Roles in SharePoint Products
You can use default groups in SharePoint Products to manage the user permissions for site collections and team project portals. You can also create custom groups at the Web site or site collection level with specific permissions and assign users to those groups. By using default or custom groups, you do not have to control the file and folder permissions separately or keep your local groups synchronized with your list of Web users. You can use the administration tools for your version of SharePoint Products to give project members distinct permissions on each of your project Web sites.
In effect, you can delegate user management from Team Foundation administrators to the project leads, after the project lead has been made the administrator of the project site. Site administrators control site access and, by default, have rights to add, delete, or change site group membership for users. Inside an organization, site administrators can typically select users from the list of the organization's users and grant them access based on their roles and needs within a project. For example, if the Web site is the document and information portal for members of a particular project team, the site administrator adds members of that team to the Contributor site group, so that the team members can add documents and update lists.
Members of the Administrator site group for a top-level Web site or site collection control more options and features of the server that is running SharePoint Products than administrators of an individual project site. Administrators can perform actions such as enabling or disabling Web document discussions or alerts, viewing usage and quota data, and changing anonymous access settings.
Site administration is separate from Windows SharePoint Services Central Administration. Many configuration tasks at the SharePoint Web application level require that you belong to the Farm Administrators group. For more information, see Access Site Administration or Central Administration for SharePoint Products.
SharePoint Products has the following default site groups and permission levels:
Administrator (Full Control)
Web Designer (Design)
For more information, see the following page on the Microsoft Web site: SharePoint Products and Technologies Tech Center.
You should restrict group membership in SharePoint Products so that groups contain only those users who need that group's specific level of access and permissions. When you add a user or group in SharePoint Products, you should make sure that any groups to which the user or group belongs has only the minimum permissions required to complete their role within a team project. For example, if a user only needs to view the contents of a team project Web site, you should add the user to the Reader group, not the Contributor group.
To create a site Administrator, add that user to a group that has the Full Control permission in Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007.
If you installed Windows SharePoint Services 3.0 as part of installing Team Foundation Server, the user account that was used to install Team Foundation Server is automatically added as a member of the Administrator role for the top-level site. For more information, see the following page on the Microsoft Web site: Windows SharePoint Services Administrator's Guide.
A member of the Web Designer role can create lists and document libraries and customize pages in the Web site. To enable a user to customize a team project portal, add that user to a group that has the Design permission.
A member of the Contributor role can add content to existing document libraries and lists. To enable a user to contribute content to a team project portal, add that user to a group that has the Contribute permission.
A member of the Reader group has read-only access to the Web site. To enable a user to view a team project portal, add that user to a group that has the Read permission.