SharePoint Permissions Worst Practices
Dug yourself into a SharePoint permissions hole? See how you can unearth yourself and avoid common mistakes from real life scenarios.

Published in: Technology, Design

Transcript

  • 1. 1 | @bobbyschang | bobbyspworld.com Worst Practices Bobby Chang @bobbyschang
  • 2. 2 | @bobbyschang | linkedin.com/in/bchang | bobbyspworld.com Contact Info • slideshare.net/bobbyschang • linkedin.com/in/bobbyschang • @bobbyschang • bobbyschang.com Bobby Chang SharePoint Consultant at Planet Technologies
  • 3. Why Worst Practices?
  • 4. Rather Than a List of To-Do’s
  • 5. At Times It’s More Effective (and Fun) to Share What NOT To Do
  • 6. And Scare You Share With You Its Consequences
  • 7. SharePoint Permissions Basic Overview
  • 8. Permissions Fundamental: To Provide or Restrict Users with Access to SharePoint Content
  • 9. Site Collection • Site • List / Library • Item • Child Site
  • 10. Site Collection • Site • List / Library • Item • Child Site • Break Inheritance
  • 11. Site Collection • Site • List / Library • Item • Child Site • Break Inheritance
  • 12. Permission Level: Determines how much access a user has
  • 13. Contribute: Create, Read, Update, Delete content; Target Audience = Team Members, Supervisors • Read: View Content; Target Audience = Visitors, Clients, Extended Team • Full Control: “The Kitchen Sink”; Target Audience = Site Administrators, Site Managers
  • 14. “Edit” • Team Members
  • 15. Edit • Contribute
  • 16. Edit • Contribute • Delete List/Library • Edit is NOT recommended
  • 17. Worst Practice: No Planning
  • 18. Right?
  • 19. Planning Matters
  • 20. Do You Have a Permission Strategy? (Photo Credit – Matthew Keagle & Creative Commons)
  • 21. - What is the purpose of the site? - Gathering Info vs. Dissemination - Extranet vs. Intranet - Who’s the target audience? - Is there any restricted content? - Access for anyone outside org? - Are there different member roles? - Any group specific classified info? - Who’s the Site Manager? - What is the documentation process? - How will you address training? - How will permissions be governed?
  • 22. • Consensus on processes and set expectations • Increased team awareness • Better understanding of SharePoint intricacies • More effectively managed platform • Compliance with rules and regulations
  • 23. “A governance strategy is never static – it is a living, breathing process and a set of rules that you should live by, not die by!” --Christian Buckley, MVP @buckleyplanet
  • 24. Governance Should Evolve as Your SharePoint Platform Matures
  • 25. Worst Practice: “Full Control” for Everyone
  • 26. Create & Delete Sites • Create SharePoint Groups • Manage Site & List/Library Permissions • Activate & Deactivate SharePoint Features • Create, Update, Delete List/Library Public View • Generate Site Web Analytics Reports • Create, Modify, Delete SharePoint workflow • Create, Modify, Delete Site & List/Library Columns • Delete Site & List Template • Delete Master Page & Page Layout • Add, Update, Delete a Wiki and Web Part Page • Add, Update, Delete Web Parts • Etc. etc. etc.
  • 29. Dear Site Managers, You play a pivotal role to SharePoint success (or failure)
  • 30. When asked to pleeasseee have access to EVERYTHING
  • 31. Let’s not rush to give Full Control (Image Credit: © SheKnows LLC)
  • 32. • What type of “access”? • What exactly is “everything”? • Majority of the time, you may find: – “Everything” may pertain only to Documents – “Access” could mean Read/Update/Delete Documents – Thus Contribute access may be sufficient
  • 33. • Ensure user completed necessary training • Check or Refine governance policy • Consider other permission levels that may fulfill needs (e.g.: “Design”)
  • 34. Thy requests must go through me … It’s not that you’re a control freak
  • 35. Simply can’t have everyone manage your site
  • 36. Worst Practice: Assigning Permissions to Individual Users
  • 37. • Team Growth • Role Change for Existing Users: – Expanded Responsibilities – Rolling Off Project – Promotions • Onboarding New Employees • Employee Departures
  • 38. Where in the World is Carmen Sandiego?
  • 39. • Hard to decipher who has what level of access • Cumbersome to manage existing permissions • SharePoint Out-of-Box “Check Permissions” function is rather limited
  • 40. Instead, Use … SharePoint Group
  • 41. First, Assign Permissions to SharePoint Group. Then Add or Remove Users from the Group
  • 42. For SP2013 Microsoft recommends … AD Group (Active Directory)
  • 43. AD Group
  • 44. • Recommended by MSFT for performance • Use AD group in SharePoint only if – AD group definition is well defined – IT Team is proactive in updating membership • Membership should be up-to-date to ensure proper access in SharePoint
  • 45. Worst Practice: Default Settings for SharePoint Groups
  • 48. • Site Managers could be locked out • Be Mindful of Default Settings when creating new SharePoint groups
  • 49. Default -> the user who created group. ALWAYS assign a group as group owner, preferably Site Collection Owner or Site Owner group
  • 50. Default -> only Group Members can view. Instead open membership list to everyone
  • 52. • “Unique permissions” option is available • This option: – Breaks site permission inheritance – Allows you to create 3 new SharePoint groups
  • 54. Reflect and Assess! • Do I really need unique site permissions? • Do I need all 3 new SharePoint Groups? • Is there an existing group that I can use?
  • 55. Worst Practice: Item Level Permissions
  • 56. • Item = Document, List Item (e.g.: Calendar, Task, etc.) • You can set permissions at the Item Level
  • 57. Just because you can … doesn’t mean you should
  • 58. • Library/List View doesn’t differentiate unique permissions • Laborious admin • Manual process of checking broken permissions • Changing permissions requires updates to each file • May lead to performance issues
  • 59. FACT: Reduced performance after 5000 files break inheritance. See Microsoft references: http://bit.ly/1iMmyiC
  • 60. • Intuitive & Convenient • Embraces social • Great tie-in to other components
  • 61. Sharing is Caring! Right??
  • 62. The Gotchas • Convenient but hard to govern • UX is different than other share functions • Could break permission inheritance of file • Could grant permissions to individual users • For more details, read this great resource by Sharon Richardson • Available via File Preview
  • 63. Contributor • Note: It contradicts Contribute permissions level
  • 64. Item Level Permission (Worst Practice #5) + Permissions for Ind. Users (Worst Practice #3) = Oh so easy “Share” File in sp2013
  • 65. *BONUS* Worst Practice: Fun with Limited Access
  • 67. Because Limited Access is The Devil
  • 68. If user is not declared in site permissions, Permissions given to a user at library or list level leads to “Limited Access” creation for user at the site level • Site: Limited Access • List / Library: Contribute
  • 69. • Can’t easily identify where access was granted • Clutters site permission page • No easy clean-up process
  • 70. When You Delete User’s Limited Access at Site, SharePoint Automatically Removes User’s Permissions in Library/List/File • Site: Limited Access • List / Library: Contribute
  • 71. Limited Access can now be hidden
  • 72. What if you’re already in a permission hole?
  • 73. First Things First – Stop the Bleeding! e.g.: Change Full Control access for unqualified folks to Design
  • 74. Assess the Damage and Document Findings
  • 75. • SharePoint Out-of-Box – Unique access displayed in site permissions page – Manual process conducted per site • PowerShell script • Third Party Tools – Codeplex (v. 2010/2007): SP Permissions Manager – #SPYam Community Recommended: ControlPoint, DeliverPoint
  • 76. Few Considerations During Permissions Clean-Up
  • 77. One is the loneliest number • Requires commitment, time, and effort – Warning: You may not get it done in a day • Don’t do it yourself! – Gather requirements from business users – Leverage other team members (Photo Credit - The Daily Journal)
  • 78. For Worst Case Scenario, Consider Starting Over
  • 79. • It may be more beneficial to start over • Consider the following path: – Inheriting all permissions in site collection – Then manually reconfiguring permissions • This route could be high risk, high reward
  • 80. • Get executive buy-in • Yield needs from business functions • Devise plan with Content/Site Managers • Communicate impact to user community
  • 81. Mitigate • Survey the Field • Clean Up • Manage & Control • Do NOT forget this step!!
  • 82. • Enforce permissions governance • Gain leadership support: – Illustrate level of effort to remedy issue – Quantify the business impact ($) • Form & engage Governance Committee • Provide continuous training for Site Managers
  • 83. • Define processes to periodically assess • Determine monitoring tools – SharePoint Audit log reports (Manual process) – Automated Audit via Third Party tool
  • 85. “The greatest accomplishment is not in never failing, but in rising again after you fall” --Vince Lombardi (Photo Credit - Journal Communications, Inc.)
  • 86. Questions? Feel Free to Contact Me • Bobby Chang • twitter.com/bobbyschang • slideshare.net/bobbyschang • linkedin.com/in/bchang • bobbyspworld.com • @bobbyschang
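
The "Assess the Damage and Document Findings" step lists a PowerShell script as one way to survey permissions. The script below is an added example, not part of the original deck: it inventories one site collection for the worst practices covered above (individual-user assignments, Full Control grants, Limited Access entries, and item-level broken inheritance). It assumes on-premises SharePoint 2010/2013 run from the SharePoint Management Shell, the built-in English permission level names, and a placeholder site URL and output path.

```powershell
# Added example, not from the original deck. Run in the SharePoint Management Shell
# on a farm server (on-premises SharePoint 2010/2013 assumed).
param(
    [string]$SiteUrl = "https://sharepoint.example.com/sites/team",  # placeholder URL
    [string]$OutFile = ".\permission-findings.csv"                   # placeholder path
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emit one row per role assignment that matches a worst practice from the deck.
function Get-PermissionFinding($Securable, [string]$Scope, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        # Assumption: built-in English permission level names have not been renamed.
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $issues = @()
        if (($ra.Member -is [Microsoft.SharePoint.SPUser]) -and -not $ra.Member.IsDomainGroup) {
            $issues += "IndividualUser"
        }
        if ($levels -contains "Full Control")   { $issues += "FullControl" }
        if ($levels -contains "Limited Access") { $issues += "LimitedAccess" }
        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Scope = $Scope; Url = $Url; Principal = $ra.Member.Name
                Levels = ($levels -join "; "); Issues = ($issues -join "; ")
            }
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Only report scopes that hold their own assignments (inheritance broken).
            if ($web.HasUniqueRoleAssignments) { Get-PermissionFinding $web "Site" $web.Url }
            foreach ($list in @($web.Lists)) {
                if ($list.Hidden) { continue }
                $listUrl = $web.Url + "/" + $list.RootFolder.Url
                if ($list.HasUniqueRoleAssignments) { Get-PermissionFinding $list "List" $listUrl }
                # Count items with broken inheritance; this enumeration is slow on large lists.
                $n = @($list.Items | Where-Object { $_.HasUniqueRoleAssignments }).Count
                if ($n -gt 0) {
                    New-Object PSObject -Property @{
                        Scope = "Items"; Url = $listUrl; Principal = ""
                        Levels = ""; Issues = "UniqueItemPermissions=$n"
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$findings | Select-Object Scope, Url, Principal, Levels, Issues |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Full Control rows for the site's owners group are expected; the rows to review are Full Control on other principals, any `IndividualUser` row, and lists whose `UniqueItemPermissions` count is approaching the 5000 figure cited above.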