Deleting User Permissions
Delete User Permissions is a ControlPoint action that lets you delete SharePoint user permissions from one or more site collections/sites. You can also choose whether to:
·delete the user's entry from the selected site(s) (so that they no longer appear in the site's All People list)
·delete alerts associated with the user
·delete the user's My Site site collection, and/or
·reassign a user's permissions to one or more target users before performing the deletion
EXCEPTION: You cannot reassign Site Collection Administrator privileges using this action.
NOTE: This action does not remove users from any Web application policies, workflows that may be in effect, or Active Directory.
If a wildcard is used to select users, at the time you attempt to run, schedule, or save the operation a pop-up dialog will display, warning that you may be running the operation on a large number of Active Directory users and groups.
If you want to back up all permissions for the selected site(s) before running, saving, or scheduling the operation and have not already elected to do so, click [Cancel] to cancel the operation and check the Backup site permissions before operation box. To dismiss the dialog and run, schedule, or save the operation, click [OK].
CAUTION: Deleting Users from SharePoint Groups
The Delete User Permissions action will remove the selected user(s) from SharePoint groups in which they are listed as a member. Because groups are defined at the site collection level and may be used anywhere in the site collection, if you are performing the action on one or more individual sites that includes groups that are used elsewhere in the site collection, the user(s) will lose permissions on unselected sites within the collection as well.
NOTE: This action does not remove users from Active Directory groups. Therefore, if a user is granted permissions via an Active Directory group, those permissions will not be impacted.
Deleting Permissions from Lists, Folders, or Items with Unique Permissions
When user permissions are added to a list, folder, or item that has unique permissions, SharePoint automatically creates an entry for the user on its first non-inherited parent object and assigns a permissions level of Limited. This entry will be deleted only if that parent object is included in the scope of the action. If the parent object is not included in the scope, the following message will display in the Task Audit:
User [user_name] permissions cannot be removed from [object_type] [object_name]. Go to the first non-inheriting parent [object_type] to remove this permission.
To delete the permissions of one or more users:
1Select the object(s) from which you want to delete permissions.
2Choose Users and Security > Delete User Permissions.
3For Delete All Permissions for User(s), select the user whose permissions you want to delete.
NOTE: Delete User Permissions is one of the ControlPoint actions that can be performed on unvalidated users. (For example, you can delete the SharePoint permissions of a user that you know has been removed from Active Directory or alternate authentication provider database.) However, any individual user(s) entered into the Reassign Deleted Permissions to People Picker must be validated.
4Specify the remaining parameters as appropriate. Use the information in the table below for guidance.
|
If you want to ... |
Then ... |
|---|---|
|
remove the user(s) from the site collection's People and Group list |
check the Delete User Entries from the Site Collection box .(If you leave this box unchecked, permissions will be deleted but user entries will remain in the People and Groups list). NOTES: ·The action will not be carried out for explicitly-selected objects that have unique permissions, as removing a user from the People and Group list will, by extension, also delete any other permissions the user might have within that site collection. ·If a user was granted permissions only through an Active Directory group, that user may have an "invisible entry" in the site collection's People and Group list. This action will remove that entry. ·If the Delete direct permissions only is selected, this option becomes disabled. The removal of a user from the site collection would remove all of that user's permissions, including those granted through membership in SharePoint groups. |
|
remove only direct permissions and retain permissions granted through SharePoint group membership |
check the Delete direct permissions only (Leave group permissions intact) box. NOTE: If Delete User Entries from the Site Collection is selected, this option becomes disabled. Removal of a user from the site collection would remove all of that user's permissions, including those granted through membership in SharePoint groups. |
|
reassign the permissions of the user(s) to be deleted to one or more other users |
a.Check the Reassign Deleted Permissions to box. b.Select the user(s) to whom you want to copy the permissions. NOTE: If you entered the name of more than one user in the Delete Users field, the permissions of every one of those users (if different) will be reassigned to the target user. |
|
delete SharePoint alerts that have been set for the user(s) |
check the Delete Alerts box. |
|
delete the user My Site site collection(s) |
check the Delete My Sites box. |
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·complete the Enforce Policy section and schedule the operation to run at a later time.
OR
·save the operation as XML Instructions that can be run at a later time.
If you chose the Run Now, option, after the operation has been processed:
·a confirmation message displays at the top of the page, and
·a ControlPoint Task Audit is generated for the operation and displays in the Results section.
If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.
See also The ControlPoint Task Audit.
NOTE: If you chose to reassign permissions, the delete action will not be carried out unless the permissions are successfully reassigned.
Duplicating a User's Permissions
Duplicate User Permissions is a ControlPoint action that lets you copy the permissions of one SharePoint user to one or more others. Permissions can be copied for multiple site collections in a farm or Web application, or for individual site collections and sites.
EXCEPTIONS:
·You cannot duplicate Site Collection Administrator privileges using this action. You also cannot duplicate permissions that were granted via an Active Directory group (as an alternative, you can simply add the new user(s) to the Active Directory group).
·At a list-level scope, you cannot duplicate user permissions to a member of a SharePoint group.
All of a user's permissions for a site collection, including any unique permissions for sites, lists, and libraries, and items are copied. Any Web Application policy permissions are not copied, however.
NOTE: If your ultimate goal is to delete a user after copying his or her permissions to another user (for example, if the user is leaving the department or company and is being replaced by someone else), you can do so as part of the procedure for Deleting User Permissions.
In a multi-farm environment, a user's permissions can be duplicated across multiple farms.
If a wildcard is used to select users, at the time you attempt to run, schedule, or save the operation a pop-up dialog will display, warning that you may be running the operation on a large number of Active Directory users and groups.
If you want to back up all permissions for the selected site(s) before running, saving, or scheduling the operation and have not already elected to do so, click [Cancel] to cancel the operation and check the Backup site permissions before operation box. To dismiss the dialog and run, schedule, or save the operation, click [OK].
To duplicate a user's permissions:
1Select the site(s) for which you want to duplicate permissions.
2Choose Users and Security > Duplicate User Permissions.
3Complete the Parameters section as follows:
a)For Model User Name, select the user(s) whose permissions you want to duplicate.
NOTE: Make sure that the permissions of the user you want to use as the model are appropriate for the target user(s). Remember that you can review the permissions of the model before continuing. If you entered the name of more than model user, the permissions of every one of those users (if different) will be assigned to the target user(s).
b)For Duplicate Permissions To, select the target user(s).
c)If you want permissions of the model user(s) to replace those of the target user(s), check the Delete existing permissions from target box.
NOTE: If you leave this box unchecked, model user permissions will be added to any existing permissions.
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·complete the Enforce Policy section and schedule the operation to run at a later time.
OR
·save the operation as XML Instructions that can be run at a later time.
If you chose the Run Now, option, after the operation has been processed:
·a confirmation message displays at the top of the page, and
·a ControlPoint Task Audit is generated for the operation and displays in the Results section.
If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.
See also The ControlPoint Task Audit.
Duplicating a Permissions Level
The Duplicate Permissions Levels action lets you copy a SharePoint permissions level as it is defined for a selected site collection or site to one or more other site collections and/or sites. For target sites that inherit permissions levels, you can choose whether to copy the permissions level to the root site, skip any sites whose permissions level are inherited, or break inheritance and apply the permissions level from the source site. You can also choose whether or not to override a permissions level of the same name on a target site.
To duplicate a permissions level:
1Select the site collection or site whose permissions level you want to duplicate.
NOTE: Unlike many other ControlPoint operationswhich are initiated for target objects (that is, objects that you want to act on)you initiate the Duplicate List Properties operation by selecting the source list (that is, the list you want to copy from).
2Choose Users and Security > Duplicate Permission Levels.
3From the Selection panel, select the site collection(s) and/or sites to which you want to copy the permissions level, then click [Apply].
4From the Select Permissions Level drop-down, select the permissions level you want to duplicate.
If you want to open the SharePoint Permissions Level Page, where you can view and edit permissions level for the source site, click the View Permissions Levels link.
5Use the information in the following table to determine the appropriate If target is inheriting permissions levels: selection.
|
If you want to ... |
Select ... |
|---|---|
|
add the permissions level to the root site of each site collection within the selected scope (and by extension, to all subsites that inherit from it ) |
Add Permission Level to Root Site. |
|
break permissions level inheritance of all sites within the selected scope that have inherited permissions and add the permissions level to each of those sites |
Break Inheritance (of permissions and levels). |
|
skip the action for any sites that inherit permissions |
Do Not Break Inheritance (Skip Action). |
6If you want to skip sites for which a permissions level with the same name already exists, uncheck the Override Permissions Level Definition box.
If you leave this box checked and ControlPoint encounters a permissions level with the same name, it will be overwritten with the permissions level definition from the source site.
TIP: If you leave the Override Permission Level Definition box checked, you may also want to schedule the action to run on a recurring basis to ensure that any changes to the permissions level definition on the source site will be applied to the target site(s).
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·complete the Enforce Policy section and schedule the operation to run at a later time.
OR
·save the operation as XML Instructions that can be run at a later time.
If you chose the Run Now, option, after the operation has been processed:
·a confirmation message displays at the top of the page, and
·a ControlPoint Task Audit is generated for the operation and displays in the Results section.
If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.
See also The ControlPoint Task Audit.
Cleaning Up User Permissions
The Clean-up Permissions action lets you analyze the permissions of individual users within site collections and identify SharePoint Groups and/or Active Directory groups with matching permissions.
If you have chosen to include SharePoint groups in the action, you then have the option of moving users with direct permissions into SharePoint groups with matching permissions in accordance with SharePoint best practices. (Because Active Directory groups are managed independent of SharePoint, you cannot use this action to add users to Active Directory groups.)
Before cleaning up permissions, it is recommended that you run a User to Group Analysis for more detailed information about a user's direct permissions and the permissions of comparable SharePoint groups.
NOTE: You can initiate a Clean-Up Permissions action from the site collection level of the SharePoint Hierarchy only. However, you can include multiple site collections in your selection.
To clean up user permissions:
1Select the site collection(s) for which you want to clean up permissions.
2Choose Automation > Clean-up User Permissions.
3Select the user(s) whose permissions you want to clean up.
4If different from the default (Include SharePoint Groups only), check/uncheck the appropriate option(s) to Include Active Directory Groups only or both Include SharePoint and Include Active Directory Groups.
NOTE: At least one of these options must be checked.
5Click [Get Permissions].
NOTE: Retrieving permissions is a resource-intensive process. Depending on the scope and number of users you have selected, the operation may take a long time to complete. If you want to cancel the operation, click [Cancel Get Permissions].
The following information is returned for each site collection and user within the scope of your analysis:
·the user's login name and the number of unique (non-inherited) Direct Permissions they currently have, and
·a list of SharePoint and/or Active Directory groups that are candidates for adding the user tothat is, they have the same permissions or fewer
·the number of Matching Permissions between the user and group.
Note that, if the user is already a member of a group with matching permissions, a check mark will display in the Group Member column.
To replace a user's direct permissions with membership in a SharePoint group with comparable permissions:
Check the Add to Group box to the left of the SharePoint group to which you want to add the user.
NOTES:
·If the user is already a member of the selected group, the action will delete the direct permissions and retain his/her membership in that group. Otherwise, the action will add the user to the selected group and delete his/her direct permissions.
· If you chose to include Active Directory groups, the action identifiesbut does not allow you to add tomatching groups. (If matching Active Directory groups are found, the Add to Group checkbox will be absent.)
Note that when you check an Add to Group box, the Direct Perms Left count is decreased by the number of matching permissions, and those permissions are added to the Selected Permissions column.
NOTE: If the number of direct permissions that a user has is greater than the number of permissions for the matching group, you may want to create a new SharePoint group for the remaining permissions after completing the cleanup operation. The ControlPoint User to Group Analysis.
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·schedule the operation to run at a later time or on a recurring basis.
OR
·save the operation as XML Instructions that can be run at a later time.
If you chose the Run Now, option, after the operation has been processed:
·a confirmation message displays at the top of the page, and
·a ControlPoint Task Audit is generated for the operation and displays in the Results section.
If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.
See also The ControlPoint Task Audit.