Friday, July 3, 2009

User Permissions in SharePoint

I saw a post on one of the SharePoint Groups on LinkedIn about permissions and security to which I replied. I think this could be useful information for lots of people, so I am blogging it too.

Not knowing how big your organisation is, how you are planning to leverage SharePoint in it, or if it’s an intranet, extranet or internet solution; I won’t know if my information will be of assistance. Ours is an intranet only solution, and I am responsible for the team site web app with 15 000 people across almost 1800 sites on the platform so far. We have 4 web applications, and in the team sites web app, we have dozens of site hierarchies. Each site hierarchy has dozens of subsites across hundreds of business units.

We have Quest installed on our Enterprise platform and it is a nightmare!! I have not been able to get one single sensical report sent to me on user permissions to date. We have just installed a tactical solution called SP Limited Access Discovery. It is EXACTLY what we need on the front line. It is absolutely critical that you have a decent management tool at your disposal to extract reports on permissions. From an external auditor perspective, the first thing they require is to demonstrate security – who has access to what, how and when. Out of box reporting in SharePoint is not enough.

Permissions are an ongoing war and challenge on a daily basis. The primary support team cannot agree on the best way to handle it, but in my personal experience having been sole administrator on the platform for almost the entire life of it, I can tell you that what they say in theory is not necessarily how it works in real world situations. And just because you can do something, doesn’t mean you should.

Plan, plan, plan. I cannot stress this enough. Make sure that whatever you decide to do, is scalable and more importantly, flexible. Ideally you should use Active Directory groups to leverage on SharePoint. If however, your AD user profiles and groups are out of date (like ours are), it is not an option, and you will need to make use of the standard groups in SharePoint. We work with Members, Owners and Visitors and create more groups as required. If you are working with publishing sites too, it is going to have its own set of challenges with the Approvers groups and such.

You have 2 options when creating subsites, to inherit permissions or to create unique permissions. You need to think about this really carefully. Things change. Business units merge. People move. Site administrators take a long time to understand how permissions work.

In my experience, inheriting permissions across 20 or 30 subsites has failed 100% of the time, 100% of the time we have had to redo the permission structure on those site collections, disinheriting, creating new groups etc etc. And while the site owners were adamant that that is what they wanted, it took less than 3 months in every single case for the phone to ring and for us to step in and fix it. This can get very tricky depending on the size of the collection. There are a lot of things you need to remember to do. Site owners lock themselves out of their sites on a daily basis not remembering all the steps to follow.

It also depends on who is going to manage your platform. Are you having one administrator and that person has to add and remove people for the entire organisation? Or are you having individual site owners for each site and letting them manage their space? Ongoing management and administration of your platform will impact how you set up groups.

If you have a large organisation, don’t give business site administrators site hierarchy access. It is too much power. The maximum access they should have is Site Owner. Also, advise business units to have as few site owners as possible. Having 6 or 7 will create a free for all on the site and there will be no control. One or 2 at the most is ideal. Do not give users access to Central Admin and SSP under any circumstances. Those consoles are for the domain of the server administrators and platform owners only.

While it takes marginally more time to create unique permissions in the beginning, from a long term management perspective, it has proved to be the most effective way by far to manage the team sites. Obviously in some circumstances it will make sense to inherit, it really depends on the type of business you have.

If you just have one site collection with all your sites in it, and you are creating unique permissions, make sure you set naming standards for the groups. We did this on our POC environment, and it really helped. Just short abbreviations or initials are fine. If there are multiple business units, put the BU name is in the front, eg: for Marketing – Promotional Material site and subsite, create the groups as Mktg – PM Members, Mktg – PM Owners, Mktg – PM Visitors. This helps your primary support team to manage the environment and assist users that are locked out. You can have hundreds of groups overnight; you need to know where they all belong and naming standards will save a lot of time. This is not such a big a deal if you have different site collections for each business unit. But if that business unit plans on having lots of subsites, it might be a good idea for them.

You need to make sure site owners add users in actual groups, not on a site level – it is impossible to manage in the long run. You will see if they have done this in the Site Permissions view. Also try and avoid creating unique permissions on a library, list or item level. It gets very difficult to manage. Rather keep restricted content on a separate subsite where possible and restrict permissions on that level.

The default Members group has delete rights. We split that out and made a special Delete Rights Only group. This had proved to be a winner across the platform. As most of your staff could end up as Members on a site to update content, you don’t necessarily want them deleting things at will.

If you are new to SharePoint and are going to be in charge of sites or the platform, make sure you get the permissions and inheritance concepts firmly under the belt as soon as possible. If you are planning a large rollout, this is going to be crucial.

Then there is licensing implications. If you have just bought MOSS 2007 Core CALs and are not planning to purchase Enterprise CALs at all, then follow all this advice, likewise if you have bought all Enterprise CALs. If however, you have bought Core and are planning to incrementally buy Enterprise, then you need to rethink this in other ways as well. Remember if you can view it or edit it, you need a license for it, (KPI’s, dashboards, etc). You cannot allocate an Enterprise CAL to a document library with unique permissions. It doesn’t work like that. They are activated on a site level – so whoever has access to that site needs a license. This will impact how you grant permissions and set up your hierarchies again.

Hope this helps. If I think of anything else I’ll let you know.


  1. Hi,

    This is a nice explanation of setting up your Site Hierarchies, thanks for sharing this lovely article Veronique.

    I also write my experiences with Sharepoint on my blog site :

  2. Thank you so much Mehul. I will check out your stuff too.

  3. This post does a great job of identifying key considerations and strategies for deploying healthy team site / collab areas within SharePoint!

  4. Hello
    I found your blog using google.
    I have a weird issue and I'm stuck with it.
    I have a site collection and want all my colleagues to be able access the root site. All of them get "Access denied" message when they access the root site. Only me and my developer colleagues can access it because we are set as site collection administrators.
    Do you have any idea about this issue?

  5. This will actually generate positive results in devising
    a better mailing list where they now can start building relationships and literally promote anything they want to be spoken to
    in Spanish. Those employees should also book the customers directly and should ensure that this is a desire on the part of management.
    It is worthwhile to wander through the trade show and promote your products and services.
    This is one very important aspect that should be running worldwide.

    Be TenaciousDo not let anything make you irresolute.

    Review my page ... Private Student Loans for People

  6. I always emailed this webpage post page to all my associates,
    because if like to read it then my links will too.

    my page; green coffee diet

  7. Hello i am kavin, its my first time to commenting
    anywhere, when i read this piece of writing i thought i could also create comment due to this sensible piece of writing.

    my web site ... nuva genic and solpria

  8. I'm really enjoying the theme/design of your site. Do you ever run into any internet browser compatibility issues? A small number of my blog readers have complained about my site not operating correctly in Explorer but looks great in Opera. Do you have any recommendations to help fix this problem?

    Feel free to surf to my homepage; Buy Enduros

  9. Hi colleagues, pleasant piece of writing and pleasant
    urging commented at this place, I am genuinely enjoying by these.

    My blog post ... Instant income blog