This is one of those things that had me beating my head against a wall for the last couple of hours, and in the end it's all in the doco; you just need to find it.
I have a knowledge management SharePoint web app and I want to turn on self-service site creation (SSSC) so that each ‘community of practice’ (CoP) site will be created as its own site collection. By default, anyone who has read permission to the KM portal will be able to use SSSC and create additional site collections. In my environment this would be bad and lead to lots of uncontrolled sites. What I need is the ability to lock this tool down so that only our knowledge managers can create additional CoP sites.
I know from the default security model that the Read, Contribute, Design and Full Control ‘Permission Levels’ have the ability to ‘Use Self-Service Site Creation’. What I want to do is create a group that I can add users to who are allowed to create sites. This Visio diagram is a great reference for all the permissions: ‘Model - Office SharePoint Server Application Security’.
So the procedure from the start follows.
- Turn on Self-Service Site Management. This is found in Central Admin / App Mgmt. Make sure that you select the correct web app.
- My KM Portal root site collection is based on the Publishing / Collaboration Portal template, so to make the create site link on the ‘Sites’ subsite point to the scsignup.aspx page, we go to the ‘Site Collection Administration / Site Directory Settings’ page and turn on ‘Create new site collections from Site Directory’. This will change the create site link.
- Next we need to remove the ‘Use Self-Service Site Creation’ permission from the default permission levels. To do this, on the root site collection go to Site Settings / Advanced Permissions. From this page, drop down the Settings menu and select Permission Levels.
- Next I click on the ‘Read’ permission level, scroll down to the ‘Site Permissions’ section and un-check the ‘Use Self-Service Site Creation’ permission. I then need to remove this from the other permission levels; in my case these are: Contribute, Approve, Manage Hierarchy, Design, and View Only. I’m leaving it on the Full Control permission level.
- Back on the permission page I create a new SharePoint group called ‘KM Portal Site Creators’ and assign the new permission level to this group.
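
To confirm the result of the steps above, the following added example (not part of the original procedure) audits the root site through the SharePoint object model: it reports whether SSSC is on for the web app, which permission levels still carry ‘Use Self-Service Site Creation’ (`SPBasePermissions.CreateSSCSite`), and which users or groups hold those levels. The site URL is a placeholder, and the script assumes it is run on a SharePoint server by an account with administrative access to the site collection.

```powershell
# Added example: audit who can still use Self-Service Site Creation.
# Run on a SharePoint server; loads the server object model.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl = "http://kmportal.example.local"   # placeholder: your KM portal root URL
$flag    = [Microsoft.SharePoint.SPBasePermissions]::CreateSSCSite

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web = $site.RootWeb

    # Step 1 of the procedure: is SSSC enabled on this web application?
    "SSSC enabled on web app: {0}" -f $site.WebApplication.SelfServiceSiteCreationEnabled

    # Permission levels that still include 'Use Self-Service Site Creation'.
    $holders = @()
    foreach ($role in $web.RoleDefinitions) {
        if (($role.BasePermissions -band $flag) -eq $flag) {
            $holders += $role.Name
        }
    }

    ""
    "Permission levels that include 'Use Self-Service Site Creation':"
    if ($holders.Count -eq 0) { "  (none)" }
    foreach ($name in $holders) { "  $name" }

    # Users and groups assigned any of those levels on the root site.
    # After the lock-down, expect only Full Control holders and the
    # site creators group to show up here.
    ""
    "Principals who can create site collections:"
    foreach ($assignment in $web.RoleAssignments) {
        foreach ($bound in $assignment.RoleDefinitionBindings) {
            if ($holders -contains $bound.Name) {
                "  {0}  (via '{1}')" -f $assignment.Member.Name, $bound.Name
            }
        }
    }
}
finally {
    # SPSite holds unmanaged resources; disposing it also releases RootWeb.
    $site.Dispose()
}
```

Any level in the first list other than Full Control and the custom level created for site creators indicates a permission level that was missed.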
Well, that's it. I think this is another example of the default permissions being too open, and a real-world example of how to trim them back.
Also, this is the doco on the TechNet site that describes ‘Creating custom permission levels’: http://technet2.microsoft.com/Office/en-us/library/c5dd8b7e-202d-4d33-8535-5c03f88ea1ff1033.mspx?mfr=true