Access Control with SharePoint Groups
SharePoint groups are defined at the site collection level, and consist of a set of SPMember objects, being these either individuals or groups.
Access control is achieved by assigning each group a permission level (called a role), and assigning this to a particular securable object (called a securable scope inside SharePoint).
SPMember <--> SPRoleDefinition <--> Securable Scope (ISecurableObject).
Nested groups
It is not possible to put one SharePoint group inside another. If nested groups are required, you will need to use nested Active Directory groups.
Site collection groups
The hierarchy will look like this, for example:
Site Collection (SPSite) <--- groups including their members defined here
- Root Web site (SPWeb)
- - Sub site (SPWeb)
- - - - Sub site 1.a (SPWeb)
- - Sub site 2 (SPWeb)
- - - - Sub site 2.a (SPWeb)
- - - - Sub site 2.b
The groups used for a particular site are expressed through RoleBindings, which bind a securable scope with a particular group and permission level.
Breaking inheritance gives the site owner an option to create new groups, or re-use existing ones.
User interface pages
SharePoint provides the following user interface pages for configuring groups.
| Page | Title | SharePoint description | Notes |
|---|---|---|---|
| people.aspx | People and Groups: People | Use this page to view and manage all people for this site collection. | parameters : MembershipGroupId |
| groups.aspx | People and Groups: All Groups | Use this page to view and manage all groups for this site collection. | |
| user.aspx | Permissions | Use this page to assign permission levels to users and groups. | Also used for managing rolebindings for items that don't inherit permissions. |
| editprms.aspx | Edit Permissions | N/A | |
| role.aspx | Permission Levels | N/A | |
| addrole.aspx | Add a Permission Level | N/A | |
| permsetup.aspx | Set Up Groups for this Site | Use this page to specify who can access your site. You can create new SharePoint groups or re-use existing SharePoint groups. | |
| newgrp.aspx | New Group | Use this page to create a group. | |
| editgrp.aspx | Change Group Settings | Use this page to change the settings of this SharePoint group. | |
| aclinv.aspx | Add Users | Use this page to give new permissions. | |
| userdisp.aspx | User information | N/A | |
| mngsiteadmin.aspx | Site Collection Administrators | Use this page to add and remove site collection administrators. | |
| associatedgroups.aspx | Edit Group Quick Launch | Use this page to change which SharePoint groups appear in the Quick Launch on the People and Groups page | |
| ViewGroupPermissions.aspx | View Site Collection Permissions | Use this page to view the permission assignments that this SharePoint group has in this site collection. In addition to the listed URLs, this group has access to any sites, lists, or items that inherit permissions from these URLs. |