Why Permissions Drive your Governance Strategy

Why Permissions Drive your Governance Strategy Christian Buckley Axceler [email protected]

Upload: christian-buckley

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Why Permissions Drive your Governance Strategy

Why Permissions Drive your Governance Strategy
Christian [email protected]

Page 2: Why Permissions Drive your Governance Strategy

Some of the questions we’ll ask during this webinar:
• How important are permissions to your overall SharePoint governance strategy?
• How should I plan for permissions?
• What can I do out-of-the-box?
• What are the permissions best practices?

Page 3: Why Permissions Drive your Governance Strategy

About
Christian Buckley, Director of Product Evangelism at Axceler
• Microsoft MVP for SharePoint Server
• Most recently at Microsoft, part of the Microsoft Managed Services team (now Office365-Dedicated) and then Advertising Operations
• Prior to Microsoft, was a senior consultant, working in the software, supply chain, and grid technology spaces focusing on collaboration
• Co-founded and sold a collaboration software company to Rational Software. At another startup (E2open), helped design, build, and deploy a SharePoint-like collaboration platform (Collaboration Manager), onboarding numerous high-tech manufacturing companies, including Hitachi, Matsushita (Panasonic), and Seagate
• Co-authored ‘Microsoft SharePoint 2010: Creating and Implementing Real-World Projects’ (MS Press, March 2012) and 3 books on software configuration management.
• Twitter: @buckleyplanet Blog: buckleyplanet.com Email: [email protected]

Page 4: Why Permissions Drive your Governance Strategy

Get the Book

Just released from Microsoft Press
Order your copy at http://oreil.ly/qC4loT

Tackle 10 common business problems with proven SharePoint solutions
• Set up a help desk solution to track service requests
• Build a modest project management system
• Design a scheduling system to manage resources
• Create a site to support geographically dispersed teams
• Implement a course registration system
• Build a learning center with training classes and resources
• Design a team blog platform to review content
• Create a process to coordinate RFP responses
• Set up a FAQ system to help users find answers quickly
• Implement a cost-effective contact management system

Page 5: Why Permissions Drive your Governance Strategy

Axceler Overview

Improving Collaboration since 2007
Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms

Delivered award-winning administration and migration software since 1994, for SharePoint since 2007
Over 2,000 global customers

Dramatically improve the management of SharePoint

Innovative products that improve security, scalability, reliability, “deployability”
Making IT more effective and efficient and lower the total cost of ownership

Focus on solving specific SharePoint problems (Administration & Migration)

• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers’ needs
• Deliver best of breed offerings
• Stay in lock step with SharePoint development and market trends

Page 6: Why Permissions Drive your Governance Strategy

Definitions

Page 7: Why Permissions Drive your Governance Strategy

What do your permissions look like in SharePoint?

Page 8: Why Permissions Drive your Governance Strategy

Overview / introduction
How to Successfully Move to 2010

Before / Now – clean up your 2007 environment
• Challenges with SharePoint Administration
• How Axceler ControlPoint can help

During – right tools to reduce risks, errors and ensure successful move
• Challenges with SharePoint Migration / Upgrades
• How Davinci Migrator for SharePoint can help

After – ongoing management and administration
• Customer success stories
• About Axceler

Draft Outline of presentation

Page 9: Why Permissions Drive your Governance Strategy

How did that happen?
• You deployed SharePoint out-of-the-box
• You had no specific plan for permissions
• The business grew and evolved
• People came and went
• Projects came and went
• And suddenly you found yourself with a bit of a mess

Page 10: Why Permissions Drive your Governance Strategy

Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.

Page 11: Why Permissions Drive your Governance Strategy

Why are we talking about governance?
• SharePoint out of the box is a powerful platform
• But many organizations don’t think they have the time, money, people to spend on planning
• The same can be said for governance
• The result?
  o Site sprawl
  o Unfettered content
  o Process lawlessness

Page 12: Why Permissions Drive your Governance Strategy

Why are we talking about permissions?
• Central to your governance implementation is understanding roles and responsibilities within your SharePoint environment
• Understanding how the organization uses SharePoint
• Identifying secure content within the environment
• Determining who needs access
• Creating policies that secure and protect, but are also flexible enough to meet the growing demands of your organization to collaborate

Page 13: Why Permissions Drive your Governance Strategy

Planning your Permissions

Page 14: Why Permissions Drive your Governance Strategy

It starts with a plan
• How granular do you need to control access to your content?
• Who manages all the different parts of your SharePoint farm?
• How do you want to manage your users?

Page 15: Why Permissions Drive your Governance Strategy

Within SharePoint 2010, reports on permissions are not easily generated out of the box, but there are a few features to review permissions:
• PowerShell commands can be written to find users that have access to a site
• A Feature called “Check Permissions” provides Administrators the ability to check what permissions a user has to a site
• Yes – that’s pretty limited. But you can write custom reports using the SharePoint object model
• And there are a lot of 3rd party tool options

Page 16: Why Permissions Drive your Governance Strategy

Building reports on permissions is a manual process that can involve compiling all of your site and permissions data into a spreadsheet just to make it usable.
Permissions reporting is critical to your business for a number of reasons:
• Auditing, Compliance, Transparency
• Maintaining accurate user access
• Troubleshooting functionality problems that commonly stem from end users trying to perform a task without having the correct permissions

Page 17: Why Permissions Drive your Governance Strategy

What is missing from SharePoint 2010 is more centralized management and reporting of all permissions.
As an Administrator, you need to be able to see who has access to what and how they got that access.
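
One way to answer "who has access to what and how they got that access" with the PowerShell route mentioned on the earlier slide. This is an added example, not part of the original deck or of any Axceler product; it assumes the SharePoint 2010 Management Shell on a farm server, and the site collection URL and output path are placeholders.

```powershell
# Added example (not from the original deck). Read-only report.
# Assumptions: SharePoint 2010 Management Shell on a farm server;
# $SiteUrl and $OutFile are placeholders.
$SiteUrl = "http://sharepoint.example.local/sites/team"
$OutFile = "C:\Temp\permissions-report.csv"

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Emit one report row per principal (hypothetical helper for this example).
function New-Row($Web, $Principal, $Via, $Levels) {
    New-Object PSObject -Property @{
        Web = $Web; Principal = $Principal; Via = $Via; Levels = $Levels
    }
}

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # Inheriting sites repeat their parent's assignments, so report
            # only the sites where permissions are actually defined.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
                    $member = $ra.Member
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        # Access granted through a SharePoint group: list its members.
                        foreach ($u in $member.Users) {
                            New-Row $web.Url $u.LoginName "SharePoint group: $($member.Name)" $levels
                        }
                    } elseif ($member.IsDomainGroup) {
                        # Membership lives in AD and is not expanded here.
                        New-Row $web.Url $member.LoginName "Direct (domain group)" $levels
                    } else {
                        New-Row $web.Url $member.LoginName "Direct (user)" $levels
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$report | Select-Object Web, Principal, Via, Levels |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Rows marked "Direct (domain group)", and any domain groups listed as members of a SharePoint group, show only the group name; the people behind them have to be resolved in Active Directory.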

Page 18: Why Permissions Drive your Governance Strategy

Securable Objects
• What can we secure?
  • Site
  • Library or List
  • Folder
  • Document or Item

Page 19: Why Permissions Drive your Governance Strategy

Permissions By Site

Page 20: Why Permissions Drive your Governance Strategy

Permissions By User

Page 21: Why Permissions Drive your Governance Strategy

Authentication

Page 22: Why Permissions Drive your Governance Strategy

Authentication Methods
A SharePoint environment must support user accounts that can be authenticated by a trusted authority

How do you authenticate your users?

Page 23: Why Permissions Drive your Governance Strategy

Windows Authentication
• NT LAN Manager (NTLM):
  • Microsoft security protocol, users authenticated by using the credentials on the running thread
  • Simple to implement – but SharePoint will not be integrated with other applications
• Kerberos
  • If your SharePoint sites use external data
  • Credentials passed from one server to another (“double hop”)
  • Faster, more secure, and can be less error prone than NTLM
• Anonymous Access
  • No authentication needed to browse the site

Page 24: Why Permissions Drive your Governance Strategy

Active Directory Domain Services (AD DS) 

• Authentication based on user account and password from AD

• This works well for Windows environments

• However, do you need support for internal, partner, or cloud-based computing models?

Page 25: Why Permissions Drive your Governance Strategy

Planning for Extranets
• Credentials stored in:
  • Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
  • AD DS
  • SQL or other database
  • Custom or third-party membership and role providers
• In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication

Page 26: Why Permissions Drive your Governance Strategy

Claims-Based Authentication (SharePoint 2010)

• Usually for external customers or partners
• Defined at the web application level
• An outside identity provider authenticates users
• A claim is just a piece of information describing a user: name, email, age, hire date, etc. used to authenticate the user

Page 27: Why Permissions Drive your Governance Strategy

So Much Potential…
Integration with Facebook, Google, Live ID, etc. is becoming more and more common. A scenario:

1. “I’d like to access the Axceler Microsoft technology partners site.”
2. “Not until you can prove to me that you are in the Axceler Microsoft technology partners group.”
3. “Here is my Live ID and password.”
4. “Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use.”
5. “I’d like to access the Axceler Microsoft technology partner document, and here’s proof I have access to it!”

Page 28: Why Permissions Drive your Governance Strategy

Now That We’ve Authenticated Our Users….

How do we make permissions management part of our governance plan?

Page 29: Why Permissions Drive your Governance Strategy

Organizing Permissions

Page 30: Why Permissions Drive your Governance Strategy

Understand your structure

[Diagram: hierarchy of Farm, Web App, Site Collection, Site, Sub-site]

Page 31: Why Permissions Drive your Governance Strategy

Understand your content

[Diagram: Site Collection, Site, Sub-sites, Lists/Libraries]

..and then plan for your user roles

Page 32: Why Permissions Drive your Governance Strategy

Farm Administrators Group

Page 33: Why Permissions Drive your Governance Strategy

Farm Administrators

Define the role:
• Assigned in Central Admin and has permission to all servers and settings in the farm
• Central Administration access, create new web apps, manage services, stsadm/PowerShell command
• Can take ownership of content, and make themselves Site Collection Administrators

[Diagram: hierarchy of Farm, Web App, Site Collection, Site, Sub-site]

Page 34: Why Permissions Drive your Governance Strategy

Site Collection Administrators

Define the role:
• Given full control over all sites in a site collection
• Access to settings pages: manage users, restore items, manage site hierarchy
• Cannot access Central Admin

[Diagram: Site Collection, Site, Sub-site]

Page 35: Why Permissions Drive your Governance Strategy

Other Permission Levels
Define the roles:
• Site Admins, Team Leads, Power Users, End Users
• Collections of permissions that allow users to perform a set of related tasks
• Defined at the site collection level

Page 36: Why Permissions Drive your Governance Strategy

SharePoint Groups
A group of users that are defined at the site collection level for easy management of permissions

• The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively

• Anyone with Full Control permission can create custom groups

Page 37: Why Permissions Drive your Governance Strategy

Customizing Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access

• What does “Read” mean to your organization?

Page 38: Why Permissions Drive your Governance Strategy

Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups

Page 39: Why Permissions Drive your Governance Strategy

Check Permission Button
SharePoint 2010 lets administrators Check Permissions to determine a user or group’s permissions on all content

Page 40: Why Permissions Drive your Governance Strategy

Inheritance

If all sites and site content inherit those permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?

Page 41: Why Permissions Drive your Governance Strategy

Fine Grained Permissions
Sites, lists, libraries, folders, documents, and items can all have unique security

…but that doesn’t mean they should

Page 42: Why Permissions Drive your Governance Strategy

Inheritance -- what exactly is happening?
• Copies groups, users, and permission levels from the parent object to the child object
• Changes to parent object do not affect the child

Page 43: Why Permissions Drive your Governance Strategy

The Problem with exceptions

“If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content”
~Planning site permissions, TechNet http://bit.ly/InKv9i

As a result, permissions management (additions, deletions, edits) is done one securable object at a time!

Page 44: Why Permissions Drive your Governance Strategy

Performance is Affected too!
Performance is reduced once 1000 objects have broken inheritance in a list or library
• Sites, lists, and libraries need to build security trimmed navigation
• List load time increases

*Apply unique permissions to folders if need be*
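
To see how close each list or library is to the 1000-object figure above, the following counts folders and items with broken inheritance per list. This is an added example, not part of the original deck; it assumes the SharePoint 2010 Management Shell on a farm server, and the site collection URL is a placeholder.

```powershell
# Added example (not from the original deck). Read-only report.
# Assumptions: SharePoint 2010 Management Shell on a farm server;
# $SiteUrl is a placeholder; $Threshold is the 1000-object figure from the slide.
$SiteUrl   = "http://sharepoint.example.local/sites/team"
$Threshold = 1000

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$site = Get-SPSite $SiteUrl
try {
    $results = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                # Page through every folder and item so a large list is
                # never loaded into memory in a single request.
                $query = New-Object Microsoft.SharePoint.SPQuery
                $query.ViewAttributes = "Scope='RecursiveAll'"
                $query.RowLimit = 2000
                $unique = 0
                do {
                    $items = $list.GetItems($query)
                    foreach ($item in $items) {
                        if ($item.HasUniqueRoleAssignments) { $unique++ }
                    }
                    $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                } while ($query.ListItemCollectionPosition -ne $null)

                # Report only lists where inheritance is broken somewhere.
                if ($list.HasUniqueRoleAssignments -or $unique -gt 0) {
                    New-Object PSObject -Property @{
                        Web = $web.Url; List = $list.Title
                        ListBreaksInheritance = $list.HasUniqueRoleAssignments
                        UniqueItemsAndFolders = $unique
                        OverThreshold = ($unique -ge $Threshold)
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$results | Sort-Object UniqueItemsAndFolders -Descending |
    Format-Table Web, List, ListBreaksInheritance, UniqueItemsAndFolders, OverThreshold -AutoSize
```

Because it reads every item in every list, run it outside business hours on large site collections.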

Page 45: Why Permissions Drive your Governance Strategy

Orphaned Domain Users
Deleted and disabled Active Directory users are not updated in SharePoint
• Permissions
• User Profiles
• My Sites

Page 46: Why Permissions Drive your Governance Strategy

Following Best Practices

Page 47: Why Permissions Drive your Governance Strategy

Distributed Administration
SharePoint is designed to have site administrators and power users

Page 48: Why Permissions Drive your Governance Strategy

Be Careful!
• Train your admins and power users!
“I didn’t know that restoring inheritance would remove our unique security model!” ~Countless well intentioned site admins

• Manage power users through the “Owners” SharePoint groups

• Limit the members to only those users you trust to change the structure, settings, or appearance of the site

Page 49: Why Permissions Drive your Governance Strategy

You’re Not Special
Make most users members of the Members or Visitors groups

• Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.

• Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

Page 50: Why Permissions Drive your Governance Strategy

Stick to the Plan
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users

• People move in and out of teams and change responsibilities frequently

• Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.

Page 51: Why Permissions Drive your Governance Strategy

Plan for Permission Inheritance
• Arrange sites and sub-sites, and lists and libraries so they can share most permissions
• Separate sensitive data into their own lists, libraries, or sub-site
• Microsoft provides a permissions worksheet (Excel file) http://bit.ly/SK0bP6

Page 52: Why Permissions Drive your Governance Strategy

It’s SharePoint’s Fault!
Administrators can audit permission changes by going to the site collection’s settings page

Page 53: Why Permissions Drive your Governance Strategy

Best Practices

Page 54: Why Permissions Drive your Governance Strategy

Planning is key
Utilize your established PM methodology
Follow these simple, and universal, guidelines for planning:
• Understand your business objectives
• Understand your end user expectations
• Understand your governance model
• Take feedback, iterate on your plan
• Make your efforts transparent

Page 55: Why Permissions Drive your Governance Strategy

Keep It Simple
• Your governance plan should specify policies for how to manage access to sites and content, defining group, role, and user permissions
• Keep your policies simple – so people understand them, and are more likely to follow them
• The more complex you make your permissions, the more difficult it becomes to determine who has access to what – increasing the risk of information security breaches and the exposure of confidential information

Page 56: Why Permissions Drive your Governance Strategy

In Summary….

• Use groups to manage memberships
  • Build SharePoint groups from Active Directory (AD) groups
  • They are more flexible than using AD groups alone, which may be out of your control and become a bottleneck
• Use role-based permissions
  • Use SharePoint inheritance, whenever possible (it should be the standard, not the exception)
• Scrutinize requests for custom permissions
  • Avoid item-level permissions unless it is a clear use case / need (financials, product roadmap)
• Do your best to get more visibility into user access
  • Permissions reporting is critical to your business for a number of reasons – from regular auditing, to maintaining accurate user access, to troubleshooting functionality problems that, commonly, stem from end users trying to perform a task without having the correct permissions.

Page 57: Why Permissions Drive your Governance Strategy

Contact me

Order your copy at http://oreil.ly/qC4loT

Christian [email protected]+1 [email protected] and http://info.axceler.com

Additional Resources available
• Permissions Worksheet (Microsoft) http://bit.ly/SK0bP6
• Developing and Enforcing SharePoint Governance Policies with Axceler ControlPoint http://bit.ly/SJVq8a
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ