SharePoint Permissions Worst Practices

Dug yourself into a SharePoint permissions hole? See how you can unearth yourself and avoid common mistakes from real life scenarios.

View a recording of the session here: https://www.youtube.com/watch?v=Poh4zxHTNvw

Published in: Technology, Design

  1. 1. 1 | @bobbyschang | bobbyschang.com Worst Practices Bobby Chang @bobbyschang
  2. 2. 2 | @bobbyschang | linkedin.com/in/bobbyschang | bobbyschang.com Contact Info • slideshare.net/bobbyschang • linkedin.com/in/bobbyschang • @bobbyschang • bobbyschang.com Bobby Chang SharePoint Consultant at Planet Technologies
  3. Why Worst Practices?
  4. Rather Than a List of To-Do’s
  5. At Times It’s More Effective (and Fun) to Share What NOT To Do
  6. And Scare You Share With You Its Consequences
  7. SharePoint Permissions Basic Overview
  8. Permissions Fundamental: To Provide or Restrict Users with Access to SharePoint Content
  9. Site Collection • Site • List / Library • Item • Child Site
  10. Site Collection • Site • List / Library • Item • Child Site • Break Inheritance
  12. Permission Level: Determines how much access a user has
  13. Contribute: Create, Read, Update, Delete content; Target Audience = Team Members, Supervisors. Read: View Content; Target Audience = Visitors, Clients, Extended Team. Full Control: “The Kitchen Sink”; Target Audience = Site Administrators, Site Managers.
  14. “Edit”
  15. Edit • Contribute
  16. Edit • Contribute • Delete List/Library. In other words, Edit is NOT recommended!
  17. Worst Practice: No Planning
  18. Right?
  19. Planning Matters
  20. Do You Have a Permissions Strategy? (Photo Credit – Matthew Keagle & Creative Commons)
  21. - What is purpose of the site? - Gathering Info vs. Dissemination - Extranet vs. Intranet - Who’s the target audience? - Is there any confidential info? - Access for anyone outside org? - Who’s the Site Manager? - Is there more than 1 team involved? - Any group confidential info? - How will you document? - What is your training plan? - How will permissions be governed?
  22. • Consensus on processes and set expectations • Increased team awareness • Better understanding of SharePoint intricacies • More effectively managed platform • Compliance with rules and regulations
  23. “A governance strategy is never static – it is a living, breathing process and a set of rules that you should live by, not die by!” --Christian Buckley, MVP @buckleyplanet
  24. Governance Should Evolve as Your SharePoint Platform Matures
  25. Worst Practice: “Full Control” for Everyone
  26. Create & Delete Sites • Create SharePoint Groups • Manage Site & List/Library Permissions • Activate & Deactivate SharePoint Features • Create, Update, Delete List/Library Public View • Generate Site Web Analytics Reports • Create, Modify, Delete SharePoint workflow • Create, Modify, Delete Site & List/Library Columns • Delete Site & List Template • Delete Master Page & Page Layout • Add, Update, Delete a Wiki and Web Part Page • Add, Update, Delete Web Parts • Etc. etc. etc.
  29. Dear Site Managers, You play a pivotal role to SharePoint success (or failure)
  30. When asked to pleeasseee have access to EVERYTHING
  31. Let’s not rush to give Full Control (Image Credit: © SheKnows LLC)
  33. • “Everything” may pertain only to Documents • “Access” could mean Read, Update, Delete Files • Thus, Contribute is sufficient
  34. Check or Refine governance policy • Ensure required training completion • Consider other permission level – Admin privilege without site provision or security control – e.g.: Design
  35. Thy requests must go through me … It’s not that you’re a control freak
  36. Simply can’t have everyone manage your site
  37. Worst Practice: Assigning Permissions to Individual Users
  38. • Team Growth • Role Change for Existing Users: – Expanded Responsibilities – Rolling Off Project – Promotions • Onboarding New Employees • Employee Departures
  39. Where in the World is Carmen Sandiego?
  40. • Hard to decipher who has what level of access • Cumbersome to manage existing permissions • SharePoint Out-of-Box “Check Permissions” function is rather limited
  41. Instead, Use … SharePoint Group
  42. First, Assign Permissions to SharePoint Group. Then Add or Remove Users from the Group
  43. For SP2013 Microsoft recommends • SharePoint On-Prem: AD (Active Directory) Group • SharePoint Online: Office 365 Security Group
  44. AD Group
  45. • Recommended by MSFT for performance • Use AD group in SharePoint only if – AD group definition is well defined – IT Team is proactive in updating membership • AD Membership should be up-to-date to ensure proper access in SharePoint
  46. Worst Practice: Default Settings for SharePoint Groups
  49. • Site Managers could be locked out • Be Mindful of Default Settings when creating new
  50. Default -> the user who created group. ALWAYS assign a group as group owner, preferably Site Collection Owner or Site Owner group
  51. Default -> only Group Members can view. Instead, open membership list to everyone
  52. What to Look For When Breaking Site Inheritance
  54. Reflect and Assess! • Do I really need unique site permissions? • Do I need all 3 new SharePoint Groups? • Is there an existing group that I can use?
  55. Worst Practice: Item Level Permissions
  56. • Item = Document or List Item • You can set permissions at the Item Level
  57. Just because you can … doesn’t mean you should
  58. • SharePoint View doesn’t differentiate unique permissions • Laborious administration • Manual process of checking broken permissions • Updating permissions requires a change to each file • May lead to performance issue
  59. FACT: Reduced performance after 5000 files break inheritance. See Microsoft reference: http://bit.ly/1iMmyiC
  60. Embraces Social • Intuitive and Convenient • Great Tie-in with other components
  61. Sharing is Caring! Right??
  64. The Gotchas • Convenient but hard to govern • UX is different than other share functions • Could break permission inheritance of file • Could grant permissions to individual users • For more details, click to read this great resource by Sharon Richardson
  65. Contributor Note: It contradicts Contribute permissions level
  66. But wait… In Office 365, you have options
  67. (Under Site Permissions > Access Request Settings)
  68. Item Level Permission (Worst Practice #5) + Permissions for Ind. Users (Worst Practice #3) = Oh so easy “Share” File in SP2013
  69. *BONUS* Worst Practice: Fun with Limited Access
  71. Because Limited Access is The Devil
  72. If user is not declared in site permissions, permissions given to a user at library or list level lead to “Limited Access” creation for user at the site level (Diagram labels: Site • List / Library • Limited Access • Contribute)
  73. • Can’t easily identify where access was granted • Clutters site permission • No easy clean-up process
  74. When You Delete User’s Limited Access at Site, SharePoint Automatically Removes User’s Permissions in Library/List/File (Diagram labels: Site • List / Library • Limited Access • Contribute)
  75. Limited Access can now be hidden
  76. Already in a Permissions Hole?
  77. First Things First – Stop the Bleeding! e.g.: Change Full Control access for unqualified folks to Design
  78. Assess the Damage and Document Findings
  79. Out of Box • PowerShell • Third-Party Product
  80. • Review of site permissions page • Unique access is displayed in yellow • Pro: Free (with SharePoint) • Con: Manual Process and needs to be done per site
  81. • PoSh Script is your friend for reporting • Don’t reinvent the wheel! e.g.: Check out this script - http://bit.ly/1bH9f1v • Pro: Highly Customizable, Repeatable, Powerful • Con: (1) Requires proper access and knowledge (2) SharePoint Online functions are currently limited
  82. • Complexity of SharePoint permissions warrants a third-party tool investment • List below is recommended by community • Note: this is NOT a personal endorsement
  83. Few Considerations During Permissions Clean-Up
  84. One is the loneliest number • Requires commitment, time, and effort – Warning: You may not get it done in 1 day • Don’t do it yourself! – Gather requirements – Talk to the business users – Leverage other team members (Photo Credit - The Daily Journal)
  85. For Worst Case Scenario, Consider Starting Over
  86. • Might be more beneficial to start over • Consider the following path: – Inherit all permissions in site collection – Manually reconfigure permissions • This route could be high risk, high reward
  87. • Get executive buy-in • Yield needs from business functions • Devise plan with Content/Site Managers • Communicate impact to user community
  88. Mitigate • Survey the Field • Clean Up • Manage & Control • Do NOT forget this step!!
  89. • Enforce permissions governance • Gain leadership support: – Illustrate level of effort to remedy issue – Quantify the business impact ($) • Form & engage Governance Committee • Provide continuous training for Site Managers
  90. • Define processes to periodically assess • Determine monitoring tools – SharePoint Audit log reports – Compliance functions (e.g.: eDiscovery) – Automated Audit via Third Party tool
  92. “The greatest accomplishment is not in never failing, but in rising again after you fall” --Vince Lombardi (Photo Credit - Journal Communications, Inc.)
  93. Questions? Feel Free to Contact Me: Bobby Chang • linkedin.com/in/bobbyschang • bobbyschang.com • @bobbyschang • twitter.com/bobbyschang • slideshare.net/bobbyschang
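
The deck recommends PowerShell for reporting on existing permissions. As an added example (not from the deck and not the script it links to), this read-only script for on-premises SharePoint 2013 inventories every site and list that broke inheritance and flags direct user grants, Full Control holders and Limited Access entries; the site URL and output path are placeholders.

```powershell
# Added example: read-only permissions inventory for one on-premises site collection.
# Run from the SharePoint Management Shell with rights to read every web.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'https://sharepoint.example.com/sites/team'   # placeholder (assumption)
$OutFile = '.\permissions-report.csv'                    # placeholder (assumption)

# Turn every role assignment on a securable object (web or list) into one report row.
function Get-AssignmentRow($Securable, [string]$Scope, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        $m     = $ra.Member
        $types = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Type })
        [pscustomobject]@{
            Scope       = $Scope
            Url         = $Url
            Principal   = $m.Name
            # AD groups surface as SPUser with IsDomainGroup set; only real people count.
            DirectUser  = ($m -is [Microsoft.SharePoint.SPUser]) -and (-not $m.IsDomainGroup)
            # SPRoleType is locale-independent: Administrator = Full Control, Guest = Limited Access.
            FullControl = ($types -contains [Microsoft.SharePoint.SPRoleType]::Administrator)
            LimitedOnly = ($types.Count -eq 1) -and ($types[0] -eq [Microsoft.SharePoint.SPRoleType]::Guest)
            Levels      = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; ')
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $rows = foreach ($web in $site.AllWebs) {
        try {
            # Only objects that broke inheritance carry their own assignments.
            if ($web.HasUniqueRoleAssignments) { Get-AssignmentRow $web 'Site' $web.Url }
            foreach ($list in $web.Lists) {
                if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                    Get-AssignmentRow $list 'List' "$($web.Url)/$($list.RootFolder.Url)"
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Rows worth a site manager's attention, per the worst practices in the deck.
$flagged = @($rows | Where-Object { $_.DirectUser -or $_.FullControl -or $_.LimitedOnly })
$flagged | Sort-Object Url, Principal | Export-Csv -Path $OutFile -NoTypeInformation
"{0} of {1} assignments flagged; report written to {2}" -f $flagged.Count, @($rows).Count, $OutFile
```

A LimitedOnly row at site level means the principal holds a grant somewhere below that site, so it marks where to look for list-level or item-level breaks.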
