Who has one? It is not a checklist; it changes constantly and has to be managed over the long term.
Currently, is SharePoint a document repository? Is it critical to day-to-day business? Is it used only by internal users? Are there ways you can expand the use of SharePoint to offer more benefits to your organization? To partners? To the outside world?
Who do you trust to manage all the different parts of your SharePoint farm?
- Kerberos: Less traffic between servers, clients, and domain controllers. It uses tickets, so the web server does not have to go back to a domain controller to validate credentials on every request the way NTLM does, and it is what allows delegation across the double hop. Much more planning is needed.
- Anonymous: Instead of anonymous access, grant the All Authenticated Users group. That way actions can still be traced back to individual users.
Break permission-level inheritance on a subsite and customize its Read permission level to define what “read” really means to your organization.
Permissions: Designed to Scale
Jamie Aliperti, @jaliperti. SharePoint Saturday Portland, May 19th, 2012
About Me: Sales Engineering Manager, Axceler. Based out of the Los Angeles office, and I spend most of my time providing consultancy, training and support to current and future customers. I have over 7 years' experience with Microsoft technologies, and lead the Los Angeles Sales Engineering team. Email: Jamie.Aliperti@axceler.com Twitter: @jaliperti
About Axceler: Improving SharePoint Collaboration Since 2007
- Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
- Delivered award-winning administration and migration software since 1994
- Over 2,000 global customers
- Dramatically improve the management of SharePoint: innovative products that improve security, scalability, reliability, “deployability”; making IT more effective and efficient and lowering the total cost of ownership
- Focus on solving specific SharePoint problems (Administration & Migration)
- Coach enterprises on SharePoint best practices
- Give administrators the most innovative tools available
- Anticipate customers' needs
- Deliver best of breed offerings
- Stay in lock step with SharePoint development and market trends
SharePoint Security: Where to Start? Anyone have any ideas?
Design Permissions as part of Governance. Governance is about taking action to help your organization organize, optimize, and manage its systems and resources.
Questions to Ask: How is your organization using SharePoint? Is there content in your SharePoint environment that needs to be secured? Who is responsible for SharePoint security? 5/30/2012
Plan! How granular do you need to control access to content? Who manages all the different parts of your SharePoint farm? How do you want to manage your users?
Farm Administrators Group: Assigned in Central Administration and has permission to all servers and settings in the farm. Central Administration access, create new web applications, manage services, run stsadm/PowerShell commands. Can take ownership of content by making themselves Site Collection Administrators.
Authentication Methods: A SharePoint environment must support user accounts that can be authenticated by a trusted authority. How do you authenticate your users?
Windows Authentication
- NTLM: Users are authenticated using the credentials on the running thread. Simple to implement; appropriate when SharePoint will not be integrated with other applications.
- Kerberos: Use it if your SharePoint sites consume external data, because credentials can be passed from one server to another (the “double hop”). Faster, more secure, and can be less error-prone than NTLM.
- Anonymous Access: No authentication needed to browse the site.
SharePoint Authentication: Defined at the web application level.
Who Needs to Access SharePoint? In claims-based authentication mode you can use any supported authentication method; in classic mode you support only Windows authentication.
Web Application Policies: A quick way to apply permissions across a whole web application. The only part of SharePoint where users can be explicitly denied access. Set in Central Administration.
Site Collection Administrators: Given full control over all sites in a site collection. Access to the settings pages: manage users, restore items, manage the site hierarchy. Cannot access Central Administration.
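Since a web application policy is the only place SharePoint can explicitly deny, it is also the right place to shut an account or group out of everything under a web application regardless of what site owners have granted. The following PowerShell is an added example, not part of the deck or any Axceler tool; it assumes the SharePoint 2010 Management Shell on a farm server, run as a farm administrator, and the web application URL, group name and display name are placeholders.

```powershell
# Added example: deny a Windows group across a whole web application via a
# web application policy, then list all policies for review.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://intranet.contoso.local"        # placeholder
$deniedGroup = "CONTOSO\Offboarded-Contractors"       # placeholder Windows group
$displayName = "Offboarded contractors (deny all)"    # placeholder

$webApp = Get-SPWebApplication $webAppUrl

# Policy user names must match the web app's authentication mode: DOMAIN\name
# in classic mode, a claims-encoded string in claims mode.
$account = $deniedGroup
if ($webApp.UseClaimsAuthentication) {
    $principal = New-SPClaimsPrincipal -Identity $deniedGroup -IdentityType WindowsSecurityGroupName
    $account = $principal.ToEncodedString()
}

# Policies are stored per zone; Default is where intranet users normally land.
$policies = $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Default)

# Re-runnable: replace any earlier policy for the same account instead of stacking a second one.
$existing = $policies | Where-Object { $_.UserName -eq $account }
if ($existing) { $policies.Remove($account) }

$policy  = $policies.Add($account, $displayName)
$denyAll = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
$policy.PolicyRoleBindings.Add($denyAll)
$webApp.Update()

# Print every policy across all zones so the new deny can be reviewed next to
# the Full Read / Full Control grants that usually exist (search crawl account, etc.).
foreach ($p in $webApp.Policies) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-60} {1}" -f $p.UserName, $roles
}
```

A deny policy is evaluated before any site, list or item permission, so it overrides grants made by site owners and even Site Collection Administrator status; the final listing is there because Full Read and Full Control policies (for crawl or service accounts) are easy to forget and are themselves worth reviewing.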
Securable Objects: What can we secure? Site; Library or List; Folder; Document or Item.
Inheritance: If all sites and site content inherit the permissions defined at the site collection, what's so hard about managing permissions when they are defined so high in the hierarchy?
Structure/Architecture (diagram): Farm > Web Application > Site Collection > Site > Sub-site. A farm holds several web applications, each web application several site collections, and each site collection a tree of sites and sub-sites.
Permission Levels: Collections of permissions that allow users to perform a set of related tasks. Permission levels are defined at the site collection level.
Customizing Permission Levels: The default permission levels are Full Control, Design, Contribute, Read, and Limited Access. What does “Read” mean to your organization?
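Deciding what “Read” means is easier to enforce as a permission level than as a policy document. The script below is an added example, not code from the deck or from Axceler; it assumes the SharePoint 2010 Management Shell on a farm server, and the site collection URL and the level name are placeholders. It clones the built-in Read level and removes the two rights that let a reader pull content out through Office clients and the web-service interfaces, then points the default Visitors group at the new level; for the subsite case mentioned in the speaker notes it breaks permission-level inheritance on that subsite first.

```powershell
# Added example: define an organization-specific "Read" by cloning the built-in
# Read level minus client-integration and remote-API rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-BrowserOnlyReadLevel {
    param(
        [Microsoft.SharePoint.SPWeb]$Web,
        [string]$Name = "Read (browser only)"    # placeholder level name
    )
    # Permission levels belong to the site collection; a subsite can only get
    # its own set once it stops inheriting them (keeping existing assignments).
    if (-not $Web.IsRootWeb -and -not $Web.HasUniqueRoleDefinitions) {
        $Web.RoleDefinitions.BreakInheritance($true, $true)
    }
    $existing = $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }

    $read = $Web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)

    # Start from whatever Read grants today and clear only the named flags, so
    # any Read right not listed here is preserved rather than re-typed by hand.
    $strip = [uint64][Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration -bor `
             [uint64][Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs
    $mask  = [uint64]$read.BasePermissions
    $mask  = $mask -bxor ($mask -band $strip)

    $def = New-Object Microsoft.SharePoint.SPRoleDefinition
    $def.Name            = $Name
    $def.Description     = "Read in the browser only: no Office client integration, no web-service access."
    $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
    $Web.RoleDefinitions.Add($def)
    return ($Web.RoleDefinitions | Where-Object { $_.Name -eq $Name })
}

$siteUrl = "http://intranet.contoso.local/sites/finance"   # placeholder
$site = Get-SPSite $siteUrl
try {
    $root  = $site.RootWeb
    $level = New-BrowserOnlyReadLevel -Web $root

    # Re-point the default Visitors group so "read" means the customized level
    # for everyone who is granted read through the group.
    $visitors = $root.AssociatedVisitorGroup
    $ra = $root.RoleAssignments.GetAssignmentByPrincipal($visitors)
    $ra.RoleDefinitionBindings.RemoveAll()
    $ra.RoleDefinitionBindings.Add($level)
    $ra.Update()

    # Print the resulting rights mask so the change can be reviewed.
    "{0}: {1}" -f $level.Name, $level.BasePermissions
} finally {
    $site.Dispose()
}
```

Cloning rather than editing the built-in Read level keeps the default available for sites that still need it, and the mask arithmetic means that if Microsoft's default Read ever carries a right you did not list, it survives unchanged. Note that removing UseRemoteAPIs also blocks Explorer view and some SharePoint Workspace scenarios for those users, which is usually the point but should be stated in the governance plan.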
SharePoint Groups: A group of users defined at the site collection level for easy management of permissions. The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively. Anyone with Full Control permission can create custom groups.
The Basics: Permissions. Permissions are applied to objects: 1. Directly to users; 2. Directly to domain groups (visibility warning: SharePoint cannot show you the membership of a domain group, so you cannot tell from within SharePoint who actually has access); 3. To SharePoint groups.
Best Practice: Make most users members of the Members or Visitors groups. The Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Plan for Permission Inheritance: Arrange sites and subsites, and lists and libraries, so they can share most permissions. Separate sensitive data into its own lists, libraries, or subsites. Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409
Stick to the Plan: If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users. People move in and out of teams and change responsibilities frequently; tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
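Sticking to the plan only works if you can see where it has been broken: every object with unique permissions, every grant made directly to a user instead of through a group, and who holds Site Collection Administrator rights and can therefore take ownership of all of it. The report script below is an added example, not code from the deck or from Axceler; it assumes the SharePoint 2010 Management Shell on a farm server and a placeholder site collection URL, and covers the permission-basics, inheritance-planning and Site Collection Administrators slides together.

```powershell
# Added example: inventory broken inheritance, direct-to-user grants, domain
# group grants and site collection administrators for one site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleAssignmentRows {
    # Emit one row per principal that holds a real permission level on $Object
    # ($Object is any securable: SPWeb, SPList or SPListItem).
    param($Object, [string]$Path)
    foreach ($ra in $Object.RoleAssignments) {
        # Limited Access (SPRoleType.Guest) is bookkeeping SharePoint adds on its
        # own when a principal has rights further down the tree; not a real grant.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }

        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            $kind = "SharePointGroup"
        } elseif ($member.IsDomainGroup) {
            $kind = "DomainGroup"      # membership is invisible from inside SharePoint
        } else {
            $kind = "DirectUser"       # the case the plan says to avoid
        }
        New-Object PSObject -Property @{
            Path = $Path; Principal = $member.LoginName; Kind = $kind; Levels = ($levels -join ", ")
        }
    }
}

function Get-PermissionPlanReport {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        # Who can take ownership of everything below this point.
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{
                Path = $site.Url; Principal = $admin.LoginName; Kind = "SiteCollectionAdmin"; Levels = "(all)"
            }
        }
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { Get-RoleAssignmentRows $web $web.Url }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        Get-RoleAssignmentRows $list ($web.Url + "/" + $list.RootFolder.Url)
                    }
                    # The item walk is the slow part on large lists, but it is what
                    # finds the one-off document shares that drift away from the plan.
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-RoleAssignmentRows $item ($web.Url + "/" + $item.Url)
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Placeholder URL. Run as an account that can read the whole site collection
# (a Site Collection Administrator, or one covered by a Full Read web app policy).
$rows = Get-PermissionPlanReport "http://intranet.contoso.local/sites/finance"
$rows | Sort-Object Kind, Path | Format-Table Kind, Path, Principal, Levels -AutoSize
$rows | Where-Object { $_.Kind -eq "DirectUser" } | Export-Csv -NoTypeInformation direct-user-grants.csv
```

The DirectUser rows are the worklist for converting one-off grants into group membership; the DomainGroup rows are the places where you have to go to Active Directory to learn who really has access. Folders are not enumerated by $list.Items, so extend the item loop over $list.Folders if folder-level breaks are common in your environment.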