Manage permission policies for a web application in SharePoint Server

Summary: Learn how to manage SharePoint Server 2013 and SharePoint Server 2016 web application permission policy levels.

Permission policy levels provide a centralized way to configure and manage a set of permissions that applies to a subset of users or groups across all the site collections in a web application.

For example, you might want to create a permission policy level for users who will add, edit, or delete items from a list, open a list, and view items, lists, and pages. However, you might want to prevent the same users from creating or deleting lists. You can do this by creating a permission policy level for those users.

While you can configure these same permissions at the site or site collection level, managing permissions for multiple collections can be time-consuming. Permission policy levels enable you to manage permissions at the web application level.

There are default policy levels of Full Control, Full Read, Deny Write, and Deny All permissions, or you can create a custom policy level and specify the permissions that you need.

The procedures in this article cover how to set up and use permission policy levels and assign users to them. You need to be a member of the Farm Administrators group to follow these procedures.

Create, edit, or delete a custom permission policy level

Permission policy levels contain permissions that apply to specific users or groups at the web application level. You can specify a combination of List, Site, or Personal permissions. You can also specify one of the following levels of site collection permissions:

  • Site Collection Administrator: Has Full Control permission on the whole site collection and can perform any action on any object.

  • Site Collection Auditor: Has Full Read permission on the whole site collection and associated data, such as permissions and configuration information.

If you specify either or both of those permission levels, you cannot specify individual permissions.

The permissions list contains a Grant column and a Deny column. You can either grant or deny any permission (or all permissions) as part of a permission policy level. By default, no permissions are granted. If a single permission is neither granted nor denied, the permissions set at the site or site collection level will be in effect.

Add a permission policy level

Use the following procedure to create a permission policy level.

To add a permission policy level

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the line for the web application whose permission policy level you want to manage.

  4. In the Policy group of the ribbon, click Permission Policy.

  5. In the Manage permission policy levels dialog box, click Add Permission Policy Level.

  6. In the Add permission policy level dialog box, in the Name and Description section, type the name and description for the policy that you want to create.

  7. In the Site Collection Permissions section, select the site collection permissions for this policy.

  8. In the Permissions section, select the permissions to grant or deny for this permission level.

    • Select the Grant All check box to include all available permissions in this policy.

    • Select the Deny All check box to deny all available permissions in this policy.

    • Select either the Grant or Deny check boxes to include or exclude individual List, Site, and Personal permissions from this policy.

      Do not click either Grant or Deny if you want access to be controlled through regular site or site collection permissions.

  9. Click Save.
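The same policy level can be created from the SharePoint Management Shell, which makes the grant and deny columns reviewable as text. The script below is an added example, not part of the original article: it builds the level from the article's scenario (work with list items, but no creating or deleting lists). The web application URL, the level name and the mapping of the scenario onto `SPBasePermissions` flags are assumptions.

```powershell
# Added example: create a custom permission policy level on one web application.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://sharepoint.example.com'   # placeholder URL (assumption)
$levelName = 'List Item Contributors'          # hypothetical level name

$wa = Get-SPWebApplication -Identity $webAppUrl

# Do not create a second level with the same name.
if ($wa.PolicyRoles | Where-Object { $_.Name -eq $levelName }) {
    throw "Permission policy level '$levelName' already exists on $webAppUrl"
}

# Grant column: add, edit and delete list items, open lists, view items and pages.
$grant = [Microsoft.SharePoint.SPBasePermissions]'ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, Open, ViewPages'

# Deny column: ManageLists is the right that covers creating and deleting lists.
$deny = [Microsoft.SharePoint.SPBasePermissions]'ManageLists'

# Every right left out of both masks stays neither granted nor denied, so the
# site or site collection permissions decide it.
$level = $wa.PolicyRoles.Add($levelName, 'Work with list items; cannot create or delete lists')
$level.GrantRightsMask = $grant
$level.DenyRightsMask  = $deny
$wa.Update()   # persist the change to the farm configuration

# Read the level back to confirm what was stored.
$wa.PolicyRoles |
    Where-Object { $_.Name -eq $levelName } |
    Select-Object Name, Description, GrantRightsMask, DenyRightsMask, IsSiteAdmin, IsSiteAuditor
```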

Edit a permission policy level

Use the following procedure to edit a permission policy level.

To edit a permission policy level

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the web application whose permission policy level you want to manage.

  4. In the Policy group of the ribbon, click Permission Policy.

  5. In the Manage permission policy levels dialog box, click the link for the permission policy level that you want to edit.

  6. On the Edit permission policy level page, edit the settings, and then click Save.

Delete a permission policy level

You might want to delete a permission policy level if the users or groups for which you created it are no longer required to use it. It is a good practice to review all existing permission policy levels to ensure that they are still required.

To delete a permission policy level

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the web application whose permission policy level you want to manage.

  4. In the Policy group of the ribbon, click Permission Policy.

  5. In the Manage permission policy levels dialog box, select the check box of the permission policy level that you want to delete, and then click Delete Selected Permission Policy Levels.

  6. Click OK to confirm the deletion.
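To support the review recommended above before deleting anything, the following added example (not part of the original article) reports every permission policy level in the farm together with the accounts bound to it, so unused levels and broad grants stand out. It only reads configuration; the output column names are my own.

```powershell
# Added example: inventory permission policy levels and who is bound to them.
# Read-only; run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($wa in Get-SPWebApplication) {
    # User policies that apply to all zones, then the per-zone ones.
    $assignments = @()
    foreach ($p in $wa.Policies) {
        $assignments += [pscustomobject]@{ Zone = '(All zones)'; Policy = $p }
    }
    foreach ($zone in $wa.IisSettings.Keys) {
        foreach ($p in $wa.ZonePolicies($zone)) {
            $assignments += [pscustomobject]@{ Zone = $zone; Policy = $p }
        }
    }

    foreach ($role in $wa.PolicyRoles) {
        # Assignments whose bindings include this policy level.
        $bound = @($assignments | Where-Object {
            $_.Policy.PolicyRoleBindings | Where-Object { $_.Id -eq $role.Id }
        })
        [pscustomobject]@{
            WebApplication  = $wa.Url
            PolicyLevel     = $role.Name
            SiteCollAdmin   = $role.IsSiteAdmin
            SiteCollAuditor = $role.IsSiteAuditor
            Granted         = $role.GrantRightsMask
            Denied          = $role.DenyRightsMask
            AssignedCount   = $bound.Count
            Accounts        = ($bound | ForEach-Object {
                                  "$($_.Policy.UserName) [$($_.Zone)]"
                              }) -join '; '
        }
    }
}

# Full inventory, then the levels nobody is assigned to (candidates for review).
$report | Sort-Object WebApplication, PolicyLevel | Format-List
$report | Where-Object { $_.AssignedCount -eq 0 } |
    Select-Object WebApplication, PolicyLevel
```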

Add users to or remove users from a permission policy level

You can add users to a permission policy level, edit the policy level settings, and delete users from a permission policy level. The following settings can be specified or changed:

  • Zone: If a website has multiple zones, you can choose the zone that you want the permission policy level to apply to. The default is all zones, which can be specified for Windows users only.

  • Permissions: You can specify a default policy level of Full Control, Full Read, Deny Write, and Deny All permissions, or you can specify a custom permission level that you created.

  • System: This setting enables SharePoint to display SHAREPOINT\System for system-related activity regardless of the Windows user accounts that have been configured for the hosting application pool and the SharePoint farm service account. You might want to specify this setting to prevent unnecessary information disclosure to end-users and potential malicious users who would be interested in knowing more about the SharePoint deployment in the enterprise.

Add users to a permission policy level

Use the following procedure to add users to a permission policy level.

To add users to a permission policy level

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the web application whose permission policy level you want to manage.

  4. In the Policy group of the ribbon, click User Policy.

  5. In the Policy for Web Application dialog box, click Add Users.

  6. In the Add Users dialog box, in the Zone list, click the zone to which you want the permission policy level to apply and then click Next.

  7. In the Add Users dialog box, in the Choose Users section, type the user names, group names, or e-mail addresses that you want to add to the permission policy level.

  8. In the Choose Permissions section, select the permissions that you want the users to have.

  9. In the Choose System Settings section, check Account operates as System if you want to specify whether a user account should be displayed as SHAREPOINT\System instead of the actual accounts that perform specific tasks within the SharePoint environment.

  10. Click Finish.
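The zone, permission and system settings from this procedure map onto the user policy objects as shown in the added example below, which is not part of the original article. It binds a group to the default Full Read level in the Default zone only; the URL, account name and display name are placeholders.

```powershell
# Added example: bind an account to a permission policy level in a single zone.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://sharepoint.example.com'   # placeholder URL (assumption)
# Placeholder account. Assumption: classic Windows login name; claims-mode web
# applications expect the claims-encoded form of the account instead.
$account   = 'CONTOSO\sp-auditors'
$display   = 'SharePoint auditors'

$wa   = Get-SPWebApplication -Identity $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Zone setting: scope the user policy to one zone instead of all zones.
$zonePolicies = $wa.ZonePolicies($zone)

# Permissions setting: one of the default levels (Full Read here).
$level = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

# Reuse the account's existing policy entry in this zone if there is one.
$policy = $zonePolicies | Where-Object { $_.UserName -eq $account } |
    Select-Object -First 1
if (-not $policy) {
    $policy = $zonePolicies.Add($account, $display)
}

# Add the binding only if the account does not already hold this level.
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Id -eq $level.Id })) {
    $policy.PolicyRoleBindings.Add($level)
}

# System setting: $true corresponds to "Account operates as System", which
# shows SHAREPOINT\System instead of the account name. Left off here.
$policy.IsSystemUser = $false

$wa.Update()   # persist the change to the farm configuration

# Confirm the result for this zone.
$wa.ZonePolicies($zone) | Where-Object { $_.UserName -eq $account } |
    Select-Object UserName, DisplayName, IsSystemUser,
        @{ n = 'Levels'; e = { ($_.PolicyRoleBindings | ForEach-Object Name) -join ', ' } }
```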

Edit a permissions policy

Use the following procedure to edit the permissions granted by a permission policy level.

To edit a user permissions policy

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the web application whose permission policy level you want to edit.

  4. In the Policy group of the ribbon, click User Policy.

  5. In the Policy for Web Application dialog box, select the check box next to the user or group that you want to manage, and then click Edit Permissions of Selected Users.

  6. On the Edit Users page, in the Permission Policy Levels section, select the permissions that you want the users to have.

  7. In the Choose System Settings section, click Account operates as System to specify whether a user account should be displayed as SHAREPOINT\System instead of the actual accounts that perform specific tasks within the SharePoint environment.

  8. Click Save.

Delete users from a permission policy level

Use the following procedure to delete a user from a permission policy level.

To delete users from a permission policy level

  1. Start SharePoint 2016 Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. Click to highlight the web application whose permission policy level you want to manage.

  4. In the Policy group of the ribbon, click User Policy.

  5. In the Policy for Web Application dialog box, select the check box next to the user or group that you want to delete, click Delete Selected Users, and then click OK.

See also

Concepts

Administration of SharePoint Server

Manage permissions for a web application in SharePoint Server