Guidelines for WPC - How to manage permissions on a Sharepoint sub-site
The CTA portal’s structure is divided into sub-sites, for example:
- Consortium Board
- Resource Board
- Project Office
- LST Working Group
- MST Working Group
- SITE Working Group
- … and so on
Every Work Package Coordinator is responsible for his/her sub-site. Therefore it is important that you get familiar with these instructions.
For each sub-site you can decide who can have access to it and you can define the access rights:
- User can only read (call the group XX Visitors or use the group CTA Members per default)
- User can contribute (call the group XX Members)
- User has full control (call the group XX Owners)
Sharepoint offers many other options, for simplicity we have decided to use only these three.
Please do not create groups that you do not need!
For example, do not create "XX visitors", if you can assume that "CTA Members" can be used for read-only access in a fully sufficient way.
By default all libraries and lists within the sub-site inherit permissions from its parent, but the inheritance can be broken.
Once you have created a new site, go to “Site Actions” and then to “Site Permissions” (fig.1):
You will see that the sub-site inherits the permissions from its parent (and eventually the parent's parent etc.). If they are OK for your purpose, just leave them as they are.
By clicking “stop inheriting permissions
” you can change them, delete some or add some others (fig 2).
If you stop inheriting the permissions, you can click on “Grant permissions
” in order to add existing groups or users (see fig.4).
You can also modify the existing permissions by clicking on the check box beside the existing group and then on “edit user permissions
” to make some changes or “remove user permissions
” to remove the user/group (see fig.5).
By clicking on “anonymous access
” you can define and check the permissions for "anonymous" users (also non-CTA members). At the moment this is only allowed for the homepage (general presentation of CTA) and the helpdesk.
Think carefully, before you give access to "anonymous" on any part of your sub-site.
Also check carefully, which parts inherit this anonymous access.
Remember that everything that is readable for "anonymous", will be referenced by Google & Co. sooner or later!
In the „select users
“ field you can add users or groups by typing their INDICO user name. You can find a list of all INDICO names on this page
, under “Account” see the user name after “ctaldapmember
”, i.e. i:0#.f|ctaldapmember|aaronm (in this case “aaronm”).
After that, you click on the kind of permissions you would like to grant to the user/group. As already said, we choose between “full control”, “contribute” or “read”.
We recommend granting permissions to groups rather than to single users. Once you have clicked on one of the existing groups (see fig.5), you can click on “groups” on the left bar, where you can view all existing groups. We do not recommend creating new groups, because the system will generate XX-members and XX-owners by default for each new XX-site. If you believe those groups are not sufficient for your needs, please ask for advice from cta-support.
You may also want to uncheck the box “send welcome e-mail to new users”. The system would send automatically generated (and not always understandable) e-mails to everyone who is mentioned in the above field. If you use it, better make the message individual and understandable by adding text in the field below!
If you want to add or remove members in a group, then click on the name of the group first. By clicking on “new” you can add new users, by clicking on “Actions” and then “Remove users from group” you would delete the selected users (that means, you have to select the item(s) first by checking the box beside the name).
Never remove yourself from the Owners group, otherwise you won’t be able to manage the site or its groups!
We recommend that you give read permissions throughout all CTA sites to the group "CTA members". Occasional visitors (reviewers, anonymous users from the web, agency members, ...) are not part of "CTA members" in general and can be granted access by special settings. Ask cta-support
if you are in doubt.