sharepoint uploaded docs

I am new to SharePoint, but if you have a document that you want to allow a user to upload to a SP site - but once uploaded only offer the document as read-only to everyone except the original "uploader" (who can modify if they want).

1) Can you elaborate where you set the files access control list, and can this type of setup be achieved? And can anyone show a screenshot of how the access control list to the file looks, i.e. where you can demonstrate who can access, edit, modify etc, to satisfy auditors?

2) And also how can you see revision history of that document, i.e. any amendments made, can you show a screenshot of how and where you can see the actual audit logs for amendments made to the document, to also satisfy auditors.

3) Where do SharePoint documents "go", i.e. are they sat on say a file share on the SharePoint server, or do they go into an actual MSSQL DB? If they go on a file share, would the NTFS permissions mirror the SharePoint permissions for the file?

I am doing this blind, as I don't currently have access to a SharePoint site to demonstrate this, but I am pretty sure it can be done.
vaderj Commented:
First off, SharePoint is designed upon a hierarchy :

1.) SharePoint Farm : Holds multiple Web Applications (among many many more things)

2.) Web Application : Holds multiple site collection (among other things) (not directly accessible)  - no permissions editing

3.) Site collection : (not directly accessible) Holds multiple Subsites / webs - only a single permission (Site collection administrator)

4.) Subsite / web : This is the "SharePoint site" (or this is the "SharePoints") that users access.  It contains, among many other things, lists (which include libraries).  This is also the first line of true permissions - you can add / remove groups and people who have access at this level

5.) Lists / Libraries : Must be contained within a subsite.  They contain list items (a file is simply an attachment of a list item).  These can also have their security inheritance broken and can be assigned unique permissions relative to their parent

6.) List Item / file : Must be contained within a list / library.  Can also have its security inheritance broken from its parent list

To answer your questions:
1.)  Site collection administrators (or anyone with "Full Control" (and other roles)) can modify permissions - there are multiple ways of doing this - elaboration on your specific circumstances would help, else there is google

2.) File versioning must be enabled for the specific library you are referring for this to work.  If you want to see the specific file version history, you can click the dropdown menu for a particular list item and select its version history

3.)  By default, all SharePoint content resides on the site collection's given content database which lives in MS SQL Server.  Best practices say that the SQL server should be a separate server(s)
pma111 (Author) Commented:

1) I was just wondering where you can see the access control list for a site/file - i.e. where you can actually see the ACL for a document uploaded to SharePoint (can you show an example), and what kind of permissions are available for the file, i.e. so I can get it in my head how it is similar to NTFS permissions
Site Settings => Site Permissions

If you do not see the "Site Settings" menu in the upper (left if SP2010, right if SP2007 / 2013) then you do not have proper permissions
pma111 (Author) Commented:
What if you have documents on the same site with different ACL requirements, can this be done? Or do files uploaded in a site typically inherit permissions set at site level, as would a document added to a directory on an NTFS directory on Windows.
pma111 (Author) Commented:
And can you recommend a link that discusses the various types of permission you can apply to a site/document, i.e. similar to NTFS
Is there a particular issue that you are attempting to resolve?

SharePoint, despite its unfortunate common perception as such, is not a file share and really should not be treated as a file share.

For instance - Every object in a file share has three permissions : R, W, and X for both of its objects (files and directories)

Since SharePoint is a collaboration, CMS/publishing, and general application toolset, it has many more permissions.  It also contains Permission Levels which have a number of permissions rolled up into it.

For instance, the Contribute Permission Level contains 21 permissions (such as utilizing SOAP features, viewing user information, creating alerts, working with versions, etc).  This is one of many (many, many) reasons that SharePoint should not be thought of as a file share.

Does that help at all?
pma111 (Author) Commented:
>Is there a particular issue that you are attempting to resolve?

Just to establish a baseline knowledge of what kind of access control you can enforce on files in SharePoint, and how to check what they currently are.

Although I appreciate it's not like a file share per se, the same concepts apply, i.e. if you need to be able to demonstrate only the right/approved people can access a file, be that in SharePoint, file share, inside an RDBMS etc. - you need to know where to look and how to prove the current access to that file.
Permissions auditing in SharePoint is infamously lacking - you can check if a single user has permissions at a particular level, but there are basically no security auditing tools OOB - when we are requested to provide some form of audit report, I have to write a PoSH script that interacts with the server object model to pull that info but there are also 3rd party tools that do the same.
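
A minimal sketch of the kind of server object model report mentioned in the comment above, added here as an example (it is not the commenter's script). It assumes an on-premises SP2010/2013 farm server with the SharePoint snap-in available; the URL, library name and output path are placeholders.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
# $WebUrl, $LibraryName and $OutFile are placeholders, not values from the thread.
param(
    [string]$WebUrl      = 'http://sharepoint.example.local/sites/demo',
    [string]$LibraryName = 'Shared Documents',
    [string]$OutFile     = '.\library-permissions.csv'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emit one row per role assignment (principal + permission levels) on a securable object.
function Get-AclRows {
    param($Securable, [string]$Scope, [string]$Url)
    foreach ($ra in $Securable.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; '
        New-Object PSObject -Property @{
            Scope            = $Scope
            Url              = $Url
            Inherits         = -not $Securable.HasUniqueRoleAssignments
            Principal        = $ra.Member.Name
            PrincipalType    = $ra.Member.GetType().Name   # SPUser or SPGroup
            PermissionLevels = $levels
        }
    }
}

$web = Get-SPWeb $WebUrl
try {
    $list = $web.Lists.TryGetList($LibraryName)
    if ($null -eq $list) { throw "Library '$LibraryName' not found in $WebUrl" }

    $rows  = @()
    $rows += Get-AclRows $web  'Web'     $web.Url
    $rows += Get-AclRows $list 'Library' $list.RootFolder.ServerRelativeUrl
    # Items that still inherit share the library's ACL, so only list the exceptions.
    # $list.Items covers files, not folders; folders would need $list.Folders as well.
    foreach ($item in $list.Items) {
        if ($item.HasUniqueRoleAssignments) {
            $rows += Get-AclRows $item 'Item' $item.Url
        }
    }
    $rows | Select-Object Scope, Url, Inherits, Principal, PrincipalType, PermissionLevels |
        Export-Csv -Path $OutFile -NoTypeInformation
}
finally {
    $web.Dispose()   # SPWeb objects from Get-SPWeb must be disposed explicitly
}
```

The resulting CSV shows, for the site, the library and every file with broken inheritance, which users or groups hold which permission levels, which is the evidence an auditor would ask for.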
pma111 (Author) Commented:
Thanks for the heads up