Spike on SharePoint
Controlling Access to the SharePoint Designer Tool
SharePoint's Designer tool can be customized to allow and block access to some of its more powerful features.
- By Spike Xavier
SharePoint Designer is a very powerful tool. It is used to do many different things inside of a SharePoint 2013 environment, including creating powerful workflows, setting up access to external data and adding SharePoint artifacts as well as being a go to tool in any branding project. (It must be mentioned that Web designers have more options than ever before in the Branding arena).
The biggest issue for farm administrators and site collection administrators is not that SharePoint Designer can't do something, but that it can do a lot.
Proper governance, including a training program that includes some type of organizational certification process for the use of SharePoint Designer is probably the best bet no matter what a farm administrator or site collection administrator does, but this article will focus on the options that a farm administrator, and site collection administrator have in configuring what SharePoint Designer can and cannot be used for in the farm.
The first place a farm administrator has in choosing to restrict or allow the use of SharePoint Designer 2013 and some or all of its functionality in their environment is at the SharePoint Web application level.
The settings applied at this level will affect every site collection it the Web application, but will not affect any site collections not in that particular Web application.
In order to work with the settings for managing SharePoint Designer at the Web application level, log onto the SharePoint box as a farm administrator and open up central administration by clicking on Manage Web applications:
Here you can choose the Web application you want to manage. Click somewhere in the blank space on the line of the SharePoint Web application you want to manage. For this example I will manage the use of SharePoint Designer in SharePointDotLocal Web Application:
Next, go to General Settings with SharePointDotLocal selected and select SharePoint Designer:
Here are the options for managing SharePoint Designer at the Web Application Level:
I am going to take a look at each of the four options at the Web application level. Notice that the U.I. presents checkboxes which indicates that any combination of none, one, two, three or all four settings can be enabled (by checking the box) or not enabled by leaving the box unchecked.
It is important to remember the scope of this set of options, which is for all site collections in this Web application.
Some of these settings can appear a little confusing. For example one might expect that if you clear (uncheck) the box to Enable SharePoint Designer that the other boxes would be cleared or grayed out -- but this is not the case. The other boxes remain however you configure them, but that configuration may not make sense.
Note, I will test everything as a site collection administrator in this article unless otherwise noted.
Enable SharePoint Designer
Enable SharePoint Designer is exactly what it says. Do you want to allow the use of SharePoint Designer on any site collection in this Web application? If you uncheck this than users will not be allowed to use SharePoint Designer regardless of the permissions at the site collection level.
Following is what site collection administrators will see if this checkbox is cleared (not checked) when they try to connect to a site in a site collection which is in the Web application SharePointDotLocal:
When Site Collection Administrators go to the site settings page in their site collections and the Enable SharePoint Designer checkbox is cleared, they see this:
The other options are still there at the site collection level as well, however they will not be able to use SharePoint Designer on the sites in these site collections.
Enable Detaching Pages from the Site Definition
This setting will allow site collection administrators (and anyone they see fit) to detach the pages from the Site Definition. This can have a great impact on the farm in a few ways.
First, if pages are detached from the Site Definition (often referred to as customized, or unghosted) than a copy of the page is stored in the content database as opposed to being called from a definition in the SharePoint root (15) folder. This can have a performance impact due to the way SharePoint manages its objects in memory. However this will depend on many factors (the size and activity of the farm, and the hardware it is using, for example) but no matter the performance impact, this can cause situations where updates that would normally have been applied to the file system are not applied to pages which are now being stored in the content database.
Second, when upgrading from one version of SharePoint to the next, this needs to be taken into consideration.
Enable Customizing Master Pages and Layout Pages
It may seem odd to allow SharePoint Designer to be used but not allow it to be used to customize master pages or layout pages. However one has to remember that SharePoint Designer is the go-to tool for creating no code workflows and for configuring external content types which have nothing to do with branding.
The customizing of master pages by those not familiar with SharePoint has proven to cause many headaches in the past. Even experience .NET developers who understand master pages, but haven't taken the time to look into SharePoint, can get themselves into situations they don't expect.
This setting is where organizations can keep this from happening.
If the setting is checked (as pictured above) than the Master Pages Link appears in the navigation bar of SharePoint Designer:
If this setting is unchecked, the master pages link disappears from the SharePoint Designer user interface:
Enable Managing of the Web Site URL Structure
If this box is checked than the All Files folder will appear in the SharePoint Designer user interface. The All Files folder allows for users to interact with the site contents via SharePoint Designer (pretty much like they would if working with other integrated development environments). There might be other things that are restricted but this is the obvious one:
When the checkbox is cleared, the All Files folder icon disappears:
Now take a look at the options for managing SharePoint Designer at the site collection level via the settings icon at the top-level site of the root site collection in the SharePointDotLocal Web application by going to Site Actions > Site Settings:
From the Site Settings page, click the SharePoint Designer settings link in the site collection administration section:
Here are the same four options that exist at the Web application level. The only difference is that these settings only affect sites within this site collection. Any settings changed here do not affect what the site collection administrators can or cannot do:
If, for example, I clear the checkbox to Enable SharePoint Designer at this level as a Site Collection Administrator I can still connect to the site:
But when I try to connect to the site using SharePoint Designer as a site owner, I get the following message:
As a farm administrator we can control the use of SharePoint Designer and allow or restrict different aspects of what it can do at the Web application level. We can then delegate what our site collection administrators can do and what they can allow others to do at the site collection level.
Training, governance, and testing are our friends when dealing with SharePoint Designer which is a very powerful tool.