SharePoint Permissions Worst Practices

Dug yourself into a SharePoint permissions hole? See how you can unearth yourself and avoid common mistakes from real life scenarios.


  • Mr. Chang, very nice presentation. Thank you for this!
  • A very nice presentation, thanks Bobby. Great work.
  • Good and clear presentation, thanks a lot!
  • This was a terrific presentation, Bobby! Nicely done.
  • Good slides !
Transcript

  • 1. 1 | @bobbyschang | bobbyspworld.com Worst Practices Bobby Chang @bobbyschang
  • 2. 2 | @bobbyschang | linkedin.com/in/bchang | bobbyspworld.com Contact Info • slideshare.net/bobbyschang • linkedin.com/in/bchang • @bobbyschang • bobbyspworld.com Bobby Chang SharePoint Consultant at Planet Technologies
  • 3. Why Worst Practices?
  • 4. Rather Than a List of To-Do’s
  • 5. At Times It’s More Effective (and Fun) to Share What NOT To Do
  • 6. And Scare You Share With You Its Consequences
  • 7. Basic Overview SharePoint Permissions
  • 8. Permissions Fundamental: To Provide or Restrict Users with Access to SharePoint Content
  • 9. Site Collection → Site → Child Site → List / Library → Item
  • 10. Site Collection → Site → Child Site → List / Library → Item (Break Inheritance)
  • 11. Site Collection → Site → Child Site → List / Library → Item (Break Inheritance)
  • 12. Permission Level: Determines how much access a user has
  • 13. Read: View Content; Target Audience = Visitors, Clients, Extended Team • Contribute: Create, Read, Update, Delete content; Target Audience = Team Members, Supervisors • Full Control: “The Kitchen Sink”; Target Audience = Site Administrators, Site Managers
  • 14. “Edit” Team Members
  • 15. Edit Contribute
  • 16. Edit Contribute Delete List/Library. Edit is NOT recommended
  • 17. Worst Practice No Planning
  • 18. Right?
  • 19. Planning Matters
  • 20. Do You Have a Permission Strategy? Photo Credit – Matthew Keagle & Creative Commons
  • 21. - What is the purpose of the site? - Gathering Info vs. Dissemination - Extranet vs. Intranet - Who’s the target audience? - Is there any restricted content? - Access for anyone outside org? - Are there different member roles? - Any group specific classified info? - Who’s the Site Manager? - What is the documentation process? - How will you address training? - How will permissions be governed?
  • 22. • Consensus on processes and set expectations • Increased team awareness • Better understanding of SharePoint intricacies • More effectively managed platform • Compliance with rules and regulations
  • 23. “A governance strategy is never static – it is a living, breathing process and a set of rules that you should live by, not die by!” --Christian Buckley, MVP @buckleyplanet
  • 24. Governance Should Evolve as Your SharePoint Platform Matures
  • 25. Worst Practice “Full Control” for Everyone
  • 26. • Create & Delete Sites • Create SharePoint Groups • Manage Site & List/Library Permissions • Activate & Deactivate SharePoint Features • Create, Update, Delete List/Library Public View • Generate Site Web Analytics Reports • Create, Modify, Delete SharePoint workflow • Create, Modify, Delete Site & List/Library Columns • Delete Site & List Template • Delete Master Page & Page Layout • Add, Update, Delete a Wiki and Web Part Page • Add, Update, Delete Web Parts • Etc. etc. etc.
  • 29. Dear Site Managers, You play a pivotal role to SharePoint success (or failure)
  • 30. When asked to pleeasseee have access to EVERYTHING
  • 31. Let’s not rush to give Full Control Image Credit: © SheKnows LLC
  • 32. • What type of “access”? • What exactly is “everything”? • Majority of the time, you may find: – “Everything” may pertain only to Documents – “Access” could mean Read/Update/Delete Documents – Thus Contribute access may be sufficient
  • 33. • Ensure user completed necessary training • Check or Refine governance policy • Consider other permission levels that may fulfill needs (e.g.: “Design”)
  • 34. Thy requests must go through me … It’s not that you’re a control freak
  • 35. Simply can’t have everyone manage your site
  • 36. Worst Practice Assigning Permissions to Individual Users
  • 37. • Team Growth • Role Change for Existing Users: – Expanded Responsibilities – Rolling Off Project – Promotions • Onboarding New Employees • Employee Departures
  • 38. Where in the World is Carmen Sandiego?
  • 39. • Hard to decipher who has what level of access • Cumbersome to manage existing permissions • SharePoint Out-of-Box “Check Permissions” function is rather limited
  • 40. Instead, Use … SharePoint Group
  • 41. First, Assign Permissions to SharePoint Group. Then Add or Remove Users from the Group
  • 42. For SP2013 Microsoft recommends … AD Group (Active Directory)
  • 43. AD Group
  • 44. • Recommended by MSFT for performance • Use AD group in SharePoint only if – AD group definition is well defined – IT Team is proactive in updating membership • Membership should be up-to-date to ensure proper access in SharePoint
  • 45. Worst Practice Default Settings for SharePoint Groups
  • 48. • Site Managers could be locked out • Be Mindful of Default Settings when creating new SharePoint groups
  • 49. Default -> the user who created the group. ALWAYS assign a group as group owner, preferably the Site Collection Owner or Site Owner group
  • 50. Default -> only Group Members can view. Instead, open the membership list to everyone
  • 52. • “Unique permissions” option is available • This option: – Breaks site permission inheritance – Allows you to create 3 new SharePoint groups
  • 54. Reflect and Assess! Do I really need unique site permissions? Do I need all 3 new SharePoint Groups? Is there an existing group that I can use?
  • 55. Worst Practice Item Level Permissions
  • 56. • Item = Document, List Item (e.g.: Calendar, Task, etc.) • You can set permissions at the Item Level
  • 57. Just because you can … doesn’t mean you should
  • 58. • Library/List View doesn’t differentiate unique permissions • Laborious admin • Manual process of checking broken permissions • Changing permissions requires updates to each file • May lead to performance issues
  • 59. FACT: Reduced performance after 5000 files break inheritance. See Microsoft references: http://bit.ly/1iMmyiC
  • 60. • Intuitive & Convenient • Embraces social • Great tie-in to other components
  • 61. Sharing is Caring! Right??
  • 62. Available via File Preview. The Gotchas: • Convenient but hard to govern • UX is different than other share functions • Could break permission inheritance of file • Could grant permissions to individual users. For more details, read this great resource by Sharon Richardson
  • 63. Contributor Note: It contradicts Contribute permissions level
  • 64. Item Level Permission (Worst Practice #5) + Permissions for Ind. Users (Worst Practice #3) = Oh so easy “Share” File in SP2013
  • 65. *BONUS* Worst Practice Fun with Limited Access
  • 67. Because Limited Access is The Devil
  • 68. If a user is not declared in site permissions, permissions given to the user at library or list level lead to “Limited Access” creation for the user at the site level (Site: Limited Access; List / Library: Contribute)
  • 69. • Can’t easily identify where access was granted • Clutters site permission page • No easy clean-up process
  • 70. When You Delete User’s Limited Access at Site, SharePoint Automatically Removes User’s Permissions in Library/List/File (Site: Limited Access; List / Library: Contribute)
  • 71. Limited Access can now be hidden
  • 72. What if you’re already in a permission hole?
  • 73. First Things First – Stop the Bleeding! e.g.: Change Full Control access for unqualified folks to Design
  • 74. Assess the Damage and Document Findings
  • 75. • SharePoint Out-of-Box – Unique access displayed in site permissions page – Manual process conducted per site • PowerShell script • Third Party Tools – Codeplex (v. 2010/2007): SP Permissions Manager – #SPYam Community Recommended: DeliverPoint by ControlPoint by
  • 76. Few Considerations During Permissions Clean-Up
  • 77. One is the loneliest number • Requires commitment, time, and effort – Warning: You may not get it done in a day • Don’t do it yourself! – Gather requirements from business users – Leverage other team members Photo Credit - The Daily Journal
  • 78. For Worst Case Scenario, Consider Starting Over
  • 79. • It may be more beneficial to start over • Consider the following path: – Inheriting all permissions in site collection – Then manually reconfiguring permissions • This route could be high risk, high reward
  • 80. • Get executive buy-in • Yield needs from business functions • Devise plan with Content/Site Managers • Communicate impact to user community
  • 81. Mitigate → Survey the Field → Clean Up → Manage & Control. Do NOT forget this step!!
  • 82. • Enforce permissions governance • Gain leadership support: – Illustrate level of effort to remedy issue – Quantify the business impact ($) • Form & engage Governance Committee • Provide continuous training for Site Managers
  • 83. • Define processes to periodically assess • Determine monitoring tools – SharePoint Audit log reports (Manual process) – Automated Audit via Third Party tool
  • 85. “The greatest accomplishment is not in never failing, but in rising again after you fall” --Vince Lombardi. Photo Credit - Journal Communications, Inc.
  • 86. linkedin.com/in/bchang bobbyspworld.com @bobbyschang Questions? Feel Free to Contact Me Bobby Chang twitter.com/bobbyschang slideshare.net/bobbyschang
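
Slide 75 names a PowerShell script as one way to assess the damage. The script below is an added example, not part of the original deck: it walks one site collection and reports, for every site and list with broken inheritance, the assignments that match the worst practices above (Full Control grants, permissions assigned to individual users, and Limited Access entries). It assumes an on-premises SharePoint 2013 farm server with the Microsoft.SharePoint.PowerShell snap-in and English permission level names; the site URL and the output file name are placeholders, and item-level scanning is left out because enumerating every item is slow on large libraries.

```powershell
# Added example (not from the deck). Run in the SharePoint Management Shell
# with an account that can read the whole site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.com/sites/team'   # placeholder URL

function Get-ScopeFinding {
    param($Scope, [string]$Kind, [string]$Url)
    foreach ($ra in $Scope.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $member = $ra.Member
        # An AD group appears as an SPUser with IsDomainGroup = $true,
        # so only a non-group SPUser counts as an individual assignment.
        $isPerson = ($member -is [Microsoft.SharePoint.SPUser]) -and
                    (-not $member.IsDomainGroup)
        [pscustomobject]@{
            Kind         = $Kind
            Url          = $Url
            Principal    = $member.Name
            Levels       = $levels -join '; '
            DirectToUser = $isPerson
            FullControl  = $levels -contains 'Full Control'
            # "Limited Access" alone means the real grant sits further down.
            LimitedOnly  = ($levels.Count -eq 1) -and ($levels[0] -eq 'Limited Access')
        }
    }
}

$site = Get-SPSite -Identity $siteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Inherited scopes repeat the parent's assignments; report unique ones only.
            if ($web.HasUniqueRoleAssignments) {
                Get-ScopeFinding -Scope $web -Kind 'Site' -Url $web.Url
            }
            foreach ($list in $web.Lists) {
                if ((-not $list.Hidden) -and $list.HasUniqueRoleAssignments) {
                    $listUrl = $web.Url + '/' + $list.RootFolder.Url
                    Get-ScopeFinding -Scope $list -Kind 'List' -Url $listUrl
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$findings | Where-Object { $_.DirectToUser -or $_.FullControl -or $_.LimitedOnly } |
    Sort-Object Url, Principal |
    Export-Csv -Path .\permission-findings.csv -NoTypeInformation
```

A Full Control row for a SharePoint group names the group, not its members, so group membership still has to be reviewed separately.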