1.14. Policies for Web Applications
After you create a Web application and then extend it, as discussed in Section 1.5 earlier in this article, URLs are created that are associated with a specific zone. There are five zone types in SharePoint 2010.
Default
Intranet
Internet
Extranet
Custom
Note: Zones in a Web application refer to the zones available in Internet Explorer that a user is using to access the site.
Using the User Policy option on the Web Application Ribbon, you can specify that a specific user or group of users that access SharePoint content from a specific Web application using a specific zone will have a custom set of rights applied. These rights will override the rights they would normally have if accessing the Web application from the default zone.
For example, a user accesses the internal SharePoint projects site using http://portal.contoso.com and he has full control access. However, when the user is outside the company, he accesses the same site using http://internet.contoso.com, and the Internet URL is an extended and mapped Web application in the Internet zone. When the user accesses the content from outside the office, using the Internet zone, the Internet policy, defined as deny access to everything except full read, applies, and he can only read content; he won’t be able to add or change anything on the projects site.
There are four permission levels provided by default; however, you can create additional custom permission levels from within the Manage Permission Policy Levels dialog box. The four default permission levels are
Full Control
Full Read
Deny Write
Deny All
Use the following steps to configure a policy for users on a Web application.
1. Select the Web application for which you want to configure a new policy and click User Policy on the Ribbon.
2. Select Add User and then choose the zone that will be using the new policy from the drop-down menu. For users accessing the Web application using Windows authentication, you can select all zones. For remote users who will require read-only access, select the Internet zone.
3. Enter the user, group name, or e-mail address you want to apply the policy to. In this case, it would be Remote Users.
4. Select the specific permission you want to apply to the group that matches the zone type. For example, you could select Full Read access.
5. The final option is to have the user account masked as a system account. This means that all actions carried out by the user would be registered as a system account entry rather than the actual user account. Normally, you would not select this option.
You can create as many policies as you need to control the level of access for many different groups of users accessing the Web application from multiple zones.
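The same Remote Users policy from the steps above, scripted in the SharePoint 2010 Management Shell so it can be repeated and audited. This is an added example, not code from the original text; the Web application URL http://portal.contoso.com and the group name CONTOSO\Remote Users are assumed.

```powershell
# Added example: bind a Full Read policy to one zone only, then verify it.
# Assumed names: http://portal.contoso.com, CONTOSO\Remote Users.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://portal.contoso.com"

# Policies scoped to the Internet zone only. ($wa.Policies is the
# "all zones" collection used for Windows-authenticated users in step 2.)
$internetZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet
$zonePolicies = $wa.ZonePolicies($internetZone)

$principal = "CONTOSO\Remote Users"

# Keep the script idempotent: drop an older policy for the same principal.
$existing = $zonePolicies | Where-Object { $_.UserName -eq $principal }
if ($existing) { $zonePolicies.Remove($existing.UserName) }

# Step 3/4: add the principal and bind the Full Read special role.
$policy = $zonePolicies.Add($principal, "Remote Users")
$fullRead = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$policy.PolicyRoleBindings.Add($fullRead)

# Step 5: leave "act as system account" off so audit entries keep the real user.
$policy.IsSystemUser = $false

$wa.Update()

# Verify: every policy on this zone, with the roles bound to it.
foreach ($p in $wa.ZonePolicies($internetZone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-30} system={1,-5} roles={2}" -f $p.UserName, $p.IsSystemUser, $roles
}
```

Running the verification loop after any change is a quick way to catch a policy that was bound to the wrong zone or that has IsSystemUser set unexpectedly.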
1.14.1. Anonymous Policy
The Anonymous Policy option on the Web Application Ribbon is used to set permission policies for anonymous user access for the different zones (Internet, Extranet, Intranet, Other), if your Web application is serving content in those different zones. The following list describes the available options for this policy.
None
No policy is defined; this is the default option. No additional permission restrictions or additions are applied to a site’s anonymous users.
Deny Write
Anonymous users cannot write content, even if the site administrator specifically attempts to grant the anonymous user account that permission.
Deny All
Anonymous users cannot have any access to content, even if the site administrator specifically attempts to grant the anonymous user account access to sites.
1.14.2. Permission Policy
The Permission Policy option on the Web Application Ribbon allows you to edit the specific permissions associated with one of the default permission levels or create a new permission policy level. Additionally, you can specify the particular permissions that are allowed or denied for site collections and sites throughout the Web application. The following permissions are available by default for this policy.
Full Control
Full Read
Deny Write
Deny All
You can create a new permission policy level by clicking the Add Permission Policy Level link and specifying a name for the new permission policy. You can also provide a description, as well as indicating whether site collection administrators and site collection auditors will have their normal permissions, which are Full Control and Full Read access respectively. Use the check boxes under the Grant and Deny options to specify the list, site, and person permissions that will be available when this policy is used. After creating a new permission policy level, you can create a user policy that uses the new permission policy.
1.15. Configuring Alternate Access Mappings
Alternate Access Mappings (AAM) are available to help SharePoint determine how to map a request that comes into a Web application to the correct URL and then serve the correct URL back to the client that requested the content. This very important role is useful for users who access their SharePoint Web applications from both internal and external locations because it ensures that the correct URL is served back to the user. This process makes sure that the links work as expected when users are navigating, browsing, and searching in SharePoint.
For example, if you have a Web application created with the URL http://contosoportal.com, this URL is the default Alternate Access Mapping entry because it was defined when the Web application was created.
However, when accessing it internally, you would prefer to have a more user-friendly name, such as http://portal, to provide a better user experience. You can do this easily by adding http://portal as an intranet AAM. After you do so, users who browse the portal using http://portal will see http://contosoportal.com displayed. Furthermore, all the URLs will follow the AAM mapping. For instance, if http://contosoportal.com/hr is a valid URL, then http://portal/hr would also be a valid URL when AAM is used.
Another example is when you have an external group of users who need to access SharePoint using https. You could extend and map a Web application to the portal Web application using https://contosoportal.com. You could then publish this URL to the outside using a reverse proxy product such as Microsoft’s ISA Server, and when people connect to the content from the outside world, they will see the URLs returned as https://, not just http://.
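The two mappings described in this section, the internal http://portal name and the https:// URL published through a reverse proxy, created with the SharePoint 2010 Management Shell. This is an added example, not code from the original text; it assumes the contosoportal.com Web application already exists and, for the https case, has already been extended into the Internet zone.

```powershell
# Added example: create and verify the AAM entries described in the text.
# Assumed: the Web application's default-zone URL is http://contosoportal.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl = "http://contosoportal.com"   # default AAM, set when the Web app was created

# Internal friendly name: map http://portal into the Intranet zone so links
# returned to internal users keep the short host name.
New-SPAlternateURL -WebApplication $waUrl -Url "http://portal" -Zone Intranet

# External HTTPS: the public URL users see after the reverse proxy.
# This assumes the Web application was already extended into the Internet zone.
New-SPAlternateURL -WebApplication $waUrl -Url "https://contosoportal.com" -Zone Internet

# If the proxy forwards requests to SharePoint on a different host name,
# register that as an internal URL of the same zone so responses still carry
# the public https:// URL. (Assumed proxy-side host name.)
New-SPAlternateURL -WebApplication $waUrl -Url "http://contosoportal.internal" `
    -Zone Internet -Internal

# Verify: every incoming URL, its zone, and the public URL it is rewritten to.
Get-SPAlternateURL -WebApplication $waUrl |
    Select-Object IncomingUrl, UrlZone, PublicUrl |
    Format-Table -AutoSize
```

A mapping that appears under the wrong zone, or an Internet-zone entry whose PublicUrl is still http://, is the usual cause of links that break only for external users.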