Permissions designed to scale


SharePoint Saturday permissions planning session.

Published in: Technology
  • Who has one? Not a checklist…it’s constantly changing every day and needs to be managed in the long term
  • Currently, is SharePoint a document repository? Is it critical to day to day business? Just internal users? Are there ways you can expand the use of SharePoint to offer more benefits to your organization? To partners? To the outside world?
  • Who do you trust to manage all the different parts of your SharePoint farm?
  • Kerberos: Less traffic between servers, clients, and domain controllers; uses tickets instead of tokens so it doesn’t have to do a double hop to AD with each request. Much more planning needed. Anonymous: Instead, add the All Authenticated Users security. This way actions can be traced to users.
  • CB lead, MG color
  • Break the inheritance and customize the Read permission level for a subsite to define what “read” really means to your organization
  • Permissions designed to scale

    1. Permissions: Designed to Scale. Jamie Aliperti, @jaliperti. SharePoint Saturday Portland, May 19th, 2012
    2. About Me. Sales Engineering Manager, Axceler. Based out of the Los Angeles office, and spend most of my time providing consultancy, training and support to current and future customers. I have over 7 years experience with Microsoft technologies, and lead the Los Angeles Sales Engineering team. Email: Twitter: @jaliperti
    3. About Axceler. Improving SharePoint Collaboration Since 2007. Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms. Delivered award-winning administration and migration software since 1994. Over 2,000 global customers. Dramatically improve the management of SharePoint: Innovative products that improve security, scalability, reliability, “deployability”; Making IT more effective and efficient and lower the total cost of ownership. Focus on solving specific SharePoint problems (Administration & Migration): Coach enterprises on SharePoint best practices; Give administrators the most innovative tools available; Anticipate customers’ needs; Deliver best of breed offerings; Stay in lock step with SharePoint development and market trends
    4. SharePoint Security: Where to Start? Anyone have any ideas?
    5. Design Permissions as part of Governance. Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
    6. Questions to Ask. How is your organization using SharePoint? Is there secure content in your SharePoint environment? Who is responsible for SharePoint Security? 5/30/2012
    7. Plan! How granular do you need to control access to content? Who manages all the different parts of your SharePoint farm? How do you want to manage your users?
    8. Farm Administrators Group. Assigned in Central Admin and has permission to all servers and settings in the farm. Central Administration access, create new web apps, manage services, stsadm/PowerShell command. Can take ownership of content: make themselves Site Collection Administrators
    9. Authentication Methods. A SharePoint environment must support user accounts that can be authenticated by a trusted authority. How do you authenticate your users?
    10. Windows Authentication. NTLM: users authenticated by using the credentials on the running thread; simple to implement; SharePoint will not be integrated with other applications. Kerberos: if your SharePoint sites use external data; credentials passed from one server to another (“double hop”); faster, more secure, and can be less error prone than NTLM. Anonymous Access: no authentication needed to browse the site
    11. SharePoint Authentication. Defined at the web application level
    12. Who Needs to Access SharePoint? Claims-based authentication mode: use any supported authentication method or else you will support only Windows authentication
    13. Web Application Policies. Quick way to apply permissions across web applications. Only part of SharePoint where users can be explicitly denied access. Set in Central Admin
    14. Site Collection Administrators. Given full control over all sites in a site collection. Access to settings pages. Manage users, restore items, manage site hierarchy. Cannot access Central Admin
    15. Securable Objects. What can we secure? Site; Library or List; Folder; Document or Item
    16. Inheritance. If all sites and site content inherit those permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?
    17. Structure/Architecture [diagram of the hierarchy: Farm, Web App, Site Collection, Site, Sub-site]
    18. Permission Levels. Collections of permissions that allow users to perform a set of related tasks. Permission levels are defined at the site collection level
    19. Customizing Permission Levels. The default permission levels are Full Control, Design, Contribute, Read, and Limited Access. What does “Read” mean to your organization?
    20. SharePoint Groups. A group of users that are defined at site collection level for easy management of permissions. The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively. Anyone with Full Control permission can create custom groups
    21. The Basics: Permissions. Permissions are applied on objects: (1) directly to users; (2) directly to domain groups (visibility warning); (3) to SharePoint Groups
    22. Best Practice. Make most users members of the Members or Visitors groups. Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
    23. Plan for Permission Inheritance. Arrange sites and subsites, and lists and libraries so they can share most permissions. Separate sensitive data into their own lists, libraries, or subsites. Permission worksheet:
    24. Stick to the Plan. If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users. People move in and out of teams and change responsibilities frequently. Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
    25. Go back and refine
    26. Questions and Answers
    27. Contact us for more info. Contact me: Twitter @jaliperti
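
Slides 23 and 24 recommend sharing permissions through inheritance and, where inheritance is broken, granting access through groups rather than to individual users. The script below is an added example, not part of the original deck: it lists every site and list or library in one site collection that has unique permissions and classifies each principal as a SharePoint group, domain group or individual user. It assumes the SharePoint Management Shell on a farm server and an account that can read the site collection; the URL is a placeholder and `Get-UniqueAssignment` is a hypothetical helper name. Folders and items are not covered.

```powershell
# Added example: report uniquely secured sites and lists, and who holds access on them.
# Assumption: run in the SharePoint Management Shell; the default URL is a placeholder.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/placeholder")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: emits one row per role assignment on a uniquely secured object.
function Get-UniqueAssignment {
    param($Securable, [string]$Kind, [string]$Location)
    # Objects that still inherit have no assignments of their own to track.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            $type = "SharePoint group"
        } elseif ($member.IsDomainGroup) {
            $type = "Domain group"
        } else {
            $type = "Individual user"
        }
        New-Object PSObject -Property @{
            Kind             = $Kind
            Location         = $Location
            Principal        = $member.Name
            PrincipalType    = $type
            PermissionLevels = (($ra.RoleDefinitionBindings |
                                 ForEach-Object { $_.Name }) -join "; ")
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            Get-UniqueAssignment $web "Site" $web.Url
            foreach ($list in $web.Lists) {
                $location = $web.Url + "/" + $list.RootFolder.Url
                Get-UniqueAssignment $list "List or library" $location
            }
        } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
} finally { $site.Dispose() }

# Individual users sort first, so direct grants that bypass groups stand out.
$report | Sort-Object PrincipalType, Location |
    Format-Table PrincipalType, Kind, Location, Principal, PermissionLevels -AutoSize
```

The root site of the collection always appears in the output, because it is where the inherited permissions are defined.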