SharePoint Permissions Worst Practices
Date posted: 13-Sep-2014
Category: Technology
1 | @bobbyschang | bobbyspworld.com
SharePoint Permissions Worst Practices
Bobby Chang
@bobbyschang
2 | @bobbyschang | linkedin.com/in/bchang | bobbyspworld.com
About Me
Contact Info
• slideshare.net/bobbyschang
• linkedin.com/in/bchang
• @bobbyschang
• bobbyspworld.com
Bobby Chang
SharePoint Consultant at Planet Technologies
Why Worst Practices?
Rather Than a List of To-Do’s
At Times It’s More Effective (and Fun) to Share
What NOT To Do
And Scare You Share With You Its Consequences
SharePoint Permissions
Basic Overview
Permissions Fundamental
To Provide or Restrict Users
with Access to SharePoint Content
Inherited Permissions by Default
Site Collection
    Site
        List / Library
            Item
        Child Site
Inheritance Can Be Broken
[Diagram: the same hierarchy with a “Break Inheritance” marker]
Permission Level
• Determines how much access a user has
• Most Commonly Used Permission Levels:
1. Contribute
– Target Audience = Team Members, Supervisors
– Create, Read, Update, Delete content
2. Read
– Target Audience = Visitors, Clients, Extended Team Members
– Read content
3. Full Control
– Target Audience = Site Administrators, Site Managers
– Create, Read, Update, Delete content
– “The Kitchen Sink”
Worst Practice: No Planning
Planning Matters
Right?
Photo Credit – Matthew Keagle & Creative Commons
Do You Have a Permission Strategy?
- What is the purpose of the site?
- Gathering Info vs. Dissemination
- Extranet vs. Intranet
- Who’s the target audience?
- Is there any restricted content?
- Access for anyone outside org?
- Are there different member roles?
- Any group specific classified info?
- Who’s the Site Manager?
- What is the documentation process?
- How will you address training?
- How will permissions be governed?
What Governance Can Do
• Consensus on processes and set expectations
• Increased team awareness
• Better understanding of SharePoint intricacies
• More effectively managed platform
• Compliance with rules and regulations
“A governance strategy is never static – it is a living, breathing process and a set of rules that you should live by, not die by!”
--Christian Buckley, SharePoint MVP
Governance Should Evolve as Your SharePoint Platform Matures
Worst Practice: “Full Control” for Everyone
What You Can Do w/ Full Control
Create & Delete Sites
Create SharePoint Groups
Manage Site & List/Library Permissions
Activate & Deactivate SharePoint Features
Create, Update, Delete List/Library Public View
Generate Site Web Analytics Reports
Create, Modify, Delete SharePoint workflow
Create, Modify, Delete Site & List/Library Columns
Delete Site & List Template
Delete Master Page & Page Layout
Add, Update, Delete a Wiki and Web Part Page
Add, Update, Delete Web Parts
Etc. etc. etc.
TOO MUCH!!!
Full Control Pyramid Scheme
Don’t Take Site Manager Delegation Lightly!
Dear Site Managers,
You play a pivotal role in SharePoint success (or failure)
When asked to pleeasseee have access to EVERYTHING
Image Credit: © SheKnows LLC
Let’s not rush to give Full Control
First Ask Follow-Up Questions
• What type of “access”?
• What exactly is “everything”?
• Majority of the time, you may find:
– “Everything” may pertain only to Documents
– “Access” could mean Read/Update/Delete Documents
– Thus Contribute access may be sufficient
Before Providing Full Control
• Ensure user completed necessary training
• Check or Refine governance policy
• Consider other permission levels that may fulfill needs (e.g.: “Design”)
Thy requests must go through me …
It’s not that you’re a control freak
Simply can’t have everyone manage your site
Worst Practice: Assigning Permissions to Individual Users
How Will You Handle
• Team Growth
• Role Change for Existing Users:
– Expanded Responsibilities
– Rolling Off Project
– Promotions
• Onboarding New Employees
• Employee Departures
Real World Example
Where in the World is Carmen Sandiego?
Challenges
• Hard to decipher who has what level of access
• Cumbersome to manage, control, and update existing permissions
• SharePoint Out-of-Box “Check Permissions” function is rather limited
Instead, Use …
SharePoint Group
First, Assign Permissions to SharePoint Group
Then Add or Remove Users from the Group
For SP2013 Microsoft recommends …
AD Group (Active Directory)
AD Group
AD Group – Why & When
• Recommended by MSFT for performance
• Use AD group in SharePoint only if
– AD group definition is well defined
– IT Team is proactive in updating membership
• Group info should be up-to-date to ensure proper access setup in SharePoint
Worst Practice: Default Settings for SharePoint Groups
Have You Seen This Error?
How About This?
SharePoint Group Challenges
• Site Managers could be locked out
• Be Mindful of Default Settings when creating new
Group Owner Settings
Default -> the user who created group
ALWAYS assign a group as group owner
Preferably Site Collection Owner or Site Owner group
Membership Visibility Settings
Default -> only Group Members can view
Instead open membership list to everyone
What to Look Out For in Site Creation
When Creating a New Site
• “Unique permissions” option is available
• This option:
– Breaks site permission inheritance
– Allows you to create 3 new SharePoint groups
Before Creating 3 New Groups
Reflect and Assess!
Do I really need unique site permissions?
Do I need all 3 new SharePoint Groups?
Is there an existing group that I can use?
Worst Practice: Item Level Permissions
Item Level Permission
• Item = Document, List Item (e.g.: Calendar, Task, etc.)
• You can set permissions at the Item Level
Just because you can … doesn’t mean you should
Challenges
• Library/List View doesn’t differentiate unique permissions
• Laborious admin
• Manual process of checking broken permissions
• Changing permissions requires updates to each file
• May lead to performance issue
FACT: Reduced performance after 5000 files break inheritance
See Microsoft references: http://bit.ly/1iMmyiC
What changed in 2013?
“Share” in SharePoint 2013
• Intuitive & Convenient
• Embraces social
• Great tie-in to other components
Sharing is Caring! Right??
“Sharing” a File in 2013
The Gotchas
• Convenient but hard to govern
• UX is different than sharing a site
• Breaks permission inheritance of the file
• Grants permissions to individual users
For more details, read this great resource by Sharon Richardson
Available via File Preview
Who can “Share” a File?
Contributor
Note: It contradicts Contribute permissions level
Let’s Recap!
Item Level Permission (Worst Practice #5)
+ Permissions for Ind. Users (Worst Practice #3)
______________________________
“Share” File in SP2013
Oh so easy
*BONUS* Worst Practice: Fun with Limited Access
Ever Seen This and Wondered Why?
Because Limited Access is The Devil
If user is not declared in site permissions, permissions given to a user at library or list level lead to “Limited Access” creation for user at the site level
• Site: Limited Access
• List / Library: Contribute
Challenges with Limited Access
• Clutters site permission page
• Can’t easily identify where access was granted
• Important Note!
When You Delete User’s Limited Access at Site, SharePoint Automatically Removes User’s Permissions in Library/List/File
Good news …
Limited Access can now be hidden
What if you’re already in a permission hole?
First Things First – Stop the Bleeding!
e.g.: Change Full Control access for unqualified folks to Design
Assess the Damage and Document Findings
Gathering Permissions Info
• SharePoint Out-of-Box
– Unique access displayed in site permissions page
– Manual process conducted per site
• PowerShell script
• Third Party Tools
– Codeplex (v. 2010/2007): SP Permissions Manager
– #SPYam Community Recommended:
ControlPoint by
DeliverPoint by
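One way to script the “PowerShell script” option above for an on-premises farm, as an added example that is not from the original deck: it lists every site and list that has its own (non-inherited) permissions and flags direct user grants, Full Control, Limited Access, and SharePoint groups still on the default owner or membership-visibility settings. The function names, flag labels and the URL in the last comment are hypothetical; item-level permissions are not enumerated.

```powershell
# Added example (not from the deck). Run in the SharePoint Management Shell on a
# farm server; uses the on-premises server object model (SharePoint 2010/2013).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Row($Scope, $Url, $Principal, $Level, $Flags) {
    New-Object PSObject -Property @{
        Scope = $Scope; Url = $Url; Principal = $Principal
        Level = $Level; Flags = ($Flags -join ',')
    }
}

# One row per principal / permission level pair on a site or list.
function Get-AssignmentRow($Securable, $Scope, $Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        foreach ($rd in $ra.RoleDefinitionBindings) {
            $flags = @()
            if ($ra.Member -is [Microsoft.SharePoint.SPUser]) { $flags += 'IndividualUser' }
            if ($rd.Type -eq 'Administrator') { $flags += 'FullControl' }
            if ($rd.Type -eq 'Guest')         { $flags += 'LimitedAccess' }
            New-Row $Scope $Url $ra.Member.Name $rd.Name $flags
        }
    }
}

# Get-PermissionAudit and the flag labels are hypothetical names for this example.
function Get-PermissionAudit([string]$SiteUrl) {
    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            # Root site always owns its permissions; a child site only once inheritance is broken.
            if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments) {
                Get-AssignmentRow $web 'Site' $web.Url
            }
            foreach ($list in $web.Lists) {
                if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                    Get-AssignmentRow $list 'List' $list.RootFolder.ServerRelativeUrl
                }
            }
            $web.Dispose()
        }
        # Group defaults from the deck: a single user as owner, members-only membership view.
        foreach ($g in $site.RootWeb.SiteGroups) {
            $flags = @()
            if ($g.Owner -is [Microsoft.SharePoint.SPUser]) { $flags += 'UserIsOwner' }
            if ($g.OnlyAllowMembersViewMembership)         { $flags += 'MembersOnlyView' }
            if ($flags.Count) { New-Row 'Group' $site.Url $g.Name '' $flags }
        }
    } finally { $site.Dispose() }
}
# Get-PermissionAudit 'https://sharepoint.example.test/sites/team' | Export-Csv audit.csv -NoTypeInformation
```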
Few Considerations During Permissions Clean-Up
Remember that it’s a process
• Requires time commitment & effort
– Warning: You may not get it done in a day
• Don’t do it yourself
– Gather requirements from business users
– Leverage other team members
Photo Credit - The Daily Journal
One is the loneliest number
For Worst Case Scenario, Consider Starting Over
For those in very bad shape
• It may be more beneficial to start over by:
– Inheriting all permissions
– Then reconfiguring permissions appropriately
• This route could be high risk, high reward
• Before exploring this, be sure to:
– Get executive buy-in
– Devise a plan with Content/Site Managers and relevant business functions
– Communicate impact to user community
Last and Certainly NOT Least
Mitigate → Survey the Field → Clean Up → Manage & Control
Do NOT forget this step!!
Manage & Govern
• Enforce permissions governance
• Gain leadership support:
– Illustrate level of effort to remedy issue
– Quantify the business impact ($)
• Form & engage Governance Committee
• Provide continuous training for Site Managers
Monitor & Control
• Define processes to periodically assess
• Determine monitoring tools
– SharePoint Audit log reports (Manual process)
– Automated Audit via Third Party tool
Whatever you do, just remember this…
“The greatest accomplishment is not in never failing,
but in rising again after you fall” --Vince Lombardi
Photo Credit - Journal Communications, Inc.
© LoveToKnow Charity
Questions? Feel Free to Contact Me
Bobby Chang
• twitter.com/bobbyschang
• slideshare.net/bobbyschang
• linkedin.com/in/bchang
• bobbyspworld.com
• @bobbyschang