Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Enforcing SharePoint Governance
1. Planning Microsoft® SharePoint® Governance:
How to Implement an Effective Governance
Plan in SharePoint,
Roberto Vazquez Delgado
AvePoint – Technical Solutions Professional
Roberto.Delgado@AvePoint.com
2. AvePoint Corporate Overview
• Founded and Debuted in 2001
• World's Largest SharePoint-Exclusive Research & Development Team
Specialized with 1,000 Employees (600+ in R&D)
• World's Largest Provider of Enterprise-Class Governance and
Infrastructure Management Solutions
Experienced • 25 Offices, 13 Countries in 5 Continents & 8000+ Customers
• Depth-Managed, Microsoft Certified Partner
• Comprehensive SharePoint Governance & Management Platform
Invested • Offering True 24 x 7 Support - Microsoft Certified Technicians
3. Agenda
• Definition and Purpose of Governance
• SharePoint Governance Challenges
– IT Governance
– Information Governance
– Application Management
• What does SharePoint Governance look like?
– Out of the box capabilities
– When to think about additional technology options
• Final Considerations
8. Today’s Focus Areas for SharePoint Governance
• IT governance of the
software itself and the
services you provide
IT Information
Governance
• Information governance
Governance
of the content and
information that users
store in those services.
Application
Management
• Application governance of
the custom solutions you
provide
9. Getting the right tools for the job…
• Standard administration
interfaces
– Quotas, locks, permissions,
records management
• Powershell
– Administrative functions, Data
protection
• SharePoint services and features
– Managed metadata service for
classification
– ISV solutions for management
• SharePoint Designer, Visual Manual
Studio Automated
10. IT Governance
Centrally
Managed Locally
Managed
Software, Services, and
Sites are hosted and Software, Services, and
managed centrally by a Sites are hosted and
core IT group managed locally by
individual groups
A successful IT service includes the following elements:
• A governing group defines the initial offerings, policies, and evaluates success of the service
• The policies you develop are communicated to your enterprise and are enforced
• Users are encouraged to use the service and not create their own solutions – installations are
tracked
• Multiple services are offered to meet different needs in your organization
11. Service-level agreements should include:
• Length of time and approvals necessary to create a site.
• Costs for users/departments.
• Operations-level agreement – which teams perform which
operations and how frequently.
• Policies around problem resolution through a help desk.
• Negotiated performance targets for first load of a site,
subsequent loads, and performance at remote locations.
• Availability, recovery, load balancing, and failover strategies.
• Customization policies.
• Storage limits for content and sites.
• How to handle inactive or stale sites.
13. Simplifying IT Governance Implementation with
Technology
CONSIDER 3RD PARTY TOOLS TO:
• Centrally enforce limitations – plans and policies for
– Data Protection, Recovery, and Availability
– Audit Policies
– Permission management
• Scalability in Management
– Giving IT Teams the technology to manage thousands of
users
– Terabytes of Content
– Millions of Audit Records
16. Information Governance
Loosely
Managed Highly
Restricted
Content is tagged only socially Content is tagged with structured
and not tracked; permissions and metadata, permissions are tightly
archiving are not controlled or controlled, content is archived or
managed. purged per retention schedules.
Appropriate for: Appropriate for:
• Low-business- • Structured content
impact content • High-business-impact content
• Short-term projects • Personal identifiable
• Records information
• Collaboration • Records
17. @danholme
Information Architecture vs. Management
Information Architecture Management
• Organize and describe content • Manage the content & service
– Metadata – Access levels (permissions)
– Structure – Lifecycle
– Relationships – Storage
• Inputs • Inputs
– Knowledge Management team – Information management policies
– Librarians – IT usage policies
– Content owners – Regulatory environment
– Subject matter experts (SMEs) – SLAs
• Outcomes • Outcomes
– Site map (navigation) – Access levels
– Taxonomy – Records management
– Search – Compliance
– Targeting (audiences) – Performance
18. Information Architecture
Wireframe & Search &
Site Map Navigation
Information
Architecture
Managed
Content Types
Metadata
19. Management controls and scopes
Farm
Service
Zone Web Application
Application
Content DB
Site collection
Top-level site
Sub site List/Library Sub site
[Folder]
Item / Document
20. Information Access
Information Management:
IT Governance: Access
Permissions and Audiences
Should I use How do I make
How do I structure How do I target How do I make this
Information Rights sure that only
permissions in a content to specific content accessible
Management (IRM) people who need
site? audiences? to external users?
to protect content? access have it?
Determine the rules or policies that you need to have in place for the
following types of items:
• Pages • Blogs and Wikis
• Lists • Anonymous comments
• Documents • Anonymous access
• Records • Terms and term sets
• Rich media • External data
24. Application Management
Strictly
Managed Loosely
Managed
Customizations must adhere to
customization policy, Rules about development
deployments and updates tested environments or
and rigorously managed. customizations are less rigid.
Determine customization types you want to allow, and how to manage them:
• Service level descriptions • Guidelines for updating customizations
• Processes for analyzing customizations • Approved tools for development
• Process for piloting and testing customizations • Who is responsible for ongoing code
• Guidelines for packaging and deploying support
customizations • Specific policies regarding each potential
type of customization (done through the UI
or SD)
25. Customizations & Branding
• Isolate custom solutions: Sandbox Solutions
– Cannot use certain computer and network resources
– Cannot access content outside the site collection they are deployed in.
– Can be deployed by a site collection administrator.
– Governed: only a farm administrator can promote a sandboxed solution to run
directly on the farm in full trust.
• Master Pages and Page Layouts
• Themes
• To “Designer” or not to “Designer”
• Separate development, pre-production, and production environments
(keep these environments in sync)
26. @jthake
Challenges with SharePoint development
• Environment setup
• Platform learning curve
• Toolset support
• Team development
• Versioned releases
http://wss.made4the.net/archive/2009/10/26/factors.aspx
http://wss.made4the.net/archive/2009/07/06/how-asp-net-developers-can-
leverage-sharepoint-webcast.aspx
28. Streamlining ALM with DocAve
WFE Elements
WFE Elements WFE Elements
Solutions
Solutions Solutions
Customizations
Customizations Customizations
Development Staging Production
• Centrally enable or disable SharePoint Designer
• Control propagation of artifacts, customizations and solutions
within or across environments
• Compare environments for selective artifact propagation
• Easily copy content from production back to dev/text
environments to increase testing quality
33. Service Request Type - Site Collection Request
Sales HR Project
Policy Silver Silver, Bronze Gold, Silver
Security Sales Management HR Management Marketing
Management
Site Templates Custom Sales Enterprise Wiki Team Site,
Template Publishing Site
Service Type Acct Type:
Metadata EPG/SMB/FIN
Workflow 1 Step 3 Step 2 Step
Global Metadata Location Location Location
Primary/Secondary *Fill in the blank* *Fill in the blank* *Fill in the blank*
Site Contact
34. Service Request Types – Surfacing Options to Content
Owners and Business Users
• Site Collection Request
• Transfer / Clone User Request
• Site Collection Content Lifecycle Request
• Sub-site Request
• Content Move Request
• Solution Package Deployment Request
• Gallery Artifact Deployment Request
• Recover Content Request
• Report Request
35. Key takeaways
• Governance is there to ensure IT solutions achieve business
goals
• Start simple
• Training
• Keep it fresh
• Don’t have a policy unless you can enforce it
36. Contact
AvePoint Roberto V. Delgado
Phone Slides (sorry, no phone )
(201) 793-1111 www.slideshare.net/robertovd
1-800-661-6588 (toll-free)
Email Email
sales@avepoint.com roberto.delgado@avepoint.com
Social & Community Social & Community
www.DocAve.com www.DocAve.com
http://www.facebook.com/AvePointInc www.facebook.com/AvePointInc
@AvePoint_Inc @sharepointrober
37. Resources
Product Info:
http://www.avepoint.com
/sharepoint-
solutions/governance-
and-compliance
NEW PRODUCT!
Governance Automation:
http://www.avepoint.com
/GovernanceAutomation
Website houses all white papers, case studies, download links, datasheets, etc!
Download a FREE, fully-enabled 30 Day trial of DocAve at
www.avepoint.com/download
Creation of a well constructed governance plan is a core task for any org looking to establish good controlled sharepoint deployment….But it is just the beginning…
JohnEmphasis here on communication and accountability. Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization's business divisions and IT teams cooperate to achieve business goals. Regardless of what gets documented for the organization, the question of “What’s possible” (technology) is key. We are writing specific governance plans for a technology, so knowing what to enforce is key. Does this sound like you? Anonymous AvePoint customer quote: "We have a lot of great standards that people don't really want to follow."
John(+Toby – very restricted is easy out of the box – need a perfect mix)Today we are looking at a spectrum for each area of governance: 1. Few restrictions, everyone has access (i.e., SharePoint Designer) – typical sayings are “I can’t find anything,” “It’s so slow,” “UXvaries from site to site,” “everyone has access to things they shouldn’t.”2. Restricted: “It’s a file share,” “It’s ugly,” “Nobody has access,” “Red tape to get anything done.”Depending on how regulated you are, you may not have a choice which route to go in! Hosting service providers, PR / Advertising companies with competing accounts, restricted R&D, “ethical walls.”
When is the right time? We see most line of businesses within organizations progressing in this sequence. We’re focusing today on how to introduce governance for each of these areas, because it’s never too late to start!
Our focus today is on a subset of these categories, drawing on the major themes above. IT Assurance for the platform, services, content, etc. Information Governance for managing collaboration
Progression from Manual to Automated, again back to the technology of Governance. We are only implementing a solution as strong as our enforcement.
SharePoint’s Grassroots adoption vs. liability that it causes is an important question. How many people have used SharePoint to manage a project because it was simple to set up a site and manage it through to completion? What about Office 365 governance, who is managing that?For IT governance, you can control the services that you offer, and you can control or track software installations in your environment to prevent proliferation of unmanaged servers for which you can't provide support. What will you provide with each service, and what will you include in service-level agreements for each service?When you develop an IT service to support SharePoint 2010 Products, a key to success is your enterprise's ability to govern the service and ensure that it meets the business needs of your organization in a secure and cost-effective way. A successful IT service includes the following elements:A governing group defines the initial offerings of the service, defines the service's ongoing policies, and meets regularly to evaluate success.The policies you develop are communicated to your enterprise and are enforced.Users are encouraged to use the service and not create their own solutions – installations are tracked.Multiple services are offered to meet different needs in your organization. Offering a set of services enables you to apply unique governance rules and policies at various levels and costs.
We need to establish a benchmark for how we will be checking and enforcing the policies and SLAs. Goal here is to find outliers, whether we’re meeting these plans, and whether adoption is going up. Shown on the left- examples of monitoring available in SharePoint, to the right, in DocAve.
Our environment today is a single-farm deployment of SharePoint, using multiple web applications to simulate multiple farms. DocAve version 6 (currently being showcased at AvePoint’s booth) is the tool of choice for our examples.
Continuity of Operations Plan (COOP) and Disaster Recovery (DR), NOTE: IT Assurance is really about the service (SLAs), includingArchitecture - Provision IA, restructure IA, replicate IA, and extend storage architectureInfrastructure- Disaster Recovery- Platform level backup - protecting all critical SharePoint assets, quickly restoring, maintaining warm stand-by databases for failoverSLAs - InstaMount, fast granular recovery, Performance - SQL database performance with auditor, extender, archiver, monitoringSupports the long-term content and information management requirementsExtends SharePoint storage beyond SQL (storage scalability)Automates content deletion, retention, or preservation based on customizable business rulesIntegrates with enterprise-strength storage systems to provide enhanced HSM, content deduplication, and support long-term storage via WORM or tape ([ML]: Dan or whoever- this one needs help :) ]Arhitect & implement COOP & DR capabilitiesContinuity of Operations Plan (COOP) Ensures resiliency of service in the face of disasterMaintains warm stand-by databases for one-switch failoverComprehensively protects all SharePoint assets- synchronously- for consistency upon restoreQuickly recovers lost or corrupted content with fast farm, database, or granular restores (inc. InstaMount)Level 3 examples (platform recovery)Protects business data, supporting enterprise SLAs for RTO and RPOComprehensively protects all SharePoint assets- synchronously- for consistency upon restoreQuickly recovers lost or corrupted content with fast farm, database, or granular restores (inc. InstaMount)Helps to meet varying SLAs for SharePoint content with granular backupLevel 3 examples (data protection)Delivers highly-available serviceMaintains warm stand-by databases for one-switch failoverLevel 3 examples (high availability)
TO OVERCOME CHALLENGES MENTIONED IN MARKET PROBLEMS SECTION for compliance, appropriateness, and restrictions
Information management is the governance of information in an enterprise — its documents, lists, Web sites, and Web pages — to maximize the information’s usability and manageability. Another aspect of information management is determining who has access to what content – how are you making content available internally and externally and to whom?
Important because the management controls will sometimes determine elements of information architecture- at which levels various options can be controlled that are required to support the business need – eg. Uploading large documents or blocking certain file types has to be controlled at the web app- if you only want that functionality for specific departments or use cases, that might require a new web application.
These are the components of information architecture- all of this helps determine how you manage, and your users find, interact with, and leverage data. Planning for these components ultimately can simplify management- and the application of policies can be drastically simplified- for instance, information management policies, auditing, etc can all be enabled per content typeFor those who want more information on Managed Metadata, Andrew Connell has about a 6-part blog series on it here:http://www.andrewconnell.com/blog/archive/2011/06/15/sharepoint-2010-managed-metadata-about-the-series.aspx
Be sure to consider access to content when you design your solution and sites. This overlaps with IT Governance as you consider your entire environment.
When thinking about content, consider the balance between the following factors, and perhaps have business users fill out an assessment for their site. Which of these factors is the highest priority for each type of content?Availability: available when users need it (can get to it) – so where will content be located? What geography should we locate the data? Do we need to provide mobile access to this content? Access: who has access to the content, if it should be secure, is it? How are we ensuring that is the case? Weekly security audits required? Ongoing monitoring of users? Redundancy: Do we really need another site, or more content? Have we considered shared sites or resources or copies to reduce redundancy, and provide one version of the truth? For example, having a single copy of a document is good for reducing redundancy, but it is a problem for availability and access if it is deleted. What steps need to happen when a list item, document, or page is created, updated, or deleted and who gets affected? Introduce a site contact to speak for the business. For best results, develop a long term solution with them, rather than a temporary solution.
Much of the balancing act on the previous slide should be covered by your document and records management plans, but also consider the storage costs for the content. Understand the capacity planning limits for documents and items, and keep performance and scale in mind.Migration & Planning, onboarding potentially different systems- File share to SharePoint, have users been educated on how content is tagged, and how permissions will work? Have we assessed the changing taxonomy of bringing over other ECM data? Storage decisions for life of content, which could include geography (cloud), retention (WORM), or even availability ( redundancy). Plan for expiration of content today. Content curves are exponential, but as a major financial customer asked AvePoint: “How do we get to the point where I no longer have to purchase new hardware for SharePoint?” Governance helps us dictate the lifecycle of content, including death.
Storage Optimization pitch: Connect to keep out of SQLStorage Manager to externalize to less expensive storage based on customizable rules and policies (eg. File size, type) Archiver to take end-of life content out of SharePoint completelyIntegrates with EMC, NetApp, IBM, Dell, and Hitachi storage systems to optimize storage costs for SharePoint BLOBs, backup and archive data, as well as audit logs.Simplifies and automates administrative and management proceduresDeploys changes to security and configuration in batch modeReports on SharePoint sites, users, storage, and activity in real-time or on a scheduled basisProduces actionable reports on SharePoint users, security, and contentProactively alerts adminsitrators when activity, storage, or network usage thresholds are metLevel 3 examples (governance)Level 3 examples (CLI) - e.g. Automatically provision SharePoint content or media files to connect up to petabytes of file share content into SharePoint. Generalized: Automate the execution of existing plans, or automatically configure additional DocAve plans to provision, delete, edit, or reconfigure SharePoint content and configurations en masse.Level 3 examples (API/SDK)Enable information management while enforcing policies and standards:Empowers business users to manage SharePoint while enforcing policies and standardsSecurity trims administrative functions based on role or SharePoint permission (delegation)Level 3 examples (governance and automation portal)Integrates with and supports leading SharePoint hardware and software solutionsProtects Nintex, NewsGator, and KnowledgeLake solutions, as well as any custom application databaseLevel 3 examplesPlatform consolidation (not in 6.0)Migrates from more than 14 different content management systemsMaintains critical data, including content, metadata, and security with customizable mappingProvides for minimal business disruption over the course of the migration project with live or scheduled migration optionsLevel 3 examples (migration)
SharePoint’s third phase of growth, as an application development platform, also requires another analysis on our Governance spectrum. The same way we have tried to find a balance between the business and what services IT can offer, we must consider the IT Assurance and other governance aspects again!
Environment setupInstalling SharePointHardware requirementsTeam developmentbuilding implementationsTool supportsource control in VSeWSS projectsDebugging trickyno out of the box build server abilityVersioned releasesFeaturesContent typesVersion 1.1 was always a scary thoughtSee also: http://wss.made4the.net/archive/2009/10/26/factors.aspxhttp://wss.made4the.net/archive/2009/07/06/how-asp-net-developers-can-leverage-sharepoint-webcast.aspx
Combining best practices from Microsoft, with service agreements (plans built in DocAve)
Given back to the business at a value. AvePoint won’t provide the billing mechanism for you, but gives you the tools you need to establish a full SLA, defined in an automated interface.
So just to recap, essentially we have some options with how we plan to implement and enforce SharePoint governance policies. The heavily manual apprach, which requires people to essentially police themselves, we can use tools like powershell or the docavesoftwaer platform in a semi-automated approach, as we just saw in the previous example of policy creation and implementation , so a fully automated approach would really be the holy grail- which is what I’d like to spend the last few minutes discussing. Governance Automation is a product that we’ll be releasing soon, that will surface the pre-configured policies in a form to business users for a variety of service requests. So if we take this site provisioning example, we just saw how we can align various docave rules with various policiy levels, but lets look at how we would expose that to the business. Once a business subcribes to a policy, the coorespondingdocuave plans would automatically be associated with that site, in the site provisioning use case. But there are several other use cases we’re targeting- whether site collection lifecycle mangaement,, deploying galler artifacts, etc. for more information on that product, we do have a web page up where you can read more information and see what’s coming.
Automation gives you the chance now to specify how sites may be created!(this is an example of what a Governance Automation form could look like)
These are the other types of services and use cases that we could target with GA+