Monday, May 21, 2007

"Policy for web application" and Form Based Authentication (FBA)

The authentication scheme in SharePoint 2007 is very flexible. Out of the box, SharePoint supports multiple authentication schemes and also lets you build a custom one. Now, every flexible thing comes at a price: the extra flexibility also increases complexity, especially if you start mixing intranet and extranet applications with different authentication.

One of the features in SharePoint is called "Policy for Web Application" (personally I think they could have chosen a better name). What this feature allows you to do is define the top-level security for a web application in Central Administration. This is really neat, especially if you are creating a new application and want to give certain groups or users access to it before creating a site collection or logging into the application. This comes in very handy in the case of forms authentication.

Now, you should be very careful when you add a group in the web application policy screen. The minimum grant (as opposed to deny) access you can give in this screen is "Read all". Now, this literally means "Read all": any user or group given "Read All" permission will always have Read access to all site collections, lists and items in that application. That's right, even if you break the inheritance model and put item-level security in place. And the most annoying thing I found is that those users/groups are not visible in the "All People" screen of the site.
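As an added example (not part of the original post), here is a small console program against the SharePoint 2007 server object model that lists every principal in a web application's policy and flags the ones holding Full Read or Full Control, since those are exactly the accounts that can read every item in the application yet never appear in "All People". The class and member names used (SPWebApplication.Lookup, Policies, PolicyRoleBindings, SPPolicyRoleType) are the Microsoft.SharePoint.Administration types as I recall them; treat them as assumptions, and the URL is a placeholder.

```csharp
// Added example, not code from the original post.
// Audits the "Policy for Web Application" entries of one web application and
// flags every principal with a grant policy, because those accounts keep at
// least Read access to every site collection, list and item in the application
// regardless of site-level or item-level permissions, and are not listed in
// the site's "All People" page.
// Assumptions: runs on a SharePoint 2007 farm server, references
// Microsoft.SharePoint.dll, and is executed by an account with farm rights.
using System;
using Microsoft.SharePoint.Administration;

class WebAppPolicyAudit
{
    static void Main(string[] args)
    {
        // Placeholder URL; pass the web application to audit as the first argument.
        Uri webAppUrl = new Uri(args.Length > 0 ? args[0] : "http://extranet.example.local");
        SPWebApplication webApp = SPWebApplication.Lookup(webAppUrl);

        Console.WriteLine("Web application policies for {0}", webApp.DisplayName);
        Console.WriteLine("{0,-40} {1,-14} {2}", "Principal", "Policy role", "Note");

        foreach (SPPolicy policy in webApp.Policies)
        {
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
            {
                // Full Read and Full Control are grant policies: they cannot be
                // overridden by breaking inheritance inside the site.
                bool readsEverything =
                    role.Type == SPPolicyRoleType.FullRead ||
                    role.Type == SPPolicyRoleType.FullControl;

                Console.WriteLine("{0,-40} {1,-14} {2}",
                    policy.UserName,
                    role.Name,
                    readsEverything ? "reads every item in the application" : "");
            }
        }
    }
}
```

Run it against each extranet web application after editing the policy screen; any line flagged "reads every item" is a principal whose access you will not see when reviewing permissions from inside the site.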

So next time, when you are planning to use "Policy for Web Application", remember that any user you add here ALWAYS has at least this minimum access to the entire application, regardless of your security settings within the site.
