How to devise great permissions policies for SharePoint

Learn about best practices for secure SharePoint deployment to keep your implementation of the collaboration suite on track.

Microsoft SharePoint security is not difficult to establish and maintain, as long as your organisation has a well thought-out plan for best practices before implementation.

SharePoint provides a Web-based portal for content management, collaboration, managing business processes and forms, and search inside the company, as well as reaching out to authorized partners, contractors and other third parties. It's easy to deploy and use, so that business users can manage their sites without constantly relying on IT for help.

Security is not difficult, but issues can arise, primarily over access control if SharePoint permissions are poorly thought out or implemented. External users can also be an issue if they are not properly managed.

This two-part tip will explain five of the most important things experts say you should keep in mind when you design SharePoint security. Part two will cover how to handle external users, authorization and general security issues.

A common error is simply the failure to create thoughtful SharePoint security best practices in the first place.

If the policy is too permissive, users wind up with too much liberty to customize SharePoint sites, especially around access to resources. The inevitable consequence is people seeing and/or being able to change documents they shouldn't have those rights to.

This often happens when users ask the help desk to do something for their site. But instead of addressing the specific request, IT responds by simply giving them site admin privileges so they can make the change--and any future changes--without coming back to the help desk. This behavior is typical of overworked IT departments, said Matt Ranlett, principal consultant in Atlanta, Ga.-based Intellinet Corp.'s worker information practice and a Microsoft MVP for SharePoint Server.

On the other extreme are organisations that are so rigid that everything is locked down and every change requires a help desk request. That's bad news for small IT departments and for users who just want to get on with their jobs.

"There needs to be a middle ground," said Ranlett. "There's more art than science to how you grant users permission to make modifications to the design of a site."

Smaller organisations generally don't have to worry about policy control and enforcement across multiple units and SharePoint deployments, so once your organisation has configured SharePoint and set appropriate use policies, site admins should pretty much run things on their own.

If you are like most midmarket companies, you use Active Directory as your primary user information repository for email distribution groups, user authentication, and application and file access and authorization. Simplify your management of SharePoint identities by either using existing AD security groups or creating new ones and moving them to SharePoint.

You should note that SharePoint is designed to be perfectly workable if you don't have Active Directory. You can create SharePoint groups for authorization privileges and use any LDAP, SQL Server, Oracle, or third-party product for authentication.

A small IT staff doesn't have time to manage users and groups in two places. You can always have the site admin manage individual exceptions in SharePoint, rather than involve IT in an AD change.

"If I want to share information with you and Bob down the hall, it's not likely there's an AD group to reflect that," said Neil MacDonald, VP at Stamford, Conn.-based Gartner.

SharePoint doesn't have a centralized rights management interface. It can't generate reports that show what a given user has access to--you would have to check each object (think 1,000 documents, for example) in SharePoint to see if the user has access. In AD, on the other hand, it's easy to report on user access and replicate rights for new employees or for changing roles.
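The object-by-object check described above can at least be scripted from the server. The following PowerShell script is an added example, not code from the article; it assumes the on-premises SharePoint Server (2010 or later) object model, and the site URL and login are placeholders. It walks every web, list and item that breaks permission inheritance and reports whether the named user can view or edit it.

```powershell
# Added example (not from the article): report what one user can reach in a site
# collection by checking every securable object that breaks permission inheritance.
# Assumes the on-premises SharePoint Server (2010+) object model; run in the
# SharePoint Management Shell as a site collection administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder
$login   = "EXAMPLE\jdoe"                                     # placeholder

$view = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems
$edit = [Microsoft.SharePoint.SPBasePermissions]::EditListItems

# Objects that inherit permissions give the same answer as their parent, so only
# objects with HasUniqueRoleAssignments need an explicit check.
function Test-UserAccess($obj, $kind, $url) {
    # GetUserEffectivePermissions resolves SharePoint groups and AD group
    # membership the same way SharePoint does when it serves a request.
    $perms = $obj.GetUserEffectivePermissions($login)
    [pscustomobject]@{
        Kind    = $kind
        Url     = $url
        CanView = (($perms -band $view) -ne 0)
        CanEdit = (($perms -band $edit) -ne 0)
    }
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            Test-UserAccess $web "Web" $web.Url
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Test-UserAccess $list "List" ($web.Url + "/" + $list.RootFolder.Url)
                }
                # Item-level permission breaks are the ones an AD-only review misses.
                foreach ($item in $list.Items) {
                    if ($item.HasUniqueRoleAssignments) {
                        Test-UserAccess $item "Item" ($web.Url + "/" + $item.Url)
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

The script emits one object per checked location, so its output can be piped to Export-Csv to produce the per-user access report SharePoint itself does not offer.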

One caution here: Don't assume your existing AD groups will automatically meet your SharePoint needs. A department AD group or geographic group may be a convenient way to organize employees for authentication and other AD tasks, but may not reflect how people work.

"The problem is AD doesn't necessarily reflect how people share information or want to share information," said MacDonald.
