DeliverPoint is security trimmed, which means if a user can complete a security-related operation with Microsoft® SharePoint® objects using the browser, the same user is allowed to complete the identical action using DeliverPoint. When a user is a site collection administrator, they will be able to perform all security-related operations on the particular site collection for which they are the site collection administrator. When a user has full control on two sites within a site collection and they perform a security-related operation at the site collection level, the operation will only modify the sites or the content within those two sites where the user has the required permission.

DeliverPoint uses SharePoint® to determine the effective permissions of the user, based on the current site context where the user has accessed DeliverPoint. When a user accesses DeliverPoint through a site in a specific zone, that same zone is used to determine effective permissions for the user on the other web applications listed in the DeliverPoint tree view.

DeliverPoint not only takes note of permissions that users may set at the site collection, site, list/library, folder and item/file levels, but also uses user policies configured at the web application level. When a user policy is configured for a web application, SharePoint enforces its permissions on all content within the web application, thereby enabling an organization to set security policies for users at the web application level. The permissions configured in a user policy override all other security settings that are configured for sites and content. You can configure a user policy based on users or user groups in Active Directory (AD), but not SharePoint groups. A user policy can be defined for a web application in general (all zones) or for a specific zone.

For example:

  • Web Application 1
    • (A permission policy for Zone 2 does not exist)
  • Web Application 2
    • (A permission policy for Zone 2 DOES exist)
  • Web Application 3
    • (A permission policy for Zone 2 DOES exist)

Suppose a user accesses a site via a URL bound to Zone 2 on Web Application 2 and then accesses DeliverPoint. If a request is made to view or manage permissions on the other two web applications, SharePoint uses the current user’s zone when resolving any DeliverPoint request made on behalf of the user. In this scenario, when a user accesses:

  • Web Application 1: because a permission policy for Zone 2 does not exist, SharePoint applies any All zones user policies or the Default zone user policy.
  • Web Application 2: because a policy for Zone 2 DOES exist, that policy is applied to the request.
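
To check which user policies are configured for a given zone on each web application, a farm administrator can list them with the SharePoint server object model. The script below is an added example, not part of DeliverPoint or its documentation; the zone value `Intranet` is an assumed stand-in for "Zone 2", and `ConvertTo-PolicyRow` is a hypothetical helper name.

```powershell
# Added example; run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the zone through which the user reaches DeliverPoint.
# 'Intranet' is a stand-in for the page's "Zone 2".
$zone        = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Flatten a policy collection into report rows (hypothetical helper).
function ConvertTo-PolicyRow {
    param($WebApp, $Policies, [string]$Scope, [bool]$ZonePolicyExists)
    foreach ($p in $Policies) {
        [pscustomobject]@{
            WebApplication   = $WebApp.DisplayName
            ZonePolicyExists = $ZonePolicyExists
            Scope            = $Scope
            Principal        = $p.UserName   # AD user or AD group, never a SharePoint group
            Roles            = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

$report = foreach ($wa in Get-SPWebApplication) {
    $zonePolicies  = @($wa.ZonePolicies($zone))   # policies bound to this zone only
    $hasZonePolicy = $zonePolicies.Count -gt 0

    ConvertTo-PolicyRow $wa $zonePolicies "Zone: $zone" $hasZonePolicy
    ConvertTo-PolicyRow $wa @($wa.Policies) 'All zones' $hasZonePolicy   # policies set for all zones

    if (-not $hasZonePolicy -and $zone -ne $defaultZone) {
        # No policy exists for the zone: also list the Default zone policies,
        # which the text above names as the fallback.
        ConvertTo-PolicyRow $wa @($wa.ZonePolicies($defaultZone)) 'Default zone' $hasZonePolicy
    }
}

$report | Sort-Object WebApplication, Scope | Format-Table -AutoSize
```

The script only reports what is configured; it does not change any policy.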
