SharePoint Permissions:
One of the most powerful aspects of SharePoint is the ability to
manage permissions however, if this is done incorrectly and without structure
it can soon become your company’s worst nightmare. I have seen a number of
different company's SharePoint permissions and many of them have let the
permissions get out of control.
Much of the out of control permissions can be attributed to
provisioning user permissions on an individual basis, not creating customer
permission levels, not utilizing Active Directory Groups (AD), and not creating
meaningful SharePoint Groups.
Breaking inheritance on their libraries and lists is totally fine when
done correctly, but permissions by individual is almost never the answer. This
tactic is not only time consuming, but eventually will become unmanageable you
and will constantly be amending & provisioning permissions.
Create custom permission levels!!!!!! If you have a need to deviate
from the out of the box levels, you should create custom levels. For instance,
if you want to hand off the ability for a user to provide permissions for their
site, but not be able to manage site features, create sub sites, etc. a new
permission level should be created.
Create SharePoint groups that you can manage and determine a naming convention which works for your organization. An example of this would to create a new SharePoint group for every library & list which has unique permissions i.e. Site Name-Library Contribute. This way you know when you are adding users that this group is the contribute group for that library with broken inheritance. You will run into scenarios where the same group of individuals needs access to multiple libraries. For this I create a permission group such as Site Name-Libraries -LegalReviewTeam Contribute and then in the description of the group I list out all of the libraries/list that this team has contribute access to.
Utilizing Active Directory groups
AD groups should be used within your SharePoint Groups in order to better manage SharePoint permission and to reduce the overall overhead of your site. In SharePoint you are able to use Security Level Active Directory groups for permissions, which can save a ton of time. At the bottom of this article I provided a graphic I created which helps to visualize the impact. You can check to see if an AD group is a security group by downloading a set of Administrative Tools → Active Directory Users & Computers → Search the distribution group and there should be a radio button that is marked for Security Group. By adding AD groups you can provision permissions for an entire group such as "Tibco Integration" which might be a distribution group in your organization which would give anyone that is part of that group permission to the site, This means that rather than adding let’s say 100 members of this group individually, you can add the AD group once. This also reduces maintenance since anyone that is removed from that distribution group will also lose their permissions on your site.
Create SharePoint groups that you can manage and determine a naming convention which works for your organization. An example of this would to create a new SharePoint group for every library & list which has unique permissions i.e. Site Name-Library Contribute. This way you know when you are adding users that this group is the contribute group for that library with broken inheritance. You will run into scenarios where the same group of individuals needs access to multiple libraries. For this I create a permission group such as Site Name-Libraries -LegalReviewTeam Contribute and then in the description of the group I list out all of the libraries/list that this team has contribute access to.
Utilizing Active Directory groups
AD groups should be used within your SharePoint Groups in order to better manage SharePoint permission and to reduce the overall overhead of your site. In SharePoint you are able to use Security Level Active Directory groups for permissions, which can save a ton of time. At the bottom of this article I provided a graphic I created which helps to visualize the impact. You can check to see if an AD group is a security group by downloading a set of Administrative Tools → Active Directory Users & Computers → Search the distribution group and there should be a radio button that is marked for Security Group. By adding AD groups you can provision permissions for an entire group such as "Tibco Integration" which might be a distribution group in your organization which would give anyone that is part of that group permission to the site, This means that rather than adding let’s say 100 members of this group individually, you can add the AD group once. This also reduces maintenance since anyone that is removed from that distribution group will also lose their permissions on your site.
No comments:
Post a Comment