Chat now with support
Chat with Support

ControlPoint 8.9 - User Guide

Preface Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects Using ControlPoint Policies to Control Your SharePoint Environment Managing SharePoint User Permissions Data Analysis and Reporting
Specifying Parameters for Your Analysis Analysis Results Display Generating a SharePoint Summary Report Analyzing Activity Analyzing Object Properties Analyzing Storage Analyzing Content Generating a SharePoint Hierarchy Report Analyzing Trends Auditing Activities and Changes in Your SharePoint Environment Analyzing SharePoint Alerts Analyzing ControlPoint Policies Analyzing Users and Permissions The ControlPoint Task Audit Viewing Logged Errors
Scheduling a ControlPoint Operation Saving, Modifying and Running Instructions for a ControlPoint Operation Using the ControlPoint Governance Policy Manager Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity Provisioning SharePoint Site Collections and Sites Default Menu Options for ControlPoint Users About Us

Cleaning Up User Permissions

The Clean-up Permissions action lets you analyze the permissions of individual users within site collections and identify SharePoint Groups and/or Active Directory groups with matching permissions.

If you have chosen to include SharePoint groups in the action, you then have the option of moving users with direct permissions into SharePoint groups with matching permissions in accordance with SharePoint best practices.  (Because Active Directory groups are managed independent of SharePoint, you cannot use this action to add users to Active Directory groups.)

Before cleaning up permissions, it is recommended that you run a User to Group Analysis for more detailed information about a user's direct permissions and the permissions of comparable SharePoint groups.

NOTE:  You can initiate a Clean-Up Permissions action from the site collection level of the SharePoint Hierarchy only.  However, you can include multiple site collections in your selection.

To clean up user permissions:

1Select the site collection(s) for which you want to clean up permissions.

2Choose Automation > Clean-up User Permissions.

Clean Up Permissions

3Select the user(s) whose permissions you want to clean up.

4If different from the default (Include SharePoint Groups only), check/uncheck the appropriate option(s) to Include Active Directory Groups only or both Include SharePoint  and Include Active Directory Groups.

NOTE:  At least one of these options must be checked.

5Click [Get Permissions].

NOTE:  Retrieving permissions is a resource-intensive process.  Depending on the scope and number of users you have selected, the operation may take a long time to complete.  If you want to cancel the operation, click [Cancel Get Permissions].

The following information is returned for each site collection and user within the scope of your analysis:

·the user's login name and the number of unique (non-inherited) Direct Permissions they currently have, and

·a list of SharePoint and/or Active Directory groups that are candidates for adding the user to—that is, they have the same permissions or fewer

·the number of Matching Permissions between the user and group.

Note that, if the user is already a member of a group with matching permissions, a check mark will display in the Group Member column.

Clean Up Permissions ALREADY MEMBER

To replace a user's direct permissions with membership in a SharePoint group with comparable permissions:

Check the Add to Group box to the left of the SharePoint group to which you want to add the user.

NOTES:  

·If the user is already a member of the selected group, the action will delete the direct permissions and retain his/her membership in that group.  Otherwise, the action will add the user to the selected group and delete his/her direct permissions.

· If you chose to include Active Directory groups, the action identifies—but does not allow you to add to—matching groups.  (If matching Active Directory groups are found, the Add to Group checkbox will be absent.)

Note that when you check an Add to Group box, the Direct Perms Left count is decreased by the number of matching permissions, and those permissions are added to the Selected Permissions column.

NOTE:  If the number of direct permissions that a user has is greater than the number of permissions for the matching group, you may want to create a new SharePoint group for the remaining permissions after completing the cleanup operation.  The ControlPoint User to Group Analysis.

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be run at a later time.

If you chose the Run Now, option, after the operation has been processed:

·a confirmation message displays at the top of the page, and

·a ControlPoint Task Audit is generated for the operation and displays in the Results section.

If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.

See also The ControlPoint Task Audit.

 

Duplicating a Permissions Level

The Duplicate Permissions Levels action lets you copy a SharePoint permissions level as it is defined for a selected site collection or site to one or more other site collections and/or sites.  For  target sites that inherit permissions levels, you can choose whether to copy the permissions level to the root site, skip any sites whose permissions level are inherited, or break inheritance and apply the permissions level from the source site.  You can also choose whether or not to override a permissions level of the same name on a target site.

To duplicate a permissions level:

1Select the site collection or site whose permissions level you want to duplicate.

NOTE:  Unlike many other ControlPoint operations—which are initiated for target objects (that is, objects that you want to act on)—you initiate the Duplicate List Properties operation by selecting the source list (that is, the list you want to copy from).

2Choose Users and Security > Duplicate Permission Levels.

3From the Selection panel, select the site collection(s) and/or sites to which you want to copy the permissions level, then click [Apply].

Duplicate Permissions Level SELECT

4From the Select Permissions Level drop-down, select the permissions level you want to duplicate.

Duplicate Permissions Level LIST

If you want to open the SharePoint Permissions Level Page, where you can view and edit permissions level for the source site, click the View Permissions Levels link.

5Use the information in the following table to determine the appropriate If target is inheriting permissions levels: selection.

If you want to ...

Select ...

add the permissions level to the root site of each site collection within the selected scope (and by extension, to all subsites that inherit from it )

Add Permission Level to Root Site.

break permissions level inheritance of all sites within the selected scope that have inherited permissions and add the permissions level to each of those sites

Break Inheritance (of permissions and levels).

skip the action for any sites that inherit permissions

Do Not Break Inheritance (Skip Action).

6If you want to skip sites for which a permissions level with the same name already exists, uncheck the Override Permissions Level Definition box.

If you leave this box checked and ControlPoint encounters a permissions level with the same name, it will be overwritten with the permissions level definition from the source site.

TIP:  If you leave the Override Permission Level Definition box checked, you may also want to schedule the action to run on a recurring basis to ensure that any changes to the permissions level definition on the source site will be applied to the target site(s).

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·complete the Enforce Policy section and schedule the operation to run at a later time.

OR

·save the operation as XML Instructions that can be run at a later time.

If you chose the Run Now, option, after the operation has been processed:

·a confirmation message displays at the top of the page, and

·a ControlPoint Task Audit is generated for the operation and displays in the Results section.

If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.

See also The ControlPoint Task Audit.

Adding Users to SharePoint Groups

Add Users to SharePoint Groups is a ControlPoint action that enables you to add one or more users to existing SharePoint groups.

In a multi-farm environment, users can be added to SharePoint groups on a single farm; either the home farm or a remote farm.

Adding Multiple Users to SharePoint Groups Using a Wildcard

If a wildcard is used to select users, at the time you attempt to run, schedule, or save the operation a pop-up dialog will display, warning that you may be running the operation on a large number of Active Directory users and groups.  

Wildcard BACKUP SITE PERMS

If you want to back up all permissions for the selected site(s) before running, saving, or scheduling the operation and have not already elected to do so, click [Cancel] to cancel the operation and check the Backup site permissions before operation box.  To dismiss the dialog and run, schedule, or save the operation, click [OK].

Because the action requires an Active Directory lookup, a full domain name must be specified in the People Picker (that is, a wildcard cannot be used in place of the domain name or any part of it).  For example, axcelertest\* is supported, but *\marktwain is not.  It also means that alternate authentication methods (that is, other than Active Directory) are not supported.

To add users to SharePoint groups:

1Select the object(s) for which you want to add users to groups.

2Choose Users and Security > Add User to SharePoint Group.

3Select the SharePoint group(s) to which you want to add users as follows:

a)From the Available Items list, select the group(s) to which you want users and move them to the Selected Items list.

Note that all groups defined for the entire site collection display beneath the root site. Groups with unique permissions also display beneath the site granting those permissions. By default, groups will display in this list if they have been assigned at least one permissions level.  ControlPoint Application Administrators can, however, configure ControlPoint to display groups that do not have an associated permissions level.  Details can be found in the ControlPoint Administration Guide.

Add User to Groups CUSTOMIZE

b)When you have finished adding groups to the Selected Items list, click [Apply].

4In the Parameters section Choose User(s) field, select the user(s) that you want to add to the group(s).

Select Users

5If you want to remove any user direct permissions from objects for which the selected group has permissions, check the Remove matching direct permissions box.

NOTE:  Direct permissions for any objects within the scope of the action for which the selected SharePoint group does not have permissions will be retained.

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·complete the Enforce Policy section and schedule the operation to run at a later time.

OR

·save the operation as XML Instructions that can be run at a later time.

If you chose the Run Now, option, after the operation has been processed:

·a confirmation message displays at the top of the page, and

·a ControlPoint Task Audit is generated for the operation and displays in the Results section.

If you schedule the operation, a link to the Task Audit is included in the scheduled action notification email.

See also The ControlPoint Task Audit.

 

Setting SharePoint Group Permissions

The Set SharePoint Group Permissions action lets you assign a permissions level to one or more SharePoint groups within a single site collection or site.

By default, only groups that have existing permissions within the site collection can be selected.  In that case, the action adds to the existing permissions (it does not replace them).  ControlPoint Application Administrators can, however, choose to display―and allow the selection of―groups that exist in the site collection but do not have permissions to the object.  See the ControlPoint Administration Guide for details on changing the ControlPoint Setting “Show SharePoint Groups with No Permissions in Hierarchy.”

In a multi-farm environment, SharePoint group permissions can be set on a single farm; either the home farm or a remote farm.

This feature is not available at the farm scope.

To set SharePoint Group Permissions

1Select the site collection or site whose SharePoint group permissions you want to set.

2Choose Users and Security > Set SharePoint Group Permissions.

Set SP Group Permissions

3Select the group(s) to which you want to add permissions as follows:

a)From the Available Items list, select the group(s) to which you want to set permissions and move them to the Selected Items list.

Note that all groups defined for the entire site collection that have at least one associated permissions level display beneath the root site.  Groups with unique permissions also display beneath the site granting those permissions.  Any group that does not have at least one associated permissions level for the site collection or site will not display in the list.

TIP:  If your Available Items list is particularly long, you may find it useful to narrow the scope by searching based on Group name, site Name, and/or site URL) and searching for the group.  For example, if you want to narrow your scope to all group owners, enter "owner" in the Group field.

b)Click [Apply].

4From the Permission Level drop-down, select the permissions level you want to add to the group.

REMINDER:  This action will add to, but will not replace, an existing permissions level.

Set SP Group Permissions

NOTE:  All custom permissions levels that are currently assigned to at least one user within the scope of your selection display in the drop-down.  (In a multi-farm environment, this list is populated from the permissions of the home farm.)  If you want to assign a custom permissions level that has been defined for a site collection but either is not currently in use or exists only on a remote farm, you can type it into the drop-down.

5If your selection includes one or more sites and you want the permissions to be applied to all lists within the site(s) that have unique permissions, check the Propagate to All Lists with Unique Permissions box.

6If you have checked the Propagate to All Lists with Unique Permissions box and want the permissions to be applied to all items within the list(s) that have unique permissions, check the Propagate to List Items box.

NOTE:  The "Propagate" options do not apply to lists that you selected explicitly.  If you want to include items within explicitly-selected lists, use the Include Children or Choose option in the Selection panel.  See also Selecting List Items on Which to Perform a ControlPoint Operation.

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·complete the Enforce Policy section and schedule the operation to run at a later time.

OR

·save the operation as XML Instructions that can be run at a later time.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating