SharePoint Saturday permissions planning session.

1. Permissions: Designed to Scale
Jamie Aliperti
jamie.aliperti@axceler.com
@jaliperti
SharePoint Saturday Portland
May 19th, 2012

2. About Me
Sales Engineering
Manager
Axceler
based out of the Los Angeles
office, and spend most of my time
providing consultancy, training and
support to current and future
customers. I have over 7 years
experience with Microsoft
technologies, and lead the Los
Angeles Sales Engineering team. Email: Jamie.Aliperti@axceler.com
Twitter: @jaliperti

3. About Axceler
Improving SharePoint Collaboration Since 2007
Mission: To enable enterprises to simplify, optimize, and
secure their collaborative platforms
Delivered award-winning administration and migration
software since 1994
Over 2,000 global customers
Dramatically improve the management
of SharePoint
Innovative products that improve security, scalability,
reliability, “deployability”
Making IT more effective and efficient and lower the total
cost of ownership
Focus on solving specific SharePoint problems
(Administration & Migration)
Coach enterprises on SharePoint best practices
Give administrators the most innovative tools available
Anticipate customers’ needs
Deliver best of breed offerings
Stay in lock step with SharePoint development and
market trends

4. SharePoint Security
Where to Start?
Anyone have any ideas?

5. Design Permissions as part of
Governance
Governance is about taking action to
help your organization
organize, optimize, and manage your
systems and resources.

6. Questions to Ask
How is your organization using
SharePoint?
Is there secure content in your
SharePoint environment?
Who is responsible for SharePoint
Security?
5/30/2012

7. Plan!
How granular do you need to control access to
content?
Who manages all the different parts of your
SharePoint farm?
How do you want to manage your users?

8. Farm Administrators Group
Assigned in Central Admin and has permission to
all servers and settings in the farm
Central Administration access, create new web
apps, manage services, stsadm/PowerShell
command
Can take ownership of content: make
themselves Site Collection Administrators
5/30/2012

9. Authentication Methods
A SharePoint environment must
support user accounts that can be
authenticated by a trusted authority
How do you authenticate your users?

10. Windows Authentication
 NTLM:
 Users authenticated by using the credentials on the running thread
 Simple to implement
 SharePoint will not be integrated with other applications
 Kerberos
 If your SharePoint sites use external data
 Credentials passed from one server to another (“double hop”)
 Faster, more secure, and can be less error prone then NTLM
 Anonymous Access
 No authentication needed to browse the site

11. SharePoint Authentication
Defined at the web application
level

12. Who Needs to Access SharePoint?
Claims-based authentication mode: use any supported
authentication method or else you will support only
Windows authentication
5/30/2012

13. Web Application Policies
Quick way to apply permissions across web
applications
Only part of SharePoint where users can be explicitly
denied access
Set in Central Admin
5/30/2012

14. Site Collection Administrators
Given full control over all sites in a site
collection
Access to settings pages
Manage users, restores
items, manage site hierarchy
Cannot access Central Admin
5/30/2012

15. Securable Objects
What can we secure?
Site
Library or List
Folder
Document or Item

16. Inheritance
If all sites and site content inherit
those permissions defined at the
site collection, what’s so hard
about managing permissions if
they are defined so high in the
hierarchy?

17. Structure/Architecture
Sub-site
Site
Sub-site
Site
Site
Collection
Web App Site Sub-site
Site
Site
Farm Collection
Site
Site
Web App
Collection
Site Sub-site

18. Permission Levels
Collections of permissions that
allow users to perform a set of
related tasks
Permission levels are defined at the
site collection level

19. Customizing Permission Levels
The default permission levels are Full
Control, Design, Contribute, Read, and Limited Access
What does “Read” mean to
your organization?
5/30/2012

20. SharePoint Groups
A group of users that are defined at site collection level
for easy management of permissions
The default SharePoint groups are
Owners, Visitors, and Members, with Full
Control, Read, and Contribute as their default
permission levels respectively
Anyone with Full Control permission can create custom
groups
5/30/2012

21. The Basics: Permissions
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups

22. Best Practice
Make most users members of the Members or
Visitors groups
 Members group can contribute to the site by adding or
removing items or documents, but cannot change the
structure, site settings, or appearance of the site.
 Visitors group has read-only access to the site, which
means that they can see pages and items, and open items
and documents, but cannot add or remove pages, items, or
documents.
5/30/2012

23. Plan for Permission Inheritance
Arrange sites and subsites, and lists and libraries
so they can share most permissions
Separate sensitive data into their own
lists, libraries, or subsite
Permission worksheet:
http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409
5/30/2012

24. Stick to the Plan
If you do break inheritance, Microsoft recommends
using groups to avoid having to track individual users
People move in and out of teams and change
responsibilities frequently
Tracking those changes and updating the permissions
for uniquely secured objects would be time-consuming
and error-prone.
5/30/2012

25. Go back and refine

26. Questions and Answers

27. Contact us for
more info
Contact me: jamie.aliperti@axceler.com
Twitter@jaliperti