Products: SharePoint (All)
As with most features in SharePoint, there are at least two (2) ways to accomplish anything; and, managing user permissions is no exception. And similar to any discussion, there are at least (2) opinions on how to best configure permissions within SharePoint.
The scope of this article will focus on the definitions, features and best practices relative to the following topics:
- Active Directory Groups
- SharePoint Groups
- Active Directory (AD) Groups
– AD is a service implemented on a business network that provides a means of authenticating or validating that specific users are allowed inside the network
– AD Groups provide for users to be organized into groups for additional service and application authentication or authorization purposes
- SharePoint (SP) Groups
– Provide means of organizing users into groups for additional authorization purposes within the SharePoint environment
Before diving in, it is imperative that we understand the WHAT …
- WHAT problem(s) are we trying to solve with permissions (Thesis)
- WHAT problem(s) are we NOT trying to solve with permissions (Antithesis)
In general, the best practice is to push down the responsibilities and accountabilities of site ownership, as well as permission management, to the appropriate level of the organization. If the accountabilities are assigned too high, its considered micro-managing; whereas, if it’s too low, it considered chaos. A healthy balance is required; each organization needs to establish those lines appropriately.
Define The Problem(s) Area(s)
Here are a few of the What conditions that may need to be solved
- we need to understand who has what level of permissions within our environment
- … need to understand who has access to what (sites, content, tools)
- … need to understand who has authority to change permissions
- … need to understand when a permission change occurred
- … need to understand where permissions are being assigned directly to personal accounts or empty groups
- … need to understand what sites and resources are accessible to all employees
- … need to understand the permission inheritance within a site or sub-site
- … need to know how many users will be impacted by a permission change
To properly define the problems, pain points and opportunities, it may also be helpful to understand the larger context of the ecosystem
- the people involved (employees, clients, vendors, etc.)
- the processes involved (how many moving pieces are involved and where does this fit)
- the technology involved (infrastructure, licensing, etc.)
- the pains (what to avoid, what to fix)
- the restrictions (scope, boundaries, priorities)
- the rules (company policy, legislative/legal, security, etc.)
- the opportunities (benefits, long/short-term)
- the strategy (application, development, enterprise, etc.)
Benefits of AD Groups
So, what are the benefits of using AD Groups to manage SharePoint Permissions
- centrally managed by a central entity (i.e.; Help/Support Desk)
* often best to have fewer cooks in the kitchen
* simplifies trouble-shooting
- may re-use existing Distribution Lists as Security Groups
* simply check another box within the UI and now the group is multi-purposed
- simplicity of audits
* quickly identify who has what permissions
- membership may be dynamically managed
* query users into the group based on profile properties
- quality control
* continuous improvement of a repeatable process
- fresh membership
* employees are automatically added, updated or removed by the system
Benefits of SP Groups
So, what are the benefits of using SharePoint Groups to manage SharePoint Permissions
- Site Owners may create, update and remove groups as needed
- Site Owners may assign employees to the groups
- Site Owners are empowered
As can be seen, the benefits of AD Groups are clearly differentiated from that of SharePoint Groups. The use of AD Groups is at a higher enterprise level; while, the SharePoint Groups are about empowering users at a lower site level. Knowing these differences in conjunction with the larger purpose of SharePoint Site Governance/Rules, we can then understand how and where to best use these groups.
Background – Enterprise Sites
Employees expect the top-level enterprise site environment and content, at a minimum, to meet the following qualifications!
- be accessible 24 x 7 x 365 with a minimum of ‘read’ permissions
* via both navigational channels and search
- be trustworthy
* one source of the truth; not 10 pieces of content named similar with various dates that require them to hunt and peck through
The Enterprise Sites are held to a higher standard!
Why? Because the content is not simply available for internal (i.e.; Employee) use but is also used to communicate the Why, Who and What credentials for external (i.e.; prospective clients, businesses, agencies, etc.) use via emails, proposals and contracts.
In other words, we can not ‘assume’ anything in this environment.
We need to be intentional and perform the proper due diligence on an on-going basis to ensure that the rules (i.e.; governance) of the game are being following, that expectations are being met to establish and re-establish ‘Trust’ in the eyes of those to whom this environment serves. Trust is established over time through something called relationships by understanding expected behaviors, attitudes and actions of others over Time.
Trust = Time + Relationship
To ensure Trust is maintained, there must be a single source (i.e.; Director or CIO) or entity (i.e.; Governance Board) of accountability.
To ensure Trust is maintained, the permissions related to Who can do What must be centrally managed for all of the reasons noted above.
To ensure Trust is maintained, the content owners in the Enterprise Sites
- must be properly training in the use of the tool and
- adhere to the rules of the environment
The single most important tenant of an intranet Enterprise Site is Trust. There is no room for assumptions. The ultimate survival of the business depends on accurate information, in a timely manner, in a consumable format at the proper place and in the proper hands of capable employees.
The use of AD Groups in the Enterprise Sites area of an intranet is critical to ensuring that Trust is maintained for the long-term.
A sub-set of roles and responsibilities around permission management may look like the following
- Help/Support Desk manages permissions in a central area
- SharePoint Governance Team defines policies, procedures and processes
- Legal and Regulatory policies are enforced
- Security Groups are kept current with managed group memberships
Background – Non-Enterprise Sites
Employees expect to have more autonomy and control in the lower sites (i.e.; collaboration) that they own; especially, as the scope or audience of their site relates to a smaller set of employees.
For Example …
– if I own a business, I may establish the rules that govern the expectations of the employees and their roles as a whole; but there is still room for each Director or Manager to set their own rules for those employees that they may manage. It is a top-down hierarchy of rules and expectations that shape the behavior and ultimately the actions of others in the space.
– if I own an apartment complex, I may establish the rules that govern the expectations of the tenants as a whole; but there is still room for each tenant to set their own rules for those guests that may visit their apartment space. It is a top-down hierarchy of rules and expectations that shape the behavior and ultimately the actions of others in the space.
– we also see this in government where the hierarchy, and ultimately the governance, flows down through the Federal, State, County and City jurisdictions
The big idea is that those rules and authority not a part of the top-level authorities are delegated to the lower levels where it may be best managed.
In essence, it is necessary to establish the rules of the game at each level of the SharePoint environment to communicate expectations of behavior and service levels.
Let’s say that the rules regarding Enterprise Sites state that the SharePoint/Governance Team manages the branding, navigation and permissions within these sites. These sites also will have visibility within the top-level navigation space.
– If an alleged top-level site owner wants total control over the branding, navigation and permissions relative to their site, then per the rules of the game, they will be provided a collaboration site in the lower levels of the intranet.
– If on the contrary, that top-level site owner agrees to follow the rules of conforming to the enterprise branding, top-level navigation and security provisioning, then the site owner will be granted an enterprise site where the SharePoint Team will work with the owner on information architecture, site structure, managed metadata, search engine optimization and other features that would be beneficial to all employees to fully utilize the content within the context of the larger enterprise environment.
Summary of Best Practices
– Active Directory (AD) groups are best used to enforce governance rules within the scope of Enterprise Sites, Community Sites and other sites that cross the entire enterprise
– Active Directory (AD) group that already has permission in a SharePoint group does not trigger a full crawl of the index to calculate changes in permissions; see below reference regarding the effect of
– SharePoint (SP) Groups are best used within the non-enterprise environments where greater autonomy is required (i.e.; site owners manage permissions) and a smaller audience is involved
References – AD Groups vs. SP Groups
- Five (5) Pillars of SharePoint Governance
- Using Active Directory vs. SharePoint Groups
- Governance Guide for SharePoint 2010
- AD vs SP Groups for User Managment: The Denouement
- AD vs. SP Groups for User Management: A Dilemma
- Effect of Adding Users to AD Groups
References – Dynamic Groups
References – LDAP
As always, feel free to leave feedback and let me know how SharePoint has affected you!