for a Web application in the application’s Web.config file. Add or modify the timeout attribute of the forms element, for example:
<forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
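The timeout attribute above is expressed in minutes. The following is an added example, not code from the white paper or from SharePoint: it reads a constructed Web.config, compares the forms timeout with an assumed governance maximum, and can rewrite the attribute. It assumes the standard ASP.NET layout of system.web/authentication/forms.

```python
"""Audit and correct the forms-authentication timeout in a Web application's
Web.config. Added example, not from the white paper or SharePoint; the policy
maximum and the sample Web.config below are constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import Optional

# ASP.NET uses 30 minutes when the timeout attribute is absent.
ASPNET_DEFAULT_TIMEOUT = 30

# Constructed sample built around the white paper's example <forms> element.
SAMPLE_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
    </authentication>
  </system.web>
</configuration>"""


def forms_timeout(config_xml: str) -> Optional[int]:
    """Return the forms timeout in minutes, or None when the Web application
    does not use forms-based authentication. Raises ValueError if the
    attribute is present but not a whole number."""
    root = ET.fromstring(config_xml)
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = auth.find("forms")
    raw = forms.get("timeout") if forms is not None else None
    if raw is None:
        return ASPNET_DEFAULT_TIMEOUT          # attribute omitted: ASP.NET default
    if not raw.isdigit():
        raise ValueError(f"timeout attribute is not a whole number: {raw!r}")
    return int(raw)


def audit(config_xml: str, max_minutes: int = 30) -> str:
    """One-line finding comparing the configured timeout with a governance maximum."""
    try:
        timeout = forms_timeout(config_xml)
    except ValueError as exc:
        return f"ERROR: {exc}"
    if timeout is None:
        return "N/A: Web application does not use forms-based authentication"
    if timeout > max_minutes:
        return f"FAIL: forms timeout {timeout} min exceeds maximum of {max_minutes} min"
    return f"PASS: forms timeout {timeout} min is within the {max_minutes} min maximum"


def set_forms_timeout(config_xml: str, minutes: int) -> str:
    """Return a copy of the Web.config with the forms timeout set to `minutes`.
    The <forms> element is created if the authentication element lacks one."""
    root = ET.fromstring(config_xml)
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        raise ValueError("Web application is not configured for forms-based authentication")
    forms = auth.find("forms")
    if forms is None:
        forms = ET.SubElement(auth, "forms")
    forms.set("timeout", str(minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit(SAMPLE_WEBCONFIG))                # FAIL: 100 min exceeds 30 min
    print(audit(set_forms_timeout(SAMPLE_WEBCONFIG, 30)))   # PASS: 30 min
```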
Authentication for a Site
To allow a user to authenticate to a specific site, you must add to the site collection (by using the People and Groups link in the site’s settings) the user’s account or a group to which the user belongs. The definition of valid users and groups is contained at the site collection level and, once added, you can give to a user or group permissions to any object (site, list, library, item, or document) within the site collection.
Anonymous Access
Users without user or group accounts in the site collection are considered anonymous users. You must set anonymous access, which is off by default, at the Web application level before such users can access any site or list. Once you have enabled anonymous access for the Web application, you can configure it for a site to support access to the entire site or to specific lists and libraries. Each list and library can then deny or allow anonymous access.
Access to Securable Objects
After authentication as either a valid user account or as an anonymous user, access to any securable object (a site, list, library, item, or document) is controlled by the permissions for that object. Permissions should be assigned to groups defined in either the SharePoint site collection or the authentication provider (such as Active Directory groups), but can also be assigned to a user defined in the authentication provider. By default, permissions are inherited from the parent object. The permissions assigned to the top-level site in a site collection are inherited by each site within the collection, each library and list within that site, and each document and item within the library or list. You can edit permissions on any securable object, but by doing so, you break the inheritance of that object’s permissions from its parent, and any changes to the parent’s permissions will no longer affect the child object.
Permission Levels
The permission levels you can configure on a securable object for a user or group are, by default, Full Control, Design, Contribute, Read, and Limited Access. You can modify these permission levels at the site collection level to enable the configuration of additional security-related roles.
Permissions
Each permission level is itself composed of granular permissions. For example, the Read permission level comprises eleven permissions such as View Pages, View Items, and Create Alerts. By default, all Windows SharePoint Services permissions are available for use in defining permission levels in a site collection. However, you can restrict which permissions are available to site collections within a Web application by configuring User permissions for Web application in SharePoint Central Administration.
Web Application Policies
Finally, Windows SharePoint Services 3.0 enables you to override object-level permissions through security policies configured for the Web application. By default, the administrators of the server hosting Windows SharePoint Services do not have access to any Windows SharePoint Services content. If business needs mandate such access, you can configure a security policy for each Web application that enables appropriate access for the administrators group. Similarly, corporate policy may require that a team of auditors or security personnel have access to content within a Web application. A Full Control or Full Read policy will provide the assigned users access to content throughout the Web application, overriding any more restrictive permissions on objects within the application. Alternatively, a particular group of users might need to be restricted from accessing content, even if permissions have been granted that would otherwise allow access. A Deny Write or Deny All policy will override any more liberal permissions on objects within the Web application.
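The interaction between anonymous access, inherited object permissions and Web application policies described above is easy to get wrong in an access review. The following added example, not code from the white paper or from SharePoint, is a toy model of that resolution order: it assumes a Deny policy beats a grant policy for the same user, reduces permission levels to read and write rights, and treats "entire site" anonymous access as read access; all site, list and group names are constructed.

```python
"""Toy model of how WSS 3.0 resolves a user's access to a securable object.
Added example, not code from the white paper or from SharePoint. It encodes
the rules the text states: Web application policies override object permissions,
objects inherit their parent's permissions until inheritance is broken, and
anonymous users reach content only when anonymous access is enabled at the Web
application, then the site, then the list. Assumptions: a Deny policy beats a
grant policy for the same user, permission levels reduce to the rights in
LEVEL_RIGHTS, and "entire site" anonymous access means read. Names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

LEVEL_RIGHTS = {"Full Control": {"read", "write"}, "Design": {"read", "write"},
                "Contribute": {"read", "write"}, "Read": {"read"}, "Limited Access": set()}
POLICY_GRANTS = {"Full Control": {"read", "write"}, "Full Read": {"read"}}
POLICY_DENIES = {"Deny Write": {"write"}, "Deny All": {"read", "write"}}

@dataclass
class Securable:
    name: str
    kind: str                                   # "site", "list" or "item"
    parent: Optional["Securable"] = None
    inherits: bool = True                       # False = inheritance broken
    acl: Dict[str, str] = field(default_factory=dict)   # principal -> level
    anon_mode: str = "none"                     # sites: none | site | lists
    anon_rights: Set[str] = field(default_factory=set)  # lists: opted-in rights

    def effective_acl(self) -> Dict[str, str]:
        """Walk up to the nearest object that defines its own permissions."""
        node = self
        while node.inherits and node.parent is not None:
            node = node.parent
        return node.acl

    def nearest(self, kind: str) -> Optional["Securable"]:
        node = self
        while node is not None and node.kind != kind:
            node = node.parent
        return node

@dataclass
class WebApp:
    anonymous_enabled: bool = False
    policies: Dict[str, str] = field(default_factory=dict)  # principal -> policy

def rights_for(app: WebApp, obj: Securable, principals: Iterable[str]) -> Set[str]:
    """Rights of an authenticated user; `principals` is the user plus every
    site collection or authentication-provider group the user belongs to."""
    principals = set(principals)
    granted, denied = set(), set()
    for policy in (app.policies.get(p) for p in principals):
        granted |= POLICY_GRANTS.get(policy, set())
        denied |= POLICY_DENIES.get(policy, set())
    rights = set(granted)                       # a grant policy ignores the object ACL
    for principal, level in obj.effective_acl().items():
        if principal in principals:
            rights |= LEVEL_RIGHTS.get(level, set())
    return rights - denied                      # a Deny policy wins over everything

def anonymous_rights(app: WebApp, obj: Securable) -> Set[str]:
    """Rights of an anonymous user: gated at Web application, then site, then list."""
    if not app.anonymous_enabled:
        return set()
    site = obj.nearest("site")
    if site is None or site.anon_mode == "none":
        return set()
    if site.anon_mode == "site":
        return {"read"}
    lst = obj.nearest("list")                   # "lists" mode: only opted-in lists
    return set(lst.anon_rights) if lst is not None else set()

def build_sample():
    """Constructed hierarchy: top-level site -> Sales subsite -> Customers list."""
    app = WebApp(anonymous_enabled=True, policies={
        "Auditors": "Full Read", "Contractors": "Deny Write", "Former Staff": "Deny All"})
    top = Securable("intranet", "site", inherits=False,
                    acl={"Sales Members": "Contribute", "All Employees": "Read"})
    sales = Securable("sales", "site", parent=top, anon_mode="lists")
    customers = Securable("Customers", "list", parent=sales, inherits=False,
                          acl={"Sales Managers": "Full Control"}, anon_rights={"read"})
    return app, top, sales, customers
```

Running rights_for against build_sample() shows the two surprises reviewers most often miss: a Sales member loses access to the Customers list the moment its inheritance is broken, while an auditor with a Full Read policy reads it without appearing in any ACL.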
Security Control Summary
· Authentication provider: Configured for the Web application in SharePoint Central Administration.
· Authentication timeout for forms-based authentication: By default, 30 minutes. Configured for the Web application in Web.config. Add or modify a timeout attribute to the forms element.
· Authentication for a site: Configured by adding the user or a group to which the user belongs to the site collection in People and Groups.
· Anonymous authentication: Enabled for the Web application in its authentication provider configuration. Then enabled for the site (none, entire site, or lists and libraries) and then further restricted or enabled per list or library.
· Access to securable objects: Configured for the securable object (site, list, library, item, or document). By default, inherited from parent object. Permission levels assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups.
· Permission levels: Defined in the site’s Permissions settings. By default, inherited from the parent site.
· Permissions: Enabled for the Web application in SharePoint Central Administration.
· Security policies: Configured for the Web application in SharePoint Central Administration.
| Control | Configured for Windows SharePoint Services Component | Location for Configuration | Notes |
| --- | --- | --- | --- |
| Authentication provider | Web application | SharePoint Central Administration: Application Management: Authentication providers: Edit Authentication | Windows, forms-based, or Web single sign-on (SSO) is available. |
| Authentication timeout for forms-based authentication | Web application | Web application’s Web.config file: The timeout attribute of the forms element | Configure the lifetime of the authentication cookie. Authentication will time out at this interval or when the user closes the browser. |
| Authentication for a site | Site collection | People and Groups: All People or People and Groups: All Groups | Add a user or a group to which the user belongs to the site collection. |
| Anonymous access | Web application | SharePoint Central Administration: Application Management: Authentication Providers: Edit Authentication | Anonymous access to any object within the Web application is not possible unless enabled by the Web application. |
| Anonymous access | Site | Site Settings: Permissions | At the site level, anonymous access can be blocked, enabled for the entire site, or enabled for specific lists and libraries. |
| Anonymous access | List or library | List Settings: Permissions for this list | A list or library can enable anonymous users to add, edit, view, and/or delete items. |
| Access to securable objects | Object (site, list, library, item, or document) | Permissions | By default, permissions are inherited from the parent object. Permission levels are assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups. |
| Permission levels | Site | Site Settings: Permissions | By default, permission levels such as Full Control, Contribute, Read, and Limited Access are inherited from the parent site. |
| Permissions | Web application | SharePoint Central Administration: Application Management: User permissions for Web application | Permissions supported by Windows SharePoint Services 3.0 can be enabled or disabled for a Web application. Enabled permissions are used to create permission levels for a site. |
| Security policies | Web application | SharePoint Central Administration: Application Management: Policy for Web application | Security policies allow you to enable or deny access to users or groups. Policies override the permissions on securable objects. |
Branding
Branding refers to the look-and-feel of your SharePoint sites. Your sites should reflect the standards of your organization for logo usage, color, layout, and boilerplate content (such as a copyright notice).
Master Page
The primary branding control is the master page. ASP.NET 2.0 master pages create a common appearance to pages in a site by defining components such as headers, footers, and navigational elements. A master page contains one or more content controls that expose the unique content of a page. Each content page is linked to its master page. When that page is requested, the server renders the master page, and then renders the content page in the appropriate content controls of the master page.
A Windows SharePoint Services site can contain one or more master pages in its master pages gallery, accessible through the Site Settings page. A site also inherits master pages that have been made available in parent sites. Therefore, you can use a single master page in the top-level site of a site collection to drive branding on all sites within the site collection, or you can deploy multiple master pages to support variations in look-and-feel.
Note that if multiple master pages are available within a site, you must use Microsoft Office SharePoint Designer 2007, or a developer tool such as Microsoft Visual Studio® 2005, to assign the master page for each content page. Microsoft Office SharePoint Server 2007 provides a user-accessible method for selecting a master page in the Web-based interface of the site.
Branding Control Summary
· Master pages: Master pages are maintained by a site in its master pages gallery. A site also inherits master pages maintained by parent sites.
| Control | Configured for Windows SharePoint Services Component | Location for Configuration | Notes |
| --- | --- | --- | --- |
| Master Pages | Site | Site Settings: Master pages gallery | A site maintains its own master pages gallery and inherits master pages of parent sites. |
Navigation
A manageable implementation of Windows SharePoint Services 3.0 will provide appropriately consistent navigation within and between sites, site collections, and Web applications. You can code navigational elements into the master page or pages, or you can use the top link bar and Quick Launch, which are supported out-of-the-box with Windows SharePoint Services 3.0.
Top Link Bar
The top link bar is, by default, a series of tabs near the top of the site’s pages that provide navigation to the top-level site and each first-level site. By default, each site inherits the top link bar of its parent site. However, you can configure the top link bar in each site’s settings. To remove the top link bar entirely, you can simply delete each link in the bar.
Office SharePoint Server 2007 enables a richer out-of-box navigation capability, with a top link bar that provides drop-down menus for navigation to sites or external links.
Quick Launch
Quick Launch appears, by default, on each user-facing page of a Windows SharePoint Services 3.0 site. It does not appear on the Site Settings or List Settings pages. Quick Launch is designed to provide a consistent navigational experience for all pages within a site. You enable it in the Site Settings page by clicking Tree View. You configure its contents by clicking Quick Launch.
Tree View
A tree view is also available to display a site’s contents in a tree-like structure. You enable it in a site’s settings by clicking Tree View, which will display the site’s lists, libraries, and sites.
Navigation Control Summary
· Top link bar: Inherited by default from the parent site. Configured in the site’s settings.
· Quick Launch: Enabled by using Tree View settings in site settings. Configured by using Quick Launch in site settings.
· Tree View: Enabled by using Tree View in site settings.
| Control | Configured for Windows SharePoint Services Component | Location for Configuration | Notes |
| --- | --- | --- | --- |
| Top link bar | Site | Site Settings: Top link bar | Inherited by default from the parent site. |
| Quick Launch | Site | Site Settings: Tree view and Site Settings: Quick Launch | Enabled by using the Tree View settings; configured by using the Quick Launch settings. |
| Tree View | Site | Site Settings: Tree view | Can be enabled or disabled, but contents cannot be configured. |
Content Management
An enterprise typically requires control over the information that is maintained in a system such as Windows SharePoint Services 3.0. Managing consistency across disparate content stores, such as lists and libraries, enables more effective searching, analysis, and knowledge management. To better understand the manageability controls related to content management, we will explore a scenario within the sales department of Contoso.com.
The most granular component of Windows SharePoint Services content is the item in a list, or the document in a library. For purposes of this discussion, items and documents can be described together. Each is, in effect, a record in a data table composed of fields called columns. Columns are also referred to as properties, attributes, or metadata, and are defined for the list or library. In a list of customers, for example, Contoso might define a column for “Customer Status”. The status could be a choice column, which appears as a drop-down list when editing or creating items, and choices could include “Sales Lead,” “Opportunity,” and “Active Customer”.
List Template
You have several options for managing content in this scenario. First, you could save the list that maintains customers as a list template. List templates are stored in the list template gallery of the site collection, which you can manage from the top-level site’s settings. Once you create it, you can use the list template as the basis for a new list anywhere in the site collection, creating consistency and ease-of-use. You also can download the list template and then load it into the list template gallery of another site collection.
Site Column
Second, you can define the “Customer Status” column as a site column. Site columns are a definition of a custom field and contain the same options as a list column. However, you can reuse site columns across lists and sites within the site. If Contoso defined a site column for the “Customer Status” choice, you could add that column to any list or site within the site. If, at a later date, you needed to add a choice to the column in each list, you would need to add it only to the definition of the site column. The site column thus provides a single point of management for defining a column throughout a site. It is recommended that you manage site columns from the top-level site in a site collection, making those columns available to all sites in the collection.
Content Type
Content types are the most powerful option for managing content in Windows SharePoint Services 3.0. A content type is a definition of an entire item, document, or folder. It describes attributes including columns, workflows, forms used for editing and viewing, and, in the case of documents, the document template and version settings. Content types are hierarchical, deriving their columns from a parent document type. So, for example, Contoso might create a content type for “Customer,” derived from the Windows SharePoint Services 3.0 default “Contact” content type. The “Customer” content type would thus inherit all contact fields, such as names, address, phone number, and e-mail address. Contoso could then add columns such as the customer’s time zone, office hours, photo, and the “Customer Status” column. You could then use the “Customer” content type in any list that contains customer information, and you would not have to redefine any of the columns, workflows, template, or other properties of the content type.
Content types are defined for a site and are available to all sites within that site. It is recommended that you manage content types from the top-level site of a site collection, so that the content types are available to all sites in the collection.
Content Management Summary
· List template: Managed using the top-level site’s list template gallery. Available to all sites in the site collection.
· Site column: Managed using the site’s settings. Available to the site and all sites within it. Recommended to manage using the top-level site’s settings to provide the site column to all sites in the collection.
· Content type: Managed using the site’s settings. Available to the site and all sites within it. Recommended to manage using the top-level site’s settings to provide the content type to all sites in the collection.
| Control | Configured for Windows SharePoint Services Component | Location for Configuration | Notes |
| --- | --- | --- | --- |
| List template | Site collection | Top-level site’s Site Settings: List template gallery | Available to all sites within the collection. |
| Site column | Site | Site Settings: Site columns | Available to the site and all sites within it. Recommended to manage by using the top-level site’s settings to provide the site column to all sites in the collection. |
| Content type | Site | Site Settings: Site content types | Available to the site and all sites within it. Recommended to manage by using the top-level site’s settings to provide the content type to all sites in the collection. |
Content Administration
The category of “content administration” relates to issues of managing the type, quantity, and lifecycle of content in a Windows SharePoint Services implementation, as well a