In this article, Toni Frankola, CEO, Microsoft MVP and SPDocKit Product Owner, outlines SharePoint permissions governance best practices. We’ve included all the things you should keep an eye on before going into SharePoint permission management. These best practices apply to both SharePoint on-prem and SharePoint Online.
Let’s begin with why it’s important to develop a long-term effective SharePoint permissions strategy and the consequences if you fail to do so.
The Importance of SharePoint Permissions Strategy
Implementing SharePoint in your organization is probably one of the best things you can do to achieve better collaboration and high productivity. However, as with all great things, in order to work properly, SharePoint must be responsibly handled and regularly audited.
The consequences of a poorly managed SharePoint environment can be seen in the Snowden and Manning cases. There’s been a lot of buzz that Edward Snowden received access to the confidential information he leaked from the National Security Agency while working for the company Booz Allen Hamilton. Bradley Manning, of course, leaked sensitive military intelligence regarding the American facility at Guantanamo Bay.
Did you know that the annual costs of data breaches in the US alone are in the billions of dollars? Yes. Billions. Just check out the research in Net Losses: Estimating the Global Cost of Cybercrime if you won’t take my word for it.
There’s also Handle with Care: Protecting Sensitive Data in Microsoft SharePoint, Collaboration Tools and File Share Applications, research done by the Ponemon Institute in May, 2017, which is the source for the following Figure 1.
And okay, not all administrators go rogue, and not all SharePoint security breaches end up as high-profile media scandals like the two I mentioned, and not all breaches are done with the intention of leaking classified data – to tell the truth, most security breaches happen because of sloppiness.
Secure SharePoint Farm
You need to have a SharePoint farm that’s properly installed to begin with. This means that as soon as you install the farm, you should perform security hardening.
Make sure that:
- The entire farm isn’t installed under one account.
- You are using dedicated service accounts and following the recommended best practices for service accounts.
- Passwords are complex and long (consider using an automatic password change feature).
- In case of a breach, you have a contingency plan ready.
- You have more than one administrator.
Get to Know SharePoint Permissions and Groups
In SharePoint, you have seven default permission levels: Full Control, Design, Edit, Contribute, Read, Limited Access, and View Only.
Also, there are three SharePoint out-of-the-box groups for each site: Owners (Full Control), Members (Edit), and Visitors (Read).
Before you even begin setting up permissions, it’s important to understand what each user role consists of. For example, do you know who the farm administrator is and what he does?
Farm administrators have access to all servers and SharePoint farm settings in your environment. These users can at any time make themselves Site Collection Administrator. The farm administrator can assign himself/herself permission to access anything within the farm. SharePoint unfortunately still hasn’t included an adequate means of preventing this broad authority from being misused.
Because of the power that comes with this role, it’s important that you know exactly who these people are. You need to know that they are reliable and can be trusted, apart from their expertise. Obviously, you have to assign this role to someone for SharePoint to work properly; it’s just a matter of always knowing who that person is and being able to trust him/her.
It’s recommended that Farm Administrators use dedicated accounts and not their private ones.
Site Collection Administrators have full control over all sites in a site collection. This is the highest role with site collection permissions.
Site Owners have full control over a particular subsite.
Create a Good Permissions Policy
Permissions management is one of the most important tasks in SharePoint administration. And yet, people almost always get it wrong. Don’t make the same mistake: avoid assigning permissions directly. Always stick to default SharePoint groups. It might be best if you use AD groups.
Avoid custom groups at all cost, as well as custom permission levels, even though it seems like a quick fix. You might think it’s a great idea at first, but at some point, it will become a nightmare to manage those custom atrocities. When auditing SharePoint permissions, check to see whether someone accidentally assigned permissions to individual users.
Be Careful How You Use Unique Permissions
If your SharePoint permissions are a mess, your end users will notice it, and SharePoint performance will be poor. Keep in mind to always break permission inheritance at the site level. You might find yourself in a lot of trouble if you break the inheritance at the list item level. For example, if you have a list with more than 5,000 list items and somewhere in there you decide to break the inheritance, congratulations, you’ve just made a mess.
Can you imagine how many resources it takes for SharePoint to go over a list with more than 5,000 items and check who has permissions to see what? And the next time you do an audit, would you even be able to dig out all the list items with a unique permission?
Classify SharePoint Content
This is where proper planning becomes important in order to organize your content.
Best practices recommend that you create separate site collections, then segment your content by security level. This is how you will avoid having classified documents in multiple libraries all over your environment, which are hard to track down later.
For example, create a site collection for each department in your organization. You might even consider creating a generic site collection for random things such as lunch, weather, etc. How you arrange site collections depends on the needs of your business.
We don’t recommend that you mix content because that might become problematic when you want to share that content later on.
Determine Who Needs Access and To What
First, determine who needs access to what and why.
The best practice is to always grant the lowest permission level possible. Then if a user really needs a higher permission level, you can always assign it to him/her once you know why it is needed. With SharePoint 2016 and SharePoint Online you have this cool option where users can request access to specific content. The Site Owner is notified via mail and can decide whether to approve or reject the request.
Audit SharePoint Permissions
Permission audits should be performed regularly. You can use the existing SharePoint options for those audits (which are limited), write your own custom PowerShell script, or use a third-party tool for SharePoint permissions management such as our SPDocKit, for example.
To check whether a particular user has permissions on a certain site, use the Check Permission button in the SharePoint interface. In order to figure out exactly where this user has permissions, you will need a third-party tool.
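One way to write the custom PowerShell audit mentioned above for SharePoint Server on-prem (an added example, not the article's or SPDocKit's code): it is read-only and reports individual users who hold direct permissions on sites and lists, plus lists that contain items with unique permissions. The function names and the site URL are placeholders, and it assumes SharePoint 2013 or later run from the SharePoint Management Shell.

```powershell
# Added example, not the article's code. Read-only permission audit.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DirectUserAssignment {
    param($Securable, [string]$Scope, [string]$Url)
    # Only objects with broken inheritance carry their own role assignments.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        # Groups are the recommended pattern: skip SharePoint groups and AD groups.
        if ($member -isnot [Microsoft.SharePoint.SPUser] -or $member.IsDomainGroup) { continue }
        # Role type Guest is "Limited Access", which SharePoint adds on its own.
        $levels = @($ra.RoleDefinitionBindings | Where-Object { $_.Type -ne 'Guest' } |
                    ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        [pscustomobject]@{
            Finding = 'DirectUserAssignment'; Scope = $Scope; Url = $Url
            Detail  = '{0}: {1}' -f $member.LoginName, ($levels -join ', ')
        }
    }
}

function Get-SPPermissionFinding {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            Get-DirectUserAssignment $web 'Web' $web.Url
            foreach ($list in @($web.Lists | Where-Object { -not $_.Hidden })) {
                $listUrl = '{0}/{1}' -f $web.Url, $list.RootFolder.Url
                Get-DirectUserAssignment $list 'List' $listUrl
                # Entries in this list whose inheritance has been broken.
                $unique = $list.GetItemsWithUniquePermissions().Count
                if ($unique -gt 0) {
                    [pscustomobject]@{
                        Finding = 'ItemLevelUniquePermissions'; Scope = 'List'; Url = $listUrl
                        Detail  = '{0} of {1} items have unique permissions' -f $unique, $list.ItemCount
                    }
                }
            }
            $web.Dispose()   # release each web opened through AllWebs
        }
    } finally { $site.Dispose() }
}

# Placeholder URL; replace with a site collection in your farm.
Get-SPPermissionFinding -SiteUrl 'https://sharepoint.example.com/sites/finance' |
    Format-Table -AutoSize
```

Pipe the output to `Export-Csv` instead of `Format-Table` to keep a dated record and compare one audit with the next.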
Risks of External Sharing and Anonymous Links
There are three options for sharing specific content with external users in SharePoint Online, including at the site level or the document level (access to a specific document within a library). The third option is sharing a link with anonymous users. (It’s not recommended.)
Who are external users? An external user is an authenticated user from outside your organization who joins your tenant to collaborate on a project. Note that the External Sharing option should be allowed by an Office 365 administrator (it can be done through the SharePoint Admin Center). Otherwise, you won’t be able to share SharePoint Online content with people outside the organization.
When an entire subsite is shared with external users, they are added to SharePoint groups automatically. (“Members” and “Visitors” are terms associated with SharePoint groups.) However, the external user may get more permissions than you intended to give. How does this happen? Well, it turns out that the external user is automatically added to the Members Group when you share the subsite. That group might have privileges to view other sites, lists, or content, and you have suddenly given much wider access than you intended. I know, I know, makes very little sense to me, too.
When you share certain content with the group titled “Everyone,” this actually means that the existing external users can see it as well, even though External Sharing is switched off at that particular site collection level. The other option is to explicitly choose Everyone except External Users. Obviously, many might be under the impression that the Everyone option means everyone in your organization. That’s, again, why keeping permissions to a bare minimum, and the simple edit/delete permission, is a best practice for typical users.
Tips and Takeaways
SharePoint Permissions governance main points:
- Use AD groups or Azure AD groups whenever possible.
- Don’t assign too many permissions and consider their future growth beforehand.
- Define groups on a site collection level.
- Never give direct access to users.
- If you need to break permissions, break them in the following order: site > list > folder > list item.
- Use the existing groups whenever possible when creating new sites with unique permissions.
- Find unused groups and delete them.
- Find and remove orphaned users.
- Avoid creating custom permission levels.
- Watch out when restoring permission inheritance on a certain site – permission inheritance will be restored on the entire hierarchy in a downward direction.
- If you want to create a group that’s hidden from all site visitors, select the additional options: “Group Members” and “Who can view the membership of the group.”
Article by: Toni Frankola
Co-founder and CEO at Acceleratio Ltd, SharePoint MVP
Frankola, T. (2017). SharePoint Permissions Governance – Blog – SPDocKit. [online] SPDocKit. Available at: https://www.spdockit.com/blog/sharepoint-permissions-governance/ [Accessed 11 Sep. 2017].