Académique Documents
Professionnel Documents
Culture Documents
Andi Comisioneru
Principal Group Program Manager
Microsoft Corporation
Microsoft
Agenda
Who is Secured
What is Secured
Logic and the Effective Permissions
Guidelines and Best Practices
Explorer
System
Integration
(Web+
Administratio
Manageme
Excel-Add
n
nt
In)
User and
Version
Group
Manageme
Permission
nt
s
Model
Entities
Permissions to Hierarchy
Hierarchy
Members
Hierarchy
Model
Security
DB
A
Members
Hierarchy
Security
Member
1
Member
Type
Leaf
Consolidate
d
Collections
Collectio
ns
Hierarchy
Member
2
Hierarchy
Member
n
Microsoft
Access levels
Microsoft Confidential
Manage Users
Properties
Active Directory
MDS
Membership
Microsoft Confidential
Manage Groups
Properties
Group types
Active Directory
LocalGroup
ActiveDirectoryGroup
Membership
Microsoft Confidential
Function Permissions
o Role based permissions
o Assign access to one or more functions to a user or group
Microsoft Confidential
Model Permissions
o Attributes (Column) based permissions
Selected group
Restrict assignments to a
model
Access location of selected security
assignment
Lists all security
assignments for the selected model
Microsoft Confidential
Microsoft Confidential
Effective Permissions
Calculated from
Order of Operations
1. Hierarchical inheritance is applied
2. Security roles are combined across the users groups and the direct user
permissions
. Special cases:
Read or Update cant override a higher level Deny (You cant change what you
cant see)
Members Security
o Assigned permissions are inherited and cascade down the hierarchy
from the closest ancestor
o For overlapping hierarchies, the most restrictive permission wins;
order of succession is as follows:
1. Deny
2. Read-only
3. Update
4. Unspecified
Examples
1.
2.
3.
Microsoft Confidential
o Keep it Minimal
o Security function is typically reserved for a single system
administrator
o Typical end-user will be granted permission to the Explorer
function only
o Keep It Generic
o Assign permissions to group security rather than users
o User roles change over time
o
13
2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S.
and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond
to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.