Although SharePoint provides various permission levels for sites, we strongly recommend using the built-in SharePoint groups for communication sites and managing team site permissions through the associated Microsoft 365 group. This makes administration much easier. For information about managing permissions in the SharePoint modern experience, see Sharing and permissions in the SharePoint modern experience.
Understanding permission levels
The easiest way to work with permissions is to use the default groups and permission levels provided, which cover the most common scenarios. But if you need to, you can set more fine-grained permissions beyond the default levels. This article describes the different permissions and permission levels, how SharePoint groups and permissions work together, and how permissions cascade through a site collection.
Note:
Want to go straight to the steps for changing or setting permission levels? See How to create and edit permission levels.
Overview and permission inheritance
If you work on a site, you are working inside a site collection. Every site exists in a site collection, which is a group of sites under a single top-level site. The top-level site is called the root site of the site collection.
The following illustration of a site collection shows a simple hierarchy of sites, lists, and list items. The permission scopes are numbered, starting at the broadest level at which permissions can be set and ending at the narrowest level (a single item in a list).
Graphic showing the SharePoint security scopes for sites, subsites, lists, and items.
Inheritance
An important concept to understand is permission inheritance. By design, all sites and site content in a collection inherit the permission settings of the root, or top-level, site. When you assign unique permissions to sites, libraries, and items, those items no longer inherit permissions from their parent site. Here is more information about how permissions work within the hierarchy:
- A site collection administrator configures permissions for the top-level, or root, site for the whole site collection.
- If you are a site owner, you can change the permission settings for the site, which stops permission inheritance for the site.
- Lists and libraries inherit permissions from the site to which they belong. If you are a site owner, you can stop permission inheritance and change the permission settings for a list or library.
- List items and library files inherit permissions from their parent list or library. If you have control of a list or library, you can stop permission inheritance and change the permission settings directly for a specific item.
It is important to know that a user can break the default permission inheritance of a list or library item by sharing a document or item with someone who does not have access. In that case, SharePoint automatically stops inheritance on the document.
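A toy model of the inheritance chain described above (root site, site, list, item) and of what sharing a single item does to it; this is an added example, not code from the page or from Microsoft. The permission level names are the page's; the assumption that breaking inheritance starts from a copy of the parent's assignments is this model's, and the principal names are constructed.

```python
# Added example (not from the page or Microsoft): a toy model of the chain
# root site -> site -> list -> item, and of what sharing a single item does.
# Level names are the page's; copying the parent's assignments when
# inheritance is broken is an assumption of this model.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Securable:
    parent: Optional["Securable"] = None
    # None = inherits from parent; a dict = unique permissions
    # (principal name -> permission level).
    assignments: Optional[dict] = None

    def effective(self) -> dict:
        node = self                      # walk up to the nearest unique scope
        while node.assignments is None:
            node = node.parent
        return node.assignments

    def break_inheritance(self) -> None:
        if self.assignments is None:
            self.assignments = dict(self.effective())   # assumption: copy

def level_for(obj: Securable, principal: str) -> Optional[str]:
    """Effective level of a principal on obj, or None if unassigned."""
    return obj.effective().get(principal)

def can_open(obj: Securable, principal: str) -> bool:
    # Limited Access lets a user browse to the shared item only; it grants
    # no right to open other content, so it counts as no access here.
    return level_for(obj, principal) not in (None, "Limited Access")

def share_item(item: Securable, principal: str, level: str) -> None:
    """Share one item: stop inheritance on the item, grant the level there,
    and add Limited Access at each ancestor holding unique permissions."""
    item.break_inheritance()
    item.assignments[principal] = level
    node = item.parent
    while node is not None:
        if node.assignments is not None:
            node.assignments.setdefault(principal, "Limited Access")
        node = node.parent
```

Sharing one file with an outside user gives that user Read on the file, Limited Access on the containing list and site, and nothing on sibling files; a later break of inheritance on the list does not reach the file that already holds its own copy.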
Default permission levels
Default permission levels let you quickly and easily provide common levels of permissions to one user or a group of users.
You can change any of the default permission levels except Full Control and Limited Access, both of which are described in more detail in the following table.
Permission Level | Description |
---|---|
Full Control | Contains all available SharePoint permissions. By default, this permission level is assigned to the Owners group. It can't be customized or deleted. |
Design | Create lists and document libraries, edit pages and apply themes, borders, and style sheets on the site. There is no SharePoint group that is assigned this permission level automatically. |
Edit | Add, edit, and delete lists; view, add, update, and delete list items and documents. By default, this permission level is assigned to the Members group. |
Contribute | View, add, update, and delete list items and documents. |
Read | View pages and items in existing lists and document libraries and download documents. |
Limited Access | Enables a user or group to browse to a site page or library to access a specific content item when they do not have permissions to open or edit any other items in the site or library. This level is automatically assigned by SharePoint when you provide access to one specific item. You cannot assign Limited Access permissions directly to a user or group yourself. Instead, when you assign edit or open permissions to the single item, SharePoint automatically assigns Limited Access to other required locations, such as the site or library in which the single item is located. This allows SharePoint to render the user interface correctly and show the user some context around their location in the site. Limited Access does not grant any additional permissions to the user, so they can't see or access any other content. |
Web-Only Limited Access | Web-Only Limited Access is a variant of the Limited Access permission level which enables users' access to the web object only. |
Approve | Edit and approve pages, list items, and documents. By default, the Approvers group has this permission. |
Manage Hierarchy | Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group. |
Restricted Read | View pages and documents, but not historical versions or user permissions. |
View Only | View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files and .png files, can still be downloaded. |
Note:
A Microsoft 365 subscription creates a security group called Everyone except external users, which contains every person you add to the Microsoft 365 directory (except people you explicitly add as external users). On modern team sites with the Public privacy setting, this security group is automatically added to the Members group, so that users in Microsoft 365 can access and edit the SharePoint site. In addition, on modern team sites created as Private, Everyone except external users cannot be granted any permissions; people must be granted permissions explicitly. A Microsoft 365 subscription also creates a security group called Company Administrators, which contains the Microsoft 365 administrators (such as global and billing administrators). This security group is added to the Site Collection Administrators group. For more information, see Default SharePoint groups.
By default, site owners and members can add new users to the site.
To learn more about the Everyone except external users permissions, see Special SharePoint groups.
Permission levels and SharePoint groups
Permission levels work together with SharePoint groups. A SharePoint group is a set of users who all have the same permission level.
The way this works is that you put related permissions together in a permission level. Then you assign that permission level to a SharePoint group.
By default, each kind of SharePoint site includes certain SharePoint groups. For example, a team site automatically includes the Owners, Members, and Visitors groups. A publishing portal site includes those groups plus several others, such as Approvers, Designers, and Hierarchy Managers. When you create a site, SharePoint automatically creates a predefined set of SharePoint groups for that site. In addition, a SharePoint administrator can define custom groups and permission levels.
To learn more about SharePoint groups, see Understanding SharePoint groups.
By default, the SharePoint groups and permission levels included in a site can differ, depending on:
- The template you choose for the site
- Whether a SharePoint administrator has created a unique set of permissions on the site for a specific purpose (such as search)
The following table describes the default permission levels and associated permissions for the three standard groups: Visitors, Members, and Owners.
Group | Permission level |
---|---|
Visitors | Read. This level includes these permissions: Open; View Items, Versions, Pages, and Application Pages; Browse User Information; Create Alerts; Use Self-Service Site Creation; Use Remote Interfaces; Use Client Integration Features |
Members | Edit. This level includes all permissions in Read, plus: View, Add, Update, and Delete Items; Add, Edit, and Delete Lists; Delete Versions; Browse Directories; Edit Personal User Information; Manage Personal Views; Add, Update, or Remove Personal Web Parts |
Owners | Full Control. This level includes all available SharePoint permissions. |
Site permissions and permission levels
Site permissions generally apply to a SharePoint site. The following table describes the permissions that apply to sites and shows the permission levels that use them.
List permissions and permission levels
List permissions apply to content in lists and libraries. The following table describes the permissions that apply to lists and libraries, and shows the permission levels that use them.
Personal permissions and permission levels
Personal permissions apply to content that belongs to a single user. The following table describes the permissions that apply to personal views and web parts, and shows the permission levels that use them.
Permissions and dependent permissions
SharePoint permissions can depend on other SharePoint permissions. For example, you must be able to open an item in order to view it. In this way, the View Items permission depends on the Open permission.
When you select a SharePoint permission that depends on another SharePoint permission, SharePoint automatically selects the associated permission. Likewise, when you clear a SharePoint permission, SharePoint automatically clears any SharePoint permissions that depend on it. For example, when you clear View Items, SharePoint automatically clears Manage Lists (you cannot manage a list if you cannot view its items).
Tip:
The only SharePoint permission that has no dependencies is Open. All other SharePoint permissions depend on it. To test a custom permission level, you can simply clear Open. This automatically clears all the other permissions.
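The select and clear behaviour described above, as an added example that is not code from the page or from Microsoft. REQUIRES is filled from a subset of the dependency tables later on this page; the function names are this example's own.

```python
# Added example (not from the page or Microsoft): the select/clear behaviour
# the page describes, run over a subset of its dependency tables. REQUIRES
# maps each permission to the permissions listed for it in those tables.
REQUIRES = {
    "Open": set(),
    "View Pages": {"Open"},
    "Browse User Information": {"Open"},
    "Browse Directories": {"View Pages", "Open"},
    "View Items": {"View Pages", "Open"},
    "Open Items": {"View Items", "View Pages", "Open"},
    "View Versions": {"View Items", "View Pages", "Open"},
    "Edit Items": {"View Items", "View Pages", "Open"},
    "Approve Items": {"Edit Items", "View Items", "View Pages", "Open"},
    "Manage Personal Views": {"View Items", "View Pages", "Open"},
    "Manage Lists": {"View Items", "View Pages", "Open", "Manage Personal Views"},
    "Enumerate Permissions": {"View Items", "Open Items", "View Versions",
                              "Browse Directories", "View Pages",
                              "Browse User Information", "Open"},
    "Manage Permissions": {"View Items", "Open Items", "View Versions", "View Pages",
                           "Browse Directories", "Enumerate Permissions",
                           "Browse User Information", "Open"},
}

def select(granted: set, perm: str) -> set:
    """Grant perm plus, transitively, everything it requires (tick behaviour)."""
    result, todo = set(granted), [perm]
    while todo:
        p = todo.pop()
        if p not in result:
            result.add(p)
            todo.extend(REQUIRES[p])
    return result

def clear(granted: set, perm: str) -> set:
    """Remove perm plus, transitively, everything that requires it (untick)."""
    removed, changed = {perm}, True
    while changed:   # repeat until no further dependants are found
        changed = False
        for p in granted - removed:
            if REQUIRES[p] & removed:
                removed.add(p)
                changed = True
    return granted - removed

def is_consistent(level: set) -> bool:
    """True when every requirement of every granted permission is granted."""
    return all(REQUIRES[p] <= level for p in level)
```

Clearing Open empties any level, and clearing View Items leaves only the four permissions that do not need it, which matches the two examples in the text.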
The following sections contain tables that describe the SharePoint permissions in each permission category. For each permission, the table shows the dependent permissions.
- Site permissions and dependent permissions
- List permissions and dependent permissions
- Personal permissions and dependent permissions
Site permissions and dependent permissions
The following table describes the permissions that apply to sites and shows the permissions that depend on them.
Permission | Description | Dependent permissions |
---|---|---|
Manage Permissions | Create and change permission levels on the website and assign permissions to users and groups. | View Items, Open Items, View Versions, View Pages, Browse Directories, Enumerate Permissions, Browse User Information, Open |
View Web Analytics Data | View reports on website usage. | View Pages, Open |
Create Subsites | Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. | View Pages, Browse User Information, Open |
Manage website | Perform all administration tasks for the website, which includes managing content. | View Pages, Add and Customize Pages, Browse Directories, Enumerate Permissions, Browse User Information, Open |
Add and Customize Pages | Add, change, or delete HTML pages or Web Part pages, and edit the website by using a Windows SharePoint Services-compatible editor. | View Items, Browse Directories, View Pages, Open |
Apply Themes and Borders | Apply a theme or borders to the whole website. | View Pages, Open |
Apply Style Sheets | Apply a style sheet (.css file) to the website. | View Pages, Open |
Create Groups | Create a group of users who can be used anywhere within the site collection. | View Pages, Browse User Information, Open |
Browse Directories | Enumerate files and folders in a website, by using an interface such as SharePoint Designer or web-based Distributed Authoring and Versioning (Web DAV). | View Pages, Open |
Use Self-Service Site Creation | Create a website by using Self-Service Site Creation. | View Pages, Browse User Information, Open |
View Pages | View pages in a website. | Open |
Enumerate Permissions | Enumerate permissions on the website, list, folder, document, or list item. | View Items, Open Items, View Versions, Browse Directories, View Pages, Browse User Information, Open |
Browse User Information | View information about users of the website. | Open |
Manage Alerts | Manage alerts for all users of the website. | View Items, Create Alerts, View Pages, Open |
Use Remote Interfaces | Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the website. | Open |
Use Client Integration Features | Use features which launch client applications. | Use Remote Interfaces, Open |
Open* | Open a website, list, or folder to access items inside that container. | No dependent permissions |
Edit Personal User Information | Allow a user to change personal information, such as adding a picture. | Browse User Information, Open |
List permissions and dependent permissions
The following table describes the permissions that apply to lists and libraries and shows the permissions that depend on them.
Permission | Description | Dependent permissions |
---|---|---|
Manage Lists | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. | View Items, View Pages, Open, Manage Personal Views |
Override Check-Out | Discard or check in a document that is checked out to another user. | View Items, View Pages, Open |
Add Items | Add items to lists, add documents to document libraries, and add web discussion comments. | View Items, View Pages, Open |
Edit Items | Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize Web Part Pages in document libraries. | View Items, View Pages, Open |
Delete Items | Delete items from a list, documents from a document library, and web discussion comments in documents. | View Items, View Pages, Open |
View Items | View items in lists, documents in document libraries, and web discussion comments. | View Pages, Open |
Approve Items | Approve a minor version of a list item or document. | Edit Items, View Items, View Pages, Open |
Open Items | View the source of documents that use server-side file handlers. | View Items, View Pages, Open |
View Versions | View past versions of a list item or document. | View Items, View Pages, Open |
Delete Versions | Delete past versions of a list item or document. | View Items, View Versions, View Pages, Open |
Create Alerts | Create e-mail alerts. | View Items, View Pages, Open |
View Application Pages | View documents and views in a list or document library. | Open |
Personal permissions and dependent permissions
The following table describes the permissions that apply to personal views and web parts, and shows the permissions that depend on them.
Permission | Description | Dependent permissions |
---|---|---|
Manage Personal Views | Create, change, and delete personal views of lists. | View Items, View Pages, Open |
Add/Remove Private Web Parts | Add or remove private Web Parts on a Web Part Page. | View Items, View Pages, Open, Update Personal Web Parts |
Update Personal Web Parts | Update Web Parts to display personalized information. | View Items, View Pages, Open |
Lockdown mode
Limited-access user permission lockdown mode is a site collection feature that you can use to secure published sites. When lockdown mode is turned on, the fine-grained permissions of the Limited Access permission level are reduced. The following table details the default permissions of the Limited Access permission level and the reduced permissions that apply when the lockdown mode feature is turned on.
Permission | Limited access - default | Limited access - lockdown mode |
---|---|---|
List permissions: View Application Pages | X | |
Site permissions: Browse User Information | X | X |
Site permissions: Use Remote Interfaces | X | |
Site permissions: Use Client Integration Features | X | X |
Site permissions: Open | X | X |
By default, all publishing sites are in lockdown mode, including when a legacy publishing site template has been applied to the site collection. Lockdown mode is recommended if your site needs greater security.
If you disable the Limited-access user permission lockdown mode site collection feature, users at the Limited Access permission level (such as anonymous users) can gain access to certain areas of your site.
Planning your permission strategy
Now that you understand permissions, inheritance, and permission levels, you may want to plan your strategy so that you can set guidelines for users, minimize maintenance, and ensure compliance with your organization's data governance policies. For tips on planning your strategy, see Plan your permission strategy.