SharePoint Permissions Worst Practices

1 | @bobbyschang | bobbyschang.com
Worst Practices
Bobby Chang
@bobbyschang

2 | @bobbyschang | linkedin.com/in/bobbyschang | bobbyschang.com
Contact Info
• slideshare.net/bobbyschang
• linkedin.com/in/bobbyschang
• @bobbyschang
• bobbyschang.com
Bobby Chang
Consultant, Microsoft Certified Trainer
er er

Why Worst Practices?

Rather Than a List of To-Do’s

At Times It’s More Effective (and Fun) to Share
What NOT To Do

And Scare You Share With You Its Consequences

SharePoint Permissions
Basic Overview

Permissions Fundamental
To Provide or Restrict
Access to SharePoint Content

Site Collection
Site
List / Library
Item
Child Site

Site Collection
Site
List / Library
Item
Child Site
Break Inheritance

Permission Level
Determines how much access a user has

Contribute
• CRUD (Create, Read, Update, Delete) content
• Potential Audience = Team members, Content managers
Read
• Consume content
• Potential Audience = All employees, Clients
Full Control
• “The Kitchen Sink”
• Potential Audience = Site Administrators, Power Users

“Edit”

Edit Contribute

Delete List/Library
Edit is NOT recommended!

Right?!

Planning
Matters
Planning matters

Photo Credit – Matthew Keagle & Creative Commons
Do you have a permissions strategy?

- What is purpose of the site?
- To gather vs. to share info
- Extranet vs. Intranet
- Who’s the target audience?
- Who are the content editors?
- Who are the Power Users?
- Will there be confidential info?
- Do you have compliance to follow?
- Is anyone outside org invited?
- How will permissions be governed?
- How will you document?
- What is the training plan?

“A governance strategy is never static – it is
a living, breathing process and a set of rules
that you should live by, not die by!”
--Christian Buckley, Microsoft MVP
@buckleyplanet

SharePoint platform (and the cloud) matures
Governance should evolve as your

2007 2010 2013

For instance…

Office 365 Group
SharePoint

Office 365 Groups & its SP Site permissions go hand-in-hand

SharePoint
Site Owners (Full Control)
Site Members (Edit)
Site Members (Edit)
Office 365 Groups
Owners
Members
Guests (External Users)

Understand
Impact
Plan Communicate

“Full Control” for Everyone
Worst Practice

Create & Delete Sites
Create SharePoint Groups
Manage Permissions
Activate & Deactivate SharePoint Features
Create, Update, Delete List/Library View
Generate Site Web Analytics Reports
Create, Modify, Delete SharePoint workflow
Create, Modify, Delete Site & List/Library Columns
Delete Site & List Template
Delete Master Page & Page Layout
Add, Update, Delete Pages
Add, Update, Delete Web Parts
Etc. etc. etc.

Dear Site Managers,
You play a pivotal role to SharePoint success (or failure)

When asked to pleeasseee have access to EVERYTHING

Image Credit: © SheKnows LLC
Let’s not rush to give
Full Control

• “Everything” may pertain only to Documents
• “Access” could mean Read, Update, and Delete
Contribute (more often than not) is sufficient

Check or Refine governance policy
Ensure required training completion
Consider other permission level
• Admin privilege without site provision or security control
• e.g.: Design

Thy requests must go through me …
It’s not that you’re
a control freak

Simply can’t have everyone
manage your site

Assigning Permissions to Individual Users
Worst Practice

SharePoint Permissions Worst Practices

• Team Growth
• Role Change:
– Expanded Responsibilities
– Rolling Off Project
– Promotions
• Onboarding New Employees
• Employee Departures

Where in the World is
Carmen Sandiego?

• Hard to know who has
what access
• Cumbersome to manage
existing permissions
• Out-of-Box
“Check Permissions”
function is rather limited

Instead, Use …
SharePoint Group

51 | @bobbyschang | linkedin.com/in/bobbyschang | bobbyschang.comThen Add or Remove Users from the Group
First, Assign Permissions to SharePoint Group

Microsoft recommends
AD (Active Directory) Group
SharePoint
On-Prem
2013/2016
Security Group in Office 365
SharePoint
Online

AD Group

• Recommended by MSFT for performance
• Use AD group in SharePoint only if
– AD group definition is well defined
– IT Team is proactive in updating membership
• AD Membership should be up-to-date to
ensure proper access in SharePoint

Default Settings for SharePoint Groups
Worst Practice

• Site Managers could be locked out
• Be Mindful of Default Settings when creating new

ALWAYS assign a group as group owner
Preferably Site Collection Owner or Site Owner group
Default -> the user who created group

Instead open membership list to everyone
Default -> only Group Members can view

What to Look for When
Breaking Site Inheritance

Reflect and Assess!
Do I really need unique site permissions?
Do I need all 3 new SharePoint Groups?
Is there an existing group that I can use?

Item Level Permissions
Worst Practice

• Item = Document or List Item
• You can set permissions at the Item Level

doesn’t mean you should
Just because you can …

• SharePoint View doesn’t differentiate unique
item permissions
• Permission needs to be updated to each item
• Could lead to performance issue

F A C T : Reduced performance after
5,000 unique inheritance
See Microsoft reference:
http://bit.ly/1iMmyiC

Promotes SharePoint Content
Convenient and Readily Available
Great Tie-in with other components
e.g.: Delve, OneDrive For Business, etc.

After all, sharing is caring. Right!?

Item Level Permission (Worst Practice #5)
Permissions for Ind. Users (Worst Practice #3)
Oh so easy
Share a File in SharePoint
+ ________________________________

(Site Permissions > Access Request Settings)

But don’t fight against the Microsoft wave

In Office 365, you have options

Fun with Limited Access
*BONUS* Worst Practice

Because Limited Access is The Devil

If user is not declared in site permissions,
Permissions given to a user at library or list level
leads to
“Limited Access” creation for user at the site level
Site
List / Library
Limited Access
Contribute

• Hard to identify where
access was granted
• Clutters site permission
• No easy clean-up process

*IMPORTANT!
When you Delete Limited Access from site,
SharePoint automatically
Removes the unique Permission in Library/List/File
Site
List / Library
Limited Access
Contribute

Limited Access can now be hidden

Already in a Permissions Hole?

First Things First – Stop the Bleeding!
e.g.: Change Full Control access
for unqualified folks to Design

Assess the Damage and Document Findings

Third-Party
Product
Out of Box PowerShell

• Site permissions page
• Unique access are displayed in yellow
Pro: Free (with SharePoint)
Con: Manual Process and needs to be done per site

• Could run report on almost anything
• You don’t have to reinvent the wheel
e.g.: Check out this script http://bit.ly/1bH9f1v
Pro: Highly Customizable, Repeatable, Powerful
Con: Require proper access and knowledge

• Complexity of SharePoint permissions may
warrant a third-party tool investment
• List below is recommended by community
Note: NOT a personal endorsement

Few Considerations During Permissions Clean-Up

Remember that
it’s a process!
i.e.: You may not get
it done in 1 day

One is the
loneliest number
 Gather requirements
 Talk to business users
 Leverage other team members Photo Credit - The Daily Journal

For worst case
scenario…

Consider starting over

Photo Credit: Lucasfilm / Paramount
• Inherit all permissions in site collection
• Manually re-configure all permissions
It’s high risk,
high reward

•Get executive buy-in
Gather needs from business functions
Devise plan with Content & Site Managers
Communicate impact to end users

Mitigate Survey the Field Clean Up Manage & Control
Do NOT forget this step!!

• Enforce permissions governance
• Gain leadership support:
– Illustrate level of effort to remedy issue
– Quantify the business impact ($)
• Form & engage Governance Committee
• Provide continuous training for Site Managers

People Process Tool
Assign Roles Define how to
periodically access
Choose system
for monitoring

(Under Site collection Settings)

“The greatest accomplishment is not in never failing,
but in rising again after you fall” --Vince Lombardi
Photo Credit - Journal Communications, Inc.

linkedin.com/in/bobbyschang
bobbyschang.com
@bobbyschang
Questions?
Feel Free to Contact Me
Bobby Chang
twitter.com/bobbyschang
slideshare.net/bobbyschang

SharePoint Permissions Worst Practices

More Related Content

What's hot (20)

Similar to SharePoint Permissions Worst Practices (20)

Recently uploaded (20)

SharePoint Permissions Worst Practices