A Windows SharePoint Services site collection is a set of Web sites on a virtual server that have the same owner and share administration settings. Each site collection contains a top-level Web site and can contain one or more subsites. Several roles have different levels of control over sites at different levels. They are, in ascending level of control, the Site Administrator, the Site Collection Administrator, the Site Collection Owner, and the Server Administrator. This can become confusing, especially when trying to determine who has access to a site.
Site Administrators
Have control over a site and its subsites and can:
- delete the site
- add or delete subsites
- change the settings
- view, add, delete, or change all content within the site or subsites
- add and remove users
- send invitations
Site Collection Administrators
Have full administrative rights to all sites and content within a site collection. In addition to having all the rights of the Site Administrator, they can:
- add and remove users from the Site Collection Users
- modify User Information throughout the site collection. For instance, they can change the e-mail address or display name of a user throughout the site collection
Site Collection Owners (and Secondary Owners)
When you create a site collection, Windows SharePoint Services automatically lists you as the site collection owner. You can change the site collection owner via the Manage Site Collection Owners page in Central Administration or by using the site owner operation with Stsadm.exe. Site collection owners and secondary owners are also site collection administrators. In addition to those permissions they also:
- receive e-mail notifications for events, such as the pending automatic deletion of inactive sites
- receive requests for access from users who have been denied access
Server Administrators
By default, any user who is a member of the Administrators group on the SharePoint server can manipulate any SharePoint site. This is not always desirable. Assuming you have installed the SharePoint Portal Server 2003 Hotfix Package 898547, you can remove the Server Administrators’ permission by running the following stsadm command:
stsadm -o setproperty -propertyname denymachineadminaccess -propertyvalue 1
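To make the layering of the four roles concrete, the following added example (not code from Microsoft or from this article's author) models who has administrative control over one site, before and after denymachineadminaccess is set to 1. The Site and SiteCollection classes, the who_controls function and every account name are hypothetical and constructed for illustration; the model calls no SharePoint API.

```python
# Added example: a toy model of the four roles; all names below are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Site:
    url: str
    parent: Optional["Site"] = None            # None marks the top-level Web site
    site_admins: set = field(default_factory=set)

@dataclass
class SiteCollection:
    owners: set                 # owner plus secondary owner
    collection_admins: set      # Site Collection Administrators

def who_controls(site, collection, local_admins, deny_machine_admin_access):
    """Map each account with administrative control over `site` to its reasons."""
    reasons = {}
    def grant(account, why):
        reasons.setdefault(account, []).append(why)

    # Site Administrators control their site and its subsites, so walk up
    # from the target site to the top-level site.
    node = site
    while node is not None:
        for account in sorted(node.site_admins):
            grant(account, "Site Administrator of " + node.url)
        node = node.parent
    # Site Collection Administrators have rights on every site in the collection.
    for account in sorted(collection.collection_admins):
        grant(account, "Site Collection Administrator")
    # Owners and secondary owners are also site collection administrators.
    for account in sorted(collection.owners):
        grant(account, "Site Collection Owner")
    # Local Administrators keep access unless denymachineadminaccess is 1.
    if not deny_machine_admin_access:
        for account in sorted(local_admins):
            grant(account, "Server Administrator (local Administrators group)")
    return reasons

# Constructed inventory: /hr is a subsite of the top-level site, /hr/payroll of /hr.
top = Site("/", site_admins={"CORP\\alice"})
hr = Site("/hr", parent=top, site_admins={"CORP\\bob"})
payroll = Site("/hr/payroll", parent=hr)
coll = SiteCollection(owners={"CORP\\carol"}, collection_admins={"CORP\\dave"})
local_admins = {"SERVER\\ops", "CORP\\alice"}

if __name__ == "__main__":
    for deny in (False, True):
        print("denymachineadminaccess =", int(deny))
        for account, why in sorted(who_controls(payroll, coll, local_admins, deny).items()):
            print("  ", account, "<-", "; ".join(why))
```

An account that is both a local administrator and a Site Administrator keeps its site-level control after the property is set, which is why the reasons are tracked per account rather than as a single yes/no.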