Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

Guide to SharePoint Permissions

Brought to you by

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

Before SharePoint’s time company files and informa-tion were dispersed and hard to access. Files were in emails attachments, file shares and print documents. Enterprises

and information technologists have been fighting a battles to make this information consolidated and easier to find and ac-cess. SharePoint was the perfect tool to house this data and make it accessible at people’s finger tips.

Ironically, this solution has created new challenges: The information was too easily accessible and could get to the wrong hands.

Information is the enterprise’s most valuable

assets. In the wrong hands, leaked informa-tion can literally lead to the demise of an organization.

As an administrator of SharePoint, security administrator, or even CIO or CTO of your organization, it is critical that you verse yourself with how SharePoint handles se-curity. In fact you should give this guide to any site administrator that will be handling security as well.

This guide will help you in understanding the inner workings of SharePoint permissions, how they are applied, and will therefore help you plan the architecture of the infor-mation in SharePoint in alignment with best practices.

Who Should use this GuideThis Guide is for anybody from the CIO to the developer that may be required apply permis-sions or plan permissions in SharePoint. This guide ensures a common baseline of awareness as to what is involved in SharePoint permissions.

Audience:- SharePoint Administrators- Site Owners- CIOs CTOs- Governance Team- Security Team

“[Users with access to permissions] should have a thorough understanding

of how permissions work, as well as they should be trained on and follow

best practices around permissions management. -Wendy Neal

Why SharePoint Permissions are a big deal?

-Karim Roumani

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

SharePoint Site ArchitectureWe assume you have some familiarity with SharePoint, however this is the very basic knowledge we need to ensure you have before moving forward.

SharePoint sites start with a site collection and the content of the site collection can be depicted in the diagram below.

Site Collection

Site

Site

Doc Library

Document

Item

List

A site collection is the top level of object that holds all the sites content. The objects under a site collec-tion are stored hierarchically.

Many sites can be created under the site collection. Sites can hold other sites, libraries and lists.

A document library is a type of list that hold documents. No sites can go under a list.

A document resides under a document library. It is also an “item” of that doc-ument library. Nothing can go under a item.

Just like document libraries lists are a content holder for data items. For exam-ple announcements are a type of list that holds announcements. Contacts is anoth-er type of list that can hold contacts.

An item is a record or data item contained under a list such as the announcement itself or the contact.

Let’s Start with the SharePoint Fundamentals

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

Some basic Definitions

Objects Subjects Permission Levels Permissions

Defi

nitio

n

A SharePoint object that can be secure by permissions. Site, List Folder, Item

A subject is a user or group that can be given rights to an object

Permission levels are a collec-tion of rights and permissions that can be applied to an entity on an object.

Permissions are the gran-ular actions a user can perform in SharePoint that can be policed. A collection of permissions define a permission level.

Exam

ples

SitesLists/LibrariesFoldersItems/documents

A UserA Active Directory GroupA SharePoint Group

ReadContributeWriteDesignerFull Control

See Permission Levels for a description of all the permissions.

Impo

rtant

Not

es

Objects inherit permis-sions from their parent object.

To Assign an object dif-ferent permissions than the parent, you must break inheritance.

A SharePoint Group cannot exist inside another SharePoint Group.

An AD group CAN ex-ist inside a SharePoint Group.

It is possible to create custom permission levels.

There is a mysterious “Limit-ed Access” permission that you may find. This is not a permission level that you can assign.

It is not possible to create custom permissions.

Limited Access means the user may have access to some child objects but not others.

Now to Permission Fundamentals

Fact 1 Fact 2 Fact 3

SharePoint is made of different objects such as files and folders that can be secured by permis-sions.

An Object naturally inherits permissions from the parent. A file is the child of a parent folder for instance.

It is possible to make a child hold different permissions than its parent. This is called breaking inheritance.

How Permissions are Applied

Every object in SharePoint can be secured by granting subjects Permission Levels to that object.

Object

Subject Permission Level

Subject Permission Level

Subject Permission Level{

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

Identify the subject and object

Add user to existing group that already has access

Grant an existing group permissions to the object

Give the user direct permissionson the object

Break inheritance at the level needed.

Determine the highest level in theSharePoint tree that permissions need to be added.

Before you grant any permissions, you must make sure that you apply those permissions to the right object. For instance, if a user asked for access to a document, you may be tempted to grant them direct access to that object. You should first consider if it is suitable to grant the user access to the whole library (the parent), and possibly even those whole site (the grand parent). Don’t jump into granting a user access directly to an object unless you consider the top most object that would be suitable.

Identify who needs access and to what?

Identify what level of access needs to be ranted.

Thought process to granting permissions

Keep in mind that if that document has unique permissions, then adding the user to the parent object will not grant the user permission to the document because by definition, the permission of the parent don’t apply to children with unique permissions.

It is often the case that the object that needs permission, may cur-rently be inheriting from the par-ent. You may have to break this inheritance to grant the permis-sions needed on the object.

Before granting the user permis-sions, consider if there is already similar users with the same access and how those users are granted permissions. Is there a group that the user belongs in that already has access, consider adding the user to the group. Make sure you leverage existing groups rath-er than adding users directly. If this group doesn’t exist consider adding one and placing users that need access there.

Before granting the user permis-sions, think if there is a group in AD or in SharePoint that the user is a member of that may also need access to the object. Con-sider granting that group access instead of giving the user direct access.

Try avoiding this option, but some-times it is necessary. Use this to grant a user permission directly to an object and not through a group. This option should be used if you find that the first two options are not good options. Applying too many direct permissions will make management of permissions more difficult.

Decide how access should be granted.

Method 1 Method 2 Method 3

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

Be Aware..What is Limited Access Permission level? Limited Access is not a permission level you can assign manually; It is assigned by the system. It appears when a user has access to child librar-ies or lists but not the parent. The parent will show “Limited Access”. If User A has no Access to Site A, but has contribute permission to a library under site A, then Site A permissions will show limited Access.

Site Collection Administrator? A site collection administrator is the highest site collection permission that can be given. A site collection does not need any permissions on items. They will have FULL CONTROL on all con-tent under that site collection.

Is there a way to audit permission on a whole site collection?There is no way to audit permission on a whole site collection. Consider 3rd party plug ins for that or writing a PowerShell script.

How is sharing and permissions related in SharePoint?When you share files in SharePoint 2013 or Office 365, the permissions of what you’re sharing is broken and permissions are granted to the group or user.

Tip Consider creating a custom permission level called “Contribute without Delete”. By default Contribute permission level allows users to de-lete content. Sometimes, you want the users to edit content but not be able to delete.

Be Careful Keep in mind that when you have unique permissions on an object such as a document and then at a later point you decide to grant access to the whole document library, that object will not be affected by the new permissions. Groups can help manage unique

permissions better. For instance assigning a user to a group can automatically grant that unique object access as well.

Be Aware If a user does not have access to an item, they will not see it.

Caution Using SharePoint views to hide content from users is a BAD practice if the information needs to be restricted. Instead use permissions. The user can circumvent the view and still ac-cess items. However with Permissions, the user can never access the object.

Management TipIf you wish to update many permissions site wide or do an audit, you may also write scripts via SharePoint PowerShell to do this. Explore the RoleDefinitions and RoleAssignment objects.

When to use AD Groups and When Share-Point Groups?If a group is well managed in AD you may want to use that. If you want more flexibility adding users to the group without having to go through IT, then use SharePoint groups. Consider also creating a SharePoint group and putting an AD group in it. If you wish to add new members you can add it through the SharePoint group.

Limitation SharePoint list and library columns cannot be locked by permissions. At least not out of the box.

Note If a user or group is given two different permissions on a site such as read and contrib-ute, the user will have contribute.

Resources Permissions planning for sites and content in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262939(v=office.15).aspx

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

How to navigate to the permissions pageSP Ver-sion

Site List/Library Item/Document

2013 1. Navigate to the site you wish to change permission for.

2. From the top right corner,

click 3. From the menu select “site

settings”4. Under Users and Permis-

sions, select “Site Permis-sions”

1. Navigate to the library you wish to change permission for. 2. Click on the “Library” tab on the top right.

3. Click on library settings

4. Click on “Permissions for this document library” or “Permissions for this list”

1. Select the document or item

2. Click on File Tab on top left

3. Click on “Share with”

4. Click on “ADVANCED”

2010 1. Navigate to the site you wish to change permission for.2. From the top left corner select “Site Actions”3. From the menu select “site settings”4. Under Users and Permis-sions, select “Site Permis-sions”

1. Select the document or item

2. Click Documents Tab

3. Click on “Document Permissions”

The Anatomy of a SharePoint Permissions Page

The subjects

The Object

The Controls

Important no-ti�cations

Permission Levels

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

How To: (prerequisite: make sure you have full control on the object or are site collection administrator)

Break inheritance Remove permissions Grant permissions Check permissions

Act

ions

Pre-

reqs

None. Know that once you break inheritance the permissions of the parent are copied to the object, then you can modify those permissions.

To be able to remove permissions, you must first stop inheriting per-missions.

To be able to remove permissions, you must first stop inheriting permis-sions.

None.

Step

s

1. Click on Stop inheriting Permissions2. Click OK when given the warning.3. The next page may ask you to create groups associated for this site. This is for easier management. You may go with the de-fault option.--At this point you will see check boxes next to the permissions on the permis-sions page.

1. Check the users the permissions as-signments you wish to remove by selecting the check boxes next to them. Ex:

2. Click Remove User Permissions3. Confirm

1. Click Grant Permissions2. Start typing in the name of the person or email.3. You may include an invitation message4. Check Send an email invitation if you wish for the user to receive emails.5. Under Select a group or permission level,

1. Click Check Permissions2. Type in the name of a group or user.3. Click check now

None. Means the user has no access.

Or you may see the per-mission level they have and if this permission is given through a group or a directly.

Spec

ial c

onsid

erat

ions

Make sure you are break-ing inheritance at the right location.

Breaking permission inher-itance of many objects will make management of those objects more difficult. You are advised to use groups for better management.

Note that after re-moving permissions, the user may still have access to the object if the user is in a group that has access to the object. Make sure you use the Check Permis-sions button to verify.

Notes:If you select a group, make sure that the group has access to the object you want to give the user access to.

Confirm user’s access by using the Check Permis-sions option.

This tool is extremely im-portant in auditing per-missions. It is not enough to look at the permissions on a permission page. If a user is inside of nested AD groups, it may be verify difficult to audit without this tool.

More actions

Edit User Permissions Create Group Inherit permissions Anonymous Access

Not

es

Allows you to edit an exist-ing permission

Allows you to create groups. Note that SharePoint groups cannot be nested.

This option will re-inherit permissions from the par-ent. Any custom permis-sions will be lost.

To see this option your web application must have this turned on. See Anonymous section be-low.

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

How To.. ContinuedGrant Anonymous Access Enable Anonymous From Cen-

tral AdministrationCreating a Custom Permis-

sion Level

Act

ions

Pre-

reqs Your web application needs to be

configured to support anonymous access. You need central administra-tion to do this.

You must have access to the cen-tral administration site.

You must have Manage permissions rights or be a site collection administrator.

Step

s

1. Click on Anonymous Access2. Select one of the choices:Entire Web Site

If you wish to grant complete access to everyone to the entire website.

Lists and Libraries

If you wish to grant access to specific libraries only. Grant-ing this will require you then to go to the library you wish to share and grant Anonymous access there.

Nothing Completely disable even the option of anonymous access.

1. Navigate to the central adminis-tration site2. Click on Central Administration on the left menu.3. Click on Manage Web applica-tions4. Select the web application you need. 5. Under the Web Applications Tab in the ribbon, click Authentication Providers6. Click on the Default Authentica-tion Providers7. Check “Enable anonymous access”8. Click OK9. Make sure the web application is selected and click Anonymous Access in the Ribbon.10. Select “None” the click Save

1. Navigate to the permis-sions page of a site2. Click on Permission levels3. You can click on Add Permission Level, however it is probably best to start off with an existing permission level template. So click on the permission level you want to start with instead of “Add Permission Level”4. At the very bottom of the permission level, the “Copy Permission Level” button.

5. In the next page, you can now type the name of the new permission level you want.6. Edit the permissions 7. Click Save.

Only use this if this a public website. Public SharePoint sites may need special licensing.

This option does not grant your site anonymous access yet. You will need to Grant Anonymous access at the site level. See “Grant Anony-mous Access”

Assigning Site Collection Administrators

You must be a site collection administrator first.

Step

s

1. Navigate to the top level or your site collection. Usually http://[site] without any trailing “/”2. Navigate to the permission page.3. Click on “Site Collection Administrators” in the ribbon4. Find the user5. Click OK

The “Access Re-quest” Feature in SharePoint is anoth-er way of granting access to content in SharePoint. This feature is available in 2013 and Office365. Watch Asif Rehamani’s Video on how that is done. WATCH

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

Permission Levels DefinitionsDefault Permission Levels

Permission

Full C

ontro

l

Des

ign

Con

tribu

te

Read

Ltd

. Acc

ess Description

Manage Lists X X Create and delete lists, add or remove columns in a list, and add or re-move public views of a list.

Override Check-Out X X Discard or check in a document which is checked out to another user.

Add Items X X X Add items to lists, add documents to document libraries, and add Web discussion comments.

Edit Items X X X Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.

Delete Items X X X Delete items from a list, documents from a document library, and Web discussion comments in documents.

View Items X X X X View items in lists, documents in document libraries, and Web discussion comments.

Approve Items X X Approve a minor version of a list item or document.

Open Items X X X X View the source of documents with server-side file handlers.

View Versions X X X X View past versions of a list item or document.

Delete Versions X X X Delete past versions of a list item or document.

Create Alerts X X X X Create e-mail alerts.

View Application Pages X X X X X View documents and views in a list or document library.

Manage Permissions X Create and change permission levels on the Web site and assign permis-sions to users and groups.

View Usage Data X View reports on Web site usage.

Create Subsites X Create subsites such as team sites, Meeting Workspace sites, and Docu-ment Workspace sites.

Manage Web Site X Perform all administration tasks for the Web site as well as manage con-tent.

Add and Customize Pages X X Add, change, or delete HTML pages or Web Part pages, and edit the Web site using a Windows SharePoint Services-compatible editor.

Apply Themes and Borders X X Apply a theme or borders to the entire Web site.

Apply Style Sheets X X

Create Groups X Create a group of users that can be used anywhere within the site collec-tion.

Browse Directories X X X Enumerate files and folders in a Web site using an interface such as Share-Point Designer or Web-based Distributed Authoring and Versioning (Web DAV).

Use Self-Service Site Creation X X X X Create a Web site using Self-Service Site Creation.

View Pages X X X X View pages in a Web site.

Enumerate Permissions X Enumerate permissions on the Web site, list, folder, document, or list item.

Browse User Information X X X X X View information about users of the Web site.

Manage Alerts X Manage alerts for all users of the Web site

Use Remote Interfaces X X X X X

Use Client Integration Features X X X X X Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint De-signer interfaces to access the Web site.

Open X X X X X Open a Web site, list, or folder to access items inside that container.

Edit Personal User Information X X X Allow a user to change his or her own user information, such as adding a picture.

Manage Personal Views X X X Create, change, and delete personal views of lists.

Add/Remove Private Web Parts X X X Add or remove private Web Parts on a Web Part Page.

Update Personal Web Parts X X X Update Web Parts to display personalized information.

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

On Going MaintenanceData is like a virus, it can spread fast, silently, and can cause damage. Just like your computer needs an anti-virus, your SharePoint environment needs a scheduled maintenance of data and permissions to keep it healthy.

Perform Quarterly Audits:Site Collection Administrators Audit Verify to see who the site collection administrators are on your site collections. Often times users are granted that permission and are forgotten. Make sure only a small number or administrator group is there. This is also important to check because other site collection ad-ministrators may grant control to others without your knowledge. Make sure your whole team is in sync on who should have this permission. Also make sure that those users are well acquainted with SharePoint since the power of such user can cause irreversible dam-age or possibly data loss.

Audit Sensitive Areas Some areas will be more sensitive than others in your portal. Once again the users with access to those areas can get out of hand. Make sure you audit exactly who has access by checking permissions and group memberships regu-larly on sensitive content. Document those sensitive areas and review with your team. Use the “Check Permissions” option to test permissions on those sensi-tive areas.

Perform Bi-Annual Audits on:Complete Site Collection Complete a full audit on your site collection to identify the overall permis-sion structure. Users will be adding content such as sites and library constantly and this content will grow virally. Make sure you are aware of this content and who should have access to it. Work with site owners and content creators to ensure they are adding con-tent in alignment with your governance and security policies. It is often the case that site owners are not aware that the content they are creating is not suffi-ciently secured.

Manageability tipsTrain Site Owners and Power Users The benefits of SharePoint is that sites and contents can be delegated to different users to manage on their own and take away some of the management off your plate. You may, for example, grant the Marketing team owners a site to manage their content. Along with that you may give them the option to manage who has access. Those users must be very familiar with Sharepoint permissions especially if they will be administering access on sensitive data. Make sure any site owners you grant full control to are well trained and aware of how SharePoint permissions work.

- Provide Hands on Training to site owners- Providing Videos Tutorials- Share this guide

Granular Permissions Often times there is a need to have granular permissions at the item level. Keep in mind that the more granular per-missions you have the harder they become to manage. Imagine having 30 document each with its unique permissions. How do you know who has access to what? How do you update permissions on those items?

-Consider grouping items that require similar per-missions into folders or other lists or libraries and granting permission to that folder library.-Consider using groups to grant permissions on those unique documents. If for instance you assign a “Board of Directors” group read permis-sion on those items and decide later you want to grant additional user access, you simply add the user to the group.-In more sophisticated scenarios, you may consid-er using permission automations using workflows or event receivers to better administer item level permissions (granular permissions).

User Account Expirations Always make sure that any contractor or consultant that is granted ac-cess has an expiration date on their account. This is important otherwise they may continue to have eternal access to your content after they stop working for you. Even better disable their account manually when they are done.

SharePoint Permissions Guide Subscribe for more SharePoint E-books

TekReach.com | Share this eBook

One common mistake I see regarding permissions is placing users directly in the site, list, or library level rather than utilizing SharePoint groups. Using Share-Point groups is much more versatile and easier to manage. And if you want to take the management

of users completely out of SharePoint, you can place Active Di-rectory security groups directly inside a SharePoint group, and then the management of that group of users is done in Active Directory, which many IT departments prefer. - Wendy Neal

One last thing I’d like to mention about permissions is not to get too caught up in locking everything down permissions-wise, just because you don’t think others outside of your audience would be interested in seeing it. SharePoint is collaborative in nature, therefore to have the best experience users should be able to discover data and documents from other departments or areas of the site. This is not to say that you shouldn’t lock anything down; obviously if something is sensitive or confiden-tial, the appropriate permissions should be applied. However, I believe the discovery of non-confidential information can oftentimes help users find some great information to help them do their jobs better. - Wendy Neal

What is the most common bad practice you’ve seen on the field?

Final Thoughts from an expert..

Information openness vs tight control.

Subscribe for more SharePoint E-books SharePoint Permissions Guide

TekReach.com | Share this eBook

ResourcesHere are some resources that will help you get more infor-mation about permissions and tools that could help you better manage and maintain permissions in SharePoint:

Learn More on PermissionsGrant Permissions for a Site

Understanding Permission Levels

Fine Grained Permissions Best Practices

Videos Lynda.com on Permissions

ToolsSharePoint Permissions manager - Free Permission Manager

Datavantage for SharePoint - Security Auditing

DeliverPoint 2013 by lightining tools - Security Auditing

ChangeAuditor for SharePoint - Change Auditing

Tru Permissions - Fine Grained Permissions Automation