Frequently, an organization would like to be able to automatically assign extranet users to an Extranet Role as part of the ExCM invitation and self-service registration process. ExCM includes a feature named “Security Policies” that is designed to make this possible. Every user that gets added to your extranet will need at least read permissions. (or else there is no reason to invite them, right?) You can add them to the specific role or security group every time you invite a user (or manually add the user) but that will create extra work for you by adding an extra step. And, if that step is left off, the user will be presented with a "request permission to this page" error when attempting to log in... generating a call to support.
So to avoid the extra time and hassle, let's progress through the steps of configuring a security policy to automatically add a user to a security group, or role, when they are added to your extranet site. To begin, follow the steps below:
1. From Site Settings, click on Extranet Settings from the Extranet Management group:
2. Click on Security Policies under the General Settings heading:
3. Select the Security Policy Tab in the ribbon and click on New Policy:
4. In the New Security Policy dialog box, you have several options to set different types of Security Policies. The most common use is to set a Site Collection policy (or Site policy, if you use sub-sites rather than Site Collections) to ensure that new registrants are automatically added to a specific Extranet Role whenever they first register for the site. (Presumably, prior to this the administrator would have granted the Extranet Role specific SharePoint permissions.)
This screenshot shows an example of setting a policy that will automatically add all new registrants to the Acme Collaboration Site Collection to the Acme Users Extranet Role. Prior to this, the Acme Users Extranet Role had been granted read permission to the site:
5. The finished Security Policy looks like this:
Once the security policy is in place, any user that is added to your site will now be added to the role "Acme Users" without having to remember to do this step manually. If you want to save yourself some time, and possibly some unnecessary troubleshooting, make sure you set this policy up on every site collection you provision. If you are using our Site Provisioning and Governance Automation tool, make sure you set the activity to create the role, assign read permission, and Add Site Security Policy with every site provisioned, saving you from manually doing all those steps.