Don't be deceived by the simplified experience of managing SharePoint permissions! What appears harmless can tailspin into a giant mess requiring massive cleanup. This presentation walks through real-world scenarios and pitfalls of permissions administration, so you can learn from the mistakes of others and not end up digging yourself into a SharePoint permissions hole.
View a recording of the session here: https://www.youtube.com/watch?v=Poh4zxHTNvw
20. Photo Credit – Matthew Keagle & Creative Commons
Do you have a permissions strategy?
21. 21 | @bobbyschang | linkedin.com/in/bobbyschang | bobbyschang.com
- What is the purpose of the site?
- To gather vs. to share info
- Extranet vs. Intranet
- Who’s the target audience?
- Who are the content editors?
- Who are the Power Users?
- Will there be confidential info?
- Do you have compliance requirements to follow?
- Is anyone outside the org invited?
- How will permissions be governed?
- How will you document?
- What is the training plan?
22. “A governance strategy is never static – it is a living, breathing process and a set of rules that you should live by, not die by!”
--Christian Buckley, Microsoft MVP, @buckleyplanet
23. Governance should evolve as your SharePoint platform (and the cloud) matures
29. Office 365 Groups and their SharePoint site permissions go hand in hand
30. Office 365 Groups -> SharePoint groups:
Owners -> Site Owners (Full Control)
Members -> Site Members (Edit)
Guests (External Users) -> Site Members (Edit)
40. • “Everything” may pertain only to Documents
• “Access” could mean Read, Update, and Delete
Contribute (more often than not) is sufficient
41. Check or refine the governance policy
Ensure required training is completed
Consider another permission level:
• Admin privileges without site provisioning or security control
• e.g.: Design
42. Thy requests must go through me …
It’s not that you’re a control freak
46. • Team Growth
• Role Change:
– Expanded Responsibilities
– Rolling Off Project
– Promotions
• Onboarding New Employees
• Employee Departures
47. Where in the World is Carmen Sandiego?
48. • Hard to know who has what access
• Cumbersome to manage existing permissions
• Out-of-Box “Check Permissions” function is rather limited
50. First, assign permissions to a SharePoint group; then add or remove users from the group
51. Microsoft recommends:
AD (Active Directory) Group for SharePoint On-Prem 2013/2016
Security Group in Office 365 for SharePoint Online
52. AD Group
53. • Recommended by MSFT for performance
• Use an AD group in SharePoint only if
– the AD group definition is well defined
– the IT team is proactive in updating membership
• AD membership should be up-to-date to ensure proper access in SharePoint
57. • Site Managers could be locked out
• Be mindful of default settings when creating new
58. ALWAYS assign a group as group owner
Preferably the Site Collection Owner or Site Owner group
Default -> the user who created the group
59. Instead, open the membership list to everyone
Default -> only group members can view
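Added example, not from the deck: a PowerShell fragment that creates a SharePoint group the way slides 50 and 58/59 recommend (permission level bound to the group, owner set to the site's Owners group, membership visible to everyone) and then audits the existing groups of the site for the two defaults the deck warns about. It assumes SharePoint Server 2013/2016 on-premises and the SharePoint Management Shell, run by an account that can manage the site; the site URL, group name and login are placeholders. SharePoint Online would need CSOM or PnP PowerShell instead.

```powershell
# Added example (not from the deck). Assumes SharePoint Server 2013/2016 on-prem,
# run in the SharePoint Management Shell by an account that can manage the site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "https://intranet.contoso.example/sites/project"   # placeholder
$groupName = "Project Content Editors"                          # placeholder
$login     = "CONTOSO\jdoe"                                     # placeholder

$web = Get-SPWeb $webUrl
try {
    # --- Create the group the recommended way ---------------------------------
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        # Owner = the site's Owners group, not the creating user (slide 58)
        $web.SiteGroups.Add($groupName, $web.AssociatedOwnerGroup, $null, "Edits project documents")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    }
    $group.OnlyAllowMembersViewMembership = $false   # anyone can see the members (slide 59)
    $group.Update()

    # Bind a permission level to the group once; Contribute is usually enough (slide 40).
    # Only possible on a site with unique permissions; do not break inheritance blindly (slide 62).
    if ($web.HasUniqueRoleAssignments) {
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
        $web.RoleAssignments.Add($assignment)
    } else {
        Write-Warning "$webUrl inherits permissions; bind the group on the parent site or decide whether to break inheritance first."
    }

    # From now on people are added to or removed from the group, never to the site directly
    $group.AddUser($web.EnsureUser($login))

    # --- Audit every group in the site for the two risky defaults -------------
    foreach ($g in $web.SiteGroups) {
        $ownerIsUser = $g.Owner -is [Microsoft.SharePoint.SPUser]
        if ($ownerIsUser -or $g.OnlyAllowMembersViewMembership) {
            [pscustomobject]@{
                Group         = $g.Name
                Owner         = $g.Owner.Name
                OwnerIsUser   = $ownerIsUser               # lockout risk when that person leaves
                MembersHidden = $g.OnlyAllowMembersViewMembership
            }
        }
    }
} finally {
    $web.Dispose()
}
```

The audit part is the one worth scheduling: a group owned by a single user who has since left is exactly the lockout the deck describes on slide 57, and the fix for each flagged row is to set `Owner` to the Owners group and `OnlyAllowMembersViewMembership` to `$false`, then call `Update()`.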
60. What to Look for When Breaking Site Inheritance
62. Reflect and Assess!
Do I really need unique site permissions?
Do I need all 3 new SharePoint Groups?
Is there an existing group that I can use?
66. • The SharePoint view doesn’t differentiate items with unique permissions
• Permissions need to be updated on each item
• Could lead to performance issues
67. FACT: Reduced performance after 5,000 unique permissions (broken inheritance)
See Microsoft reference: http://bit.ly/1iMmyiC
71. Promotes SharePoint Content
Convenient and Readily Available
Great tie-in with other components, e.g.: Delve, OneDrive For Business, etc.
89. If a user is not declared in the site permissions, permissions given to that user at the library or list level lead to a “Limited Access” entry for the user at the site level.
Site: Limited Access
List / Library: Contribute
90. • Hard to identify where access was granted
• Clutters site permissions
• No easy clean-up process
91. *IMPORTANT!
When you delete Limited Access from the site, SharePoint automatically removes the unique permission in the Library/List/File.
Site: Limited Access
List / Library: Contribute
92. Limited Access can now be hidden
93. Already in a Permissions Hole?
94. First Things First – Stop the Bleeding!
e.g.: Change Full Control access for unqualified folks to Design
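One way to carry out the “stop the bleeding” step, as an added example that is not part of the deck: a function that looks at the principals you name on a site's permissions page, reports which of them hold Full Control and, only when you pass -Apply, replaces that binding with Design. It assumes SharePoint Server 2013/2016 on-premises and the SharePoint Management Shell; the URL and names in the sample call are placeholders, and `Set-FullControlToDesign` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the deck). SharePoint Server 2013/2016 on-prem, Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-FullControlToDesign {
    param(
        [Parameter(Mandatory)] [string]   $WebUrl,
        [Parameter(Mandatory)] [string[]] $Principals,   # user logins or group names to demote
        [switch] $Apply                                  # without -Apply this is a dry run
    )
    $web = Get-SPWeb $WebUrl
    try {
        if (-not $web.HasUniqueRoleAssignments) {
            # Role assignments of an inheriting site live on its parent; change them there
            Write-Warning "$WebUrl inherits its permissions; run this against the parent site instead."
            return
        }
        $fullControl = $web.RoleDefinitions["Full Control"]
        $design      = $web.RoleDefinitions["Design"]

        foreach ($ra in $web.RoleAssignments) {
            $member = $ra.Member
            $names  = @($member.Name)
            if ($member -is [Microsoft.SharePoint.SPUser]) { $names += $member.LoginName }
            $targeted = $Principals | Where-Object { $names -contains $_ }
            if (-not $targeted) { continue }
            if (-not $ra.RoleDefinitionBindings.Contains($fullControl)) { continue }

            if ($Apply) {
                $ra.RoleDefinitionBindings.Remove($fullControl)
                if (-not $ra.RoleDefinitionBindings.Contains($design)) {
                    $ra.RoleDefinitionBindings.Add($design)
                }
                $ra.Update()
            }
            [pscustomobject]@{
                Principal = $member.Name
                Before    = "Full Control"
                After     = "Design"
                Applied   = [bool]$Apply
            }
        }
    } finally {
        $web.Dispose()
    }
}

# Dry run first; add -Apply once the list of rows has been reviewed (placeholders)
Set-FullControlToDesign -WebUrl "https://intranet.contoso.example/sites/project" `
    -Principals @("CONTOSO\jdoe", "Project Helpers")
```

Two caveats a practitioner should keep in mind: Full Control obtained through membership in the Owners group is not a role assignment on the user and is not touched here (remove the person from the group instead), and Site Collection Administrators are outside the permissions page altogether and are changed in site collection settings.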
95. Assess the Damage and Document Findings
96. Out of Box
PowerShell
Third-Party Product
97. • Site permissions page
• Unique access is displayed in yellow
Pro: Free (with SharePoint)
Con: Manual process that needs to be done per site
98. • Could run a report on almost anything
• You don’t have to reinvent the wheel, e.g.: check out this script http://bit.ly/1bH9f1v
Pro: Highly customizable, repeatable, powerful
Con: Requires proper access and knowledge
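Added example, neither the deck's script nor the one behind the bit.ly link above: a report function covering three gaps the deck describes, the “who has what access” question from slide 48, the count of unique permission scopes per list measured against the 5,000 figure from slide 67, and the Limited Access traceback from slides 89 and 90 (which site-level Limited Access entries exist and where that principal actually holds rights). It assumes SharePoint Server 2013/2016 on-premises and the SharePoint Management Shell; `Get-PermissionReport` is a name chosen here, the site collection URL in the sample call is a placeholder, and walking every list item is slow on large lists.

```powershell
# Added example (not from the deck). SharePoint Server 2013/2016 on-prem, Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PermissionReport {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,   # site collection root
        [int] $Threshold = 5000                     # figure the deck cites for degraded performance
    )
    $grants = New-Object System.Collections.Generic.List[object]   # principal -> levels, per scope
    $scopes = New-Object System.Collections.Generic.List[object]   # where inheritance is broken

    function Add-Grants($webUrl, $where, $securable) {
        foreach ($ra in $securable.RoleAssignments) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            $grants.Add([pscustomobject]@{ Web = $webUrl; Where = $where; Principal = $ra.Member.Name; Levels = $levels })
        }
    }

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            if ($web.HasUniqueRoleAssignments) {
                $scopes.Add([pscustomobject]@{ Web = $web.Url; Object = "(site)"; UniqueItems = 0; OverThreshold = $false })
            }
            Add-Grants $web.Url "Site" $web          # this is where Limited Access entries show up

            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                if ($list.HasUniqueRoleAssignments) { Add-Grants $web.Url $list.Title $list }
                $uniqueItems = 0
                foreach ($item in $list.Items) {     # slow on big lists; that is the deck's point
                    if (-not $item.HasUniqueRoleAssignments) { continue }
                    $uniqueItems++
                    Add-Grants $web.Url "$($list.Title)/$($item.Url)" $item
                }
                if ($list.HasUniqueRoleAssignments -or $uniqueItems -gt 0) {
                    $scopes.Add([pscustomobject]@{
                        Web = $web.Url; Object = $list.Title
                        UniqueItems = $uniqueItems; OverThreshold = ($uniqueItems -gt $Threshold)
                    })
                }
            }
            $web.Dispose()
        }
    } finally {
        $site.Dispose()
    }

    # Limited Access traceback: a site-level entry whose only level is Limited Access
    # exists because the principal was granted something deeper inside that site.
    $trace = foreach ($entry in $grants | Where-Object { $_.Where -eq "Site" -and $_.Levels -eq "Limited Access" }) {
        $real = $grants | Where-Object {
            $_.Web -eq $entry.Web -and $_.Where -ne "Site" -and
            $_.Principal -eq $entry.Principal -and $_.Levels -ne "Limited Access"
        }
        [pscustomobject]@{
            Web       = $entry.Web
            Principal = $entry.Principal
            GrantedAt = (($real | ForEach-Object { "$($_.Where) [$($_.Levels)]" }) -join "; ")
        }
    }

    [pscustomobject]@{ Scopes = $scopes; Grants = $grants; LimitedAccessTrace = $trace }
}

$report = Get-PermissionReport -SiteUrl "https://intranet.contoso.example/sites/project"   # placeholder
$report.Scopes | Where-Object { $_.OverThreshold } | Format-Table
$report.LimitedAccessTrace | Format-Table -AutoSize
$report.Grants | Export-Csv -Path .\permissions-report.csv -NoTypeInformation
```

Read `GrantedAt` before deleting any Limited Access entry: those are exactly the unique permissions that slide 91 says SharePoint removes along with it. An empty `GrantedAt` usually means the real grant sits in a subsite (Limited Access propagates upward) or in a hidden list or folder this walk skips, so check there before concluding the entry is stale.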
99. • The complexity of SharePoint permissions may warrant a third-party tool investment
• The list below is recommended by the community
Note: NOT a personal endorsement
100. A Few Considerations During Permissions Clean-Up
101. Remember that it’s a process! i.e.: You may not get it done in 1 day
102. One is the loneliest number
Gather requirements
Talk to business users
Leverage other team members
Photo Credit - The Daily Journal
103. For worst case scenario…
105. Photo Credit: Lucasfilm / Paramount
• Inherit all permissions in the site collection
• Manually re-configure all permissions
It’s high risk, high reward
106. • Get executive buy-in
• Gather needs from business functions
• Devise a plan with Content & Site Managers
• Communicate impact to end users
107. Mitigate -> Survey the Field -> Clean Up -> Manage & Control
Do NOT forget this step!!
108. • Enforce permissions governance
• Gain leadership support:
– Illustrate the level of effort to remedy the issue
– Quantify the business impact ($)
• Form & engage a Governance Committee
• Provide continuous training for Site Managers
109. People | Process | Tool
People: Assign roles
Process: Define how to periodically access
Tool: Choose a system for monitoring
114. “The greatest accomplishment is not in never failing, but in rising again after you fall” --Vince Lombardi
Photo Credit - Journal Communications, Inc.