This is one of those things that had me beating my head against a wall for the last couple of hours and in the end its all in the doco you just need to find it.
I have a knowledge management sharepoint web app and I want to turn on self service site creation (SSSC) so that each ‘community of practice’ (CoP) site will be created as its own site collection. By default anyone who has read permission to the KM portal will be able to use the SSSC and create additional site collections. In my environment this would be bad and lead to lots of uncontrolled sites. What I need is the ability to lock this tool down so that only our knowledge managers can create additional CoP sites.
So I know from the default security model that the Read, Contribute, Design and Full Control ‘Permission Levels’ have the ability to ‘Use Self-Service Site Creation’. What I want to do is create a group that I can add users to who are allowed to create sites. This visio diagram is a great reference for all the permissions – ‘Model- Office SharePoint Server Application Security‘.
So the procedure from the start follows.
- Turn on Self Service site management. This is found in central admin / app mgmt. Make sure that you select the correct web app.
- My KM Portal root site collection is based on the Publishing / Collaboration Portal template, so to make the create site link from the ‘Sites’ subsite link to the scsignup.aspx page, we go to the ‘site collection administration / site directory settings’ page and turn on ‘Create new site collections from Site Directory’. This will change the create site link.
- Next we need to remove the ‘Use Self-Service Site Creation’ permission from the default permission levels. So to do this on the root site collection go to site settings / Advanced Permissions. From this page drop down the settings menu and select permission levels.
- Next I click on the ‘Read’ permission level and then scroll down to the ‘Site Permissions’ section and un-check the ‘Use Self-Service Site Creation’ permission. I then need to remove this from the other groups, in my case the groups are: contribute, approve, Manage Hierarchy, Design, and View Only. I’m leaving it on the Full Control permission level.
- Back on the permission page I create a new sharepoint group called ‘KM Portal Site Creators’ and assign the new permission level to this group.
Well thats it. I think this is another example of the default permissions being to open and a real world example of how to trim them back.
Also this is the doco on the technet site that descibes how to ‘Creating custom permission levels’. http://technet2.microsoft.com/Office/en-us/library/c5dd8b7e-202d-4d33-8535-5c03f88ea1ff1033.mspx?mfr=true
[…] Gavin Adams describes how to manage permissions for Self-service site creation. […]
very interesting, but I don’t agree with you
Would it therefore be possibile to create a MySites alike template in WSS?
Is it possible to limit site creation to only some predefined templates?
А если посмотреть на это с другой точки зрения то не все так гладко получается
Не подскажете, как ссылки в футере убрать, если он закодирован. С интересом читал ваш блог и тоже решил завести себе на подобную тему. Заранее спасибо.
[…] A lot of people that are using SharePoint 2007 (WSS or MOSS) for collaboration have either enabled self service site creation in which they allow their end-users to create a page using the scsignup.aspx page or they have some process in place in which an IT administrator creates site collections for their users. Usually companies go the later route due to limitations with the self service site creation process; specifically, you cannot have the site created in a specific database, there’s no way to filter the templates available, and there’s no obvious way to lock the functionality down to a specific group of users though once you figure it out it’s pretty easy (see Gavin’s post on the subject: https://blog.gavin-adams.com/2007/09/13/restricting-self-service-site-creation/). […]