The second presentation in the 'Governance Rules!' series for the European SharePoint community, focusing on the important role permissions play in building your SharePoint governance strategy.
Why Permissions Drive your Governance Strategy
3. Christian Buckley, Director of Product Evangelism at Axceler
• Microsoft MVP for SharePoint Server
• Most recently at Microsoft, part of the Microsoft Managed Services
team (now Office365-Dedicated) and then Advertising Operations
• Prior to Microsoft, was a senior consultant, working in the
software, supply chain, and grid technology spaces focusing on
collaboration
• Co-founded and sold a collaboration software company to Rational
Software. At another startup (E2open), helped design, build, and
deploy a SharePoint-like collaboration platform (Collaboration
Manager), onboarding numerous high-tech manufacturing
companies, including Hitachi, Matsushita (Panasonic), and Seagate
• Co-authored "Microsoft SharePoint 2010: Creating and Implementing
Real-World Projects" (MS Press, March 2012) and 3 books on
software configuration management.
• Twitter: @buckleyplanet Blog: buckleyplanet.com Email: cbuck@axceler.com
4. Just released from Microsoft Press
Order your copy at http://oreil.ly/qC4loT
Tackle 10 common business problems with proven
SharePoint solutions
• Set up a help desk solution to track service requests
• Build a modest project management system
• Design a scheduling system to manage resources
• Create a site to support geographically dispersed teams
• Implement a course registration system
• Build a learning center with training classes and
resources
• Design a team blog platform to review content
• Create a process to coordinate RFP responses
• Set up a FAQ system to help users find answers quickly
• Implement a cost-effective contact management system
5. Improving Collaboration since 2007
Mission: To enable enterprises to simplify, optimize, and
secure their collaborative platforms
Delivered award-winning administration and migration
software since 1994, for SharePoint since 2007
Over 2,000 global customers
Dramatically improve the management
of SharePoint
Innovative products that improve security, scalability,
reliability, “deployability”
Making IT more effective and efficient and lowering the total
cost of ownership
Focus on solving specific SharePoint
problems (Administration & Migration)
Coach enterprises on SharePoint best practices
Give administrators the most innovative tools available
Anticipate customers’ needs
Deliver best of breed offerings
Stay in lock step with SharePoint development and market trends
7. What do your permissions
look like in SharePoint?
9. • You deployed SharePoint out-of-the-box
• You had no specific plan for permissions
• The business grew and evolved
• People came and went
• Projects came and went
• And suddenly you found yourself with a bit of a mess
10. Governance is about taking action to
help your organization
organize, optimize, and manage
your systems and resources.
11. • SharePoint out of the box is a powerful platform
• But many organizations don't think they have the
time, money, or people to spend on planning
• The same can be said for governance
• The result?
o Site sprawl
o Unfettered content
o Process lawlessness
12. • Central to your governance implementation is
understanding roles and responsibilities within
your SharePoint environment
• Understanding how the organization uses SharePoint
• Identifying secure content within the environment
• Determining who needs access
• Creating policies that secure and protect, but are also
flexible enough to meet the growing demands of your
organization to collaborate
14. It starts with a plan
• How granular do you need to control access
to your content?
• Who manages all the different parts of your
SharePoint farm?
• How do you want to manage
your users?
22. A SharePoint environment must support user
accounts that can be authenticated by a trusted
authority
How do you authenticate your users?
23. Windows Authentication
• NT LAN Manager (NTLM):
• Microsoft security protocol, users authenticated by using the
credentials on the running thread
• Simple to implement – but SharePoint will not be integrated with
other applications
• Kerberos
• If your SharePoint sites use external data
• Credentials passed from one server to another (“double hop”)
• Faster, more secure, and can be less error prone than NTLM
• Anonymous Access
• No authentication needed to browse the site
24. • Authentication based on user account and
password from AD
• This works well for Windows environments
• However, do you need support for
internal, partner, or cloud-based computing
models?
25. Planning for Extranets
• Credentials stored in:
• Lightweight Directory Access Protocol (LDAP) data store
(Novell, Sun)
• AD DS
• SQL or other database
• Custom or third-party membership and role providers
• In SharePoint 2010, forms-based authentication
is only available when you use claims-based
authentication
26. • Usually for external customers or partners
• Defined at the web application level
• An outside identity provider authenticates
users
• A claim is just a piece of information
describing a user: name, email, age, hire
date, etc. used to authenticate the user
27. Integration with Facebook, Google, Live ID, etc. is
becoming more and more common. A scenario:
1. "I'd like to access the Axceler Microsoft technology partners site."
2. “Not until you can prove to me that you are in the Axceler Microsoft
technology partners group.”
3. “Here is my Live ID and password.”
4. “Hi, Steve. I see you are in the Axceler Microsoft technology partners
group. Here is a token you can use.”
5. "I'd like to access the Axceler Microsoft technology partner
document, and here's proof I have access to it!"
28. How do we make
permissions management part of
our governance plan?
30. Hierarchy diagram: Farm > Web Applications > Site Collections > Sites > Sub-sites
31. Hierarchy diagram: Site Collection > Site > Sub-sites, each with its own Lists/Libraries
33. Hierarchy diagram: Farm > Web Applications > Site Collections > Sites > Sub-sites
Define the role:
• Assigned in Central Admin and has permission to all
servers and settings in the farm
• Central Administration access, create new web
apps, manage services, stsadm/PowerShell commands
• Can take ownership of content, and make themselves
Site Collection Administrators
34. Hierarchy diagram: Site Collection > Site > Sub-sites
Define the role:
• Given full control over all sites in a site collection
• Access to settings pages: manage users, restore
items, manage site hierarchy
• Cannot access Central Admin
35. Other Permission Levels
Define the roles:
• Site Admins, Team Leads, Power Users, End Users
• Collections of permissions that allow users to
perform a set of related tasks
• Defined at the site collection level
36. A group of users that are defined at the site collection level
for easy management of permissions
• The default SharePoint groups are Owners, Visitors, and Members,
with Full Control, Read, and Contribute as their default
permission levels respectively
• Anyone with Full Control permission can create custom groups
37. The default permission levels are Full
Control, Design, Contribute, Read, and Limited
Access
• What does “Read” mean to
your organization?
38. Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups
39. SharePoint 2010 lets administrators Check
Permissions to determine a user or group's
permissions on all content
40. Inheritance
If all sites and site content inherit the
permissions defined at the site
collection, what's so hard about managing
permissions if they are defined so high in the
hierarchy?
41. Fine Grained Permissions
Sites, lists, libraries, folders, documents,
and items can all have unique security
…but that doesn't mean they should
42. • Copies groups, users, and permission levels
from the parent object to the child object
• Changes to the parent object do not affect
the child
43. “If you use fine-grained permissions
extensively, you will spend more time
managing the permissions, and users will
experience slower performance when they
try to access site content”
~Planning site permissions, TechNet http://bit.ly/InKv9i
As a result, permissions management
(additions, deletions, edits) is done one
securable object at a time!
44. Performance is reduced once 1000 objects have
broken inheritance in a list or library
• Sites, lists, and libraries need to build security trimmed navigation
• List load time increases
*Apply unique permissions to folders if need be*
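An added example (not code from the deck or from Axceler) that audits the points of slides 38 through 44 in one pass: it walks a site collection from the SharePoint 2010 Management Shell, reports every web and list with unique permissions along with whether each assignment goes through a SharePoint group, a domain group, or a direct user, and warns on lists with more than 1000 uniquely secured items. The site URL is a placeholder.

```powershell
# Added example (not from the original deck). Assumes the SharePoint 2010 Management Shell
# (Microsoft.SharePoint server object model) run as a farm or site collection administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$SiteUrl       = "http://sharepoint.example.com/sites/teamsite"   # placeholder
$ItemThreshold = 1000   # slide 44: list performance drops once this many items break inheritance

function Get-UniqueAssignmentReport($obj, $kind, $path) {
    foreach ($ra in $obj.RoleAssignments) {
        $m = $ra.Member
        # Slide 38: an assignment targets a user, a domain group, or a SharePoint group
        $via = 'DirectUser (tracked one object at a time)'
        if ($m -is [Microsoft.SharePoint.SPGroup]) { $via = 'SPGroup' }
        elseif ($m.IsDomainGroup) { $via = 'DomainGroup (members not visible in SharePoint)' }
        [pscustomobject]@{
            Kind      = $kind
            Path      = $path
            Principal = $m.Name
            Via       = $via
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        }
    }
}

function Invoke-PermissionAudit($siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($web in $site.AllWebs) {
            # The root web always has unique assignments; sub-webs only if inheritance was broken
            if ($web.HasUniqueRoleAssignments) { Get-UniqueAssignmentReport $web 'Web' $web.Url }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                $listPath = $list.RootFolder.ServerRelativeUrl
                if ($list.HasUniqueRoleAssignments) { Get-UniqueAssignmentReport $list 'List' $listPath }
                # Touching every item is slow on large lists; that cost is exactly slide 44's point
                $unique = @($list.Items | Where-Object { $_.HasUniqueRoleAssignments })
                if ($unique.Count -gt $ItemThreshold) {
                    Write-Warning ("{0}: {1} items with broken inheritance (> {2}); use folders or a separate list" -f $listPath, $unique.Count, $ItemThreshold)
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

Invoke-PermissionAudit $SiteUrl | Format-Table -AutoSize
```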
45. Deleted and disabled Active Directory users
are not updated in SharePoint
• Permissions
• User Profiles
• My Sites
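An added example, not from the deck, for the cleanup slide 45 implies: compare the site collection's user list against Active Directory and report accounts that are disabled or no longer exist, together with the SharePoint groups they still sit in. It assumes the SharePoint Management Shell plus the ActiveDirectory RSAT module and handles both classic and SharePoint 2010 claims-encoded Windows logins; the site URL is a placeholder.

```powershell
# Added example (not from the original deck). Assumes the SharePoint Management Shell and
# the ActiveDirectory module; only Windows accounts are checked, other claim types are skipped.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$SiteUrl = "http://sharepoint.example.com/sites/teamsite"   # placeholder

function ConvertTo-SamAccountName([string]$login) {
    # Strip the 2010 claims prefix, then the domain: "i:0#.w|CONTOSO\jdoe" -> "jdoe"
    $win = $login -replace '^i:0#\.w\|', ''
    if ($win -notmatch '^[^\\]+\\([^\\]+)$') { return $null }   # not DOMAIN\user, skip it
    return $Matches[1]
}

function Get-StaleSiteUsers($siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($u in $site.RootWeb.SiteUsers) {
            if ($u.IsDomainGroup) { continue }   # group membership is resolved by AD at logon
            $sam = ConvertTo-SamAccountName $u.LoginName
            if (-not $sam) { continue }
            # -Filter returns nothing for a deleted account instead of throwing like -Identity
            $ad = Get-ADUser -Filter "SamAccountName -eq '$sam'"
            $state = $null
            if (-not $ad) { $state = 'Deleted' } elseif (-not $ad.Enabled) { $state = 'Disabled' }
            if ($state) {
                [pscustomobject]@{
                    Login  = $u.LoginName
                    State  = $state
                    Groups = (($u.Groups | ForEach-Object { $_.Name }) -join ',')
                }
            }
        }
    } finally { $site.Dispose() }
}

# Review the report before acting on it; Remove-SPUser also drops the user's role assignments
Get-StaleSiteUsers $SiteUrl | Format-Table -AutoSize
```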
48. • Train your admins and power users!
"I didn't know that restoring inheritance would remove
our unique security model!" ~Countless well intentioned site admins
• Manage power users through the “Owners”
SharePoint groups
• Limit the members to only those users you
trust to change the structure, settings, or
appearance of the site
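An added example (not from the deck) for the mistake quoted above: snapshot a list's unique role assignments to CSV before calling ResetRoleInheritance, so the unique security model can be rebuilt if restoring inheritance turns out to be wrong. It assumes the SharePoint Management Shell; the web URL, list title and CSV path are placeholders.

```powershell
# Added example (not from the original deck). Assumes the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$WebUrl    = "http://sharepoint.example.com/sites/teamsite/finance"   # placeholder
$ListTitle = "Budget Documents"                                       # placeholder
$BackupCsv = "C:\Temp\budget-documents-permissions.csv"              # placeholder

function Restore-InheritanceWithBackup($webUrl, $listTitle, $backupCsv) {
    $web = Get-SPWeb $webUrl
    try {
        $list = $web.Lists[$listTitle]
        if (-not $list.HasUniqueRoleAssignments) {
            Write-Host "$listTitle already inherits from $($web.Url); nothing to do"
            return
        }
        # 1. Record every unique assignment first: ResetRoleInheritance discards all of them
        #    (BreakRoleInheritance($true) is the reverse step slide 42 describes, copying the
        #    parent's assignments down to the child)
        $snapshot = @(foreach ($ra in $list.RoleAssignments) {
            [pscustomobject]@{
                Principal = $ra.Member.LoginName
                IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
                Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
            }
        })
        $snapshot | Export-Csv -Path $backupCsv -NoTypeInformation
        Write-Host "Saved $($snapshot.Count) unique assignment(s) to $backupCsv"
        # 2. Now the list takes the parent web's users, groups, and permission levels again
        $list.ResetRoleInheritance()
        $list.Update()
    } finally { $web.Dispose() }
}

Restore-InheritanceWithBackup $WebUrl $ListTitle $BackupCsv
```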
49. Make most users members of the Members or Visitors groups
• Members group can contribute to the site by adding or
removing items or documents, but cannot change the
structure, site settings, or appearance of the site.
• Visitors group has read-only access to the site, which
means that they can see pages and items, and open
items and documents, but cannot add or remove
pages, items, or documents.
50. If you do break inheritance, Microsoft recommends
using groups to avoid having to track individual users
• People move in and out of teams and change
responsibilities frequently
• Tracking those changes and updating the permissions
for uniquely secured objects would be time-consuming
and error-prone.
51. • Arrange sites and sub-sites, and lists and libraries
so they can share most permissions
• Separate sensitive data into its own
lists, libraries, or sub-sites
• Microsoft provides a permissions worksheet
(Excel file) http://bit.ly/SK0bP6
57. Christian Buckley
cbuck@axceler.com
+1 425-246-2823
@buckleyPLANET
www.buckleyPLANET.com
and http://info.axceler.com
Order your copy at http://oreil.ly/qC4loT
Additional Resources available
Permissions Worksheet (Microsoft) http://bit.ly/SK0bP6
Developing and Enforcing SharePoint Governance Policies
with Axceler ControlPoint http://bit.ly/SJVq8a
What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
The Five Secrets to Controlling Your SharePoint
Environment http://bit.ly/kzdTjZ
Editor's notes
Who do you trust to manage all the different parts of your SharePoint farm?
- Kerberos: Less traffic between servers, clients, and domain controllers. Uses tickets instead of tokens, so it doesn't have to do a double hop to AD with each request. Much more planning needed.
- Anonymous: Instead, add the All Authenticated Users group. This way actions can be traced to users.
Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS. Used for many things in your organization besides SharePoint. The potential for SharePoint to be used and accessed by people outside your organization… 2010 makes it easier!
Organizations don't want external user accounts within their internal domains, so forms-based authentication is used.
Less user management
Seeing more and more login pages with “use facebook or twitter to log in”
We’re going to be talking mostly about securing intranet content- not an extranet
Break the inheritance and customize the Read permission level for a subsite to define what “read” really means to your organization
Still hard to manage at lower levels
More work! Harder to manage!
They're designed to make your life easier…I swear!
If you restore inherited permissions, the child object will inherit its users, groups, and permission levels from the parent again, and you will lose any users, groups, or permission levels that were unique to the child object.