Presenter: Mayank Malik
http://latenightsp.wordpress.com
SHAREPOINT PERMISSIONS NIGHTMARE
AGENDA
• What’s the OOB story of permissions?
• The right way to manage permissions is …
• Is 2010 better?
[Slide: permission terms a site owner runs into: Contribute, Full Control, Visitor, Owner, Read Only, Member, Designer, Hierarchy Manager, AD Group, SharePoint Groups, Membership, Site Owner, Site Admin, Securable Object]
WHAT IS THE OOB STORY OF PERMISSIONS?
MOSS 2007
SP 2010
I DON’T HAVE ACCESS TO THIS SITE
Where? What? Who?
- Where? Securable Objects: Site, List, DocLib, Item…
- What? Permissions: 33 permissions
- Who? People: Users imported from AD

The 33 permissions:
- Site Permissions (18)
- List Permissions (12)
- Personal Permissions (3)

Relationships shown on the slide:
- Permissions are applied to securable objects and are assigned to people.
- Permissions are grouped together into Permission Levels.
- Users belong to / are members of Groups (AD / SP).
- Securable objects inherit from the top-level site (inheritance by design).
- Permission Levels are assigned to Groups and are applied to the top-level site.

OOTB Permission Levels
- Full Control
- Design
- Contribute
- Read
- Limited Access
- Restricted Read
- Approve
- Manage Hierarchy

OOTB Groups
- Site name Owners
- Site name Members
- Site name Visitors
I DON’T HAVE ACCESS TO THIS SITE
Decisions:
1. Should they have access to everything or just this site (securable object)? Do I need to break inheritance?
2. Is there an existing permission level that would suffice? Should I create a new permission level? What permissions would be sufficient?
3. Is there a group to which I can add this user? Should I create a new group?
SharePoint Site Owner
Who? What? Where?
“I don’t know how to grant user access to SharePoint. I have done it before, but I always get lost in the UI” - SharePoint Site Owner
1. Where? Securable Object
2. What? Permissions / Permission Levels
3. Who? People / Groups
“What in the world is limited access?” - SharePoint Site Owner
[Diagram: site hierarchy with G and P markers]
Company Intranet (top-level site)
HR Site
HR Onboarding, HR Training Site
Finance Site
Payroll
Markers on the diagram: G, P, “P Read”, “Limited Access?”

Limited Access
1. View Application Pages
2. Browse User Information
3. Use Remote Interfaces
4. Use Client Integration Features
5. Open

Effective Permissions: Read, Limited Access
THE RIGHT WAY TO MANAGE PERMISSIONS
The right way to do anything in SharePoint is – “it depends”
The right way to manage SharePoint permissions:
• Inheritance is your friend. Inherit whenever you can.
• When breaking inheritance, try to use Groups as much as possible in order to decrease the complexity of permissions design.
• Use built-in roles – Crafted vs. Manufactured
• Use SP groups if your group membership is volatile.
• Define your access strategy before you set up your site.
Define your access strategy
Audiences: Project Management, Project Team, Sponsors, Stakeholders, Everyone Else
[Diagram: the audiences mapped to lists: Task List, Announcements, Shared Documents, plus Documentation and Publications lists; four P markers]
[Diagram: the audiences grouped as Everyone, Team, Stakeholders, with three P markers, mapped to separate sites: Site for Everyone Else, Site for Team Members, Site for Stakeholders]
IS 2010 BETTER?
New Permissions Management tools in SP 2010
• View permissions associated with a group at Site Collection Level.
• Show uniquely secured content.
• Check effective permissions for a user / group at a list level.
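An added example, not from the presentation: a read-only PowerShell audit for a SharePoint 2010 farm that lists every web and list with broken inheritance and shows whether each role assignment goes to a SharePoint group, an AD group or an individual user, which is what the guidance above asks a site owner to keep under control. The function name `Get-UniquePermissionReport` and the URL in the usage comment are placeholders chosen for this example.

```powershell
# Added example: report uniquely secured webs and lists via the server object model.
# Run in the SharePoint 2010 Management Shell on a farm server; it only reads.
# Assumptions: Get-UniquePermissionReport is a hypothetical name, the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UniquePermissionReport {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The web and each of its lists are securable objects.
                $objects = @($web) + @($web.Lists)
                foreach ($obj in $objects) {
                    # Objects that still inherit from their parent need no separate review.
                    if (-not $obj.HasUniqueRoleAssignments) { continue }

                    foreach ($ra in $obj.RoleAssignments) {
                        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })

                        # Classify the principal: SharePoint group, AD group, or single user.
                        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $kind = 'SharePoint group' }
                        elseif ($ra.Member.IsDomainGroup) { $kind = 'AD group' }
                        else { $kind = 'User' }

                        New-Object PSObject -Property @{
                            Web               = $web.Url
                            Object            = $obj.Title
                            ObjectType        = $obj.GetType().Name
                            Principal         = $ra.Member.Name
                            Kind              = $kind
                            PermissionLevels  = ($levels -join ', ')
                            # English level name as on the slides; localized farms use another name.
                            LimitedAccessOnly = ($levels.Count -eq 1 -and $levels[0] -eq 'Limited Access')
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage: individual users granted real permissions directly on uniquely secured content.
# Get-UniquePermissionReport -SiteUrl 'http://intranet.example.com' |
#     Where-Object { $_.Kind -eq 'User' -and -not $_.LimitedAccessOnly }
```

Rows where `LimitedAccessOnly` is true are the automatic Limited Access entries on parent objects; they usually point to a uniquely secured child lower in the hierarchy rather than to a grant someone made on purpose.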
Questions?