There are many different “angles” on SharePoint Governance, but when reading/listening to the Governance Experts in the field such as Richard Harbridge, Ruven Gotz, Linc Williams, Paul Culmsee, Scott Jamieson, Susan Hanley and Christian Buckley, all of their models and approaches fit into these three pieces:
- People
- Policy
- Process
The “People” in SharePoint Governance are not just from IT but come from throughout the organization:
- Governance Committee
- Executives
- Business Owners
- IT Representatives
- Legal
- Records Management
- Corporate Communications
- Human Resources
They each have their own business requirements and agendas within the organization and are allocated roles and responsibilities to ensure that the SharePoint platform is aligned to these.
Ant Clay from 21Apps in the UK came out with a great set of pillars for Policy which I like to use:
- IT Assurance: Architecture, Infrastructure, Disaster Recovery, SLAs, Performance
- Project Governance: Project management, Stakeholder management
- Information Governance: Information Architecture, Information Management
- Technology & Business Alignment: agreeing what the business drivers are. Essentially it is a contract between IT and the Business to set expectations, telling the users what they can and can’t do.
- Continuous Improvement: continually improving the processes in place
Can’t create policies unless you can enforce them:
- Technical limitations
- SLAs
- Complexity of building
- Platform built in a particular way
Systems to enforce Governance Plans
Manual
- Regular checks on random site content, audit logs, Managed Metadata term stores and My Site content
- Keeping manual records of ownership of sites and content
- Benefits: better than no enforcement
- Problems: huge overhead on individuals, slow turnaround times, bottlenecks, lack of business agility
Semi-automated
- Hardening what users can do through permissions
- Custom site provisioning workflows
- Custom site templates
- Benefits: IT outside of the process, better visibility and control for users, better turnaround times
- Problems: needs more training and investment in processes
Automated
- Monitoring of SharePoint usage
- Full-blown site provisioning
- Transferring of ownership
- Benefits: IT outside of the process, business agility, enforces policies, workflow, delegation and auditing, ability to report
- Problems: needs deep technology knowledge
Documentation no-one reads
Often the “Governance Plan” is written up as a 3000-page Word document which is poorly managed and not read by anybody after it is finally signed off.
One size does not fit all
Unfortunately, although there are Governance Plans out there, none of them are going to fit your organization immediately. There are some great skeleton Governance Plan templates that you can use to start the discussion and ensure you aren’t missing any sections.
Hard to enforce manually
SharePoint is a large platform, and typically a Governance Plan will have significant policies that require enforcing. Don’t create any policies that cannot be enforced. Enforcement can be time consuming out of the box and requires automated systems in large-scale enterprises.
Delegation
A lot of business requests require delegation of permissions to individuals, which increases their power within SharePoint. Often the delegation is not granular enough, so they get the ability to do things they should not be doing. This can dramatically impact the ability to stay in control.
Audit Trail
Unless the process is fully automated, it is extremely hard to audit all of the decisions that are made as part of it. From a compliance perspective this can leave gaps in the processes.
No Monitoring
It’s extremely hard to monitor all the processes and be able to make business decisions to continually improve.
Content Ownership
Not just on creation, but for the entire content lifecycle. People come and go in organizations and also transfer roles, so in their current role they are no longer accountable for content they created earlier.
Accuracy
Along with accountability, accuracy is also an important factor throughout the content lifecycle. Often content is created and never published to version 1.0, or sits at a minor version forever. Content needs regular reviews.
Restrictions
Not all content is created with the expectation that it will be visible to everyone in the organization. This is typical for Human Resources content or financial data about the company. Having the correct restrictions in place for content is very important.
Appropriateness
Along with ownership and accuracy comes appropriateness. What content “should” be in SharePoint is an extremely common concern. Big concerns I hear frequently now are personal documents in users’ My Sites, personal information such as social security numbers in documents, personal photos, boozy Christmas photos… How much trouble would your organization get into if someone posted that on SharePoint? Does everyone have their moral compass pointing the right way?
Search
Content needs to be discoverable within the system, and technical decisions should not reduce this discoverability.
Compliance
Compliance is a “big” area to cover when it comes to the content lifecycle. One of the biggest concerns within organizations at the moment is social content. The ability to add status messages to your profile, post comments on profile note boards (Facebook walls) or update your user profile without content approval or auditing is a major risk.
Adoption
With all these requirements, organizations still expect adoption. There is a fine line between how open or closed to make the system. Keeping a system open will technically raise adoption as people don’t feel trapped, but on the other side of the coin it means you cannot enforce your requirements.
Storage
Storage costs are a big concern to organizations who do not wish to pay for large amounts of expensive SAN storage specialized for SQL Server. The ability to treat content with different priorities of cost is important.
Site Collection Owner and Site Owner are essentially “god mode” within a SharePoint Site Collection or Site respectively, with no change management or workflow approval. With great power comes great responsibility (Stan Lee, Spider-Man, 1962): http://en.wikiquote.org/wiki/Stan_Lee
Training
Adoption is heavily linked to training. If you want to empower your people, train them first, then hand over the keys to the kingdom.
Proliferation
Being too open can often lead to madness within SharePoint, and you’ll end up with sites upon sites where the content could have been placed in existing areas. SharePoint URLs are long and hard to remember, and everyone has their own naming standard for site URLs.
Navigation
Build in some basic pillars for people to create content in and make it obvious where sub-sites should be created.
Geeks are usually the custodians of content. More strategic planning is required up front, and locking down areas of SharePoint helps keep this under control. Typically this is done by Records Managers. Being too open with metadata can cause havoc depending on the culture of the organization. In most cases there are different types of content creation to which different policies apply, e.g. team project collaboration may not need Content Types but may require Managed Metadata.
- Managed Metadata: Some thrive on the folksonomy approach. More conservative organizations will want to stick to a predefined taxonomy instead.
- Content Types: Can reduce discoverability but also encourage innovation within content.
Lifecycle Management
Proliferation of sites is obviously a key issue, but on top of this, ownership, accuracy and retention of content are important. Questions such as:
- Are you still using this site?
- Do you still own the site?
- Are there regulated users using this site?
Group Management
SharePoint Groups can be created by Site Collection Owners and, by default, by all Site Owners. This allows users to create all sorts of mess, and without standards in place you end up with potentially thousands of groups with different naming standards and memberships that need to be maintained. SharePoint Group permissions dictate what the members of these groups can see, and this often leads to users getting access to restricted content.
Galleries
Site Collection Owners or Root Site Owners have access to upload artifacts to the galleries in the root site. This can give users the ability to customize SharePoint a little too much.
- Site Template Gallery: Often users create one site, make a template from it and then create more sites based on this. This is fine until they want to make a change across 500 existing sites based on the template: changing the template does not change the instances. Expectations are better set up front on these types of things, to ensure templates are 95% there before provisioning 500 sites from them.
- Web Part Gallery
- List Template Gallery
- Sandboxed Solutions Gallery: Site Collection Owners can upload Sandboxed Solutions to the gallery. These aren’t as powerful as Farm Solutions, but can have a significant impact on the customizations that users can perform in SharePoint. Be wary of opening this floodgate in your organization without a clear vision here.
SharePoint Designer
By default, SharePoint Designer is available to all users if they have the appropriate permissions. SPD potentially allows you to do a lot of collateral damage to page layouts and master pages.
My Site
- Photos
- Status messages
- Profile Note boards
Hardware
Some business-critical systems require extremely high-performance sites that may be unnecessary for all content. In this instance, maybe a separate SharePoint farm is configured as the “Gold” service farm that is billed internally higher than the “Standard” farm. This may have better uptime SLAs and a full hot disaster recovery farm. This could potentially even be an Office 365 farm.
Farm Solutions
Sandboxed Solutions
You can turn off Sandboxed Solutions at the farm level by stopping the Sandboxed Code Service (the SPUserCodeV4 Windows service) on each server. This blocks execution of any code that a sandboxed solution would normally be able to run.
Web Application Policies
These policies allow you to grant or deny access to individuals or groups across a whole Web Application (or one of its zones). This is such an underused way of keeping permission grants clean, mainly because it is only accessible to Farm Administrators. Note that a policy is not scoped to a URL or managed path, and it names the principal it applies to (there is no “everyone except” form). So to keep people who are not in the R&D team out of R&D content, put that content in its own Web Application and add a Deny All policy there for the AD group(s) holding those users. Deny wins over anything granted inside the sites: no matter whether such a person was later granted access to a site, library or item, they would not be able to access that content.
Alternate Access Mappings
The ability to map multiple URLs to the same Web Application can be useful for a variety of reasons. In most circumstances it is used to provide different authentication mechanisms for external users and internal users. One thing to note is that if an “internal” URL is sent to an “external” person they won’t be able to view the content. It is typical for “external” URLs to have SSL/HTTPS configured.
Zones
Each Alternate Access Mapping belongs to one of the five zones (Default, Intranet, Internet, Custom, Extranet), and these zones can have specific scoped settings as below:
- User Policy
- Anonymous access
- Permission Policy
Authentication
Each Web Application or zone can have its own authentication type, such as Windows Classic (Active Directory) or Claims Based Authentication. Claims Based Authentication can support any number of authentication sources, such as Live ID, the ASP.NET SQL Membership Provider or any ADFS 2.0 supported type.
Service Application Connections
Each Web Application can be configured with the Service Applications available for its consumption; for instance there may be multiple Managed Metadata Services across multiple farms, such as a corporate taxonomy service and a folksonomy service.
SharePoint Designer
Most organizations have a love/hate relationship with SharePoint Designer. In 2010 the control over who can use SPD has improved: it can be switched off per Web Application and then allowed again per Site Collection, with separate switches for detaching pages from the site definition, editing master pages and page layouts, and managing the URL structure. I would prescribe that this be blocked for all and granted on request rather than being open by default.
Blocked File Types
In Governance Plans there is often an agreed list of file types. This can be set at this level. It is uncommon for this to differ per Web Application, but I have seen cases where in open collaboration environments all types can be uploaded, while in the closed document management system files such as .mp3s are blocked.
Deployed Solutions
Although Solution Packages are added to the farm, at a Web Application level you “deploy” Solutions, which makes their Site Collection and Site Features available to ALL Site Collections in it. One thing to be wary of is that files deployed via a Solution to the layouts folder will be available to all Web Applications.
Sandboxed Solutions
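The Farm and Web Application controls described above (Deny All policy, blocked file types, SharePoint Designer switched off, Sandboxed Code Service stopped), carried out from the SharePoint 2010 Management Shell as a Farm Administrator. This is an added example, not code from the slides or from AvePoint. The web application URL, the denied AD group, the blocked extensions and the decision to stop sandboxed code farm-wide are assumptions for illustration; the cmdlets and object-model members used are those shipped with SharePoint 2010.

```powershell
# Added example, not from the original slides. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl        = "http://rnd.contoso.com"     # assumed: the R&D web application
$deniedGroup  = "CONTOSO\Contractors"        # assumed: AD group to keep out of R&D
$blockedTypes = @("mp3", "wav", "exe")       # assumed: agreed blocked file types

$wa = Get-SPWebApplication $waUrl

# 1. Web Application policy: Deny All for a named principal. The policy covers the whole
#    web application (use $wa.ZonePolicies(<SPUrlZone>) instead of $wa.Policies to target
#    one zone). Deny wins over any permission granted inside the site collections.
#    For a claims web application the login name must be the claims-encoded form
#    (an AD group is "c:0+.w|<group SID>"), not DOMAIN\Group.
$denyAll = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
if (-not $wa.Policies[$deniedGroup]) {
    $policy = $wa.Policies.Add($deniedGroup, "$deniedGroup (denied by governance policy)")
    $policy.PolicyRoleBindings.Add($denyAll)
}

# 2. Blocked file types (web application scope); Add is skipped for extensions already listed.
foreach ($ext in $blockedTypes) {
    if (-not $wa.BlockedFileExtensions.Contains($ext)) {
        $wa.BlockedFileExtensions.Add($ext)
    }
}
$wa.Update()

# 3. SharePoint Designer: blocked for the whole web application, to be re-enabled on
#    request per site collection by a Farm Administrator.
Set-SPDesignerSettings -WebApplication $wa `
    -AllowDesigner $false `
    -AllowRevertFromTemplate $false `
    -AllowMasterPageEditing $false `
    -AllowManageSiteUrlStructure $false

# 4. Sandboxed solutions: stop the Sandboxed Code Service on every server where it is
#    online, so no uploaded .wsp can execute (this is farm scope, not per web application).
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "Microsoft SharePoint Foundation Sandboxed Code Service" -and
                   $_.Status -eq "Online" } |
    ForEach-Object { Stop-SPServiceInstance -Identity $_ -Confirm:$false }

# 5. Report what is now in force, re-reading the web application after Update().
$wa = Get-SPWebApplication $waUrl
"Policies on $($wa.Url):"
$wa.Policies | Select-Object UserName, DisplayName,
    @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } } |
    Format-Table -AutoSize
"Blocked file types: " + ($wa.BlockedFileExtensions -join ", ")
Get-SPDesignerSettings -WebApplication $wa
```

The deny policy is the step to test after applying: grant the denied group Full Control on a site inside the web application and confirm its members still get access denied, which is the behaviour the slide relies on.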
Content Databases
A Web Application can have zero or many Content Databases, and a Content Database can have zero or many Site Collections inside it. This is often a great way to define different Service Level Agreements for content within the same Web Application.
Backup RTOs & RPOs
Each Content Database can have its own RTO and RPO by configuring the backup technology. For instance, a “Gold” SLA Site Collection may have an RTO of 1 hour whereas a “Silver” SLA Site Collection may have an RTO of 1 day. A series of “Gold” and “Silver” Content Databases would be configured to achieve this, so the business-critical content would have an RPO of 3 hours and the lower-criticality content maybe 24 hours.
Remote BLOB Storage
Each Content Database can have a different Remote BLOB Storage configuration. For instance, the Gold SLA Site Collections have their BLOBs externalized to performant and expensive SAN storage, whereas the Silver SLA Site Collections have their BLOBs externalized to slower and cheaper NAS storage.
PowerShell delegation
PowerShell command line access for the SharePoint cmdlets is also granted at a Content Database level (Add-SPShellAdmin with the -database parameter). This can be a way to restrict who can remote into the servers in the farm and execute commands, which can be extremely powerful.
Limitations
- Number of content databases: 300 content databases per Web Application; x content databases per SQL Server (dependent on RAM)
- Size of content databases: 200 GB per content database is supported; 100 GB per Site Collection; if a Site Collection is > 100 GB, make it the only Site Collection in the content database. Note: manage version retention and Recycle Bin settings.
- Number of web sites per Site Collection: 250,000 web sites per Site Collection; 2,000 under any one web site
These are guidelines, not limits. The real answer: “It depends”.
Ownership
Don’t use Primary and Secondary Site Collection Ownership to dictate the content owner/contact. This gives them “god mode” over the whole Site Collection regardless of permissions granted on sites, libraries/lists and list items. Have they been trained? Do they need what this gives them? Should they just be a Site Owner instead?
Quotas
Quotas are a huge part of SLAs. For instance, a “Gold” SLA could be configured as 50 GB whereas a “Silver” SLA could be 5 GB. One thing to note is that when quotas approach their limits, SharePoint notifies the Primary and Secondary Site Collection Owners, and as discussed before these owners may need to reach out to the content owners/contacts.
Locks
Groups
SharePoint Groups are scoped at the Site Collection level, so if you have 50,000 Site Collections and a “Management Group” in each, you’re going to have to maintain it in 50,000 Site Collections. Active Directory security groups should not be underestimated. Active Directory is overlooked a lot because the “Active Directory team” is unresponsive and takes too long to add/remove people from groups. Also, SharePoint doesn’t do a great job of showing who is a member of an Active Directory group, and things such as Alerts and Membership Web Parts don’t work with them. PowerShell is your friend here, and it really needs to be managed centrally by Farm Administrators in large environments.
Navigation
Navigation has always been one of the big limitations of going the multiple Site Collection route; much like SharePoint Groups, it is not shared. There are a few approaches to managing this:
- Manually configured Quick Launch and top link bar (global navigation)
- Custom link lists (advantage: security trimmed)
- Custom or third-party navigation controls
- SPXmlContentMapProvider
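An inventory run that puts the Content Database guidelines, the PowerShell delegation, the quota notifications and the lifecycle questions (“are you still using this site?”, “do you still own the site?”) from the slides above into one report, with the option of locking stale site collections read-only instead of deleting them. This is an added PowerShell example, not code from the slides or from AvePoint. The 180-day inactivity threshold, the report path and the choice to lock rather than delete are assumptions; the 200 GB and 100 GB figures are the guideline numbers from the Limitations slide.

```powershell
# Added example, not from the original slides. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbLimitGB   = 200     # supported content database size (Limitations slide)
$siteLimitGB = 100     # site collection size above which it should be alone in its database
$staleDays   = 180     # assumed: threshold for "are you still using this site?"
$reportPath  = "C:\Reports\SiteInventory.csv"   # assumed report location
$lockStale   = $false  # assumed: set to $true to put stale site collections into ReadOnly

# Quota templates live on the content service; used to turn a site's QuotaID into a name.
$quotaTemplates = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.QuotaTemplates

$rows = foreach ($db in Get-SPContentDatabase) {
    $dbSizeGB  = [math]::Round($db.DiskSizeRequired / 1GB, 1)
    $siteCount = $db.CurrentSiteCount
    # PowerShell delegation: who holds SharePoint_Shell_Access on this database
    $shellAdmins = (Get-SPShellAdmin -database $db | ForEach-Object { $_.UserName }) -join "; "

    foreach ($site in Get-SPSite -ContentDatabase $db -Limit All) {
        try {
            $sizeGB   = [math]::Round($site.Usage.Storage / 1GB, 1)
            $daysIdle = [int]((Get-Date) - $site.LastContentModifiedDate).TotalDays
            $template = $quotaTemplates | Where-Object { $_.QuotaID -eq $site.Quota.QuotaID }
            $tplName  = "(none)"
            if ($template) { $tplName = $template.Name }
            $maxBytes = $site.Quota.StorageMaximumLevel
            $pctUsed  = 0
            if ($maxBytes -gt 0) { $pctUsed = [math]::Round(100 * $site.Usage.Storage / $maxBytes) }
            $secondary = ""
            if ($site.SecondaryContact) { $secondary = $site.SecondaryContact.LoginName }

            # Governance flags: each one is a question for the owner, not an automatic action
            $flags = @()
            if ($dbSizeGB -gt $dbLimitGB)                        { $flags += "database over $dbLimitGB GB" }
            if ($sizeGB -gt $siteLimitGB -and $siteCount -gt 1)  { $flags += "over $siteLimitGB GB and not alone in its database" }
            if ($daysIdle -gt $staleDays)                        { $flags += "no content change for $daysIdle days" }
            if (-not $secondary)                                 { $flags += "no secondary owner" }
            if ($pctUsed -ge 90)                                 { $flags += "quota $pctUsed% used" }

            if ($lockStale -and $daysIdle -gt $staleDays -and -not $site.ReadOnly) {
                # Lock rather than delete: the owner can ask to have it unlocked (Set-SPSite -LockState Unlock)
                Set-SPSite -Identity $site -LockState ReadOnly
            }

            New-Object PSObject -Property @{
                Database        = $db.Name
                DatabaseSizeGB  = $dbSizeGB
                SitesInDatabase = $siteCount
                ShellAdmins     = $shellAdmins
                Url             = $site.Url
                Owner           = $site.Owner.LoginName
                SecondaryOwner  = $secondary
                QuotaTemplate   = $tplName
                QuotaPctUsed    = $pctUsed
                SizeGB          = $sizeGB
                DaysIdle        = $daysIdle
                Flags           = ($flags -join "; ")
            }
        }
        finally { $site.Dispose() }   # SPSite objects hold SQL connections; always dispose
    }
}

$rows | Export-Csv -Path $reportPath -NoTypeInformation
$rows | Where-Object { $_.Flags } | Format-Table Url, Owner, SizeGB, DaysIdle, Flags -AutoSize
```

Run it with $lockStale left at $false first; the flagged rows are the list to send to the Primary and Secondary Site Collection Owners before any lock is applied.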
Content Types
Content Types are also not shared across Site Collections. 2010 introduced Content Type Hubs, which allow hub-and-spoke publishing. There are some “teething problems” as this is a v1.0 feature. In an open approach, Site Collection Owners and Site Owners can create these; there is no way to specifically block Content Type creation without taking away a lot more with it.
Features
As mentioned at the Web Application level, Features will be available to be activated at the Site Collection scope. This is often a way to deploy branding or predefine Content Types etc.
Sandboxed Solutions
Site Collection Administrators and Site Owners have access to deploy Sandboxed Solutions. As with any gallery, you can manage permissions to grant/deny access. Obviously this doesn’t stop administrators and owners.
Audit
Auditing is a key aspect of SharePoint from a compliance perspective and is configured at the Site Collection level. It is an extremely intensive data operation; typically “Gold” would capture all events whereas “Silver” may only capture “views”. The out-of-the-box auditing reaches scaling limits pretty early, and you have to start shipping the data to a secondary source outside of the Content Databases to keep this operational.
Search
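The Audit approach from the slide above (all events for Gold, views only for Silver, and shipping the entries out of the content database before the audit table becomes a scaling problem), as an added PowerShell example that is not code from the slides or from AvePoint. The site-to-tier mapping, the export share and the 90-day in-database retention are assumptions; SPAudit, SPAuditQuery and SPAuditMaskType are the SharePoint 2010 object-model types.

```powershell
# Added example, not from the original slides. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed mapping of site collections to SLA tiers (in practice this comes from the governance plan)
$tiers = @{
    "http://intranet.contoso.com/sites/finance"  = "Gold"
    "http://intranet.contoso.com/sites/projectx" = "Silver"
}
$exportDir = "\\compliance\spaudit"   # assumed secondary store outside the content databases
$keepDays  = 90                       # assumed retention inside the content database

$mask = [Microsoft.SharePoint.SPAuditMaskType]
$flagsByTier = @{
    Gold   = $mask::All    # every auditable event (views, edits, deletes, permission changes, ...)
    Silver = $mask::View   # item and page views only
}

$yesterday = (Get-Date).Date.AddDays(-1)

foreach ($url in $tiers.Keys) {
    $tier = $tiers[$url]
    $site = Get-SPSite $url
    try {
        $audit = $site.Audit

        # 1. Apply the tier's audit mask (only written when it differs from what is configured)
        if ($audit.AuditFlags -ne $flagsByTier[$tier]) {
            $audit.AuditFlags = $flagsByTier[$tier]
            $audit.Update()
        }

        # 2. Pull one day of entries and write them to the secondary store
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart($yesterday)
        $query.SetRangeEnd($yesterday.AddDays(1))
        $entries = $audit.GetEntries($query)

        $file = Join-Path $exportDir ("{0}_{1:yyyyMMdd}.csv" -f $site.ID, $yesterday)
        $entries |
            Select-Object Occurred, Event, UserId, ItemType, DocLocation, EventData |
            Export-Csv -Path $file -NoTypeInformation

        # 3. Trim entries already shipped so the AuditData table in the content database
        #    does not grow without bound (DeleteEntries removes entries older than the date given)
        $audit.DeleteEntries((Get-Date).AddDays(-$keepDays))

        "{0}: tier {1}, audit mask {2}, {3} entries exported to {4}" -f `
            $url, $tier, $audit.AuditFlags, $entries.Count, $file
    }
    finally { $site.Dispose() }
}
```

UserId in the export is the site collection user ID; resolve it against $site.RootWeb.SiteUsers at export time if the secondary store needs login names, because users who have since been removed cannot be resolved later.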
Site Features
Site Features are the lowest-scoped Feature, and activation generally provisions pages, lists or web parts to pages. Site Collection Administrators and Site Owners will be able to activate/deactivate these. Training is required here, as switching on the wrong Features can cause issues, especially in an environment where each division has its own Site Features in the one Web Application, which will be visible to all!
Permissions
Site Owners have the ability to create SharePoint Groups and grant/deny permissions here. In a closed environment, some organizations actually lock these down so that they are managed by Active Directory groups. In an open environment, these can obviously get out of hand, and maintaining standard naming conventions and group membership becomes a challenge.
Site Access Requests
When users who do not have access to the site reach any page within it, sites can be configured to show an “Access Request” page. This notifies the Site Owners, who can then approve, and SharePoint will grant access. This can often make things worse if not configured properly, as it adds the user directly with a permission level rather than adding them to a SharePoint Group. By default this is switched off and users just get an access denied message.
Governance Enforcement with out of the box SharePoint
Jeremy Thake
Enterprise Architect since April ’11 at AvePoint
SharePoint MVP since July ’10
Co-Founder of NothingButSharePoint.com
Speaker at MS TechEd 2009/10, SPC 11
Gplus.to/jthake
@jthake