​I talked a bit in the last post about SharePoint Designer and the differing perceptions out there about its use in organisations. There are lots of blogs and forum answers out there, but for completeness on this topic, I’m revisiting them here. In this post I’m going to go into the specifics of what options you have available to you in your environment, beyond the “let’s just lock it down completely” approach some organisations choose to take.

End User

Generally, when we talk about an “end user” we mean someone who uses a SharePoint site either to consume or contribute information. They will likely be a member of one of the out-of-the-box groups (or a custom one) that provides them either Read access (the Visitors group) or Contribute access (the Members group). When an end user is logged in (and SharePoint Designer is enabled in the Site Collection), they do not see an option to open the site in SharePoint Designer.

SPD-EndUser-Browser

If they persist and download SharePoint Designer and install it on their computer (assuming the organisation’s network policies allow them to do that), they will be able to launch the application. However, when they go to open the site (which they must do in order to do anything with SharePoint Designer) they will be denied access.

 

 

Designer

There is a built-in permission level in SharePoint that gives you the ability to allow certain users to do more things with a site, but without giving them full control of it. From a SharePoint Designer perspective, it also allows them to open sites and manage them.

SPD-Designer-Browser

SPD-Designer-SPD

Owner

Like someone with a Design level of permissions, a member of the Site Owners group will be able to use SharePoint Designer, although there will be a few extra things they can do with the out-of-the-box full control permission level. These are the same things that they can manage from within the browser.

 

Site Collection Administrator

The Site Collection Administrator has access to all content within a site collection whether they are explicitly given access by being part of one of the groups outlined above, or not. This also applies to using SharePoint Designer.

So what are my other options for securing SharePoint Designer?

It is important to note that beyond thinking carefully about who should be part of which groups in SharePoint, you can still pick and choose what options those users will have. There are four options available that can be applied to either the entire web application or to a specific site collection.

The options are:

Option What happens?
Enable SharePoint Designer If this is un-checked, users who attempt to open a site in SharePoint Designer will be denied access.

SPD-DisableSPD

 

Enable Detaching Pages from the Site Definition  If this is un-checked, the option to Edit File in Advanced Mode is disabled.

SPD-Detach-Pages

 

Enable Customizing Master Pages and Page Layouts When this option is enabled, the Master Pages option is shown in the Navigation Pane. On a publishing site, the Page Layouts option is also enabled.

SPD-Master-Page-Editing-Enabled

 

When the option is disabled (unchecked), users will be denied access if they try to edit the master page using the All Files option (see Enable Managing of the Web Site URL Structure).

SPD-EndUser-SPD

 

Enable Managing of the Web Site URL Structure If this is checked, the All Files option is shown in the Navigation Pane. This allows the user to navigate the full file structure of the site, including hidden files such as the master page gallery. It is also the only way to see any lists and libraries that have been hidden from the browser.

SPD-All-Files

 

Note – if the Farm Administrator un-checks any of the options at the Web Application level, they will be unavailable at the Site Collection level.

The take home message for your company

As I mentioned in my last post on the perceptions of SharePoint Designer, it is a tool that can provide the bridge for users to solve everyday problems and improve the way people work.

Locking SharePoint Designer full-stop is certainly one option, but don’t just do it because you can. Educate your IT team about the more granular options available to control access to SharePoint Designer. Consider giving your power users the autonomy to use SharePoint Designer – then sit back and see what truly great solutions they come up with.