table of contents - office 365 and sharepoint enterprise tools · 20,000 document libraries,...

Post on 14-Jun-2020

Table of Contents

About the Author
Introduction to SharePoint Permissions Management
Centralized Permission Management with SPDocKit
Batch permissions management with SPDocKit
On-the-fly permissions management with SPDocKit
Permissions reporting and forensics with SPDocKit
Conclusion
SPDocKit - Ultimate SharePoint admin tool

About the Author

Adis Jugo is a software architect with 20 years of professional experience in creating software solutions that make users' lives easier. He is passionate about improving all the aspects and phases of the software development process. In addition to his two decades of experience in software development and architecture, he is a certified Professional Scrum Master (PSM), with extensive experience in agile project management.

He is currently working as a Director of Advisory for Deroso Solutions, a Microsoft Gold Partner based in Germany, and he has been a speaker at various Microsoft conferences and User Groups meetings. In January 2012, he received the Microsoft Most Valuable Professional (MVP) award for Microsoft SharePoint Server.

Introduction to SharePoint Permissions Management

One of the strengths of SharePoint, and one of the main reasons the platform became so popular in the first place, is permissions. It does not matter whether permissions are governed centrally, or whether site owners can grant permissions themselves: the powerful permission management in SharePoint helped the platform’s popularity skyrocket. Everyone can set up permissions in his or her own way, but that is the problem with SharePoint. Because this is possible and because everyone (who has rights) can do it, SharePoint’s greatest strength very often turns out to be its greatest weakness.

SharePoint has never been good at centralized permission management. Everything is fine as long as you only have a couple of site collections. However, when an IT Administrator needs to add/delete/change users on several hundred, or even several thousand, site collections, things get interesting. Sure, you can write short PowerShell scripts for such tasks, but when you need to do so on a daily basis, things become more difficult. In addition, tracing the history of the permissions can be challenging in SharePoint environments that are not tightly governed. Built-in permissions forensics in SharePoint are very basic at best, and permissions reporting is virtually nonexistent.

Strangely enough, there aren’t that many third-party tools that would close this gap with SharePoint permissions. My favorite tool, and the one that I recommend to in-house administrators, is SPDocKit, which was one of the first tools to offer permissions reporting.

Centralized Permission Management with SPDocKit

SPDocKit makes day-to-day permissions management a much less painful job because it includes a wizard-like centralized permissions management tool. I will outline some key permissions management tasks based on cases with which I was confronted during my career and explain how SPDocKit can be used to automate these tasks (almost) completely.

Batch permissions management with SPDocKit

One of the most common cases in permissions management involves batch permissions management. Think about adding a new audience (users) to existing SharePoint content. This is fairly easy when you only have to deal with a few site collections, but what happens when you have hundreds, or thousands of them?

This was exactly the case we faced with a customer who had over 20,000 automatically provisioned SharePoint site collections – one site collection per customer project. The site collections had almost identical structures: the same lists and libraries, an identical predefined folder structure in the libraries and a complex permissions structure. In all, we were faced with 24 SharePoint groups per site collection, times 20,000.

At one point, an auditing process was going on, and we had to give external auditors permissions to review documents in certain libraries that were present in all 20,000 site collections. The auditors did not have access to any other content in the SharePoint farm, except for those libraries. The process included the following tasks:

Breaking permissions inheritance for the “Reports” libraries,
Creating the permission level “Auditing Permissions”,
Creating a SharePoint group for the auditors,
Adding users to that group,
Giving “Auditing Permissions” to the “Auditors” group for the “Reports” library.

This had to be done for all 20,000 of the site collections. Clearly, one could not do this task manually, and using PowerShell meant opening the door to a potentially large error margin. For that reason, our tool of choice to implement these requirements was SPDocKit.

SPDocKit has a wizard-style interface used to execute permissions-related batch operations. You can find everything you would expect in the interface, including breaking and restoring permission inheritance on multiple levels, batch creating/editing/deleting SharePoint groups and permission levels, managing group membership, and assigning or revoking rights for principals on different securable objects. It all worked intuitively, which did not leave much room for mistakes.

Before any batch operations are executed, SPDocKit will conveniently show a preview of the results, so the administrator can decide whether to proceed with the operation, or cancel it. In the case above, we started with the “Permission Inheritance Wizard”.

Image 1: Breaking permissions at all 20,000 instances of the “reports” library (one in each site collection)

The SPDocKit permissions wizard asked us to review and confirm the action to break the inheritance.

Once that change was confirmed and applied, SPDocKit iterated through the site collections, and executed the command.

In the next step, the SharePoint administrator created the new permission level for auditors using the next wizard – “Permission Levels Wizard”. The administrator chose the name for each new permission level and its base permissions. After a review and confirmation, every site collection received the new permission level: “Auditing Permissions”.

Image 2: Creating the new permission level for auditors

Image 3: Choosing base permission

Using the “Group Management Wizard”, our SharePoint administrator followed the same procedure to create a new SharePoint group (“Auditors”). After setting the group name, description, and owner, and then reviewing the changes, the “Auditors” group was created in all site collections.

Image 4: Creating a new SharePoint group “Auditors”

Next, the administrator assigned the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library, for all 20,000 site collections using the “Manage Permissions Wizard”.

Image 5: Assigning the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library

After these steps, we had a document library named “Reports” with broken permissions inheritance in all site collections, and a SharePoint group named “Auditors,” with the assigned custom permission level “Auditing Permissions” for that library.

Of course, all 20,000 of the “Auditors” SharePoint groups (one per site collection) were empty at first. Using the SPDocKit “Group Membership Wizard”, we easily populated the groups with standard auditors.

Image 6: Adding users to specific groups

Image 7: Defining SharePoint group membership changes

A few minutes and five wizards later, we had broken the permissions inheritance on 20,000 document libraries, created 20,000 SharePoint groups and custom permission levels, assigned the necessary custom permissions for those libraries, and populated the newly created SharePoint groups. SPDocKit made this job much easier.

Writing custom PowerShell scripts would have taken considerably more time, and the process would have been more prone to errors. Executing those tasks manually through the SharePoint interface was not an option at all. In all the wizards mentioned above, all site collections from a web application were selected, but that is not a limit: admins can choose which ones to use. For example, if auditing is necessary on only 100 projects instead of all 20,000, admins can select the 100 projects for which it is required.

The SPDocKit batch permission wizards allow administrators to do much more. They can revoke permissions or change them, change the base permissions set for each permission level and add or remove members from SharePoint groups.

Essentially, when all (or some) of a large set of lookalike SharePoint site collections and sites require a permissions change, SPDocKit permission wizards are your best friend. This is true for all scenarios in which site provisioning is involved: it does not matter whether it is a matter of self-service site provisioning, or site provisioning through a business workflow.

These types of sites (project sites, team sites, meeting sites etc.) are usually identical, or at least very similar to each other in structure, and there are usually plenty of such sites (SharePoint is a collaboration platform, after all).

SPDocKit’s Batch permissions management is very useful when dealing with a large number of site collections; it can be a real lifesaver in that scenario. However, administrators are more likely to deal with permissions inside one site collection.

On-the-fly permissions management with SPDocKit

The SharePoint user interface provides all the basic options for dealing with permissions. We can create, edit, and delete groups; manage group memberships; and create and manipulate permission levels. By drilling down through SharePoint securable objects (data structures), we can break and restore permissions and set specific permissions for all objects down to the item level.

Even though SharePoint offers many possibilities, much remains open. New sharing capabilities make it easier than ever for users to break permissions on the item or folder level. It is not easy for administrators to identify those items. Cleaning up permissions remains a repetitive, slow task: moving users who obtained permissions directly to the appropriate SharePoint groups requires a lot of clicking. Administrators never have a broad overview of the permissions at one particular site.

The entire user experience (or rather the “admin experience”) of dealing with permissions is not optimally efficient. Thus, many SharePoint admins handle permissions exclusively through PowerShell. However, PowerShell is a command line tool and is therefore not appropriate for everyone, especially if all an administrator needs to do is perform a few quick actions or get an overview of what is going on with permissions on a particular site.

This is where SPDocKit comes in. In version 5, we got the “Permissions Explorer”. Using a familiar, hierarchical tree view of SharePoint securable objects (data structures), administrators can drill down through the site collection objects to do everything SharePoint allows with permissions, and even a bit more. Everyday operations are one click away, including detecting securable objects with unique permissions (broken permissions inheritance); breaking and restoring permissions; creating, editing, and deleting SharePoint Groups and Permission levels; and managing group memberships.

This easy access significantly reduces the time needed to perform those repetitive tasks compared to the time required in the standard user interface.

Image 8: Permissions Explorer

While browsing through the site structure, administrators can easily see who has permissions for the currently selected object. Furthermore, they can filter those permissions based on the principal’s status (enabled or disabled), type (SharePoint Group, AD Group, or user), and, in an interesting feature, history. Each time SPDocKit loads the farm information, it writes the information in the background database. Administrators can then use it as a kind of “way back machine” for permissions.

In addition to browsing and exploring permissions, administrators can define permissions settings on the site collection level for primary and secondary site collection administrators, members of the administrators group and SharePoint Groups and Permission levels.

Image 9: Setting the site collection administrators

Image 10: Creating a SharePoint Group

Image 11: Creating a new Permission Level via the SPDocKit interface

While drilling down through the hierarchy, administrators can break and restore permission inheritance at any location and grant or revoke permissions for the currently selected object.

Image 12: Breaking permission inheritance

Image 13: Granting permissions for the selected object

These features help administrators significantly speed up their work on permissions.

In addition to speeding up repetitive everyday tasks, SPDocKit offers some useful automations for tasks that would normally require a lot of clicking or scripting. If you look at the Manage Permissions ribbon, you will see “Edit”, “Clone”, “Transfer”, “Remove”, “Move to Group”, and “Copy to group” icons.

Image 14: The SPDocKit Manage Permissions ribbon operations

While the functions of “Edit” and “Remove” are clear (change permission levels or revoke permissions for a principal completely), the other four icons are particularly interesting.

Although the SharePoint 2013 “Share” icon allows users to quickly share content with other users, it creates many (sometimes unnecessary) item level permissions when it would be much better to simply add users in the appropriate SharePoint groups. With SPDocKit, administrators can easily clean that mess up by selecting the “loose” principals on objects with broken permission inheritances and then copying and moving them to the appropriate SharePoint groups, all with one click.

“Clone” and “Transfer” offer other interesting functions. Administrators often face requirements such as “User X needs to have the same permissions as User Y” or “User Z is being transferred to another division and User W is taking his place.” SPDocKit’s “Clone” and “Transfer” capabilities do exactly that: they give new users the same rights an existing user has or transfer existing rights to a new user and revoke them from the original user. That comes in handy in day-to-day work.

Of course, as you would expect for a tool of this caliber, SPDocKit allows administrators to get information about each user in the site collection (e.g., where the user comes from and his or her memberships in SharePoint and AD groups).

Overall, this powerful toolset helps administrators perform permissions-related tasks.

Permissions reporting and forensics with SPDocKit

Permissions reporting and forensics are usually only needed when a problem arises. In these cases, it is important to determine who has permissions on certain securable objects and, more importantly, why.

SharePoint permissions are serious business, and they must be viewed as having the highest importance. A large amount of sensitive corporate information is stored in SharePoint, and giving unauthorized people access to classified content can pose a big threat. Therefore, it is important to have the ability to report, at any time, who has permissions and through which channels those permissions were given. SharePoint does not offer that ability out of the box, and it is a hassle to code that functionality in PowerShell. At this time, SPDocKit is the only tool on the market that can cover those cases and perform full permissions forensics.

Image 15: Report showing SharePoint groups with no permissions

In addition to forensics, SPDocKit can help you keep your SharePoint clean by removing unused users and groups. In the Permission Reports section, you can easily detect groups that do not have any permissions in their sites, groups owned by a disabled SharePoint user, or groups containing disabled or orphaned users. You can then easily correct those issues by cleaning up those groups and users or giving them the necessary permissions.

Image 16: Report showing orphaned users

Image 17: Report showing users with no permissions in the site collection

Besides these simple but necessary cleaning tasks, the real strength of SPDocKit permission reports lies in permissions forensics. With these forensics reports, we can easily determine who has access to the data and why.

For each SharePoint securable object, including sites, lists, and list items, SPDocKit will tell us who has permissions for those objects and in what way they were given.

Image 18: Permissions for a SharePoint site grouped by permission

For example, you can use this report to discover that the cleaning lady has “Add items” permission on the management site and that she got it through her membership in the “Cleaning Staff” Active Directory group. That group is a member of the “Portal Contributors” SharePoint group, which has been assigned the “Contribute” permission level for that particular site. That permission level, of course, contains “Add items” permission. You can find all that information with just one click. This represents the ultimate governance/compliance report in terms of SharePoint permissions.
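
The chain described above (user, Active Directory group, SharePoint group, permission level, base permission) can be resolved with a short graph walk. This is an added example, not SPDocKit code or output: the data is constructed, and the `user:`, `AD:` and `SP:` prefixes, the account names and the `site:/management` identifier are assumptions made for the illustration.

```python
# Added example: a small model of "who has this permission, and why".
# All data below is constructed sample data, not an export from a real farm.

# Permission level -> base permissions it contains (constructed subset).
PERMISSION_LEVELS = {
    "Read": {"View items", "Open items"},
    "Contribute": {"View items", "Open items", "Add items",
                   "Edit items", "Delete items"},
}

# Group -> direct members (users or nested groups).
MEMBERS = {
    "AD:Cleaning Staff": {"user:cleaner01"},
    "SP:Portal Contributors": {"AD:Cleaning Staff", "user:editor01"},
    "SP:Portal Visitors": {"user:cleaner01"},
}

# Securable object -> principal -> permission levels assigned on that object.
ASSIGNMENTS = {
    "site:/management": {
        "SP:Portal Contributors": ["Contribute"],
        "SP:Portal Visitors": ["Read"],
        "user:auditor01": ["Read"],
    }
}


def chains_to(principal, user, members, seen=()):
    """Yield every membership chain [user, ..., principal].

    A chain of length one means the assignment names the user directly.
    `seen` guards against cycles in nested directory groups.
    """
    if principal == user:
        yield [user]
        return
    if principal in seen:
        return
    for member in sorted(members.get(principal, ())):
        for chain in chains_to(member, user, members, seen + (principal,)):
            yield chain + [principal]


def explain(user, obj, permission):
    """Return every path that gives `user` the base `permission` on `obj`.

    Each finding is [user, group..., permission level, permission].
    """
    findings = []
    for principal, levels in sorted(ASSIGNMENTS.get(obj, {}).items()):
        for level in levels:
            if permission not in PERMISSION_LEVELS.get(level, ()):
                continue
            for chain in chains_to(principal, user, MEMBERS):
                findings.append(chain + [level, permission])
    return findings


def describe(finding):
    """Render one finding as a single report line."""
    *chain, level, permission = finding
    return f"{permission} via level {level}: " + " -> ".join(chain)


if __name__ == "__main__":
    for finding in explain("user:cleaner01", "site:/management", "Add items"):
        print(describe(finding))
```

A report built this way lists every path, so a user who holds the same permission both directly and through a group shows up twice, which is the information needed before revoking one of the grants.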

Of course, you can break this down into numerous other useful reports and information overviews. The next report shows the matrix of Principals (SharePoint Groups and SharePoint users) and permission levels, including the roles each principal has on the site, in a graphically appealing way.

Image 19: Principals and permission levels in a subsite

Furthermore, one of the most commonly requested reports shows a quick overview of securable objects (i.e., sites, lists, and list items) with broken permission inheritances. You can get this report in one click with SPDocKit.
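
The broken-inheritance overview, and the cleanup of “loose” principals left behind by item-level sharing that was described earlier, both come down to the same scan over the hierarchy of securable objects. The sketch below is an added example and not SPDocKit code: the object URLs, the account names and the `user:`/`SP:` prefixes are constructed assumptions, while “Reports”, “Auditors” and “Auditing Permissions” reuse the names from the batch scenario.

```python
# Added example: find objects with unique permissions and direct user grants.
# All objects, principals and levels below are constructed sample data.

# url -> (parent url or None, own role assignments or None when inheriting)
OBJECTS = {
    "/sites/p1": (None, {"SP:Project Members": ["Contribute"],
                         "SP:Project Visitors": ["Read"]}),
    "/sites/p1/Reports": ("/sites/p1",
                          {"SP:Auditors": ["Auditing Permissions"]}),
    "/sites/p1/Documents": ("/sites/p1", None),
    "/sites/p1/Documents/budget.xlsx": (
        "/sites/p1/Documents",
        {"SP:Project Members": ["Contribute"],
         "user:jdoe": ["Contribute"],      # granted through item-level sharing
         "user:guest7": ["Read"]}),
    "/sites/p1/Documents/notes.docx": ("/sites/p1/Documents", None),
}


def effective_assignments(url, objects=OBJECTS):
    """Walk up to the nearest ancestor that holds its own role assignments.

    Returns (url of that ancestor, its assignments).
    """
    seen = set()
    while url is not None and url not in seen:
        seen.add(url)
        parent, own = objects[url]
        if own is not None:
            return url, own
        url = parent
    raise ValueError("no object with its own role assignments found")


def broken_inheritance(objects=OBJECTS):
    """Objects below the root that carry unique permissions."""
    return sorted(url for url, (parent, own) in objects.items()
                  if parent is not None and own is not None)


def loose_principals(objects=OBJECTS):
    """Direct user grants on objects with broken inheritance.

    Each row is (object, user, level, groups on the same object that already
    hold that level). A non-empty group list marks a move-to-group candidate;
    an empty one needs an administrator's decision.
    """
    rows = []
    for url in broken_inheritance(objects):
        own = objects[url][1]
        for principal, levels in sorted(own.items()):
            if not principal.startswith("user:"):
                continue
            for level in levels:
                groups = sorted(p for p, lv in own.items()
                                if not p.startswith("user:") and level in lv)
                rows.append((url, principal, level, groups))
    return rows


if __name__ == "__main__":
    for url in broken_inheritance():
        print("unique permissions:", url)
    for row in loose_principals():
        print("direct grant:", row)
```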

Image 20: Overview of securable objects in SharePoint Farm

In addition to securable object and permission level reports, SPDocKit offers important principal-based reports so administrators can easily determine which permissions a SharePoint user or SharePoint group has in one or more site collections. With these user-centric reports, administrators can see which permissions a principal has and the way in which those permissions were given (e.g., through SharePoint Groups, AD Groups, or directly) and act accordingly.

Of course, as expected from SPDocKit, each of these reports can easily be saved as a PDF or Word file, manually modified, and included in a larger report.

Image 21: Saved report shows the overview of a SharePoint site permissions

Conclusion

SharePoint’s out-of-the-box features are simply not enough for serious governance scenarios and simplified permissions management. Administrators will either write a bunch of PowerShell scripts and avoid the SharePoint user interface completely or find a tool to deal with those issues. Different tools on the market partially cover SharePoint permissions management and reporting.

When all or some of a large set of lookalike SharePoint site collections and sites require a permission change, SPDocKit permission wizards are the best choice. In my opinion, SPDocKit’s permissions toolkit does the best job. It offers batch permissions management across site collections, simplified permissions management inside a single site collection and powerful cleanup, forensic, and reporting options. I often say that SPDocKit’s features let SharePoint consultants have the equivalent of a Swiss Army knife in their pockets.

SPDocKit - Ultimate SharePoint admin tool

What is SPDocKit?

SPDocKit is a unique tool that allows you to easily administer and manage your SharePoint farm. You can use it to keep an eye on your farm health, generate farm documentation to prevent errors while migrating to another farm, and compare and track changes on your farm in no time.

Why SPDocKit?

Generate SharePoint Documentation
Audit Farm Configuration and User Actions
Analyze Farm Modifications down to a Document Level
Analyze Search Terms and Database Growth
Compare Farms and Track Changes
Enforce Governance Policies
Monitor SharePoint Farm Health
Analyze SharePoint Permissions
Manage Permissions

Start with a free trial

More information is available at www.syskit.com.