Why Permissions Drive your Governance Strategy
Christian Buckley, [email protected]
Some of the questions we’ll ask during this webinar:
• How important are permissions to your overall SharePoint governance strategy?
• How should I plan for permissions?
• What can I do out-of-the-box?
• What are the permissions best practices?
About
Christian Buckley, Director of Product Evangelism at Axceler
• Microsoft MVP for SharePoint Server
• Most recently at Microsoft, part of the Microsoft Managed Services team (now Office365-Dedicated) and then Advertising Operations
• Prior to Microsoft, was a senior consultant, working in the software, supply chain, and grid technology spaces focusing on collaboration
• Co-founded and sold a collaboration software company to Rational Software. At another startup (E2open), helped design, build, and deploy a SharePoint-like collaboration platform (Collaboration Manager), onboarding numerous high-tech manufacturing companies, including Hitachi, Matsushita (Panasonic), and Seagate
• Co-authored ‘Microsoft SharePoint 2010: Creating and Implementing Real-World Projects’ (MS Press, March 2012) and 3 books on software configuration management.
• Twitter: @buckleyplanet Blog: buckleyplanet.com Email: [email protected]
Get the Book
Just released from Microsoft Press. Order your copy at http://oreil.ly/qC4loT
Tackle 10 common business problems with proven SharePoint solutions:
• Set up a help desk solution to track service requests
• Build a modest project management system
• Design a scheduling system to manage resources
• Create a site to support geographically dispersed teams
• Implement a course registration system
• Build a learning center with training classes and resources
• Design a team blog platform to review content
• Create a process to coordinate RFP responses
• Set up a FAQ system to help users find answers quickly
• Implement a cost-effective contact management system
Axceler Overview
Improving Collaboration since 2007
Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
• Delivered award-winning administration and migration software since 1994, for SharePoint since 2007
• Over 2,000 global customers
• Dramatically improve the management of SharePoint
• Innovative products that improve security, scalability, reliability, “deployability”
• Making IT more effective and efficient and lowering the total cost of ownership
• Focus on solving specific SharePoint problems (Administration & Migration)
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers’ needs
• Deliver best of breed offerings
• Stay in lock step with SharePoint development and market trends
Definitions
What do your permissions look like in SharePoint?
Draft Outline of presentation (How to Successfully Move to 2010)
• Overview / introduction
• Before / Now – clean up your 2007 environment: challenges with SharePoint administration; how Axceler ControlPoint can help
• During – the right tools to reduce risks and errors and ensure a successful move: challenges with SharePoint migration / upgrades; how Davinci Migrator for SharePoint can help
• After – ongoing management and administration
• Customer success stories
• About Axceler
How did that happen?
• You deployed SharePoint out-of-the-box
• You had no specific plan for permissions
• The business grew and evolved
• People came and went
• Projects came and went
• And suddenly you found yourself with a bit of a mess
Why are we talking about governance?
Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
• SharePoint out of the box is a powerful platform
• But many organizations don’t think they have the time, money, or people to spend on planning
• The same is true of governance: it gets treated as something there is no time for
• The result?
  o Site sprawl
  o Unfettered content
  o Process lawlessness
Why are we talking about permissions?
• Central to your governance implementation is understanding roles and responsibilities within your SharePoint environment
• Understanding how the organization uses SharePoint
• Identifying secure content within the environment
• Determining who needs access
• Creating policies that secure and protect, but are also flexible enough to meet the growing demands of your organization to collaborate
Planning your Permissions
It starts with a plan
• How granular do you need to control access to your content?
• Who manages all the different parts of your SharePoint farm?
• How do you want to manage your users?
Within SharePoint 2010, reports on permissions are not easily generated out of the box, but there are a few ways to review permissions:
• PowerShell scripts can be written against the object model to find the users and groups that have access to a site
• The “Check Permissions” feature lets administrators see what permissions a given user or group has on a site
• Yes, that’s pretty limited. But you can write custom reports using the SharePoint object model
• And there are a lot of 3rd party tool options
Building reports on permissions is a manual process that can involve compiling all of your site and permissions data into a spreadsheet just to make it usable. Permissions reporting is critical to your business for a number of reasons:
• Auditing, compliance, transparency
• Maintaining accurate user access
• Troubleshooting functionality problems that commonly stem from end users trying to perform a task without having the correct permissions
What is missing from SharePoint 2010 is centralized management and reporting of all permissions. As an administrator, you need to be able to see who has access to what, and how they got that access.
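The “who has access to what” report the slide says is missing can be built against the object model. The script below is an added example, not code from the deck or from Axceler: it walks one site collection, lists every securable object that has unique (non-inherited) permissions together with the principals and permission levels assigned there, and counts how many folders and items in each list have broken inheritance. It assumes the SharePoint 2010 Management Shell (PowerShell 2.0 syntax, no `[PSCustomObject]`), a farm administrator running it on a farm server, and a hypothetical site URL, output path and threshold.

```powershell
# Added example (not from the original deck): report every securable object in a
# site collection that has unique permissions, who is assigned what there, and how
# many objects per list have broken inheritance.
# Assumptions: SharePoint 2010 Management Shell (PowerShell 2.0), farm administrator
# on a farm server; 'http://intranet' and 'C:\reports' are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per role assignment on one securable object (web, list, folder or item).
# Note: an AD group shows up as a single row; its membership is not expanded here
# (the "visibility warning" on the permissions slide).
function Get-RoleAssignmentRows {
    param($Object, [string]$Scope, [string]$Url)
    foreach ($ra in $Object.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        New-Object PSObject -Property @{
            Scope     = $Scope
            Url       = $Url
            Principal = $ra.Member.Name
            LoginName = $ra.Member.LoginName
            IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Levels    = $levels
        }
    }
}

# Walk the site collection, collecting assignment rows plus a per-list count of
# broken-inheritance objects (folders and items), the number that drives both the
# management effort and the performance cost of fine-grained permissions.
function Get-UniquePermissionReport {
    param([string]$SiteUrl, [int]$WarnThreshold = 1000)
    $rows  = @()
    $lists = @()
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    $rows += Get-RoleAssignmentRows $web 'Web' $web.Url
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    $listUrl = "$($web.Url)/$($list.RootFolder.Url)"
                    if ($list.HasUniqueRoleAssignments) {
                        $rows += Get-RoleAssignmentRows $list 'List' $listUrl
                    }
                    $broken = 0
                    # SPList.Items does not include folders, so check both collections.
                    # On very large lists replace this with an SPQuery/ContentIterator walk.
                    foreach ($obj in @($list.Folders) + @($list.Items)) {
                        if ($obj.HasUniqueRoleAssignments) {
                            $broken++
                            $rows += Get-RoleAssignmentRows $obj 'Item' "$($web.Url)/$($obj.Url)"
                        }
                    }
                    $lists += New-Object PSObject -Property @{
                        List          = $listUrl
                        BrokenObjects = $broken
                        OverThreshold = ($broken -ge $WarnThreshold)
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
    New-Object PSObject -Property @{ Assignments = $rows; Lists = $lists }
}

# Usage (hypothetical URL and path): dump assignments to CSV and print the lists
# whose broken-inheritance count is at or over the threshold.
$report = Get-UniquePermissionReport -SiteUrl 'http://intranet' -WarnThreshold 1000
$report.Assignments | Export-Csv -Path 'C:\reports\permissions.csv' -NoTypeInformation
$report.Lists | Where-Object { $_.OverThreshold } | Format-Table List, BrokenObjects -AutoSize
```

Run it from the SharePoint 2010 Management Shell; every `SPWeb` is disposed in `finally` because the object model leaks unmanaged memory otherwise. The CSV is the spreadsheet the slide describes, except that it is regenerated by script rather than compiled by hand.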
Securable Objects
What can we secure?
• Site
• Library or List
• Folder
• Document or Item
Permissions By Site
Permissions By User
Authentication
Authentication Methods
A SharePoint environment must support user accounts that can be authenticated by a trusted authority.
How do you authenticate your users?
Windows Authentication
• NT LAN Manager (NTLM):
  • Microsoft security protocol; users are authenticated using the credentials on the running thread
  • Simple to implement, but NTLM cannot delegate the user’s identity to a second server, so SharePoint will not integrate cleanly with other applications (external data sources, reporting services)
• Kerberos:
  • Use it if your SharePoint sites use external data
  • Credentials can be delegated from one server to another (solves the “double hop” problem)
  • Faster, more secure, and can be less error prone than NTLM
• Anonymous Access:
  • No authentication needed to browse the site
Active Directory Domain Services (AD DS)
• Authentication based on user account and password from AD
• This works well for Windows environments
• However, do you need support for internal, partner, or cloud-based computing models?
Planning for Extranets
• Credentials stored in:
  • Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
  • AD DS
  • SQL or other database
  • Custom or third-party membership and role providers
• In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication
Claims-Based Authentication (SharePoint 2010)
• Usually for external customers or partners
• Defined at the web application level
• An outside identity provider authenticates users; SharePoint trusts the provider’s signed token and never sees the user’s password
• A claim is just a piece of information describing a user, asserted by a trusted issuer: name, email, age, hire date, group membership, etc. SharePoint uses the claims in the token to identify the user and decide what they may access
So Much Potential…
Integration with Facebook, Google, Live ID, etc. is becoming more and more common. A scenario:
1. User to SharePoint: “I’d like to access the Axceler Microsoft technology partners site.”
2. SharePoint: “Not until you can prove to me that you are in the Axceler Microsoft technology partners group.”
3. User to the identity provider: “Here is my Live ID and password.”
4. Identity provider: “Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use.”
5. User to SharePoint: “I’d like to access the Axceler Microsoft technology partner document, and here’s proof I have access to it!”
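The scenario above, expressed as SharePoint 2010 configuration. This is an added example, not the deck’s or Axceler’s code, and it substitutes a SAML 1.1 identity provider such as AD FS 2.0 for the Live ID in the story, because that is what `New-SPTrustedIdentityTokenIssuer` consumes. Every concrete value (issuer name, realm, sign-in URL, certificate path, site URL, claim values, the user’s e-mail) is a hypothetical placeholder. The point it demonstrates is steps 2 and 4: access is granted to a role claim the provider asserts, so SharePoint never handles the password and never has to track the individual partner users.

```powershell
# Added example (not from the original deck): register a SAML 1.1 identity provider
# (e.g. AD FS 2.0) as a trusted identity token issuer, map the e-mail and role claims,
# then grant site access to a role claim instead of to individual users.
# All values below are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = 'Partner IdP'
$realm      = 'urn:sharepoint:partners'            # must equal the relying-party identifier on the IdP
$signInUrl  = 'https://sts.example.com/adfs/ls/'   # where unauthenticated users are redirected
$certPath   = 'C:\certs\sts-token-signing.cer'     # IdP token-signing certificate (public key only)

# SharePoint checks token signatures against this certificate, so the farm must trust
# it. It is the IdP's token-signing cert, not its SSL cert.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "$issuerName signing" -Certificate $cert | Out-Null

# Claim mappings decide which incoming claims SharePoint keeps. The identifier claim
# must be unique and stable per user; e-mail is the usual choice.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description 'Partner extranet IdP' `
    -Realm $realm -ImportTrustCertificate $cert -SignInUrl $signInUrl `
    -ClaimsMappings $emailClaim,$roleClaim -IdentifierClaim $emailClaim.InputClaimType

# The issuer is attached per web application (the "defined at the web application
# level" bullet). For a new web application:
#   $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
#   New-SPWebApplication ... -AuthenticationProvider $ap
# For an existing one, enable it under Central Administration > Authentication Providers.

# Grant access by claim, not by person: anyone the IdP says holds the "partners" role
# becomes a Visitor (Read) on the partner site. SharePoint only ever sees the signed token.
$web = Get-SPWeb 'https://partners.example.com'
try {
    $partnersRole = New-SPClaimsPrincipal -ClaimValue 'partners' `
        -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
        -TrustedIdentityTokenIssuer $issuer
    $web.AssociatedVisitorGroup.AddUser($web.EnsureUser($partnersRole.ToEncodedString()))

    # A single user, if one is really needed, is addressed by the identifier claim value.
    $steve = New-SPClaimsPrincipal -Identity 'steve@partner.example' -TrustedIdentityTokenIssuer $issuer
    $web.AssociatedVisitorGroup.AddUser($web.EnsureUser($steve.ToEncodedString()))
} finally { $web.Dispose() }
```

The encoded claim string (`c:0-.t|partner idp|partners` in this shape) is what you will later see in permission reports in place of a domain login, so a reporting script has to treat those principals as groups, not people.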
Now That We’ve Authenticated Our Users….
How do we make permissions management part of our governance plan?
Organizing Permissions
Understand your structure
[Diagram: the SharePoint hierarchy Farm > Web App > Site Collection > Site > Sub-site; one farm holds several web apps, each with its own site collections, sites and sub-sites]
Understand your content
[Diagram: Site Collection > Site / Sub-sites > Lists/Libraries; lists and libraries hang off each site and sub-site]
…and then plan for your user roles
Farm Administrators Group
Define the role:
• Assigned in Central Admin and has permission to all servers and settings in the farm
• Central Administration access, create new web apps, manage services, stsadm/PowerShell commands
• Can take ownership of content, and make themselves Site Collection Administrators
[Diagram: the Farm Administrators role spans the whole hierarchy, Farm > Web App > Site Collection > Site > Sub-site]
Site Collection Administrators
Define the role:
• Given full control over all sites in a site collection
• Access to settings pages: manage users, restore items, manage site hierarchy
• Cannot access Central Admin
[Diagram: the Site Collection Administrators role spans one site collection, Site Collection > Site > Sub-site]
Other Permission Levels
Define the roles:
• Site Admins, Team Leads, Power Users, End Users
• Permission levels are collections of permissions that allow users to perform a set of related tasks
• Defined at the site collection level
SharePoint Groups
A group of users that is defined at the site collection level for easy management of permissions
• The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively
• Anyone with Full Control permission can create custom groups
Customizing Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access
• What does “Read” mean to your organization?
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning: SharePoint does not show the membership of an AD group, so from inside SharePoint you cannot see who actually has access)
3. To SharePoint Groups
Check Permissions Button
SharePoint 2010 lets administrators run Check Permissions on a site, list, or item to see which permission levels a user or group has there and through which group memberships they were granted. It answers the question for one object at a time, not for all content at once.
Inheritance
If all sites and site content inherit the permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?
Fine Grained Permissions
Sites, lists, libraries, folders, documents, and items can all have unique security
…but that doesn’t mean they should
Inheritance -- what exactly is happening?
• Breaking inheritance copies the groups, users, and permission levels from the parent object to the child object at that moment
• From then on, changes to the parent object do not affect the child: the copy is a snapshot, not a link
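The two bullets above can be verified directly against the object model. This is an added example, not code from the deck: it breaks inheritance on a library with the “copy role assignments” option, then grants a user Read on the parent web and shows that the library never receives that grant, and finally restores inheritance to show that the library’s own assignments are discarded. The site URL, library title and the account `CONTOSO\alice` are hypothetical; run it as a site collection administrator against a test site you are allowed to modify.

```powershell
# Added example (not from the original deck): demonstrate what breaking inheritance
# copies and what it does not. Assumes a test site and library you may modify; the
# URL, library and CONTOSO\alice are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-InheritanceSnapshot {
    param(
        [string]$WebUrl    = 'http://intranet/sites/test',
        [string]$ListTitle = 'Shared Documents',
        [string]$TestLogin = 'CONTOSO\alice'
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$ListTitle]
        if ($list.HasUniqueRoleAssignments) {
            throw "$ListTitle already has unique permissions; pick another list"
        }

        # 1) Break inheritance with copyRoleAssignments = $true. This is the "copy" in
        #    the slide: the list gets its own role assignment collection seeded from the
        #    parent web. BreakRoleInheritance($false) would start it empty instead.
        $list.BreakRoleInheritance($true)
        $copied = $list.RoleAssignments.Count

        # 2) Change the parent: grant alice Read on the web.
        $alice = $web.EnsureUser($TestLogin)
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($alice)
        $ra.RoleDefinitionBindings.Add($web.RoleDefinitions['Read'])
        $web.RoleAssignments.Add($ra)
        $web.Update()

        # 3) The child is a snapshot, not a link: alice is on the web, not on the list.
        #    Re-fetch the list so we are not reading a stale object.
        $list = $web.Lists[$ListTitle]
        $onWeb  = @($web.RoleAssignments  | Where-Object { $_.Member.ID -eq $alice.ID }).Count
        $onList = @($list.RoleAssignments | Where-Object { $_.Member.ID -eq $alice.ID }).Count

        # 4) Restoring inheritance throws the unique model away entirely. This is the
        #    "I didn't know restoring inheritance would remove our security model" moment.
        $list.ResetRoleInheritance()
        $list = $web.Lists[$ListTitle]
        $uniqueAfterReset = $list.HasUniqueRoleAssignments

        # Clean up the test grant on the parent.
        $web.RoleAssignments.Remove($alice)
        $web.Update()

        New-Object PSObject -Property @{
            CopiedAssignments    = $copied            # > 0: parent assignments were copied
            AliceOnWeb           = $onWeb             # 1: the parent change took effect
            AliceOnList          = $onList            # 0: the child did not receive it
            ListUniqueAfterReset = $uniqueAfterReset  # False: back to inheriting
        }
    } finally { $web.Dispose() }
}

Test-InheritanceSnapshot | Format-List
```

The same behaviour applies one level down: an item with unique permissions does not pick up changes made to its list. That is why the deck’s advice is to keep unique permissions rare and, where they are unavoidable, to assign them to groups rather than to people.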
The Problem with exceptions
“If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content” ~Planning site permissions, TechNet http://bit.ly/InKv9i
As a result, permissions management (additions, deletions, edits) is done one securable object at a time!
Performance is Affected too!
Performance is reduced once 1000 objects have broken inheritance in a list or library
• Sites, lists, and libraries need to build security-trimmed navigation
• List load time increases
• If you must break inheritance inside a list, apply unique permissions to folders rather than to individual items
Orphaned Domain Users
Deleted and disabled Active Directory users are not updated in SharePoint; they linger in:
• Permissions
• User Profiles
• My Sites
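Finding those lingering accounts is scriptable. The following is an added example, not the deck’s or Axceler’s code: it takes every user known to a site collection, resolves the Windows login back to Active Directory, and reports accounts that no longer exist or are disabled, optionally removing the deleted ones (which also strips all their permissions in that site collection). It assumes on-premises AD reachable from the server, classic or Windows-claims logins, the SharePoint 2010 Management Shell, and a hypothetical site URL.

```powershell
# Added example (not from the original deck): list accounts that still have a place
# in a site collection's user list although their AD account is deleted or disabled,
# and optionally remove the deleted ones. Assumes on-premises AD reachable from the
# server and Windows (classic or claims) logins; 'http://intranet' is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-OrphanedSiteUsers {
    param([string]$SiteUrl, [switch]$RemoveDeleted)
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx     = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
    $idType  = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
    $site = Get-SPSite $SiteUrl
    try {
        $users = $site.RootWeb.SiteUsers          # every principal known to the site collection
        foreach ($spUser in @($users)) {         # snapshot: we may remove while iterating
            if ($spUser.IsDomainGroup) { continue }
            # Windows-claims logins look like i:0#.w|CONTOSO\alice; classic ones are CONTOSO\alice.
            $login = $spUser.LoginName
            if ($login -match '\|(.+)$') { $login = $Matches[1] }
            if ($login -match '^([^\\]+)\\([^\\]+)$') {
                $domain = $Matches[1]; $sam = $Matches[2]
            } else { continue }                   # not DOMAIN\user (FBA, system, claims group): skip
            if ($domain -eq 'SHAREPOINT' -or $domain -eq 'NT AUTHORITY') { continue }  # built-ins
            # Caveat: SamAccountName is unique per domain only. In a multi-domain forest
            # build a PrincipalContext for $domain instead of the machine's domain.
            $adUser = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $idType, $sam)
            $state = $null
            if ($adUser -eq $null) { $state = 'Deleted' }
            elseif ($adUser.Enabled -eq $false) { $state = 'Disabled' }
            if ($state -eq $null) { continue }
            New-Object PSObject -Property @{ Login = $spUser.LoginName; Name = $spUser.Name; State = $state }
            if ($RemoveDeleted -and $state -eq 'Deleted') {
                $users.Remove($spUser.LoginName)   # drops the user and all their assignments here
            }
        }
    } finally { $site.Dispose() }
}

# Usage (hypothetical URL): review first, then remove only the deleted accounts.
Get-OrphanedSiteUsers -SiteUrl 'http://intranet' | Format-Table Login, Name, State -AutoSize
# Get-OrphanedSiteUsers -SiteUrl 'http://intranet' -RemoveDeleted
```

Disabled accounts are reported but deliberately not removed: an account is often disabled for a leave of absence or a hold and re-enabled later, and removing it would destroy the permissions that would then have to be rebuilt by hand. The script covers the permissions bullet only; user profiles and My Sites are cleaned up by the User Profile Service, not by the site collection’s user list.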
Following Best Practices
Distributed Administration
SharePoint is designed to have site administrators and power users
Be Careful!
• Train your admins and power users! “I didn’t know that restoring inheritance would remove our unique security model!” ~Countless well intentioned site admins
• Manage power users through the “Owners” SharePoint groups
• Limit the members to only those users you trust to change the structure, settings, or appearance of the site
You’re Not Special
Make most users members of the Members or Visitors groups
• The Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
• The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Stick to the Plan
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users
• People move in and out of teams and change responsibilities frequently
• Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
Plan for Permission Inheritance
• Arrange sites and sub-sites, and lists and libraries, so they can share most permissions
• Separate sensitive data into its own lists, libraries, or sub-site
• Microsoft provides a permissions worksheet (Excel file) http://bit.ly/SK0bP6
It’s SharePoint’s Fault!
Administrators can audit permission changes from the site collection’s settings page (Site collection audit settings). Auditing is off by default, so enable the security-change event first; until you do, nothing records who changed a permission or when.
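The same two steps, enabling the audit event and reading the log back, can be done from PowerShell so they become part of a scheduled review rather than a one-off click. This is an added example, not the deck’s code; it uses the `SPAudit` and `SPAuditQuery` classes of the SharePoint 2010 object model, assumes the Management Shell run by a site collection administrator, and uses a hypothetical site URL.

```powershell
# Added example (not from the original deck): enable the security-change audit event
# on a site collection (it is off by default) and pull recent permission changes from
# the audit log. 'http://intranet' is a hypothetical placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-SecurityChangeAudit {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        # AuditFlags is a bitmask; OR in SecurityChange without clearing other events.
        $site.Audit.AuditFlags = $site.Audit.AuditFlags -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
        $site.Audit.Update()
        $site.Audit.AuditFlags
    } finally { $site.Dispose() }
}

function Get-PermissionChangeEvents {
    param([string]$SiteUrl, [int]$Days = 7)
    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityChange)
        $query.SetRangeStart((Get-Date).AddDays(-$Days))
        $users = $site.RootWeb.SiteUsers
        foreach ($entry in $site.Audit.GetEntries($query)) {
            # UserId is the site collection user id; resolve it, falling back to the raw id
            # if the account has since been removed (the orphaned-user problem again).
            $who = "user #$($entry.UserId)"
            try { $who = $users.GetByID($entry.UserId).LoginName } catch { }
            New-Object PSObject -Property @{
                Occurred = $entry.Occurred     # stored in UTC
                By       = $who
                Location = $entry.DocLocation  # object whose permissions changed
                ItemType = $entry.ItemType
                Detail   = $entry.EventData    # XML describing the role/principal/scope affected
            }
        }
    } finally { $site.Dispose() }
}

# Usage (hypothetical URL): turn the event on once, then review weekly.
Enable-SecurityChangeAudit -SiteUrl 'http://intranet' | Out-Null
Get-PermissionChangeEvents -SiteUrl 'http://intranet' -Days 7 |
    Sort-Object Occurred | Format-Table Occurred, By, ItemType, Location -AutoSize
```

Two practical caveats: entries are only written for events that happen after the flag is set, so turning auditing on after an incident shows nothing about it; and audit data accumulates in the content database, so pair this with the site collection’s audit log trimming settings.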
Best Practices
Planning is key
Utilize your established PM methodology. Follow these simple, and universal, guidelines for planning:
• Understand your business objectives
• Understand your end user expectations
• Understand your governance model
• Take feedback, iterate on your plan
• Make your efforts transparent
Keep It Simple
Your governance plan should specify policies for how to manage access to sites and content, defining group, role, and user permissions. Keep your policies simple, so people understand them and are more likely to follow them. The more complex you make your permissions, the more difficult it becomes to determine who has access to what, increasing the risk of information security breaches and the exposure of confidential information.
Use groups to manage memberships
Build SharePoint groups from Active Directory (AD) groups. They are more flexible than using AD groups alone, which may be out of your control and become a bottleneck.
Use role-based permissions
Use SharePoint inheritance whenever possible (it should be the standard, not the exception). Scrutinize requests for custom permissions. Avoid item-level permissions unless there is a clear use case / need (financials, product roadmap).
Do your best to get more visibility into user access
Permissions reporting is critical to your business for a number of reasons: from regular auditing, to maintaining accurate user access, to troubleshooting functionality problems that commonly stem from end users trying to perform a task without having the correct permissions.
In Summary….
Contact me
Order your copy at http://oreil.ly/qC4loT
Christian Buckley, [email protected], +1 [email protected], [email protected] and http://info.axceler.com
Additional Resources available
• Permissions Worksheet (Microsoft) http://bit.ly/SK0bP6
• Developing and Enforcing SharePoint Governance Policies with Axceler ControlPoint http://bit.ly/SJVq8a
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ