![Page 1: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/1.jpg)
Why Permissions Drive your Governance Strategy
Christian Buckley
![Page 2: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/2.jpg)
Some of the questions we’ll ask during this webinar:
• How important are permissions to your overall SharePoint governance strategy?
• How should I plan for permissions?
• What can I do out-of-the-box?
• What are the permissions best practices?
![Page 3: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/3.jpg)
About
Christian Buckley, Director of Product Evangelism at Axceler
• Microsoft MVP for SharePoint Server
• Most recently at Microsoft, part of the Microsoft Managed Services team (now Office365-Dedicated) and then Advertising Operations
• Prior to Microsoft, was a senior consultant, working in the software, supply chain, and grid technology spaces focusing on collaboration
• Co-founded and sold a collaboration software company to Rational Software. At another startup (E2open), helped design, build, and deploy a SharePoint-like collaboration platform (Collaboration Manager), onboarding numerous high-tech manufacturing companies, including Hitachi, Matsushita (Panasonic), and Seagate
• Co-authored ‘Microsoft SharePoint 2010: Creating and Implementing Real-World Projects’ (MS Press, March 2012) and 3 books on software configuration management.
• Twitter: @buckleyplanet Blog: buckleyplanet.com
![Page 4: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/4.jpg)
Get the Book
Just released from Microsoft Press
Order your copy at http://oreil.ly/qC4loT
Tackle 10 common business problems with proven SharePoint solutions
• Set up a help desk solution to track service requests
• Build a modest project management system
• Design a scheduling system to manage resources
• Create a site to support geographically dispersed teams
• Implement a course registration system
• Build a learning center with training classes and resources
• Design a team blog platform to review content
• Create a process to coordinate RFP responses
• Set up a FAQ system to help users find answers quickly
• Implement a cost-effective contact management system
![Page 5: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/5.jpg)
Axceler Overview
Improving Collaboration since 2007
• Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
• Delivered award-winning administration and migration software since 1994, for SharePoint since 2007
• Over 2,000 global customers
Dramatically improve the management of SharePoint
• Innovative products that improve security, scalability, reliability, “deployability”
• Making IT more effective and efficient and lower the total cost of ownership
Focus on solving specific SharePoint problems (Administration & Migration)
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers’ needs
• Deliver best of breed offerings
• Stay in lock step with SharePoint development and market trends
![Page 6: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/6.jpg)
Definitions
![Page 7: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/7.jpg)
What do your permissions look like in SharePoint?
![Page 8: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/8.jpg)
Overview / introduction
How to Successfully Move to 2010
Before / Now – clean up your 2007 environment
• Challenges with SharePoint Administration
• How Axceler ControlPoint can help
During – right tools to reduce risks, errors and ensure successful move
• Challenges with SharePoint Migration / Upgrades
• How Davinci Migrator for SharePoint can help
After – ongoing management and administration
Customer success stories
About Axceler
Draft Outline of presentation
![Page 9: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/9.jpg)
How did that happen?
• You deployed SharePoint out-of-the-box
• You had no specific plan for permissions
• The business grew and evolved
• People came and went
• Projects came and went
• And suddenly you found yourself with a bit of a mess
![Page 10: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/10.jpg)
Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
![Page 11: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/11.jpg)
Why are we talking about governance?
• SharePoint out of the box is a powerful platform
• But many organizations don’t think they have the time, money, people to spend on planning
• The same can be said for governance
• The result?
  o Site sprawl
  o Unfettered content
  o Process lawlessness
![Page 12: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/12.jpg)
Why are we talking about permissions?
• Central to your governance implementation is understanding roles and responsibilities within your SharePoint environment
• Understanding how the organization uses SharePoint
• Identifying secure content within the environment
• Determining who needs access
• Creating policies that secure and protect, but are also flexible enough to meet the growing demands of your organization to collaborate
![Page 13: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/13.jpg)
Planning your Permissions
![Page 14: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/14.jpg)
It starts with a plan
• How granular do you need to control access to your content?
• Who manages all the different parts of your SharePoint farm?
• How do you want to manage your users?
![Page 15: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/15.jpg)
Within SharePoint 2010, reports on permissions are not easily generated out of the box, but there are a few features to review permissions:
• PowerShell commands can be written to find users that have access to a site
• A feature called “Check Permissions” provides Administrators the ability to check what permissions a user has to a site
• Yes – that’s pretty limited. But you can write custom reports using the SharePoint object model
• And there are a lot of 3rd party tool options
![Page 16: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/16.jpg)
Building reports on permissions is a manual process that can involve compiling all of your site and permissions data into a spreadsheet just to make it usable
Permissions reporting is critical to your business for a number of reasons:
• Auditing, Compliance, Transparency
• Maintaining accurate user access to troubleshooting functionality problems that, commonly, stem from end users trying to perform a task without having the correct permissions
![Page 17: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/17.jpg)
What is missing from SharePoint 2010 is more centralized management and reporting of all permissions
As an Administrator, you need to be able to see who has access to what and how they got that access
![Page 18: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/18.jpg)
Securable Objects
• What can we secure?
  • Site
  • Library or List
  • Folder
  • Document or Item
![Page 19: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/19.jpg)
Permissions By Site
![Page 20: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/20.jpg)
Permissions By User
![Page 21: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/21.jpg)
Authentication
![Page 22: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/22.jpg)
Authentication Methods
A SharePoint environment must support user accounts that can be authenticated by a trusted authority
How do you authenticate your users?
![Page 23: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/23.jpg)
Windows Authentication
• NT LAN Manager (NTLM):
  • Microsoft security protocol, users authenticated by using the credentials on the running thread
  • Simple to implement – but SharePoint will not be integrated with other applications
• Kerberos
  • If your SharePoint sites use external data
  • Credentials passed from one server to another (“double hop”)
  • Faster, more secure, and can be less error prone than NTLM
• Anonymous Access
  • No authentication needed to browse the site
![Page 24: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/24.jpg)
Active Directory Domain Services (AD DS)
• Authentication based on user account and password from AD
• This works well for Windows environments
• However, do you need support for internal, partner, or cloud-based computing models?
![Page 25: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/25.jpg)
Planning for Extranets
• Credentials stored in:
  • Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
  • AD DS
  • SQL or other database
  • Custom or third-party membership and role providers
• In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication
![Page 26: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/26.jpg)
Claims-Based Authentication (SharePoint 2010)
• Usually for external customers or partners
• Defined at the web application level
• An outside identity provider authenticates users
• A claim is just a piece of information describing a user: name, email, age, hire date, etc. used to authenticate the user
![Page 27: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/27.jpg)
So Much Potential…
Integration with Facebook, Google, Live ID, etc. is becoming more and more common. A scenario:
1. “I’d like to access the Axceler Microsoft technology partners site.”
2. “Not until you can prove to me that you are in the Axceler Microsoft technology partners group.”
3. “Here is my Live ID and password.”
4. “Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use.”
5. “I’d like to access the Axceler Microsoft technology partner document, and here’s proof I have access to it!”
![Page 28: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/28.jpg)
Now That We’ve Authenticated Our Users….
How do we make permissions management part of our governance plan?
![Page 29: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/29.jpg)
Organizing Permissions
![Page 30: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/30.jpg)
Understand your structure
[Diagram: farm hierarchy, Farm > Web App > Site Collection > Site > Sub-site]
![Page 31: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/31.jpg)
Understand your content
[Diagram: a Site Collection containing Sites and Sub-sites, each with its own Lists/Libraries]
..and then plan for your user roles
![Page 32: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/32.jpg)
Farm Administrators Group
![Page 33: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/33.jpg)
Farm Administrators
Define the role:
• Assigned in Central Admin and has permission to all servers and settings in the farm
• Central Administration access, create new web apps, manage services, stsadm/PowerShell command
• Can take ownership of content, and make themselves Site Collection Administrators
[Diagram: farm hierarchy, Farm > Web App > Site Collection > Site > Sub-site]
![Page 34: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/34.jpg)
Site Collection Administrators
Define the role:
• Given full control over all sites in a site collection
• Access to settings pages: manage users, restore items, manage site hierarchy
• Cannot access Central Admin
[Diagram: Site Collection > Site > Sub-site]
![Page 35: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/35.jpg)
Other Permission Levels
Define the roles:
• Site Admins, Team Leads, Power Users, End Users
• Collections of permissions that allow users to perform a set of related tasks
• Defined at the site collection level
![Page 36: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/36.jpg)
SharePoint Groups
A group of users that are defined at the site collection level for easy management of permissions
• The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively
• Anyone with Full Control permission can create custom groups
![Page 37: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/37.jpg)
Customizing Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access
• What does “Read” mean to your organization?
![Page 38: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/38.jpg)
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups
![Page 39: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/39.jpg)
Check Permission Button
SharePoint 2010 lets administrators Check Permissions to determine a user or group’s permissions on all content
![Page 40: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/40.jpg)
Inheritance
If all sites and site content inherit those permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?
![Page 41: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/41.jpg)
Fine Grained Permissions
Sites, lists, libraries, folders, documents, and items can all have unique security
…but that doesn’t mean they should
![Page 42: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/42.jpg)
Inheritance -- what exactly is happening?
• Copies groups, users, and permission levels from the parent object to the child object
• Changes to parent object do not affect the child
![Page 43: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/43.jpg)
The Problem with exceptions
“If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content”
~Planning site permissions, technet http://bit.ly/InKv9i
As a result, permissions management (additions, deletions, edits) is done one securable object at a time!
![Page 44: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/44.jpg)
Performance is Affected too!
Performance is reduced once 1000 objects have broken inheritance in a list or library
• Sites, lists, and libraries need to build security trimmed navigation
• List load time increases
*Apply unique permissions to folders if need be*
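The reporting gap ("who has access to what and how they got that access") and the 1000-object warning above can both be checked with the SharePoint server object model from PowerShell. The script below is an added example, not part of the original presentation or any Axceler product; the site URL, output path and the function name Get-AssignmentRow are placeholders, and it assumes the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example, not from the original deck. Assumes the SharePoint 2010 Management
# Shell on a farm server and an account that can read every site in the collection.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/teamsite",  # placeholder URL
    [string]$OutFile = ".\permissions-report.csv",                        # placeholder path
    [int]$UniqueItemLimit = 1000   # the figure quoted on the performance slide
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per (securable object, principal): who has access, and by which of the
# three routes the deck lists (direct user, domain group, SharePoint group).
# Get-AssignmentRow is a hypothetical helper name.
function Get-AssignmentRow($Securable, [string]$ObjectType, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) { $route = "SharePoint group" }
        elseif ($member.IsDomainGroup)                  { $route = "Domain group" }
        else                                            { $route = "Direct user" }
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
        New-Object PSObject -Property @{
            ObjectType = $ObjectType; Url = $Url; Principal = $member.Name
            GrantedVia = $route; PermissionLevels = $levels
        }
    }
}

$rows = @()
$overLimit = @()
$site = Get-SPSite -Identity $SiteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Only objects with broken inheritance carry their own assignments;
            # everything else is governed by its nearest uniquely secured ancestor.
            if ($web.HasUniqueRoleAssignments) {
                $rows += @(Get-AssignmentRow $web "Site" $web.Url)
            }
            foreach ($list in @($web.Lists)) {
                if ($list.Hidden) { continue }
                $listUrl = $web.Url.TrimEnd("/") + "/" + $list.RootFolder.Url
                if ($list.HasUniqueRoleAssignments) {
                    $rows += @(Get-AssignmentRow $list "List/Library" $listUrl)
                }
                # Count folders and items with broken inheritance inside this list.
                # This walks every item, so expect it to be slow on large libraries.
                $unique = @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments }).Count +
                          @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments }).Count
                if ($unique -ge $UniqueItemLimit) {
                    $overLimit += "$listUrl ($unique uniquely secured folders/items)"
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

$rows | Select-Object ObjectType, Url, Principal, GrantedVia, PermissionLevels |
    Export-Csv -Path $OutFile -NoTypeInformation
$overLimit | ForEach-Object { Write-Warning "At or above limit: $_" }
```

Rows marked "Direct user" on a uniquely secured object are the assignments the deck recommends replacing with group membership.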
![Page 45: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/45.jpg)
Orphaned Domain Users
Deleted and disabled Active Directory users are not updated in SharePoint
• Permissions
• User Profiles
• My Sites
![Page 46: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/46.jpg)
Following Best Practices
![Page 47: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/47.jpg)
Distributed Administration
SharePoint is designed to have site administrators and power users
![Page 48: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/48.jpg)
Be Careful!
• Train your admins and power users!
“I didn’t know that restoring inheritance would remove our unique security model!” ~Countless well intentioned site admins
• Manage power users through the “Owners” SharePoint groups
• Limit the members to only those users you trust to change the structure, settings, or appearance of the site
![Page 49: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/49.jpg)
You’re Not Special
Make most users members of the Members or Visitors groups
• Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
• Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
![Page 50: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/50.jpg)
Stick to the Plan
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users
• People move in and out of teams and change responsibilities frequently
• Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
![Page 51: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/51.jpg)
Plan for Permission Inheritance
• Arrange sites and sub-sites, and lists and libraries so they can share most permissions
• Separate sensitive data into their own lists, libraries, or sub-site
• Microsoft provides a permissions worksheet (Excel file) http://bit.ly/SK0bP6
![Page 52: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/52.jpg)
It’s SharePoint’s Fault!
Administrators can audit permission changes by going to the site collection’s settings page
![Page 53: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/53.jpg)
Best Practices
![Page 54: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/54.jpg)
Planning is key
• Utilize your established PM methodology
• Follow these simple, and universal, guidelines for planning:
  • Understand your business objectives
  • Understand your end user expectations
  • Understand your governance model
  • Take feedback, iterate on your plan
  • Make your efforts transparent
![Page 55: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/55.jpg)
Keep It Simple
• Your governance plan should specify policies for how to manage access to sites and content, defining group, role, and user permissions
• Keep your policies simple – so people understand them, and are more likely to follow them
• The more complex you make your permissions, the more difficult it becomes to determine who has access to what – increasing the risk of information security breaches and the exposure of confidential information
![Page 56: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/56.jpg)
In Summary….
• Use groups to manage memberships
  • Build SharePoint groups from Active Directory (AD) groups
  • They are more flexible than using AD groups alone, which may be out of your control and become a bottleneck
• Use role-based permissions
  • Use SharePoint inheritance, whenever possible (it should be the standard, not the exception)
• Scrutinize requests for custom permissions
  • Avoid item-level permissions unless it is a clear use case / need (financials, product roadmap)
• Do your best to get more visibility into user access
  • Permissions reporting is critical to your business for a number of reasons – from regular auditing, to maintaining accurate user access, to troubleshooting functionality problems that, commonly, stem from end users trying to perform a task without having the correct permissions.
![Page 57: Why Permissions Drive your Governance Strategy](https://reader035.vdocument.in/reader035/viewer/2022062905/5446600e8d7f728f178b580a/html5/thumbnails/57.jpg)
Contact me
Order your copy at http://oreil.ly/qC4loT
Christian Buckley
http://info.axceler.com
Additional Resources available
• Permissions Worksheet (Microsoft) http://bit.ly/SK0bP6
• Developing and Enforcing SharePoint Governance Policies with Axceler ControlPoint http://bit.ly/SJVq8a
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ