Best practices to manage SharePoint Permissions


Remember when you stored all confidential files on flash drive in your pocket?  Nobody had access to your pants, so you didn’t even think about file permissions. I’m guessing that’s not the case you woke up to this morning. All your docs are residing in the cloud, well protected with dozens of security systems. Maybe overprotected? Have you ever tried to share one of the confidential document to your colleague?  If you are managing information in a medium or large organization, then you should know the pain of confidentiality issues.

SharePoint is a great tool for effective structuring information

SharePoint has excellent features to share or restrict access to different structural elements. When it comes to permissions, a common means of controlling productive collaboration, users can be granted different levels of control of Sites, Lists/Libraries, Folders or List Items/Documents, known as objects.

Such permissions can be granted directly to individual user accounts, or to a group of users, or by Active Directory groups. You can grant access to the whole site, restrict access to a specific library and configure unique permissions for certain items to share them for everyone. Or split information in different folders of one library and share their content to different groups of users in your organization. Or, maybe, you invented a more complex way to fit crazy needs of your boss?

Sounds great and it works impressive in demos, but..

.. does it really work in practice?

I have been working with different SharePoint solutions for years. Every customer has specific requirements that aren’t always compliant with SharePoint capabilities. Very often customers are so fascinated about security in SharePoint, that they don’t realize how insidious this game can be. Many times, we tried to fulfil these specific needs, and it turned into pain, that enforced us to review initial requirements.

Do you want to step on the same rake?

I completely understand how you feel. Well, be aware and follow my best practices to avoid it.

There are five level of permissions:
1. Site collection
2. Site
3. List / Document library
4. Folder
5. List Item / Document

Permissions can be inherited from the top level to bottom, so you can share access to a site for a group and all users from that group will be able to manage documents in any library of this site. However, on any level, you can break inheritance and configure unique permissions, that will be in force on this level and all nested objects below this level. And this is the place where the nightmare begins.

Imagine you have a library with hundreds of folders. Everything worked great until somebody broke the inheritance of permissions in a certain folder and configured it to be available to a specific group of users. Some user complains, that (s)he cannot find a document located in that folder. How easy will be to find this folder and grant permissions for that user?  What if you decided to revoke access from some folder?  Permission management is a weak place of SharePoint UI, so you, most likely, will be frustrated very soon. I’d be frustrated too.

Permission management is a weak place in SharePoint

Don’t worry, I often make that mistake myself. But are there good practices for managing permissions and still keeping control of it? Yes, there are! And this is simple – you should plan in advance. This is exactly the case, where you can say that fail to plan is planning to fail. If you want to keep your system maintainable, follow these simple rules:

1. Creating a permission plan is necessary if you manage multiple objects with different permissions in a site collection.
It looks simple until you decide to restrict access to some site or document library. You break inheritance of permissions, configure access rights and everything goes well… As long as your admin is at work. It may become a big surprise for a new admin. Building a solution without considerations to the diverse and complex employee work patterns can be a recipe for disaster.

A detailed permission plan provides the admin with knowledge about site structure and permissions. A standardized approach where permissions are grouped at a higher level could be a good way to go. Understanding user groups with

regards to their area of focus and activities can lead to defining different approaches to user permission.

2. Grant permissions on higher levels. Avoid breaking inheritance of permissions than more, than deeper object level is.
You are able to grant specific permissions on a folder, that is located on the third level of subfolders in a document library. But try to find a problem in a year, when somebody complains, that the content of this folder is not visible. Yes, permission plan may help if you keep it always up to date. However, in a big structure, there is always room for a mistake. Just avoid complexity and sleep calmly.

3. Use SharePoint security and explicit group membership for managing site members.
If you need to use Active Directory groups, include them into a Sharepoint security group.

4. Avoid item level permissions.
This may work good with automation, but it is not maintainable manually. If anything goes wrong, you have almost no chance to identify the problem, because of documents can be just not visible for you.

Simplicity is the key to success

SharePoint is a powerful tool to build your complex informational system. But always keep the things simple!

Just remember the one golden rule – “order and simplification are the first steps toward the mastery of a subject” (Thomas Mann).

Find more info about the permissions:

Overview: best practices for managing how people use your team site

Understanding permission levels in SharePoint

Customize permissions for a SharePoint list or library

Still having doubts? Ask experts in Cloudriven. We are always happy to help you!
Thank you for reading, and if you have any questions, please ask below.

Contact Form

Want to know more about our products or services? Fill out the form and we'll be in touch as soon as possible.