Enterprise portals are an important part of today's enterprise IT infrastructure. Portals are used as an entry point for a specific topic, organization, project, or team. Many enterprises have an enterprise portal, opened by default when an employee opens a browser, that shows general information about the enterprise, its strategy, its departments, and so forth. From this top-level enterprise portal, you find links to departmental or project and team specific portals. Departmental portals focus on information about the department itself, such as Marketing, Sales, Engineering, Professional Services, and so on. Project and team portals focus on an ongoing project or virtual team created for a specific objective. You also can find portals for specific topics, such as a learning portal or a management portal that provides information geared towards that topic. Each portal has relevant information, links to other Web sites, documents or resources, and the like. It is the starting point for a user to find information about a specific topic.
Microsoft provides two portal solutions—Windows SharePoint Services (WSS) and SharePoint Portal Server 2003 (SPS). The first article of this series explained the difference between WSS and SPS as well as how to install and administer each. This second article focuses on how to use and customize portals provided by WSS and SPS. The third article in this series explains how to create your own Web parts that you then can place on WSS and SPS portals. This article assumes that you are familiar with the first article, especially the administration features it describes.
Users Used Throughout This Article
By default, portals allow access only to authorized users. A virtual server enabled for WSS or SPS gets configured for integrated Windows authentication ("enable anonymous access" is disabled and "Integrated Windows authentication" is enabled). With integrated Windows authentication enabled, IIS requests the user name and password from the browser, which provides them in hash format. This allows the browser to provide the credentials of the user it is running under in a secure format, and it enables IIS to verify the user accessing the site. The browser shows a logon dialog box if the user it is running under has not been granted access to the portal. The user can then enter different credentials to use. After the third authentication attempt, the user is shown an error page that allows him to request access to the portal. By default, this sends an e-mail to the site owner, who can then add the user to the portal. You can change the recipient of the "request access" e-mail through the "Site Settings" of the portal (top menu bar). Under the "Administration" section, click the "Go to Site Administration" link. This brings up the portal site administration, where the "Users and Permissions" section has an entry called "Manage access requests." This allows you to enter the e-mail address of the recipient of the "request access" e-mail.
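To confirm that a virtual server really is configured as described above (anonymous access off, only integrated Windows authentication offered), look at how it answers a request sent without credentials. The following Python sketch is an added example, not part of the original article; the function names are hypothetical and the sample responses are constructed rather than captured from a real server.

```python
# Added example: classify how a virtual server answers a request that was
# sent WITHOUT credentials. Sample responses are constructed, not captured.

INTEGRATED = {"negotiate", "ntlm"}  # schemes used by integrated Windows auth


def parse_response(raw):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify(raw):
    """Return a verdict string for one unauthenticated response."""
    status, headers = parse_response(raw)
    # IIS sends one WWW-Authenticate header per scheme it offers.
    schemes = [v.split()[0].lower() for n, v in headers
               if n == "www-authenticate" and v]
    if status == 200:
        return "anonymous access enabled"
    if status != 401 or not schemes:
        return "inconclusive"
    extra = sorted(set(schemes) - INTEGRATED)
    if extra:
        return "also offers: " + ", ".join(extra)
    return "integrated only"


# Constructed samples (hypothetical servers).
EXPECTED = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
WITH_BASIC = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
              'WWW-Authenticate: Basic realm="portal"\r\n\r\n')
ANONYMOUS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for sample in (EXPECTED, WITH_BASIC, ANONYMOUS):
        print(classify(sample))
```

A verdict other than "integrated only" is worth following up: a 200 means the content is served without authentication, and an offered Basic scheme means the browser may send the password merely base64-encoded instead of in the hashed form described above.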
Are there any browser settings necessary for integrated Windows security to work?
For integrated Windows authentication to work, you need to enable the "Enable Integrated Windows Authentication" option in your browser (go to the "Tools | Internet Options" menu and then to the Advanced tab). The zone to which the site belongs needs to have the "Automatic logon with current username and password" or "Automatic logon only in Intranet zone" (only for the "Local intranet" zone) option enabled (go to the "Tools | Internet Options" menu, choose the "Security" tab, select the zone the site belongs to, for example "Trusted sites", and then click the "Custom Level" button).
Which site groups are available in SharePoint and what are the default permissions?
When creating a portal, you enter the name of the primary and secondary site owner (in the format of "machine name\user name" or "domain name\user name"). These two users are added automatically as administrators to the portal. WSS and SPS have four different site groups that define which access users have to the portal:
- Reader—Can access the portal and read information. Is not allowed to make any modifications to the information.
- Contributor—Has read and write access and can modify the information and documents on the portal.
- Web Designer—Has read and write access to the portal and is also allowed to modify the portal structure itself.
- Administrator—Has full access, including administrative access to the portal.
Adding new users to your SharePoint site
Create the following four Windows users on the machine where you run WSS (go to "Computer Management" and then "Local users and Groups"): Reader, Contributor, WebDesigner, and Administrator. Each user will be added by default to the "Users" Windows group. Open the portal you created in a browser running under the user credentials of the primary or secondary owner so you can add new users. In the top menu bar, select "Site Settings"; this shows the site settings. Under the "Administration" section, select the "Manage users" item. You already see the primary and secondary site owner added as administrators. Now, add the four users you created and make each user a member of the site group with the same name. For example, you add the user "Reader" and make it part of the "Reader" site group. These four users are used throughout the article to demonstrate the differences among the different access rights.
Running your browser under a different user credential
You can run a browser or any other application under different user credentials by using the "runas" command. Open the command line and run the following command: runas /profile /user:machine name\user name "c:\program files\internet explorer\iexplore.exe". You also can achieve this by right-clicking the browser icon in the "quick launch" Windows toolbar (in Windows 2000, you also need to press the SHIFT key) and selecting "Run as" from the popup menu. In the following dialog box, you select "the following user" and enter the user name and password. This works only for users who have already logged on to the machine once and already have a profile created. Without that, the browser will show you a logon dialog as soon as you hit a portal. It appears this happens when no Windows profile has been created yet for that user.