Post on 13-May-2018
SharePoint Permissions Management
Centralized permissions management with SPDocKit
ADIS JUGO
WHITE PAPER
Content
About Adis
Introduction to SharePoint Permission Management
Centralized Permission Management with SPDocKit
  Batch permissions management with SPDocKit
  On-the-fly permissions management with SPDocKit
  Permissions reporting and forensics with SPDocKit
Conclusion
SPDocKit - Ultimate SharePoint admin tool
About Adis
ADIS JUGO, SHAREPOINT MVP
Adis Jugo is a software architect with 20 years of professional
experience in creating software solutions that make users' lives
easier. He is passionate about improving all the aspects and
phases of the software development process. In addition to his
two decades of experience in software development and
architecture, he is a certified Professional Scrum Master (PSM)
with extensive experience in agile project management. He is
currently working as a Director of Advisory for deroso Solutions,
a Microsoft Gold Partner based in Germany, and he has been a speaker at various Microsoft
conferences and User Groups meetings. In January 2012, he received the Microsoft Most
Valuable Professional (MVP) award for Microsoft SharePoint Server.
Introduction to SharePoint Permission Management
One of the strengths of SharePoint, and one of the main reasons the platform became
so popular in the first place, is permissions. It does not matter whether permissions are
governed centrally, or whether site owners can grant permissions themselves: the
powerful permission management in SharePoint helped the platform’s popularity
skyrocket. Everyone can set up permissions in his or her own way, but that is the
problem with SharePoint. Because this is possible and because everyone (who has
rights) can do it, SharePoint’s greatest strength very often turns out to be its greatest
weakness.
SharePoint has never been good at centralized permission management. Everything is
fine as long as you only have a couple of site collections. However, when an IT
Administrator needs to add/delete/change users on several hundred, or even several
thousand, site collections, things get interesting. Sure, you can write short PowerShell
scripts for such tasks, but when you need to do so on a daily basis, things become more
difficult. In addition, tracing the history of the permissions can be challenging in
SharePoint environments that are not tightly governed. Built-in permissions forensics
in SharePoint are very basic at best, and permissions reporting is virtually
nonexistent.
Strangely enough, there aren’t that many third-party tools that would close this gap
with SharePoint permissions. My favorite tool, and the one that I recommend to
in-house administrators, is SPDocKit, which was one of the first tools to offer permissions
reporting.
Centralized Permission Management with SPDocKit
SPDocKit makes day-to-day permissions management a much less painful job because
it includes a wizard-like centralized permissions management tool. I will outline some
key permissions management tasks based on cases with which I was confronted during
my career and explain how SPDocKit can be used to automate these tasks (almost)
completely.
Batch permissions management with SPDocKit
One of the most common cases in permissions management involves batch
permissions management. Think about adding a new audience (users) to existing
SharePoint content. This is fairly easy when you only have to deal with a few site
collections, but what happens when you have hundreds, or thousands of them?
This was exactly the case we faced with a customer who had over 20,000 automatically
provisioned SharePoint site collections – one site collection per customer project. The
site collections had almost identical structures: the same lists and libraries, an identical
predefined folder structure in the libraries and a complex permissions structure. In all,
we were faced with 24 SharePoint groups per site collection, times 20,000.
At one point, an auditing process was going on, and we had to give external auditors
permissions to review documents in certain libraries that were present in all 20,000 site
collections. The auditors did not have access to any other content in the SharePoint
farm, except for those libraries.
The process included the following tasks:
Breaking permissions inheritance for the ”Reports” libraries,
Creating the permission level “Auditing Permissions”,
Creating a SharePoint group for the auditors,
Adding users to that group,
Giving “Auditing Permissions” to the “Auditors” group for the “Reports” library.
This had to be done for all 20,000 of the site collections. Clearly, one could not do this
task manually, and using PowerShell meant opening the door to a potentially large
error margin. For that reason, our tool of choice to implement these requirements was
SPDocKit.
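For comparison, the five tasks above written as a script against the SharePoint server object model. This is an added example, not code from the white paper or from SPDocKit. It guards every change with an existence check and with `ShouldProcess`, so `-WhatIf` gives a preview and a re-run does not duplicate anything. The web application URL, the auditor logins and the base permissions chosen for “Auditing Permissions” are assumptions.

```powershell
# Added illustration, not from the white paper. Run in the SharePoint Management Shell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $WebApplicationUrl = 'https://projects.example.test',           # placeholder
    [string[]] $AuditorLogins     = @('EXAMPLE\auditor1', 'EXAMPLE\auditor2')  # placeholders
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$libraryName = 'Reports'
$levelName   = 'Auditing Permissions'
$groupName   = 'Auditors'
# Assumption: the white paper does not list the level's base permissions; this is a view-only set.
$basePerms = [Microsoft.SharePoint.SPBasePermissions]'ViewListItems, OpenItems, ViewVersions, ViewFormPages, ViewPages, Open'

foreach ($site in Get-SPSite -WebApplication $WebApplicationUrl -Limit All) {
    try {
        $web  = $site.RootWeb
        $list = $web.Lists.TryGetList($libraryName)
        if ($null -eq $list) { Write-Warning "$($site.Url): no '$libraryName' library, skipped"; continue }
        $target = "$($site.Url) [$libraryName]"

        # 1. Break inheritance only where it is still inherited, so a re-run changes nothing.
        if (-not $list.HasUniqueRoleAssignments -and $PSCmdlet.ShouldProcess($target, 'Break permission inheritance')) {
            $list.BreakRoleInheritance($true)   # $true copies the parent's current assignments
        }

        # 2. Create the permission level if the site collection does not have it yet.
        $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
        if (-not $level -and $PSCmdlet.ShouldProcess($site.Url, "Create permission level '$levelName'")) {
            $level = New-Object Microsoft.SharePoint.SPRoleDefinition
            $level.Name = $levelName
            $level.BasePermissions = $basePerms
            $web.RoleDefinitions.Add($level)
            $level = $web.RoleDefinitions[$levelName]   # re-read the stored definition
        }

        # 3. Create the group, owned by the primary site collection administrator.
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
        if (-not $group -and $PSCmdlet.ShouldProcess($site.Url, "Create group '$groupName'")) {
            $web.SiteGroups.Add($groupName, $site.Owner, $null, 'External auditors: Reports library only')
            $group = $web.SiteGroups[$groupName]
        }

        # 4. Add only the auditors who are not members yet.
        foreach ($login in $AuditorLogins) {
            $isMember = $group -and ($group.Users | Where-Object { $_.LoginName -like "*$login" })
            if (-not $isMember -and $PSCmdlet.ShouldProcess("$($site.Url) [$groupName]", "Add member $login")) {
                $group.AddUser($web.EnsureUser($login))
            }
        }

        # 5. Bind the level to the group on the library, unless that binding already exists.
        $granted = $list.RoleAssignments | Where-Object {
            $_.Member.Name -eq $groupName -and
            ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -contains $levelName
        }
        if (-not $granted -and $PSCmdlet.ShouldProcess($target, "Grant '$levelName' to '$groupName'")) {
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
            $assignment.RoleDefinitionBindings.Add($level)
            $list.RoleAssignments.Add($assignment)
        }
    }
    finally { $site.Dispose() }
}
```

Saved as a script file and run with `-WhatIf`, it lists the pending changes per site collection without applying them.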
SPDocKit has a wizard-style interface used to execute permissions-related batch
operations. You can find everything you would expect in the interface, including
breaking and restoring permission inheritance on multiple levels, batch
creating/editing/deleting SharePoint groups and permission levels, managing group
membership, and assigning or revoking rights for principals on different securable
objects. It all worked intuitively, which did not leave much room for mistakes. Before
any batch operations are executed, SPDocKit will conveniently show a preview of the
results, so the administrator can decide whether to proceed with the operation, or
cancel it.
In the case above, we started with the “Permission Inheritance Wizard”.
Image 1: Breaking permissions at all 20,000 instances of the “reports” library (one in each site collection)
The SPDocKit permissions wizard asked us to review and confirm the action to break
the inheritance.
Image 2: Preview of the changes
Once that change was confirmed and applied, SPDocKit iterated through the site
collections, and executed the command.
In the next step, the SharePoint administrator created the new permission level for
auditors using the next wizard – “Permission Levels Wizard”. The administrator chose
the name for each new permission level and its base permissions. After a
review and confirmation, every site collection received the new permission level:
“Auditing Permissions”.
Image 3: Creating the new permission level for auditors
Image 4: Choosing base permission
Using the “Group Management Wizard”, our SharePoint administrator followed the
same procedure to create a new SharePoint group (“Auditors”). After setting the group
name, description, and owner, and then reviewing the changes, the “Auditors” group
was created in all site collections.
Image 5: Creating a new SharePoint group “Auditors”
Next, the administrator assigned the “Auditing Permissions” level to the “Auditors”
group on the “Reports” document library, for all 20,000 site collections using the
“Manage Permissions Wizard”.
Image 6: Selecting principals and objects to change
Image 7: Assigning the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library
After these steps, we had a document library named “Reports” with broken permissions
inheritance in all site collections, and a SharePoint group named “Auditors,” with the
assigned custom permission level “Auditing permissions” for that library.
Of course, all 20,000 of the “Auditors” SharePoint groups (one per site collection) were
empty at first. Using the SPDocKit “Group Membership Wizard”, we easily populated
the groups with standard auditors.
Image 8: Adding users to specific groups
Image 9: Defining SharePoint group membership changes
A few minutes and five wizards later, we had broken the permissions inheritance on
20,000 document libraries, created 20,000 SharePoint groups and custom permission
levels, assigned the necessary custom permissions for those libraries, and populated
the newly created SharePoint groups. SPDocKit made this job much easier. Writing
custom PowerShell scripts would have taken considerably more time, and the process
would have been more prone to errors. Executing those tasks manually through the
SharePoint interface was not an option at all. In all the wizards mentioned above, all
site collections from a web application were selected, but that is not a limit - admins
can choose which ones to use. For example – if auditing is necessary on only 100
projects instead of all 20,000, admins can select the 100 projects for which it is required.
The SPDocKit batch permission wizards allow administrators to do much more. They
can revoke permissions or change them, change the base permissions set for each
permission level and add or remove members from SharePoint groups. Essentially,
when all (or some) of a large set of lookalike SharePoint site collections and sites
require a permissions change, SPDocKit permission wizards are your best friend. This
is true for all scenarios in which site provisioning is involved: it does not matter whether
it is a matter of self-service site provisioning, or site provisioning through a business
workflow. These types of sites (project sites, team sites, meeting sites etc.) are usually
identical, or at least very similar to each other in structure, and there are usually plenty
of such sites (SharePoint is a collaboration platform, after all).
SPDocKit’s Batch permissions management is very useful when dealing with a large
number of site collections; it can be a real lifesaver in that scenario. However,
administrators are more likely to deal with permissions inside one site collection.
On-the-fly permissions management with SPDocKit
The SharePoint user interface provides all the basic options for dealing with
permissions. We can create, edit, and delete groups; manage group memberships; and
create and manipulate permission levels. By drilling down through SharePoint
securable objects (data structures), we can break and restore permissions and set
specific permissions for all objects down to the item level.
Even though SharePoint offers many possibilities, much remains open. New sharing
capabilities make it easier than ever for users to break permissions on the item or folder
level. It is not easy for administrators to identify those items. Cleaning up permissions
remains a repetitive, slow task—moving users who obtained permissions directly to the
appropriate SharePoint groups requires a lot of clicking. Administrators never have a
broad overview of the permissions at one particular site. Dealing with permissions and
the entire user experience (or rather the “admin experience”) does not provide optimal
efficiency. Thus, many SharePoint admins handle permissions exclusively through
PowerShell. However, PowerShell is a command line tool and is therefore not appropriate
for everyone, especially if all an administrator needs to do is perform a few quick
actions or get an overview of what is going on with permissions on a particular site.
This is where SPDocKit comes in. In version 5, we got the “Permissions Explorer”. Using
a familiar, hierarchical tree view of SharePoint securable objects (data structures),
administrators can drill down through the site collection objects to do everything
SharePoint allows with permissions, and even a bit more. Everyday operations are one
click away, including detecting securable objects with unique permissions (broken
permissions inheritance); breaking and restoring permissions; creating, editing, and
deleting SharePoint Groups and Permission levels; and managing group memberships.
This easy access significantly reduces the time needed to perform those repetitive tasks
compared to the time required in the standard user interface.
Image 10: Permissions Explorer
While browsing through the site structure, administrators can easily see who has
permissions for the currently selected object. Furthermore, they can filter those
permissions based on the principal’s status (enabled or disabled), type (SharePoint
Group, AD Group, or user), and—in an interesting feature—history. Each time SPDocKit
loads the farm information, it writes the information in the background database.
Administrators can then use it as a kind of “way back machine” for permissions.
In addition to browsing and exploring permissions, administrators can define
permissions settings on the site collection level for primary and secondary site
collection administrators, members of the administrators group and SharePoint Groups
and Permission levels.
Image 11: Setting the site collection administrators
Image 12: Creating a SharePoint Group
Image 13: Creating a new Permission Level via the SPDocKit interface
While drilling down through the hierarchy, administrators can break and restore
permission inheritance at any location and grant or revoke permissions for the currently
selected object.
Image 14: Breaking permission inheritance
Image 15: Granting permissions for the selected object
These features help administrators significantly speed up their work on permissions.
In addition to speeding up repetitive everyday tasks, SPDocKit offers some useful
automations for tasks that would normally require a lot of clicking or scripting. If you
look at the Manage Permissions ribbon, you will see “Edit”, “Clone”, “Transfer”,
“Remove”, “Move to Group”, and “Copy to group” icons.
Image 16: The SPDocKit Manage Permissions ribbon operations
While the functions of “Edit” and “Remove” are clear (change permission levels or
revoke permissions for a principal completely), the other four icons are particularly
interesting.
Although the SharePoint 2013 “Share” icon allows users to quickly share content with
other users, it creates many (sometimes unnecessary) item level permissions when it
would be much better to simply add users in the appropriate SharePoint groups. With
SPDocKit, administrators can easily clean that mess up by selecting the “loose”
principals on objects with broken permission inheritances and then copying and
moving them to the appropriate SharePoint groups—all with one click.
“Clone” and “Transfer” offer other interesting functions. Administrators often face
requirements such as “User X needs to have the same permissions as User Y” or “User
Z is being transferred to another division and User W is taking his place.” SPDocKit’s
“Clone” and “Transfer” capabilities do exactly that: they give new users the same rights
an existing user has or transfer existing rights to a new user and revoke them from the
original user. That comes in handy in day-to-day work.
Of course, as you would expect for a tool of this caliber, SPDocKit allows administrators
to get information about each user in the site collection (e.g., where the user comes
from and his or her memberships in SharePoint and AD groups). Overall, this powerful
toolset helps administrators perform permissions-related tasks.
Permissions reporting and forensics with SPDocKit
Permissions reporting and forensics are usually only needed when a problem arises. In
these cases, it is important to determine who has permissions on certain securable
objects and more importantly, why.
SharePoint permissions are serious business, and they must be viewed as having the
highest importance. A large amount of sensitive corporate information is stored in
SharePoint, and giving unauthorized people access to classified content can pose a big
threat. Therefore, it is important to have the ability to report, at any time, who has
permissions and through which channels those permissions were given.
SharePoint does not offer that ability out of the box, and it is a hassle to code that
functionality in PowerShell. At this time, SPDocKit is the only tool on the market that
can cover those cases and perform full permissions forensics.
In addition to forensics, SPDocKit can help you keep your SharePoint clean by removing
unused users and groups. In the Permission Reports section, you can easily detect
groups that do not have any permissions in their sites, groups owned by a disabled
SharePoint user, or groups containing disabled or orphaned users. You can then easily
correct those issues by cleaning up those groups and users or giving them the
necessary permissions.
Image 17: Report showing SharePoint groups with no permissions
Image 18: Report showing orphaned users
Image 19: Report showing users with no permissions in the site collection
Besides these simple but necessary cleaning tasks, the real strength of SPDocKit
permission reports lies in permissions forensics. With these forensics reports, we can
easily determine who has access to the data and why.
For each SharePoint securable object, including sites, lists, and list items, SPDocKit will
tell us who has permissions for those objects and in what way they were given.
Image 20: Permissions for a SharePoint site grouped by permission
For example, you can use this report to discover that the cleaning lady has “Add items”
permission on the management site and that she got it through her membership in the
“Cleaning Staff” Active Directory group. That group is a member of the “Portal
Contributors” SharePoint group, which has been assigned the “Contribute” permission
level for that particular site. That permission level, of course, contains “Add items”
permission. You can find all that information with just one click. This represents the
ultimate governance/compliance report in terms of SharePoint permissions.
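The chain described above (principal, channel, permission level, permission) can be traced for a single site with the server object model. This is an added example, not SPDocKit's code or report logic: the function name `Get-PermissionPath` and the URL in the last comment are made up, it covers only the site's own role assignments (not lists or items with unique permissions), and it stops at Active Directory groups without expanding their members.

```powershell
# Added illustration, not SPDocKit code. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PermissionPath {
    param(
        [Parameter(Mandatory = $true)] [string] $WebUrl,
        [string] $Permission = 'AddListItems'   # a name from the SPBasePermissions enumeration
    )
    $wanted = [Microsoft.SharePoint.SPBasePermissions]$Permission
    $web = Get-SPWeb $WebUrl
    try {
        foreach ($assignment in $web.RoleAssignments) {
            # Keep only the permission levels of this assignment that contain the permission.
            $levels = @($assignment.RoleDefinitionBindings |
                        Where-Object { $_.BasePermissions.HasFlag($wanted) })
            if ($levels.Count -eq 0) { continue }

            $member = $assignment.Member
            if ($member -is [Microsoft.SharePoint.SPGroup]) {
                $channel = "SharePoint group '$($member.Name)'"
                $holders = @($member.Users)          # users and AD groups inside the group
            } else {
                $channel = 'direct assignment'
                $holders = @($member)                # a user or AD group granted directly
            }
            foreach ($holder in $holders) {
                foreach ($level in $levels) {
                    [pscustomobject]@{
                        Principal       = $holder.LoginName
                        # AD groups must still be expanded in Active Directory to reach people.
                        IsAdGroup       = $holder.IsDomainGroup
                        Channel         = $channel
                        PermissionLevel = $level.Name
                        Permission      = $Permission
                        Inherited       = -not $web.HasUniqueRoleAssignments
                    }
                }
            }
        }
    }
    finally { $web.Dispose() }
}

# Constructed URL: Get-PermissionPath -WebUrl 'https://portal.example.test/management' | Format-Table -AutoSize
```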
Of course, you can break this down into numerous other useful reports and information
overviews. The next report shows the matrix of Principals (SharePoint Groups and
SharePoint users) and permission levels, including the roles each principal has on the
site, in a graphically appealing way.
Image 21: Principals and permission levels in a subsite
Furthermore, one of the most commonly requested reports shows a quick overview of
securable objects (i.e., sites, lists, and list items) with broken permission inheritances.
You can get this report in one click with SPDocKit.
Image 22: Overview of securable objects in SharePoint Farm
In addition to securable object and permission level reports, SPDocKit offers important
principal-based reports so administrators can easily determine which permissions a
SharePoint user or SharePoint group has in one or more site collections. With these
user-centric reports, administrators can see which permissions a principal has and the
way in which those permissions were given (e.g., through SharePoint Groups, AD
Groups, or directly) and act accordingly.
Of course, as expected from SPDocKit, each of these reports can easily be saved as a
PDF or Word file, manually modified, and included in a larger report.
Image 23: Saved report shows the overview of a SharePoint site permissions
Conclusion
SharePoint’s out-of-the-box features are simply not enough for serious governance
scenarios and simplified permissions management. Administrators will either write a
bunch of PowerShell scripts and avoid the SharePoint user interface completely or find
a tool to deal with those issues. Different tools on the market partially cover SharePoint
permissions management and reporting.
When all or some of a large set of lookalike SharePoint site collections and sites require
a permission change, SPDocKit permission wizards are the best choice. In my opinion,
SPDocKit’s permissions toolkit does the best job. It offers batch permissions
management across site collections, simplified permissions management inside a
single-site collection and powerful cleanup, forensic, and reporting options. I often say
that SPDocKit’s features let SharePoint consultants have the equivalent of a Swiss Army
knife in their pockets.
SPDocKit - Ultimate SharePoint admin tool
What is SPDocKit?
Why SPDocKit?
Generate SharePoint Documentation
Analyze SharePoint Permissions
Manage Permissions
Audit Farm Configuration
Compare Farms and Track Changes
Enforce Governance Policies
Monitor SharePoint Farm Health
TRY a 30-day free trial
More info is available at www.spdockit.com.
Unique tool that allows you to easily administer and manage your
SharePoint farm. You can use it to explore and manage SharePoint
permissions, keep an eye on your farm health and compare and track
changes on your farm in no time.