Permissions designed to scale
1. Permissions: Designed to Scale
Jamie Aliperti
jamie.aliperti@axceler.com
@jaliperti
SharePoint Saturday Portland
May 19th, 2012
2. About Me
Sales Engineering Manager, Axceler
Based out of the Los Angeles office, and spend most of my time providing consultancy, training and support to current and future customers. I have over 7 years' experience with Microsoft technologies, and lead the Los Angeles Sales Engineering team.
Email: Jamie.Aliperti@axceler.com
Twitter: @jaliperti
3. About Axceler
Improving SharePoint Collaboration Since 2007
Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
Delivered award-winning administration and migration software since 1994
Over 2,000 global customers
Dramatically improve the management of SharePoint
Innovative products that improve security, scalability, reliability, “deployability”
Making IT more effective and efficient and lowering the total cost of ownership
Focus on solving specific SharePoint problems (Administration & Migration)
Coach enterprises on SharePoint best practices
Give administrators the most innovative tools available
Anticipate customers’ needs
Deliver best of breed offerings
Stay in lock step with SharePoint development and market trends
5. Design Permissions as part of Governance
Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
6. Questions to Ask
How is your organization using SharePoint?
Is there secure content in your SharePoint environment?
Who is responsible for SharePoint security?
5/30/2012
7. Plan!
How granular do you need to control access to content?
Who manages all the different parts of your SharePoint farm?
How do you want to manage your users?
8. Farm Administrators Group
Assigned in Central Admin and has permission to all servers and settings in the farm
Central Administration access, create new web apps, manage services, stsadm/PowerShell commands
Can take ownership of content: make themselves Site Collection Administrators
9. Authentication Methods
A SharePoint environment must support user accounts that can be authenticated by a trusted authority
How do you authenticate your users?
10. Windows Authentication
NTLM:
Users are authenticated using the credentials on the running thread
Simple to implement
Suitable when SharePoint will not be integrated with other applications
Kerberos:
Use if your SharePoint sites consume external data
Credentials can be passed from one server to another (the “double hop”)
Faster, more secure, and can be less error-prone than NTLM
Anonymous Access:
No authentication needed to browse the site
12. Who Needs to Access SharePoint?
Claims-based authentication mode lets you use any supported authentication method; without it, you will support only Windows authentication
13. Web Application Policies
Quick way to apply permissions across web applications
Only part of SharePoint where users can be explicitly denied access
Set in Central Admin
14. Site Collection Administrators
Given full control over all sites in a site collection
Access to settings pages
Manage users, restore items, manage site hierarchy
Cannot access Central Admin
16. Inheritance
If all sites and site content inherit the permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?
17. Structure/Architecture
[Hierarchy diagram: Farm > Web App > Site Collection > Site > Sub-site. A farm holds several web apps, each web app several site collections, each site collection several sites, and sites can contain sub-sites.]
18. Permission Levels
Collections of permissions that allow users to perform a set of related tasks
Permission levels are defined at the site collection level
19. Customizing Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access
What does “Read” mean to your organization?
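One way to answer “what does Read mean to your organization” is to create a narrower Read-style permission level at the site collection root, where permission levels are defined. This is an added example, not code from the deck or from Axceler; the site URL and the level name are placeholders, and it is written for the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the original deck): create a custom Read-style permission
# level at the site collection root. Run in the SharePoint 2010 Management Shell as
# a site collection administrator; $siteUrl and $levelName are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.local/sites/finance"   # placeholder URL
$levelName = "Read (browser only)"                              # placeholder name

# Rights for the new level. Compared with the built-in Read level this omits
# UseRemoteAPIs and UseClientIntegration, so content is consumed in the browser
# only and not pulled down through Office clients or the web services.
$rights = [Microsoft.SharePoint.SPBasePermissions] `
    "ViewListItems, OpenItems, ViewVersions, ViewPages, BrowseUserInfo, Open, ViewFormPages"

$site = Get-SPSite -Identity $siteUrl
try {
    $root = $site.RootWeb   # permission levels live on the root web of the site collection
    if ($root.RoleDefinitions | Where-Object { $_.Name -eq $levelName }) {
        Write-Output "Permission level '$levelName' already exists; nothing to do."
    } else {
        $def = New-Object Microsoft.SharePoint.SPRoleDefinition
        $def.Name            = $levelName
        $def.Description     = "Read-only access without Office client or remote API access"
        $def.BasePermissions = $rights
        $root.RoleDefinitions.Add($def)
        Write-Output "Created permission level '$levelName'."
    }
    # Show the built-in Read level next to the new one so the difference is visible
    foreach ($name in @("Read", $levelName)) {
        $d = $root.RoleDefinitions[$name]
        Write-Output ("{0}: {1}" -f $d.Name, $d.BasePermissions)
    }
} finally {
    $site.Dispose()
}
```

Assign the new level to the Visitors group (or a custom group) on the sites where it applies instead of editing the built-in Read level, so the default behaviour stays documented and predictable.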
20. SharePoint Groups
A group of users defined at the site collection level for easy management of permissions
The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively
Anyone with Full Control permission can create custom groups
21. The Basics: Permissions
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups
22. Best Practice
Make most users members of the Members or Visitors groups
Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
23. Plan for Permission Inheritance
Arrange sites and subsites, and lists and libraries, so they can share most permissions
Separate sensitive data into its own lists, libraries, or subsite
Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409
24. Stick to the Plan
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users
People move in and out of teams and change responsibilities frequently
Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
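Slides 23 and 24 ask you to keep inheritance breaks rare and to grant through groups rather than to individuals. The following audit finds the places where the plan has drifted: sub-sites, lists and libraries with unique permissions, and any user or domain group bound directly to them. It is an added example, not code from the deck or from Axceler; the site URL is a placeholder and it assumes the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the original deck): audit a site collection for objects
# that break permission inheritance and for principals assigned directly rather
# than through a SharePoint group. Run in the SharePoint 2010 Management Shell as
# a farm or site collection administrator; $siteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder URL

function Get-DirectAssignments($securable, $location) {
    # Report users and domain groups bound straight to the object, i.e. not via a
    # SharePoint group. SPUser covers both people and domain groups; IsDomainGroup
    # tells them apart (membership of a domain group is invisible from SharePoint,
    # which is the "visibility warning" on the Basics slide).
    foreach ($ra in $securable.RoleAssignments) {
        if ($ra.Member -is [Microsoft.SharePoint.SPUser]) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{
                Location    = $location
                Principal   = $ra.Member.LoginName
                Kind        = $(if ($ra.Member.IsDomainGroup) { "DomainGroup" } else { "User" })
                Permissions = $levels
            }
        }
    }
}

$site = Get-SPSite -Identity $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        # Sites with their own role assignments (the root web is included, since it
        # carries the site collection's own assignments; sub-sites mean a break)
        if ($web.HasUniqueRoleAssignments) {
            Write-Output ("Unique permissions on web: " + $web.Url)
            Get-DirectAssignments $web $web.Url
        }
        # Lists and libraries that stopped inheriting from their site
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) {
                Write-Output ("Unique permissions on list: " + $list.DefaultViewUrl)
                Get-DirectAssignments $list ($web.Url + "/" + $list.Title)
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

Item-level breaks are not walked here because enumerating every item is expensive on large libraries; run the same check on list items separately for the sensitive libraries identified in your plan.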
27. Contact Us for More Info
Contact me: jamie.aliperti@axceler.com
Twitter: @jaliperti
Editor's Notes
Who has one? Not a checklist…it’s constantly changing every day and needs to be managed in the long term
Currently, is SharePoint a document repository? Is it critical to day-to-day business? Just internal users? Are there ways you can expand the use of SharePoint to offer more benefits to your organization? To partners? To the outside world?
Who do you trust to manage all the different parts of your SharePoint farm?
- Kerberos: Less traffic between servers, clients, and domain controllers; uses tickets instead of tokens so it doesn’t have to do a double hop to AD with each request. Much more planning needed.
- Anonymous: Instead, add the All Authenticated Users security principal. This way actions can be traced to users.
Break the inheritance and customize the Read permission level for a subsite to define what “read” really means to your organization