
Permissions designed to scale

Date post: 02-Dec-2014
Upload: jamie-aliperti
Description:
SharePoint Saturday permissions planning session.
Permissions: Designed to Scale Jamie Aliperti [email protected] @jaliperti SharePoint Saturday Portland May 19th, 2012
Transcript
Page 1: Permissions designed to scale

Permissions: Designed to Scale

Jamie Aliperti

[email protected] @jaliperti

SharePoint Saturday Portland, May 19th, 2012

Page 2: Permissions designed to scale

About Me

Sales Engineering Manager, Axceler

I am based out of the Los Angeles office, and spend most of my time providing consultancy, training and support to current and future customers. I have over 7 years' experience with Microsoft technologies, and lead the Los Angeles Sales Engineering team.

Email: [email protected]

Twitter: @jaliperti

Page 3: Permissions designed to scale

About Axceler

Improving SharePoint Collaboration Since 2007
  Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
  Delivered award-winning administration and migration software since 1994
  Over 2,000 global customers

Dramatically improve the management of SharePoint
  Innovative products that improve security, scalability, reliability, “deployability”
  Making IT more effective and efficient and lower the total cost of ownership

Focus on solving specific SharePoint problems (Administration & Migration)
  Coach enterprises on SharePoint best practices
  Give administrators the most innovative tools available
  Anticipate customers’ needs
  Deliver best of breed offerings
  Stay in lock step with SharePoint development and market trends

Page 4: Permissions designed to scale

SharePoint Security

Where to Start?

Anyone have any ideas?

Page 5: Permissions designed to scale

Design Permissions as part of Governance

Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.

Page 6: Permissions designed to scale

Questions to Ask

How is your organization using SharePoint?

Is there secure content in your SharePoint environment?

Who is responsible for SharePoint Security?

Page 7: Permissions designed to scale

Plan!

How granular do you need to control access to content?

Who manages all the different parts of your SharePoint farm?

How do you want to manage your users?

Page 8: Permissions designed to scale

Farm Administrators Group

Assigned in Central Admin and has permission to all servers and settings in the farm

Central Administration access, create new web apps, manage services, stsadm/PowerShell command

Can take ownership of content: make themselves Site Collection Administrators

Page 9: Permissions designed to scale

Authentication Methods

A SharePoint environment must support user accounts that can be authenticated by a trusted authority

How do you authenticate your users?

Page 10: Permissions designed to scale

Windows Authentication

NTLM
  Users authenticated by using the credentials on the running thread
  Simple to implement
  SharePoint will not be integrated with other applications

Kerberos
  If your SharePoint sites use external data
  Credentials passed from one server to another (“double hop”)
  Faster, more secure, and can be less error prone than NTLM

Anonymous Access
  No authentication needed to browse the site

Page 11: Permissions designed to scale

SharePoint Authentication

Defined at the web application level

Page 12: Permissions designed to scale

Who Needs to Access SharePoint?

Claims-based authentication mode: use any supported authentication method or else you will support only Windows authentication

Page 13: Permissions designed to scale

Web Application Policies

Quick way to apply permissions across web applications

Only part of SharePoint where users can be explicitly denied access

Set in Central Admin

Page 14: Permissions designed to scale

Site Collection Administrators

Given full control over all sites in a site collection

Access to settings pages

Manage users, restore items, manage site hierarchy

Cannot access Central Admin

Page 15: Permissions designed to scale

Securable Objects

What can we secure?

Site

Library or List

Folder

Document or Item

Page 16: Permissions designed to scale

Inheritance

If all sites and site content inherit those permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?

Page 17: Permissions designed to scale

Structure/Architecture

[Diagram: Farm > Web App > Site Collection > Site > Sub-site]

Page 18: Permissions designed to scale

Permission Levels

Collections of permissions that allow users to perform a set of related tasks

Permission levels are defined at the site collection level

Page 19: Permissions designed to scale

Customizing Permission Levels

The default permission levels are Full Control, Design, Contribute, Read, and Limited Access

What does “Read” mean to your organization?

Page 20: Permissions designed to scale

SharePoint Groups

A group of users that are defined at site collection level for easy management of permissions

The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively

Anyone with Full Control permission can create custom groups

Page 21: Permissions designed to scale

The Basics: Permissions

Permissions are applied on objects:

1. Directly to users

2. Directly to domain groups (visibility warning)

3. To SharePoint Groups

Page 22: Permissions designed to scale

Best Practice

Make most users members of the Members or Visitors groups

Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.

Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

Page 23: Permissions designed to scale

Plan for Permission Inheritance

Arrange sites and subsites, and lists and libraries so they can share most permissions

Separate sensitive data into their own lists, libraries, or subsite

Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409

Page 24: Permissions designed to scale

Stick to the Plan

If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users

People move in and out of teams and change responsibilities frequently

Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
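
An added example, not from the original slides: a PowerShell audit that lists sites and lists with broken inheritance where permissions were granted directly to users or domain groups rather than to SharePoint groups. It assumes the SharePoint Management Shell (server object model) on a farm server; the site collection URL and the function name are placeholders.

```powershell
# Added example: find uniquely secured sites/lists with direct (non-group) grants.
# Assumption: run on a farm server by an account that can read the site collection.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/team"  # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: emits one row per direct assignment on a securable object.
function Get-DirectAssignment {
    param($Securable, [string]$Kind, [string]$Url)
    # Objects that still inherit carry no assignments of their own.
    # Note: the root site always reports unique role assignments.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        # SPGroup is a SharePoint group; SPUser is a single user or a domain group.
        if ($member -is [Microsoft.SharePoint.SPUser]) {
            # "Limited Access" is added automatically; skip it (English name assumed).
            $levels = ($ra.RoleDefinitionBindings |
                Where-Object { $_.Name -ne "Limited Access" } |
                ForEach-Object { $_.Name }) -join ", "
            if ($levels) {
                New-Object PSObject -Property @{
                    Kind = $Kind; Url = $Url; Levels = $levels
                    Principal = $member.LoginName
                    IsDomainGroup = $member.IsDomainGroup
                }
            }
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            Get-DirectAssignment $web "Site" $web.Url
            foreach ($list in $web.Lists) {
                Get-DirectAssignment $list "List" ($web.Url + "/" + $list.RootFolder.Url)
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$report | Sort-Object Url | Format-Table Kind, Url, Principal, IsDomainGroup, Levels -AutoSize
```

Rows with IsDomainGroup set to False are the individually tracked users the slide describes; moving them into a SharePoint group keeps uniquely secured objects manageable as people change teams.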

Page 25: Permissions designed to scale

Go back and refine

Page 26: Permissions designed to scale

Questions and Answers

Page 27: Permissions designed to scale

Contact me: [email protected]

Twitter: @jaliperti

Contact us for more info

