SharePoint Authorization and Authentication - Controlling Access to Documents and Data
1. Tom Resing, MCM + Author. Managing Authentication and Authorization -- Controlling Access to Documents and Data
One of SharePoint's core strengths is secure content management on the web. Maybe because of that core strength, managing access to that content is also one of the more common pains. As a SharePoint Administrator, questions about securing SharePoint and its content are often thrown your way. In this class, we'll discuss the access considerations that are key from planning and architecture through end-user support and disaster recovery.
8:30AM-9:45 1hr15min
Areas covered will include: Authentication Types; Permissions Boundaries; Self Service Site Creation; Managing Authentication and Authorization with PowerShell; Troubleshooting Tools; Active Directory Integration; Search Permission Trimming
I’m proud to work at Jive Software, a recognized leader in modern communication for business. Feel free to ask me more about it after the presentation.
Let's dive into authentication.
SharePoint itself doesn't authenticate your users. Never has. Whenever you enter your username and password
Here’s what the new web application screen looks like in 2010. Note the choice of claims or classic.
It’s the third element I mentioned, but the first I’d like to dig deeper into. Let’s take a look at the layers of access control.
The layers of SharePoint are many. The first two topics are really not SharePoint-specific. I’ll spend less time on them.
The first layer is physical security. You may not always have direct influence or responsibility for the full physical security of your documents and data, but as an IT Pro with SharePoint responsibility you will always have some. Physical access control to the hardware is probably the most obvious. For the most part, we’ve moved beyond the days of SharePoint running on desktop PCs sitting under someone’s desk, for more reasons than just security. Most customers I’ve worked with in the last 7 years offered very little physical access to the actual servers running their SharePoint Farm, if any. What might be a little less obvious is physical access to other SharePoint-related assets. In the case of Edward Snowden, I believe he got access to the SharePoint content databases, even though access to them wasn’t needed for his role. It could have been access to a backup of the database, either on a file share or a physical copy on a tape. Or, through his user account, he may have had direct network access to the server through the network. If you’re responsible for access control to documents and data stored in SharePoint, it’s your responsibility to limit that access.
Let’s talk about a web application layer override called User Policy. User Policy can be applied to users or groups of users on a web application zone level.
My recommendation is to ignore this screen, in most cases. Why? Because the site collection administrators have no visibility into these settings. In the end, it causes confusion when their permission settings don’t work.
Two exceptions: 1) If it is entirely obvious why you’re doing this and it won’t cause confusion, or 2) You need to apply a user policy to a service account for configuration.
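Because site collection administrators cannot see User Policy entries, a farm administrator can list them per web application and zone for review. This is an added example, not from the original presentation; the function names `Get-WebAppUserPolicyReport` and `New-PolicyRow` are hypothetical, and it assumes the SharePoint Management Shell on a farm server with farm administrator rights.

```powershell
# Added example (not from the original deck): report every Web Application
# User Policy entry so overrides invisible to site collection admins can be reviewed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: flatten one SPPolicy into a report row.
function New-PolicyRow($WebApp, $ZoneName, $Policy) {
    $bindings = @($Policy.PolicyRoleBindings)
    # Policy role types: None (custom), DenyWrite, DenyAll, FullRead, FullControl.
    $types = @($bindings | ForEach-Object { $_.Type.ToString() })
    New-Object PSObject -Property @{
        WebApplication = $WebApp.DisplayName
        Zone           = $ZoneName
        User           = $Policy.UserName
        DisplayName    = $Policy.DisplayName
        Roles          = (@($bindings | ForEach-Object { $_.Name }) -join '; ')
        # A deny policy wins over any permission granted inside a site collection.
        HasDeny        = (@($types -like 'Deny*').Count -gt 0)
        # Full Control here bypasses site-level permission settings entirely.
        HasFullControl = ($types -contains 'FullControl')
    }
}

# Hypothetical function: walk all web applications and their extended zones.
function Get-WebAppUserPolicyReport {
    $zones = [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])
    foreach ($wa in Get-SPWebApplication) {
        # Entries applied to all zones of the web application.
        foreach ($p in $wa.Policies) {
            New-PolicyRow $wa '(All zones)' $p
        }
        # Entries applied to a single zone; skip zones that were never extended.
        foreach ($zone in $zones) {
            if (-not $wa.IisSettings.ContainsKey($zone)) { continue }
            foreach ($p in $wa.ZonePolicies($zone)) {
                New-PolicyRow $wa $zone.ToString() $p
            }
        }
    }
}

Get-WebAppUserPolicyReport |
    Select-Object WebApplication, Zone, User, DisplayName, Roles, HasDeny, HasFullControl |
    Sort-Object WebApplication, Zone, User |
    Format-Table -AutoSize
```

Rows with `HasDeny` or `HasFullControl` set are the ones most likely to explain why a site collection's own permission settings appear not to work.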
SharePoint’s logging system is great for all things SharePoint. Make sure to also visit your familiar Windows Event Viewer for System, Application and Security logs from Windows and IIS. Those aren’t in ULS and can be very helpful for troubleshooting authentication issues.