PG&E SharePoint Users Group San Francisco PG&E SharePoint Users Group April 10, 2014
Best Practice- SharePoint Permission Management 2 Best Practice- SharePoint Permission Management
Goals for permission management Easy to understand Self-documenting Secures confidential content Easy to administer Keep track of who changes permissions
Knowledge Assumptions Basic SharePoint Navigation Know how to create groups Know how to add users to groups http://xkcd.com/1339/
SharePoint Permissions Model
SharePoint Permission Model
SharePoint Permission Model
View Permissions Inheritance Access via -> Site Settings -> Site Permissions -> Show these items
Three Levels of Admin Rights In descending order of power Primary/Secondary Site Collection Administrators Can only be changed by Farm Administrators Highest level of admin rights for a site collection Receive system emails for site collection Has admin rights to everything in site collection Site Collection Administrators Can be added/removed by other Site Collection Admins Receive system emails for site collection Cannot remove Primary/Secondary SCAs Has admin rights to everything in site collection Users with Full Control Rights Cannot added/remove SCAs Can control permissions of other users Do not receive system emails for site collection Can delete objects they have full control on This includes the entire site collection if they have rights at the root!
Enable Auditing Access via -> Site Settings -> Configure Audit Settings
Best Practices Keep permissions Safe for Work, no naked IDs Use the default groups whenever possible Create new groups for specific security needs Create new groups at the root of your site collection with read permission, then elevate Document in the group’s description what it provides access to Place more public information at the upper levels of your site Place more secure information at the lower levels of your site Limit the number of users with admin rights If needed, enable auditing
Fixing Permissions Role Based or Hierarchy Based Plan a new group where ever a specific, discrete permission requirement exists Make the group names as descriptive as possible, and/or write out a detailed, plain English narrative of the group’s purpose in the Description field Create all groups at the root of your site collection with Read permissions Elevate these permissions as needed within the site Place users into groups as required
Fixing Permissions Communicate out to your users the date & time you will be switching over to a new permissions management scheme Ensure your users know they should contact you directly if they lose access to anything On the date and time agreed upon, remove all individually assigned users permissions on your site All that should be left are groups on your permissions screens
Questions Source: http://xkcd.com/1349
Thank You Presenter Patrick.Reeves@pge.com