Locking Down SharePoint Designer 2010

If you previously worked with Microsoft Office SharePoint Server 2007 you probably know a lot about SharePoint Designer already. Probably one big complaint, at least from the operational side for MOSS 2007 was that SharePoint Designer 2007 could be used so long down the road by the end user that It could break the site that it no longer worked. There was locking possibilities for SharePoint Designer 2007 but, for example, one option was to change the ONET.XML file which you probably not wanted to. The SharePoint Designer Team blogged about these locking possibilities a while back.

As for SharePoint Server 2010 a number of enhancements have helped this feature. 

All my SharePoint developer environments include SharePoint Designer. It was and is a quite powerful tool. When I started to work with the new version of SharePoint Designer it was really enjoying to see all the improvements that was done. A new tool in my eyes and a lot easier to use. And just to be clear, the 2007 edition is not compatible with SharePoint Server 2010, you have to use the new SharePoint Designer 2010. But as the 2007 edition, SharePoint Designer 2010 is downloadable for free;

One of the several improvements in SharePoint 2010 is the possibility to lock down SharePoint Designer usage. You can now prevent or set restriction on what users can do with the tool either at Site Collection level or at Web Application level.

 

Setting restrictions at Site Collection level

In the Site Settings page you will find the SharePoint Designer Settings menu. (Available for Site Collection administrators).

image

Selecting this will give you the following possibilities at the Site Collection level:

image

As shown in the image above, SharePoint Designer is enabled by default but has additional settings available.

Looking at the different settings the first one is quite ok, unselecting this will disable all usage of SharePoint Designer without the Site Collection administrators. This setting is enabled by default. The second setting is quite interesting, you can now control wherever your users should be allowed to detach pages from the Site Definition also known as unghosting. This is good, users are now prevented from creating unghosted pages which in the long run can be a pain. The third setting is about enabling users to customize master pages and page layouts which controls the default look and feel and the fourth and last setting is about if the users should see the hidden URL structure or not, such as the _catalogs folder.

Some quick testing;

If we enable management of the hidden URL structure this will be available from SharePoint Designer 2010 as shown below

image 

Allowing customization of Master Pages and Page Layouts, makes the page objects visible

image

Note: This setting only allow light changes to the pages. if you need to do advanced customizations you have to enable the setting ‘Enable detaching pages from the Site Definition’ as well.

Last, if we completely disallow all usage of SharePoint Designer and then try to open a site in the collection using SharePoint Designer 2010, users are presented the following message;

image

Note: Site Collection administrators will still be able to use SharePoint Designer 2010. They are not affected by the settings at this level.

 

Setting restrictions at Web Application level

If you open SharePoint 2010 Central Administration you will find a SharePoint Designer section in the General Application Settings menu.

image

Opening this you are presented the following settings;

image

As you can see from the image above, SharePoint Designer settings are enabled by default at Web Application level. Adjusting these settings will set the restrictions of SharePoint Designer 2010 on what you choose at a specified Web Application. Even the Site Collection administrators are affected by these settings.

Testing this, disabling all possible settings in SharePoint Central Administration and then turning back to our site, the available settings at site collection level are disabled as shown below.

image