Thursday, March 28, 2013

SharePoint Permissions

SharePoint Permissions:

One of the most powerful aspects of SharePoint is the ability to manage permissions however, if this is done incorrectly and without structure it can soon become your company’s worst nightmare. I have seen a number of different company's SharePoint permissions and many of them have let the permissions get out of control.

Much of the out of control permissions can be attributed to provisioning user permissions on an individual basis, not creating customer permission levels, not utilizing Active Directory Groups (AD), and not creating meaningful SharePoint Groups.

Breaking inheritance on their libraries and lists is totally fine when done correctly, but permissions by individual is almost never the answer. This tactic is not only time consuming, but eventually will become unmanageable you and will constantly be amending & provisioning permissions.

Create custom permission levels!!!!!! If you have a need to deviate from the out of the box levels, you should create custom levels. For instance, if you want to hand off the ability for a user to provide permissions for their site, but not be able to manage site features, create sub sites, etc. a new permission level should be created.

Create SharePoint groups that you can manage and determine a naming convention which works for your organization. An example of this would to create a new SharePoint group for every library & list which has unique permissions i.e. Site Name-Library Contribute. This way you know when you are adding users that this group is the contribute group for that library with broken inheritance. You will run into scenarios where the same group of individuals needs access to multiple libraries. For this I create a permission group such as Site Name-Libraries -LegalReviewTeam Contribute and then in the description of the group I list out all of the libraries/list that this team has contribute access to.

Utilizing Active Directory groups

AD groups should be used within your SharePoint Groups in order to better manage SharePoint permission and to reduce the overall overhead of your site. In SharePoint you are able to use Security Level Active Directory groups for permissions, which can save a ton of time. At the bottom of this article I provided a graphic I created which helps to visualize the impact. You can check to see if an AD group is a security group by downloading a set of Administrative Tools → Active Directory Users & Computers → Search the distribution group and there should be a radio button that is marked for Security Group. By adding AD groups you can provision permissions for an entire group such as "Tibco Integration" which might be a distribution group in your organization which would give anyone that is part of that group permission to the site, This means that rather than adding let’s say 100 members of this group individually, you can add the AD group once. This also reduces maintenance since anyone that is removed from that distribution group will also lose their permissions on your site.

No comments:

Post a Comment