SharePoint permissions are a very complex subject, mainly because there are so many permission types you can assign throughout your SharePoint environment. For SharePoint admins, IT person or site collection admin, to assign the correct permissions to every user and maintain a high-security level, they must be familiar with all the permissions concepts. Furthermore, each permission type can have different permission levels.
When we talk about SharePoint security and preventing security breaches, things have drastically changed in the past few years—we’re now faced with a greater number of end users with even greater accessibility. Since SharePoint doesn’t have centralized management where a Share-Point admin can keep an eye on permissions, it’s always beneficial to use a third-party tool for permission management and, of course, implement the latest security measures. All of this takes time management and commitment; that’s why we prepared an ebook in which we go over basic SharePoint terminology and some advice on how to minimize the stress when it comes to setting up new SharePoint sites, giving permissions, creating new groups, and keeping your SharePoint environment safe.
Let’s first shortly explain the basic SharePoint terminology and broaden your knowledge about permissions.
The basic SharePoint terminology
A User is a term in the SharePoint terminology that indicates an individual who has access to a certain SharePoint site or other SharePoint securable-like list, library, or list item.
Active Directory (AD) is the key infrastructure component for efficient user management. It stores information about different objects in the network, such as user accounts, computers, groups, and all relevant information regarding SharePoint and Windows credentials. To be able to install and configure SharePoint on-premises installations (raging from SharePoint 2007 to SharePoint 2016) you must have an Active Directory.
Form-Based Authentication (FBA) enables you to create customized web forms that process user logins using the Access System’s authentication and authorization mechanisms.
In some SharePoint versions, such as SharePoint 2010 and later, Microsoft has introduced some additional abilities which allow you to authenticate users that are not in your Active Directory. To do so, you need to have an Active Directory to install SharePoint on a server; however, it’s not necessary to have all the users in the AD. You can configure the system to work in such a way that you have a third-party authentication directory. For instance, you can work with out-of-the-box ASP.Net membership providers or have some other directory that stores information about your users which you can later use to assign them permissions for SharePoint different objects.
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service.1 It’s a cloud version of Active Directory in the background of SharePoint Online
Azure AD helps you to authenticate your users and store them in the cloud. The interface looks and feels redesigned—it’s modern compared to the classic AD, but the functionality is basically the same. Some customers might choose to use the on-prem SharePoint but still leverage some of the cool and exciting features provided by SharePoint Online and Office 365 in general. These customers are probably going to configure their environment as hybrid, benefiting from both on-premises and the cloud. Learn more about setting up SharePoint services for a hybrid environments.
An external user is a feature that comes with SharePoint Online. If you use SharePoint on-premises, you need to have each user inside the Active Directory and in SharePoint Online; you can invite people to join you in collaborating on certain projects.
SharePoint group is defined as a group of security principals (Windows user accounts; non-Windows users, such as form-based accounts; external users; and Active Directory security groups) created via a SharePoint interface. A group is the simplest building block when managing and granting SharePoint permissions. However, there is a slight downside: SharePoint groups don’t support nested groups. For example, if you were to create a “Finance” group, you won’t be able to create the “Chicago Finance Team” within the “Finance” group.
The upside is that SP groups are administered inside SharePoint, meaning you don’t need to contact the domain administrator for every single change.
AD groups and Security groups are, in fact, the same thing. In SharePoint on-premises, these groups are called Active Directory groups, while in SharePoint Online, they are referred to as Security Groups. The most notable difference is that these groups can be nested, or, in other words, you can create a group within a group.
As with most things in SharePoint, there are positive and negative aspects. This is the case with these groups as well: you cannot manage group members within SharePoint—as a matter of fact, you can’t even see the members in the SharePoint UI.
A permission level is a collection of individual permissions that allow users to perform a set of related tasks in SharePoint. Default permissions levels are made up of a set of permissions that enable users to perform a collection of related tasks. With these permission levels, you can customize permissions; however, note that you can’t customize the “Full Control” and “Limited Access” permission levels.
You can easily change permissions that should be included in a particular permission level (except for “Limited Access” and “Full Control”), or you can create a custom permission level to contain specific permissions.
In some cases, you might be required to create a new permission level. Individual permissions cannot be granted until they are first grouped into permission levels. Once this is done, you can assign permissions to users and groups.
Security Management Best Practices
Before you start managing SharePoint permissions, you might revise the SharePoint site hierarchy.
A typical server farm contains web applications which contain site collections. From a permissions perspective, a site collection is at the top of the hierarchy; then you have the Site, List or Document Library, Folder, and finally an Item or Document. You can assign permissions anywhere from the site collection which means every object is going to inherit those permissions. However, you can change this and assign different permissions for every SharePoint object if you wish.
In this ebook, we focus not only on broadening your knowledge about permissions but on security best practices as well as ways you can maintain your SharePoint environment and data. We also give an overview of some of the basic things you can do with the most popular SharePoint features.
A few tips on how to easily manage your SharePoint permissions:
- When dealing with SharePoint, make sure you use AD groups or Azure AD groups whenever possible.
- Keep in mind future growth and the possibility that assigning too many permissions can cause chaos in trying to manage them all.
- Groups should be defined on the site collection level, and when assigning permissions, assign permissions to groups rather than giving direct access.
- When creating a new site with unique permissions, use the existing groups whenever possible to prevent having too many new groups.
Which challenges are you dealing with when it comes to keeping your SharePoint secure?