Tony Rockwell – Info

sharepoinTony@info – Cloud Computing adventures

Archive for May, 2009

“User Manager” Custom Permission Level

Posted by sharepoinTony on May 17, 2009

We needed to set up a group that would be allowed to add users to their SharePoint site, but not allowed to make changes to the site.  The default SharePoint “Owners” group provides for Full Control, and the existing Permission Levels provide for Designers etc. to allow you to control who is modifying the look and functionality of the sites.  Nothing exists to let you give people the permissions to add users to their site or to specific SharePoint groups.   Fear Not, SharePoint does provide the means for you to create this functionality…through the creation of a Custom Permission Level.

This is my story of creating such a permission level, shortened  to save your sanity and to save you time.  Follow along if you want to create a new permission level like the one described herein.


Our requirements sound simple: provide the ability for designated users to manage users (specifically, add and remove users from specific SharePoint groups) for specific sites within a large site collection.

  • The users should not be able to grant permissions beyond their own permission set.
  • The users should not be able to modify or create lists, add web parts, or do any other modifications to the site.
  • The users should not be able to create new SharePoint groups.
  • The users should be limited to adding and removing users from designated groups.

Note that this article is focused on creating this permission level for a MOSS 2007 site collection.

Solution Concepts

The initial concept was to create a custom permission level, assign the user that permission level and taadaa task complete.  Not so fast. When we assign the permission level directly to the user we get some additional administration maintenance.  So, our solution consists of a few components.  We will need a Custom Permission Level, and a new SharePoint Group.

The concept is that our Permission Level will limit the user to the tasks we designate, and by assigning the permission level to a new Group we make it easy to manage and maintain these users. We also gain the ability to segregate this privilege by site because we can create groups for each site and grant these permissions to that site only. Additionally, we want to control which groups the user can add people to or remove people from, and that is fairly easily done with a group, as you will see.

In our situation, we realized that the folks who would be getting this new permission level would also have Contribute rights to the site.  That being the case, I wanted my custom permission level to contain the permissions associated with standard Contribute and just add the ability to add/remove users.

Creating the Custom Permission Level

There is plenty of help out there that walks you through creating a custom permission level.  The tough part of this assignment is figuring out what permissions you give to this customized permission level.  The pitfall is that you DO NOT want to give “Manage Permissions” or else you will be enabling those folks to hand out Full Control permissions to themselves and their buddies.  The key to this is providing Enumerate Permissions.

I suggest the following steps to create this new Permission Level:

  1. Go to Site Settings > Advanced Permissions > Settings > Permission Levels
  2. Select Contribute, scroll to the bottom
  3. Click on the “Copy Permission Level” button
  4. Name your Custom Permission Level – I will call it “User Manager” for this article
  5. I suggest filling out the Description with something like “Contribute and Enumerate Permissions” or whatever will make sense for your environment
  6. Scroll down to the Site Permissions section, find and check the check box for Enumerate Permissions
  7. In our environment we removed the check from the Use Self-Service Site Creation check box because we didn’t want that for our users.  Make any other permissions adjustments that make sense for your scenario and environment
  8. Click on the “Create” button

Custom Permission Level

As you can see, I added View Usage Data and Manage Alerts because we wanted our User Managers to have those abilities. Notice that Browse User Information and Browse Directories are also checked. Your User Managers will need those two items as well.

Now you should see this new Permission Level on the Permission Levels screen.  Hurray, part one done.

Creating a new SharePoint Group

In our scenario we want to assign the new User Manager Permission Level to a SharePoint Group. Since I want to be able to segregate which users will have these permissions for which sites, I actually created a SharePoint Group for each site in our site collection where this would be used. You will have to map out how you need to use this and go forward based on that. For the sake of this article, I will only walk through adding one group. This stuff should be pretty familiar to you if you have done any security administration for your SharePoint sites.

  1. Navigate to your Site Settings > Advanced Permissions > Settings
  2. This time select New Group from the New menu in the Site Permissions screen
  3. Name your group – I named mine “site-name User Managers” where site-name is the name of the site where this group will have authority
  4. For About Me, I suggest a description something like “This group has User Manager permissions to add and remove users on the site-name site”
  5. Scroll down and select your new custom permission level “User Manager” in the Give Group Permissions to this Site section
  6. Click Create

You can choose to add users now to this group or do it later.  By default you will be added as a member of this group.  I like to remove myself from the SharePoint groups that I create simply because I don’t need to be in all of these groups and I feel it is a “clean” way to manage groups.  Part two done.

Adjusting Group Ownership

Now that we have a SharePoint Group with the User Manager Permission Level, we can use it to control which Groups can be “managed” by that group. Sound confusing? Hopefully that won’t be the case as we walk through these steps. First, take a look at the Groups in your site and decide which groups you want your User Managers to be able to add users to and remove users from. I didn’t want them adding users to the “Owners” Group, but I do want them to add/remove users in the “Visitors” and “Members” Groups, for example. Here are the steps you should take, repeating them for each Group that you want the User Managers to manage.

  1. Click on Groups in the Quick Launch
  2. Click on the Edit icon next to a Group you want the User Managers to manage (“Site Members” for example)
  3. In the Change Group Settings screen, go to the Owner section and delete the owner that is listed
  4. Enter the SharePoint Group you created for this site in the previous steps. In this example it is site-name User Managers
  5. Scroll down and click on the OK button
  6. Repeat for each site Group you want managed by the site-name User Managers

By making this Group the owner of the Members group, SharePoint will allow the members of the site-name User Managers group to add users to and remove users from that group. Part three done.
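The three parts above can also be scripted against the SharePoint object model. This is an added example, not the author's code; the site URL and the Members/Visitors group names are placeholders, and it assumes PowerShell 2.0 or later on a MOSS 2007 server, an English "Contribute" level, permission levels defined at the root web, and a site with unique permissions.

```powershell
# Added example, not the author's code. Run on a MOSS 2007 server as a site
# collection administrator. URL and group names are placeholders (assumptions).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://intranet.example.local/sites/site-name"
$levelName = "User Manager"
$mgrName   = "site-name User Managers"
$mgrAbout  = "This group has User Manager permissions to add and remove users on the site-name site"
$managed   = @("site-name Members", "site-name Visitors")   # deliberately not Owners

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    # Part one: copy Contribute, drop self-service site creation, add the extras.
    # Flags are handled by name; "ManagePermissions" is never in the list.
    $roles = $site.RootWeb.RoleDefinitions   # assumes levels are defined at the root web
    $names = $roles["Contribute"].BasePermissions.ToString().Split(",") |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "CreateSSCSite" }
    $names = @($names) + "EnumeratePermissions", "ViewUsageData", "ManageAlerts",
        "BrowseUserInfo", "BrowseDirectories"

    $role = New-Object Microsoft.SharePoint.SPRoleDefinition
    $role.Name            = $levelName
    $role.Description     = "Contribute and Enumerate Permissions"
    $role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]([string]::Join(", ", $names))
    $roles.Add($role)

    # Part two: new group bound to the level on this site (assumes the site has
    # unique permissions). A $null default user leaves the creator out of the group.
    $web.SiteGroups.Add($mgrName, $web.CurrentUser, $null, $mgrAbout)
    $mgr = $web.SiteGroups[$mgrName]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($mgr)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$levelName])
    $web.RoleAssignments.Add($assignment)

    # Part three: make the new group the owner of each group it should manage.
    foreach ($name in $managed) {
        $group = $web.SiteGroups[$name]
        $group.Owner = $mgr
        $group.Update()
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```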

Grand Finale

When you have completed the above steps in all three parts, and have added users to your new SharePoint Group(s) then your work is done.  Almost.  I suggest getting together with one of your users that has been placed into a User Managers group and testing it out.  Have them go to the site they should have permissions to and have them go into Site Actions, Site Settings (or Site Actions, Site Settings, Modify All Site Settings).  They should now see Advanced Permissions under the Users and Permissions section of the page.  When they click Advanced Permissions they will see the Site Permissions page and should have the New menu item above the list.  Have them add a user and remove a user…it is good for you to see them do it and good practice for them to learn how to do that task. Now you are done.
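Alongside the hands-on test, a read-only check can confirm the two properties the design depends on: the custom level does not carry Manage Permissions, and the User Managers group only owns groups that cannot manage permissions themselves. This is an added example, not the author's code; the URL and names are placeholders, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not the author's code. Read-only; URL and names are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://intranet.example.local/sites/site-name"
$levelName = "User Manager"
$mgrName   = "site-name User Managers"

function Get-PermissionNames($mask) {
    # A flags value renders as "A, B, C"; Full Control renders as "FullMask".
    $mask.ToString().Split(",") | ForEach-Object { $_.Trim() }
}
function Test-CanManagePermissions($mask) {
    $n = @(Get-PermissionNames $mask)
    ($n -contains "ManagePermissions") -or ($n -contains "FullMask")
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    # Check 1: the custom level has Enumerate Permissions but not Manage Permissions.
    $level = $web.RoleDefinitions[$levelName]
    if (Test-CanManagePermissions $level.BasePermissions) {
        Write-Warning "'$levelName' includes Manage Permissions"
    }
    if (-not (@(Get-PermissionNames $level.BasePermissions) -contains "EnumeratePermissions")) {
        Write-Warning "'$levelName' is missing Enumerate Permissions"
    }

    # Check 2: every group owned by the User Managers group, and whether membership
    # in that group would hand out rights that include Manage Permissions.
    foreach ($group in $web.SiteGroups) {
        if ($group.Owner.Name -ne $mgrName) { continue }
        $risky = $false
        foreach ($ra in $web.RoleAssignments) {
            if ($ra.Member.ID -ne $group.ID) { continue }
            foreach ($rd in $ra.RoleDefinitionBindings) {
                if (Test-CanManagePermissions $rd.BasePermissions) { $risky = $true }
            }
        }
        "{0,-35} owner={1} grantsManagePermissions={2}" -f $group.Name, $group.Owner.Name, $risky
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Any line ending in `grantsManagePermissions=True` means User Managers can add people to a group that can change permissions, which defeats the first requirement in the list at the top of this post.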


Posted in Permissions, SharePoint 2007

SharePoint maybe it is Jerk

Posted by sharepoinTony on May 5, 2009

After reading about the SharePoint Knights today I felt that I didn’t want to get in the fray. I still don’t, but being the way I am I had to have fun with it all.

So it got me thinking.

Folks like me who are just chugging along working with SharePoint day in and day out have no moniker. I figure things out and try to share before rushing on to the next fire or urgent task. I find all kinds of “undocumented features” which cause problems for our environment…and some kind of work-around that will “do for now” for us.
Where do we fit in?
What is the SharePoint community for the average SharePointer?

We must be SharePoint Jacks, all of us average SharePointers. Remember Simple Jack from the movie Tropic Thunder? That character seems to fit our persona, from the MVPs’ and gurus’ perspective. OK so I am Exaggerating (with the capital E)…hey I said I was having fun! But hey, we don’t get kudos for the valiant effort we do daily. We rarely get recognition for anything. We just work and get as much done as we can…and try really hard to improve things in our little world.

I won’t lump everyone else into this, I am the SharePoint Jack and probably a Jerk for blabbering on about this silly topic that has no real purpose. I guess I just had the thought pop into my head…and had to belch it out. You read it here first.

Posted in Commentary