2. San Francisco SharePoint Users Group – April 2014 22
Best Practice - SharePoint Permission Management
3. San Francisco SharePoint Users Group – April 2014 3
Goals for permission management
• Easy to understand
• Self-documenting
• Secures confidential content
• Easy to administer
• Keep track of who changes permissions
4. San Francisco SharePoint Users Group – April 2014 4
Knowledge Assumptions
• Basic SharePoint Navigation
• Know how to create groups
• Know how to add users to groups
http://xkcd.com/1339/
10. San Francisco SharePoint Users Group – April 2014 10
View Permissions Inheritance
Access via -> Site Settings -> Site Permissions -> Show these items
11. San Francisco SharePoint Users Group – April 2014 11
Three Levels of Admin Rights
In descending order of power
• Primary/Secondary Site Collection Administrators
  - Can only be changed by Farm Administrators
  - Highest level of admin rights for a site collection
  - Receive system emails for site collection
  - Have admin rights to everything in site collection
• Site Collection Administrators
  - Can be added/removed by other Site Collection Admins
  - Receive system emails for site collection
  - Cannot remove Primary/Secondary SCAs
  - Have admin rights to everything in site collection
• Users with Full Control Rights
  - Cannot add/remove SCAs
  - Can control permissions of other users
  - Do not receive system emails for site collection
  - Can delete objects they have full control on. This includes the entire site collection if they have rights at the root!
12. San Francisco SharePoint Users Group – April 2014 12
Enable Auditing
Access via -> Site Settings -> Configure Audit Settings
13. San Francisco SharePoint Users Group – April 2014 13
Best Practices
• Keep permissions Safe for Work, no naked IDs
• Use the default groups whenever possible
• Create new groups for specific security needs
• Create new groups at the root of your site collection with read permission, then elevate
• Document in the group’s description what it provides access to
• Place more public information at the upper levels of your site
• Place more secure information at the lower levels of your site
• Limit the number of users with admin rights
• If needed, enable auditing
14. San Francisco SharePoint Users Group – April 2014 14
Fixing Permissions
• Role Based or Hierarchy Based
• Plan a new group wherever a specific, discrete permission requirement exists
• Make the group names as descriptive as possible, and/or write out a detailed, plain English narrative of the group’s purpose in the Description field
• Create all groups at the root of your site collection with Read permissions
• Elevate these permissions as needed within the site
• Place users into groups as required
15. San Francisco SharePoint Users Group – April 2014 15
Fixing Permissions
• Communicate to your users the date & time you will be switching over to a new permissions management scheme
• Ensure your users know they should contact you directly if they lose access to anything
• On the date and time agreed upon, remove all individually assigned user permissions on your site
• All that should be left are groups on your permissions screens
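
One way to find what the cleanup step above has to remove, as an added example that is not part of the original slides: a read-only PowerShell audit that lists individually assigned users and site groups with an empty description. It assumes an on-premises SharePoint 2013 or later farm and the SharePoint Management Shell (PowerShell 3.0+); the site URL is a placeholder.

```powershell
# Added example: read-only audit, changes nothing. Run as a farm or site
# collection administrator. $SiteUrl is a placeholder, not a real site.
param([string]$SiteUrl = "https://sharepoint.example.com/sites/placeholder")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$limited = [Microsoft.SharePoint.SPRoleType]::Guardian   # built-in "Limited Access" level

$site = Get-SPSite -Identity $SiteUrl
try {
    $findings = @(foreach ($web in $site.AllWebs) {
        try {
            # Check the web and each of its lists. Only scopes with unique
            # permissions hold their own assignments; inheriting scopes mirror
            # the parent. Folder- and item-level permissions are not examined.
            $scopes = @($web) + @($web.Lists)
            foreach ($scope in ($scopes | Where-Object { $_.HasUniqueRoleAssignments })) {
                $where = $web.Url
                if ($scope -is [Microsoft.SharePoint.SPList]) { $where += " [list: $($scope.Title)]" }
                foreach ($ra in $scope.RoleAssignments) {
                    $member = $ra.Member
                    # Keep only individually assigned users ("naked IDs"). AD security
                    # groups also surface as SPUser, so IsDomainGroup excludes them.
                    if ($member -isnot [Microsoft.SharePoint.SPUser] -or $member.IsDomainGroup) { continue }
                    $levels = @($ra.RoleDefinitionBindings |
                                Where-Object { $_.Type -ne $limited } |
                                ForEach-Object { $_.Name })
                    if ($levels.Count -eq 0) { continue }   # Limited Access only: system-generated
                    [pscustomobject]@{
                        Finding = "Direct user permission"
                        Scope   = $where
                        Subject = $member.LoginName
                        Detail  = $levels -join ", "
                    }
                }
            }
        } finally { $web.Dispose() }
    })
    # Groups with an empty Description are not self-documenting.
    $findings += @(foreach ($group in $site.RootWeb.SiteGroups) {
        if ([string]::IsNullOrWhiteSpace($group.Description)) {
            [pscustomobject]@{ Finding = "Group lacks description"; Scope = $site.Url
                               Subject = $group.Name; Detail = "" }
        }
    })
    $findings | Sort-Object Finding, Scope
} finally { $site.Dispose() }
```

Running it before the announced switchover date gives the list of users who need a group membership before their direct permissions are removed; an empty result afterwards confirms only groups remain on the checked scopes.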