Date post: 13-May-2018

SharePoint Permissions Management

Centralized permissions management with SPDocKit

ADIS JUGO

WHITE PAPER

Content

About Adis

Introduction to SharePoint Permission Management

Centralized Permission Management with SPDocKit

Batch permissions management with SPDocKit

On-the-fly permissions management with SPDocKit

Permissions reporting and forensics with SPDocKit

Conclusion

SPDocKit - Ultimate SharePoint admin tool

About Adis

ADIS JUGO, SHAREPOINT MVP

Adis Jugo is a software architect with 20 years of professional experience in creating software solutions that make users' lives easier. He is passionate about improving all the aspects and phases of the software development process. In addition to his two decades of experience in software development and architecture, he is a certified Professional Scrum Master (PSM), with extensive experience in agile project management. He is currently working as a Director of Advisory for deroso Solutions, a Microsoft Gold Partner based in Germany, and he has been a speaker at various Microsoft conferences and User Group meetings. In January 2012, he received the Microsoft Most Valuable Professional (MVP) award for Microsoft SharePoint Server.

Introduction to SharePoint Permission Management

One of the strengths of SharePoint, and one of the main reasons the platform became so popular in the first place, is permissions. It does not matter whether permissions are governed centrally, or whether site owners can grant permissions themselves: the powerful permission management in SharePoint helped the platform’s popularity skyrocket. Everyone can set up permissions in his or her own way, but that is the problem with SharePoint. Because this is possible and because everyone (who has rights) can do it, SharePoint’s greatest strength very often turns out to be its greatest weakness.

SharePoint has never been good at centralized permission management. Everything is fine as long as you only have a couple of site collections. However, when an IT Administrator needs to add/delete/change users on several hundred, or even several thousand, site collections, things get interesting. Sure, you can write short PowerShell scripts for such tasks, but when you need to do so on a daily basis, things become more difficult. In addition, tracing the history of the permissions can be challenging in SharePoint environments that are not tightly governed. Built-in permissions forensics in SharePoint are very basic at best, and permissions reporting is virtually nonexistent.

Strangely enough, there aren’t that many third-party tools that would close this gap with SharePoint permissions. My favorite tool, and the one that I recommend to in-house administrators, is SPDocKit, which was one of the first tools to offer permissions reporting.

Centralized Permission Management with SPDocKit

SPDocKit makes day-to-day permissions management a much less painful job because it includes a wizard-like centralized permissions management tool. I will outline some key permissions management tasks based on cases with which I was confronted during my career and explain how SPDocKit can be used to automate these tasks (almost) completely.

Batch permissions management with SPDocKit

One of the most common cases in permissions management involves batch permissions management. Think about adding a new audience (users) to existing SharePoint content. This is fairly easy when you only have to deal with a few site collections, but what happens when you have hundreds, or thousands of them?

This was exactly the case we faced with a customer who had over 20,000 automatically provisioned SharePoint site collections – one site collection per customer project. The site collections had almost identical structures: the same lists and libraries, an identical predefined folder structure in the libraries and a complex permissions structure. In all, we were faced with 24 SharePoint groups per site collection, times 20,000.

At one point, an auditing process was going on, and we had to give external auditors permissions to review documents in certain libraries that were present in all 20,000 site collections. The auditors did not have access to any other content in the SharePoint farm, except for those libraries.

The process included the following tasks:

Breaking permissions inheritance for the “Reports” libraries,

Creating the permission level “Auditing Permissions”,

Creating a SharePoint group for the auditors,

Adding users to that group,

Giving “Auditing Permissions” to the “Auditors” group for the “Reports” library.

This had to be done for all 20,000 of the site collections. Clearly, one could not do this task manually, and using PowerShell meant opening the door to a potentially large error margin. For that reason, our tool of choice to implement these requirements was SPDocKit.
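For comparison, the five tasks listed above as a scripted run with a preview switch, so the planned changes can be reviewed before anything is written. This is an added example, not part of the white paper or of SPDocKit; the web application URL, the auditor accounts, the base permissions of the level, and the assumption that “Reports” sits in each root web are placeholders chosen for illustration.

```powershell
# Added example. Assumes the SharePoint Server Management Shell (server object model).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = 'https://projects.example.com'            # placeholder
$Library   = 'Reports'
$LevelName = 'Auditing Permissions'
$GroupName = 'Auditors'
$Auditors  = @('EXAMPLE\auditor1', 'EXAMPLE\auditor2') # placeholder accounts
$Apply     = $false   # $false: list the planned changes only; $true: apply them

# Read-only rights assumed for this example; the paper does not list them.
$Rights = [Microsoft.SharePoint.SPBasePermissions]'ViewListItems, OpenItems, ViewVersions, ViewPages, Open'

function New-Row($Site, $Step, $Detail) {
    New-Object PSObject -Property @{ Site = $Site; Step = $Step; Detail = $Detail }
}

$plan = foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
    try {
        $web  = $site.RootWeb
        $list = $web.Lists.TryGetList($Library)
        if ($null -eq $list) { New-Row $site.Url 'skipped' "no '$Library' library"; continue }

        # 1. Break inheritance on the library, copying the current assignments.
        if (-not $list.HasUniqueRoleAssignments) {
            New-Row $site.Url 'break inheritance' $Library
            if ($Apply) { $list.BreakRoleInheritance($true) }
        }

        # 2. Create the permission level if the site collection lacks it.
        $role = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
        if ($null -eq $role) {
            New-Row $site.Url 'create permission level' $LevelName
            if ($Apply) {
                $role = New-Object Microsoft.SharePoint.SPRoleDefinition
                $role.Name            = $LevelName
                $role.Description     = 'Read-only access for external auditors'
                $role.BasePermissions = $Rights
                $web.RoleDefinitions.Add($role)
                $role = $web.RoleDefinitions[$LevelName]
            }
        }

        # 3. Create the group, owned by the site collection owner.
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
        if ($null -eq $group) {
            New-Row $site.Url 'create group' $GroupName
            if ($Apply) {
                $web.SiteGroups.Add($GroupName, $site.Owner, $null, 'External auditors')
                $group = $web.SiteGroups[$GroupName]
            }
        }

        # 4. Add missing members (-like tolerates a claims prefix on LoginName).
        foreach ($login in $Auditors) {
            $member = $null
            if ($group) { $member = $group.Users | Where-Object { $_.LoginName -like "*$login" } }
            if ($null -eq $member) {
                New-Row $site.Url 'add member' $login
                if ($Apply) { $group.AddUser($web.EnsureUser($login)) }
            }
        }

        # 5. Grant the level to the group on the library only.
        $bound = $null
        if ($group) {
            $bound = $list.RoleAssignments | Where-Object {
                $_.Member.ID -eq $group.ID -and
                ($_.RoleDefinitionBindings | Where-Object { $_.Name -eq $LevelName })
            }
        }
        if ($null -eq $bound) {
            New-Row $site.Url 'grant' "$GroupName -> $LevelName on $Library"
            if ($Apply) {
                $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
                $ra.RoleDefinitionBindings.Add($role)
                $list.RoleAssignments.Add($ra)
            }
        }
    }
    catch   { New-Row $site.Url 'ERROR' $_.Exception.Message }
    finally { $site.Dispose() }
}

$plan | Sort-Object Site | Format-Table Site, Step, Detail -AutoSize
```

Each step checks the current state first, so a rerun after a partial failure only reports or applies what is still missing.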

SPDocKit has a wizard-style interface used to execute permissions-related batch operations. The interface offers everything you would expect, including breaking and restoring permission inheritance on multiple levels, batch creating/editing/deleting SharePoint groups and permission levels, managing group membership, and assigning or revoking rights for principals on different securable objects. All of this worked intuitively, which did not leave much room for mistakes. Before any batch operations are executed, SPDocKit will conveniently show a preview of the results, so the administrator can decide whether to proceed with the operation, or cancel it.

In the case above, we started with the “Permission Inheritance Wizard”.

Image 1: Breaking permissions at all 20,000 instances of the “reports” library (one in each site collection)

The SPDocKit permissions wizard asked us to review and confirm the action to break the inheritance.

Image 2: Preview of the changes

Once that change was confirmed and applied, SPDocKit iterated through the site collections, and executed the command.

In the next step, the SharePoint administrator created the new permission level for auditors using the next wizard – “Permission Levels Wizard”. The administrator chose the name for the new permission level, and its base permissions. After a review and confirmation, every site collection received the new permission level: “Auditing Permissions”.

Image 3: Creating the new permission level for auditors

Image 4: Choosing base permission

Using the “Group Management Wizard”, our SharePoint administrator followed the same procedure to create a new SharePoint group (“Auditors”). After setting the group name, description, and owner, and then reviewing the changes, the “Auditors” group was created in all site collections.

Image 5: Creating a new SharePoint group “Auditors”

Next, the administrator assigned the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library, for all 20,000 site collections using the “Manage Permissions Wizard”.

Image 6: Selecting principals and objects to change

Image 7: Assigning the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library

After these steps, we had a document library named “Reports” with broken permissions inheritance in all site collections, and a SharePoint group named “Auditors” with the assigned custom permission level “Auditing Permissions” for that library.

Of course, all 20,000 of the “Auditors” SharePoint groups (one per site collection) were empty at first. Using the SPDocKit “Group Membership Wizard”, we easily populated the groups with standard auditors.

Image 8: Adding users to specific groups

Image 9: Defining SharePoint group membership changes

A few minutes and five wizards later, we had broken the permissions inheritance on 20,000 document libraries, created 20,000 SharePoint groups and custom permission levels, assigned the necessary custom permissions for those libraries, and populated the newly created SharePoint groups. SPDocKit made this job much easier. Writing custom PowerShell scripts would have taken considerably more time, and the process would have been more prone to errors. Executing those tasks manually through the SharePoint interface was not an option at all. In all the wizards mentioned above, all site collections from a web application were selected, but that is not a limit: admins can choose which ones to use. For example, if auditing is necessary on only 100 projects instead of all 20,000, admins can select the 100 projects for which it is required.

The SPDocKit batch permission wizards allow administrators to do much more. They can revoke permissions or change them, change the base permissions set for each permission level and add or remove members from SharePoint groups. Essentially, when all (or some) of a large set of lookalike SharePoint site collections and sites require a permissions change, SPDocKit permission wizards are your best friend. This is true for all scenarios in which site provisioning is involved: it does not matter whether it is a matter of self-service site provisioning, or site provisioning through a business workflow. These types of sites (project sites, team sites, meeting sites etc.) are usually identical, or at least very similar to each other in structure, and there are usually plenty of such sites (SharePoint is a collaboration platform, after all).

SPDocKit’s batch permissions management is very useful when dealing with a large number of site collections; it can be a real lifesaver in that scenario. However, administrators are more likely to deal with permissions inside one site collection.

On-the-fly permissions management with SPDocKit

The SharePoint user interface provides all the basic options for dealing with permissions. We can create, edit, and delete groups; manage group memberships; and create and manipulate permission levels. By drilling down through SharePoint securable objects (data structures), we can break and restore permissions and set specific permissions for all objects down to the item level.

Even though SharePoint offers many possibilities, much remains open. New sharing capabilities make it easier than ever for users to break permissions on the item or folder level. It is not easy for administrators to identify those items. Cleaning up permissions remains a repetitive, slow task: moving users who obtained permissions directly to the appropriate SharePoint groups requires a lot of clicking. Administrators never have a broad overview of the permissions at one particular site. Dealing with permissions and the entire user experience (or rather the “admin experience”) does not provide optimal efficiency. Thus, many SharePoint admins handle permissions exclusively through PowerShell. However, PowerShell is a command line tool; therefore it is not appropriate for everyone, especially if all an administrator needs to do is perform a few quick actions or get an overview of what is going on with permissions on a particular site.

This is where SPDocKit comes in. In version 5, we got the “Permissions Explorer”. Using a familiar, hierarchical tree view of SharePoint securable objects (data structures), administrators can drill down through the site collection objects to do everything SharePoint allows with permissions, and even a bit more. Everyday operations are one click away, including detecting securable objects with unique permissions (broken permissions inheritance); breaking and restoring permissions; creating, editing, and deleting SharePoint Groups and Permission levels; and managing group memberships. This easy access significantly reduces the time needed to perform those repetitive tasks compared to the time required in the standard user interface.

Image 10: Permissions Explorer

While browsing through the site structure, administrators can easily see who has permissions for the currently selected object. Furthermore, they can filter those permissions based on the principal’s status (enabled or disabled), type (SharePoint Group, AD Group, or user), and, in an interesting feature, history. Each time SPDocKit loads the farm information, it writes the information in the background database. Administrators can then use it as a kind of “way back machine” for permissions.

In addition to browsing and exploring permissions, administrators can define permissions settings on the site collection level for primary and secondary site collection administrators, members of the administrators group and SharePoint Groups and Permission levels.

Image 11: Setting the site collection administrators

Image 12: Creating a SharePoint Group

Image 13: Creating a new Permission Level via the SPDocKit interface

While drilling down through the hierarchy, administrators can break and restore permission inheritance at any location and grant or revoke permissions for the currently selected object.

Image 14: Breaking permission inheritance

Image 15: Granting permissions for the selected object

These features help administrators significantly speed up their work on permissions.

In addition to speeding up repetitive everyday tasks, SPDocKit offers some useful automations for tasks that would normally require a lot of clicking or scripting. If you look at the Manage Permissions ribbon, you will see “Edit”, “Clone”, “Transfer”, “Remove”, “Move to Group”, and “Copy to group” icons.

Image 16: The SPDocKit Manage Permissions ribbon operations

While the functions of “Edit” and “Remove” are clear (change permission levels or revoke permissions for a principal completely), the other four icons are particularly interesting.

Although the SharePoint 2013 “Share” icon allows users to quickly share content with other users, it creates many (sometimes unnecessary) item-level permissions when it would be much better to simply add users to the appropriate SharePoint groups. With SPDocKit, administrators can easily clean that mess up by selecting the “loose” principals on objects with broken permission inheritance and then copying and moving them to the appropriate SharePoint groups, all with one click.

“Clone” and “Transfer” offer other interesting functions. Administrators often face requirements such as “User X needs to have the same permissions as User Y” or “User Z is being transferred to another division and User W is taking his place.” SPDocKit’s “Clone” and “Transfer” capabilities do exactly that: they give new users the same rights an existing user has or transfer existing rights to a new user and revoke them from the original user. That comes in handy in day-to-day work.

Of course, as you would expect for a tool of this caliber, SPDocKit allows administrators to get information about each user in the site collection (e.g., where the user comes from and his or her memberships in SharePoint and AD groups). Overall, this powerful toolset helps administrators perform permissions-related tasks.

Permissions reporting and forensics with SPDocKit

Permissions reporting and forensics are usually only needed when a problem arises. In these cases, it is important to determine who has permissions on certain securable objects and, more importantly, why.

SharePoint permissions are serious business, and they must be viewed as having the highest importance. A large amount of sensitive corporate information is stored in SharePoint, and giving unauthorized people access to classified content can pose a big threat. Therefore, it is important to have the ability to report, at any time, who has permissions and through which channels those permissions were given.

SharePoint does not offer that ability out of the box, and it is a hassle to code that functionality in PowerShell. At this time, SPDocKit is the only tool on the market that can cover those cases and perform full permissions forensics.

In addition to forensics, SPDocKit can help you keep your SharePoint clean by removing unused users and groups. In the Permission Reports section, you can easily detect groups that do not have any permissions in their sites, groups owned by a disabled SharePoint user, or groups containing disabled or orphaned users. You can then easily correct those issues by cleaning up those groups and users or giving them the necessary permissions.

Image 17: Report showing SharePoint groups with no permissions

Image 18: Report showing orphaned users

Image 19: Report showing users with no permissions in the site collection

Besides these simple but necessary cleaning tasks, the real strength of SPDocKit permission reports lies in permissions forensics. With these forensics reports, we can easily determine who has access to the data and why.

For each SharePoint securable object, including sites, lists, and list items, SPDocKit will tell us who has permissions for those objects and in what way they were given.

Image 20: Permissions for a SharePoint site grouped by permission

For example, you can use this report to discover that the cleaning lady has “Add items” permission on the management site and that she got it through her membership in the “Cleaning Staff” Active Directory group. That group is a member of the “Portal Contributors” SharePoint group, which has been assigned the “Contribute” permission level for that particular site. That permission level, of course, contains “Add items” permission. You can find all that information with just one click. This represents the ultimate governance/compliance report in terms of SharePoint permissions.

Of course, you can break this down into numerous other useful reports and information overviews. The next report shows the matrix of Principals (SharePoint Groups and SharePoint users) and permission levels, including the roles each principal has on the site, in a graphically appealing way.

Image 21: Principals and permission levels in a subsite

Furthermore, one of the most commonly requested reports shows a quick overview of securable objects (i.e., sites, lists, and list items) with broken permission inheritance. You can get this report in one click with SPDocKit.
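The raw data behind two of the reports described in this section, objects with broken inheritance and who has access through which channel, can be pulled from the server object model as follows. This is an added example, not from the white paper and not a description of how SPDocKit works; the site URL is a placeholder, only sites and lists are covered (not items), and AD group members are not expanded.

```powershell
# Added example. Assumes the SharePoint Server Management Shell; the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$SiteUrl = 'https://projects.example.com/sites/project-0001'

function Get-Kind($Principal) {
    if ($Principal -is [Microsoft.SharePoint.SPGroup]) { return 'SharePoint group' }
    if ($Principal.IsDomainGroup) { return 'AD group' }   # members need an AD lookup
    return 'User'
}

function New-AccessRow($Url, $Principal, $Via, $Levels) {
    New-Object PSObject -Property @{
        Object = $Url; Principal = $Principal.LoginName; Kind = Get-Kind $Principal
        Via = $Via; Levels = $Levels
    }
}

# One row per principal and channel for a securable object with unique permissions.
function Get-AccessRows($Object, $Url) {
    foreach ($ra in $Object.RoleAssignments) {
        # Hidden levels (Limited Access is the usual one) are plumbing; skip them.
        $levels = @($ra.RoleDefinitionBindings | Where-Object { -not $_.Hidden } |
                    ForEach-Object { $_.Name }) -join ', '
        if (-not $levels) { continue }
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            foreach ($user in $ra.Member.Users) {
                New-AccessRow $Url $user "SharePoint group '$($ra.Member.Name)'" $levels
            }
        }
        else { New-AccessRow $Url $ra.Member 'direct assignment' $levels }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # Only objects that do not inherit carry their own assignments.
            if ($web.HasUniqueRoleAssignments) { Get-AccessRows $web $web.Url }
            foreach ($list in $web.Lists) {
                if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }
                Get-AccessRows $list ($web.Url + '/' + $list.RootFolder.Url)
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

$columns = 'Object', 'Principal', 'Kind', 'Via', 'Levels'
# Full listing of who has access and through which channel.
$report | Select-Object $columns | Export-Csv .\permissions-report.csv -NoTypeInformation
# Accounts granted rights directly instead of through a group: candidates for cleanup.
$report | Where-Object { $_.Via -eq 'direct assignment' -and $_.Kind -eq 'User' } |
    Format-Table $columns -AutoSize
```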

Image 22: Overview of securable objects in SharePoint Farm

In addition to securable object and permission level reports, SPDocKit offers important principal-based reports so administrators can easily determine which permissions a SharePoint user or SharePoint group has in one or more site collections. With these user-centric reports, administrators can see which permissions a principal has and the way in which those permissions were given (e.g., through SharePoint Groups, AD Groups, or directly) and act accordingly.

Of course, as expected from SPDocKit, each of these reports can easily be saved as a PDF or Word file, manually modified, and included in a larger report.

Image 23: Saved report showing an overview of a SharePoint site’s permissions

Conclusion

SharePoint’s out-of-the-box features are simply not enough for serious governance scenarios and simplified permissions management. Administrators will either write a bunch of PowerShell scripts and avoid the SharePoint user interface completely or find a tool to deal with those issues. Different tools on the market partially cover SharePoint permissions management and reporting.

When all or some of a large set of lookalike SharePoint site collections and sites require a permission change, SPDocKit permission wizards are the best choice. In my opinion, SPDocKit’s permissions toolkit does the best job. It offers batch permissions management across site collections, simplified permissions management inside a single site collection, and powerful cleanup, forensic, and reporting options. I often say that SPDocKit’s features let SharePoint consultants have the equivalent of a Swiss Army knife in their pockets.

SPDocKit - Ultimate SharePoint admin tool

What is SPDocKit?

Why SPDocKit?

Generate SharePoint Documentation

Analyze SharePoint Permissions

Manage Permissions

Audit Farm Configuration

Compare Farms and Track Changes

Enforce Governance Policies

Monitor SharePoint Farm Health

TRY a 30-day free trial

More info is available at www.spdockit.com.

A unique tool that allows you to easily administer and manage your SharePoint farm. You can use it to explore and manage SharePoint permissions, keep an eye on your farm health, and compare and track changes on your farm in no time.
