sharepoint permissions worst practices

1 | @bobbyschang | bobbyspworld.com

SharePoint

Permissions Worst

PracticesBobby Chang@bobbyschang

http://www.twitter.com/bobbyschang

2 | @bobbyschang | linkedin.com/in/bchang | bobbyspworld.com

About Me

Contact Info

• slideshare.net/bobbyschang

• linkedin.com/in/bchang

• @bobbyschang

• bobbyspworld.com

Bobby Chang

SharePoint Consultant at Planet Technologies

http://linkedin.com/in/bchang

http://twitter.com/bobbyschang

http://bobbyspworld.com/

http://slideshare.net/bobbyschang


Why Worst Practices?

Rather Than a List of To-Do’s


At Times It’s More Effective (and Fun) to Share

What NOT To Do

And Scare You Share With You Its Consequences

SharePoint Permissions

Basic Overview


Permissions Fundamental

To Provide or Restrict Users

with Access to SharePoint Content


Inherited Permissions by Default

Site Collection

Site

List / Library

Item

Child Site


Site Collection

Site

List / Library

Item

Child SiteBreak Inheritance

Inheritance Can Be Broken


Permission Level• Determines how much access a user has

• Most Commonly Used Permission Levels:

1. Contributeo Target Audience = Team Members, Supervisorso Create, Read, Update, Delete content

2. Reado Target Audience = Visitors, Clients, Extended Team Memberso Read content

3. Full Controlo Target Audience = Site Administrators, Site Managerso Create, Read, Update, Delete contento “The Kitchen Sink”

No Planning

Worst Practice


Right?

Planning

Matters

Planning Matters

Photo Credit – Matthew Keagle & Creative Commons

Do You Have a Permission Strategy?


- What is purpose of the site?- Gathering Info vs. Dissemination- Extranet vs. Intranet

- Who’s the target audience?- Is there any restricted content?- Access for anyone outside org?

- Are there different member roles?- Any group specific classified info?- Who’s the Site Manager?

- What is documentation process?- How will you address training?- How will permissions be governed?


What Governance Can Do

• Consensus on processes and set expectations

• Increased team awareness

• Better understanding of SharePoint intricacies

• More effectively managed platform

• Compliance with rules and regulations


“A governance strategy is never static

– it is

a living, breathing process and a set of

rules

that you should live by, not die by!”

--Christian Buckley, SharePoint MVP


SharePoint Platform Matures

Governance Should Evolve as Your

“Full Control” for Everyone

Worst Practice


What You Can Do w/ Full ControlCreate & Delete Sites

Create SharePoint Groups

Manage Site & List/Library Permissions

Activate & Deactivate SharePoint Features

Create, Update, Delete List/Library Public View

Generate Site Web Analytics Reports

Create, Modify, Delete SharePoint workflow

Create, Modify, Delete Site & List/Library Columns

Delete Site & List Template

Delete Master Page & Page Layout

Add, Update, Delete a Wiki and Web Part Page

Add, Update, Delete Web Parts

Etc. etc. etc.

TOO MUCH !

! !


Full Control Pyramid Scheme


Don’t Take Site Manager Delegation Lightly!

Dear Site Managers,

You play a pivotal role to SharePoint success (or failure)

When asked to pleeasseee have access to EVERYTHING

Image Credit: © SheKnows LLC

Let’s not rush to give Full Control


First Ask Follow-Up Questions

• What type of “access”?

• What exactly is “everything”?

• Majority of the time, you may find:

– “Everything” may pertain only to Documents

– “Access” could mean Read/Update/Delete Documents

– Thus Contribute access may be sufficient

?


Before Providing Full Control

• Ensure user completed necessary training

• Check or Refine governance policy

• Consider other permission levels that may fulfill needs (e.g.: “Design”)


Thy requests must go through me …

It’s not that

you’re a control

freak

Simply can’t have everyonemanage your site

Assigning Permissions to Individual Users

Worst Practice


• Team Growth

• Role Change for Existing Users:

– Expanded Responsibilities

– Rolling Off Project

– Promotions

• Onboarding New Employees

• Employee Departures

How Will You Handle


Real World Example

Where in the World is Carmen

Sandiego?


Challenges

• Hard to decipher who has what level of access

• Cumbersome to manage, control, and update existing permissions

• SharePoint Out-of-Box “Check Permissions” function is rather limited

Instead, Use …

SharePoint Group


Then Add or Remove Users from the Group

First, Assign Permissions to SharePoint Group

AD Group (Active Directory)

For SP2013 Microsoft recommends …


AD Group


AD Group – Why & When• Recommended by MSFT for performance

• Use AD group in SharePoint only if

– AD group definition is well defined

– IT Team is proactive in updating membership

• Group info should be up-to-date to ensure proper access setup in SharePoint

Default Settings for SharePoint Groups

Worst Practice


Have You Seen This Error?


How About This?


SharePoint Group Challenges• Site Managers could be locked out

• Be Mindful of Default Settings when creating new


ALWAYS assign a group as group owner

Preferably Site Collection Owner or Site Owner group

Group Owner SettingsDefault -> the user who created group


Instead open membership list to everyone

Membership Visibility Settings

Default -> only Group Members can view


What to Look Out For in Site Creation


When Creating a New Site

• “Unique permissions” option is available

• This option: – Breaks site permission inheritance

– Allows you to create 3 new SharePoint groups


Before Creating 3 New Groups

Reflect and Assess!

Do I really need unique site permissions?

Do I need all 3 new SharePoint Groups?

Is there an existing group that I can use?

Item Level Permissions

Worst Practice


Item Level Permission

• Item = Document, List Item (e.g.: Calendar, Task, etc.)

• You can set permissions at the Item Level

doesn’t mean you should

Just because you can …


Challenges

• Library/List View doesn’t differentiate unique permissions

• Laborious admin• Manual process of checking broken permissions

• Changing permissions require updates to each file

• May lead to performance issue


F A C T : Reduced performance after 5000 files break inheritance

See Microsoft references: http://

bit.ly/1iMmyiC

http://bit.ly/1iMmyiC

http://bit.ly/1iMmyiC

What changed in 2013?


“Share” in SharePoint 2013• Intuitive & Convenient• Embraces social• Great tie-in to other components


Sharing is Caring! Right??


“Sharing” a File in 2013

The Gotchas

• Convenient but hard to govern• UX is different than sharing a site• Breaks permission inheritance of the file• Grants permissions to individual users

For more details, read this great resource by Sharon Richardson

Available via File Preview

http://www.slideshare.net/JoiningDots/share-point-governance-site-permissions


Who can “Share” a File?Contributor

Note: It contradicts Contribute permissions level


Let’s Recap!

Item Level Permission (Worst Practice #5)

Permissions for Ind. Users (Worst Practice #3)

Oh so easy

“Share” File in sp2013

+ ______________________________

__

Fun with Limited Access

*BONUS* Worst Practice


Ever Seen This and Wondered Why?

Because Limited Access is The Devil


If user is not declared in site permissions,

Permissions given to a user at library or list level

leads to

“Limited Access” creation for user at the site level

Site

List / Library

Limited Access

Contribute


Challenges with Limited Access

• Clutters site permission page• Can’t easily identify where access was

granted• Important Note

!

When You Delete User’s Limited Access at Site,

SharePoint Automatically

Removes User’s Permissions in Library/List/File


Good news …

Limited Access can now be hidden


What if you’re already in a permission hole?


First Things First – Stop the Bleeding!

e.g.: Change Full Control access

for unqualified folks to Design


Assess the Damage and Document Findings


Gathering Permissions Info• SharePoint Out-of-Box

– Unique access displayed in site permissions page

– Manual process conducted per site

• PowerShell script

• Third Party Tools– Codeplex (v. 2010/2007):

SP Permissions Manager

– #SPYam Community Recommended:ControlPoint byDeliverPoint by

http://permissionsmanager.codeplex.com/


Few Considerations During Permissions Clean-Up


Remember that it’s a process• Requires time commitment & effort

– Warning: You may not get it done in a day

• Don’t do it yourself– Gather requirements from business users– Leverage other team members

Photo Credit - The Daily Journal

One is the loneliest number


For Worst Case Scenario, Consider Starting Over


For those in very bad shape• It may be more beneficial to start over by:

– Inheriting all permissions– Then reconfiguring permissions appropriately

• This route could be high risk, high reward

• Before exploring this, be sure to:– Get executive buy-in– Devise a plan with Content/Site Managers and

relevant business functions– Communicate impact to user community


Last and Certainly NOT Least

Mitigate Survey the Field Clean Up Manage & Control

Do NOT forget this step!!


Manage & Govern• Enforce permissions governance

• Gain leadership support:– Illustrate level of effort to remedy issue– Quantify the business impact ($)

• Form & engage Governance Committee

• Provide continuous training for Site Managers


Monitor & Control• Define processes to periodically assess

• Determine monitoring tools– SharePoint Audit log reports (Manual

process)

– Automated Audit via Third Party tool


Whatever you do, just remember this…


“The greatest accomplishment is not in never failing,

but in rising again after you fall” --Vince Lombardi

Photo Credit - Journal Communications, Inc.

linkedin.com/in/bchang bobbyspworld.com

@bobbyschang

© LoveToKnow Charity

Questions? Feel Free to Contact Me

Bobby Changtwitter.com/bobbyschangslideshare.net/bobbyschang

http://www.twitter.com/bobbyschang

http://www.slideshare.net/bobbyschang

sharepoint permissions worst practices

Technology

permission

ad group

sharepoint

default settings

break inheritance

site

permissions

group