
ControlPoint 8.6 - User Guide


Managing Permissions Inheritance

The ControlPoint Manage Permissions Inheritance action lets you break or restore permissions inheritance of sites, subsites, lists, folders, and items across your SharePoint farm.

In a multi-farm environment, permissions inheritance can be managed across multiple farms.

SharePoint Objects Included in the Operation by Default

The following table identifies the SharePoint objects that are included in the Break/Restore Inheritance operation by default.

Operation: Restore Inheritance

Scope: Farm, Web Application, or Site Collection

Objects included by default: All sites, subsites, lists, folders and items within the selected scope.

NOTE:  You can use the Change Selection option if you want to exclude individual sites, lists, folders, and items.

Scope: Site

Objects included by default: The site itself and all lists, folders and items within the site.

NOTE:  If you have checked the Include Children box in the Selection pane (that is, you want to include child sites of the selected site), you can also choose to exclude the selected site itself (so that child sites will inherit from it).

Scope: List

Objects included by default: The list itself.

NOTE:  By default, folders and items are not acted upon.  You can, however, use the Change Selection option to explicitly select any folders and items you want to include.

Operation: Break Inheritance

Scope: Farm, Web Application, or Site Collection

Objects included by default: All sites and subsites within the selected scope.

NOTE:  By default, lists, folders, and items are not acted upon.  You can, however, use the Change Selection option to explicitly select any lists, folders, and items you want to include.

Scope: Site

Objects included by default: The site itself and all subsites.

NOTES:

· By default, lists, folders, and items are not acted upon.  You can, however, use the Change Selection option to explicitly select any lists, folders, and items you want to include.

· If you have checked the Include Children box in the Selection pane (that is, you want to include child sites of the selected site), you can also choose to exclude the selected site itself (so that child sites will no longer inherit from it).

Scope: List

Objects included by default: The list itself.

NOTE:  By default, folders and items are not acted upon.  You can, however, use the Change Selection option to explicitly select any folders and items you want to include.

To manage permissions inheritance:

1. Select the object(s) for which you want to break or restore inheritance.

2. Choose Users and Security > Manage Permissions Inheritance.

3. Use the information in the following table to determine the appropriate action to take.

If you want to ...: restore permissions inheritance

Then ...: select the Restore Inheritance radio button.

If you want to ...: break permissions inheritance

Then ...:

a. Select the Break Inheritance radio button.

b. Select whether you want to:

· Copy Permissions from Parent

OR

· Leave Permissions Empty.

4. If you initiated the action at the site level and want to act only on child site(s), check the Include Children only (exclude selected sites) box.

NOTE:  This option is valid only if one or more sites (other than root sites) were explicitly selected.

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·complete the Enforce Policy section and schedule the operation to run at a later time.

OR

·save the operation as XML Instructions that can be run at a later time.


Managing SharePoint Groups

ControlPoint Manage SharePoint Groups is a farm-level action that lets you propagate the permissions and membership of a SharePoint group on one site to groups on one or more different sites in the same farm.  You can either:

·overwrite the membership and permissions of an existing group (but retain the group's name)

EXCEPTION:  Permissions of a group within a list, folder, or item that has unique (non-inherited) permissions will not be changed.

OR

·create a new group with the same name, membership, and permissions as the model group.

ControlPoint Group Management Terminology

Association - The relationship between the SharePoint group whose permissions and membership you want to propagate and all of the groups to which you want to propagate them.

Model Group - The SharePoint group whose permissions and membership you want to propagate.

Dependent Group(s) -  The SharePoint group(s) to which you are propagating the membership and permissions of the model group.  You "adopt" a new dependent group when you add it to an association.

Synchronize - The act of propagating permissions and membership of a model group to its dependent groups.  Whenever you synchronize groups within an association, the existing permissions and/or membership of dependent groups are overwritten with those of the model group.

NOTE:  Synchronization is a one-way process (that is, model to dependents only).  Although changes to model groups are not automatically propagated to dependent groups, you can schedule a synchronization to run on a regular basis to ensure that model and dependent groups remain in sync.  You can choose to synchronize the permissions of the model group only, the group's membership only, or both permissions and membership.

In a multi-farm environment, SharePoint groups can be managed for a single farm; either the home farm or a remote farm.

To access the Manage SharePoint Groups workspace:

From the farm or Web Application level of the SharePoint Hierarchy, choose Automation > Manage SharePoint Groups.  

Group Management

The top grid lists all existing associations with the following information:

·the Association Name

·a link that enables you to Edit the Association Name.

·the model Group Name

·the Group Description (as specified in SharePoint Group Settings page)

·the Site Name and Site URL where the model group resides

·Permissions associated with the group

·the # of Users with Permissions for the group

·a Details link that lets you open the SharePoint People and Groups page for the model group.

When you select a group in the top grid, the bottom grid lists all of the dependent groups in the association, along with the following information:

·the dependent Group Name

·the Site Name and Site URL where the dependent group resides

·the Adoption Date (that is, the date the dependent group was added to the association)

·a View Details link that lets you open the SharePoint People and Groups page for the dependent group.

Now you can:

·Associate a SharePoint Group from One Site with Other Sites

·Maintain SharePoint Group Associations

·Dissolve Group Associations and/or Delete SharePoint Groups.

 

Associating a SharePoint Group from One Site with Other Sites

Factors to Consider Before Associating Groups

·A group can be a member of only one association; either as a model or a dependent.

·A dependent group cannot be created on a site that inherits permissions from its parent.

·If the permission level of the model group does not exist in the target site collection, it will be created there.  

·If the owner of the model group is either a valid "user" or a SharePoint group that exists in the target site collection, that user or group will become the owner of the dependent group.  If the owner is not a valid user (for example, a SharePoint group or built-in account such as SharePoint\system or NT AUTHORITY\authenticated users) or is a SharePoint group that does not exist in the target site collection, the user requesting the action will become the owner of the dependent group.

EXCEPTION:  If the dependent group already exists in the target location (that is, you are not creating a new group), group ownership will remain unchanged.

To create a new association:

1. From the Group Management workspace, click [Create New Association] to display the model group picker.

NOTE:  By default, the left side of the picker includes Web Applications within the selected scope.  You can, however, check the Expand Scope box to include all Web Applications within the farm.

2. Use the information in the table below to determine the appropriate action to take.

If you want to ...: use an existing group as the model

Then ...: select the group that you want to use as a model from the left pane and move it to the right pane.

NOTE:  You cannot select a group that already belongs to an association (either as a model or a dependent).

If you want to ...: create a new group to use as a model

Then ...:

a. Select the site within which you want to create the model group in the left pane.

b. Click [Create New SP Group].

c. Complete the appropriate fields on the SharePoint New Group page.

d. Click [Create] to close the page.

The group you just created will now be available for selection in the model group picker.

3. Click [Create Association].

The model group displays in the grid at the top of the workspace with the following information:

§ Association Name (This is, by default, the name of the model group.  You can, however, click the Edit link and specify a different name.)

§ Group Name and Group Description (as specified on the SharePoint Group Settings page)

§ Site Name and Site URL

§ Permissions level(s)

§ # Users in the group.

To open the SharePoint People and Groups page for the group, click the View link in the Details column.

4. Scroll to the bottom of the workspace.

5. Click [Adopt New Dependents] to display the dependent group picker.

6. Use the information in the following table to determine the appropriate action to take.

NOTE: By default, the left side of the picker includes Web Applications within the selected scope.  You can, however, check the Expand Scope box to include all Web Applications within the farm.   If you want to associate a dependent group in a newly-created site, it may take several minutes for the site to appear in the picker.

If you want to ...: associate one or more existing groups with the model group

NOTE:  When you choose this option, the name and owner of the dependent group will remain the same, but the membership and permissions will be overwritten with those of the model group.

Then ...: select the group(s) from the left pane and move them to the right pane.

If you want to ...: create a new group to associate with the model group

NOTE:  When you choose this option, the name, membership, and permissions of the dependent group will be the same as those of the model group.

Then ...: select the site within which you want to create the dependent group and move it to the right pane.

7. Click [Apply].

By default, both group membership and permissions are synchronized. However, if you want to synchronize only permissions or membership, uncheck the other option.

Now you can either:

·synchronize model and dependent group(s) immediately (by clicking [Synchronize])

OR

·complete the Schedule Synchronization section and schedule the synchronization to run at a later time or on a recurring basis.

TIP:  Schedule the synchronization to run on a recurring basis if you want to ensure that groups remain in sync.

Maintaining SharePoint Group Associations

Synchronizing Associated SharePoint Groups

When you create a new association, the membership and site-level permissions associated with the model group are copied to the dependent group(s) as part of the operation.  To copy future changes to group membership or permissions, you must synchronize the model group with its dependents.  

TIP:  You can run a synchronization on a regular schedule, to ensure that groups remain in sync.

Synchronization applies to an entire association (that is, any changes to the model group will be propagated to all dependents in the association).  Keep in mind that, when you synchronize an association, any changes that have been made directly to a dependent group will be overwritten.

To synchronize associated groups:

1. In the Group Management workspace, highlight the model group (in the top grid) whose dependents you want to synchronize.

2. Either

§ synchronize groups immediately, by clicking the [Synchronize] button

OR

§ schedule the synchronization to run at a later time and/or on a regular schedule.

NOTE:  You can only synchronize (or schedule a synchronization for) one association at a time, and you cannot schedule a synchronization for a newly-created site until Discovery has been run.
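
The overwrite behavior described in this section, as an added example that is not ControlPoint code: a small Python model that previews what a one-way synchronization would change in each dependent group, including the grants on objects with unique permissions that the synchronization leaves alone. The Group class, the function names, the URLs and the user names are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    site_url: str
    members: set
    site_permissions: set            # permission levels held at site level
    unique_scopes: dict = field(default_factory=dict)  # list/folder/item URL -> levels

def preview_sync(model, dependents, membership=True, permissions=True):
    """Report what a one-way (model -> dependent) synchronization would overwrite."""
    report = {}
    for dep in dependents:
        entry = {}
        if membership:
            # Users added directly to a dependent group are lost on sync.
            entry["members_removed"] = sorted(dep.members - model.members)
            entry["members_added"] = sorted(model.members - dep.members)
        if permissions:
            entry["levels_removed"] = sorted(dep.site_permissions - model.site_permissions)
            entry["levels_added"] = sorted(model.site_permissions - dep.site_permissions)
            # Lists, folders and items with unique permissions keep their grants.
            entry["untouched_unique_scopes"] = sorted(dep.unique_scopes)
        report[dep.site_url] = entry
    return report

def synchronize(model, dependents, membership=True, permissions=True):
    """Apply the overwrite to the in-memory model only."""
    for dep in dependents:
        if membership:
            dep.members = set(model.members)
        if permissions:
            dep.site_permissions = set(model.site_permissions)
        # dep.unique_scopes is deliberately not modified.

# Constructed sample data (hypothetical sites and users).
MODEL = Group("https://sp.example/sites/hr", {"alice", "bob"}, {"Contribute"})
DEPENDENTS = [
    Group("https://sp.example/sites/hr-emea", {"alice", "mallory"}, {"Full Control"},
          {"https://sp.example/sites/hr-emea/Payroll": {"Full Control"}}),
    Group("https://sp.example/sites/hr-apac", {"alice", "bob"}, {"Contribute"}),
]

if __name__ == "__main__":
    for site, changes in preview_sync(MODEL, DEPENDENTS).items():
        print(site, changes)
```

Entries under untouched_unique_scopes are the places to review by hand after a synchronization, since the group's permissions there are not brought in line with the model group.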

 
