[Video] Webinar – SharePoint permissions management with SPDocKit

Managing SharePoint permissions can be a very challenging and daunting task, especially because the built-in SharePoint tools in some areas are lacking some of the features that SPDocKit, as a third-party tool, provides. It helps you to be more efficient, create reports that are not available as out-of-the-box SharePoint reports, and to perform tasks that would otherwise take very long time.

 

This is why we have prepared this webinar: to present all of these SPDocKit capabilities and show how you can make permissions management painless and much more simple. The slide deck is available at our SlideShare.

We encourage you also to take a look at the webinar recording of Toni Frankola’s session for the European SharePoint Conference on “SharePoint Permissions Management via SharePoint UI – Best Practices”.

Table of contents:
0:27 Acceleratio and Products intro
4:01 SPDocKit – Features Overview
7:23 SharePoint Permissions by SPDocKit – Overview
18:19 Permissions – Event Log
18:43 Product Demo and Use Cases
49:09 Permissions Management Best Practices

 


Video Summary

In this webinar we will show you how you can manage SharePoint permissions using our tool SPDocKit. SPDocKit is a SharePoint administration tool created by SysKit. We have been present in the market since 2009 and during those 7 years have gathered more than 2000 customers all over the globe. Explore our other tools: SysKit Monitor for server performance, SysKit Insights for Sharepoint performance monitoring, and SysKit Security Manager for Office 365 security.

SPDocKit – Features Overview

SPDocKit is a SharePoint administration, management, and governance tool that helps with your day-to-day tasks and operations.

  • Its key feature is the ability to generate SharePoint farm documentation. It provides a detailed overview of all the farm, system, and configuration settings.
  • Monitor farm health, track changes, compare farms, web applications, and Site Collections, create numerous content and usage reports.
  • SharePoint Best Practices reports help you audit farm configuration and optimize your farm performance according to the best practices of Microsoft and the community (SharePoint 2016 supported).
  • Easily set up SharePoint rules to enforce your SharePoint governance policies across a SharePoint farm.

SharePoint Permissions Governance – SPDocKit

When it comes to permissions we can talk about two components:

  • Reporting: The tool can gather all the permissions settings for every object (document library, site, list item, etc.). You can generate permission reports for users and groups, export, and explore.
  • Managing: You can perform simple tasks that are also available via SharePoint UI (e.g. create groups and grant permissions), but you can also do more complex procedures such as cloning or transferring permissions.

SharePoint Permissions Explorer

You can use our built-in tool, Permissions Explorer, to dig deep and get information about all users and sites in one place. Drill down and review permissions to the list-item level. You can view permissions in real time or for a specific date or date range. Get a great visual overview of your Site Collection structure. When exploring different levels you will see a small red square next to some objects. This means that this object doesn’t have permissions inherited from its parents but has some unique permissions.

You can easily see all of your users, their group memberships, and groups (SharePoint and Active Directory). When it comes specifically to the Active Directory, you are only able to view members, not to change their membership in AD groups or similar: these changes have to be made in the Active Directory. Users that have been disabled in the AD will also be listed, so you can use this to keep your SharePoint clean and uncluttered.

SharePoint Permissions Reports

There are many levels and sections of reports in SPDocKit. We decided to divide them in this way because our clients said that they would like to print out the results. Sometimes the reports are very long, so this structure simplifies the analysis of gathered information. You can export the reports as Excel or PDF files. Below you can see a full list of reports in SPDocKit UI:

  • Unique Permissions: If you are performing any kind of audit, use this report to visualize whether there are any broken permissions and check if all is how it should be.
  • Site and User Specific Reports: All the user or SharePoint site permissions you need can be displayed on one page.
  • Hierarchical Permissions: Get a detailed overview of three and leaf connections so you can reduce clutter – check Site Collection, Subsite, and List hierarchy.
  • Cleanup Reports: Knowing which groups have no users, and which are orphaned or have no permissions, can take hours of work in SharePoint.

List of all Permissions Reports by SPDocKit

SharePoint Permissions Management

SPDocKit offers many built-in actions to manage SharePoint permissions and there are many different options:

  • Inheritance: Break or restore parent-child relations.
  • Grant: Assign permissions to a user or a group on a selected SharePoint.
  • Manage: Modify assigned permission levels for SharePoint groups or individual users.
  • Clone or transfer permissions between principals.
  • Remove: Delete user or group, remove users from group.
  • Manage SharePoint Online permissions.
  • Manage Site Collections.

For some more complex actions, you can use our Wizard. In certain situations, such as when you need to grant permissions to a user or group of users, for a number of different Site Collections etc., in SharePoint UI you would have to go Site Collection by Site Collection giving individual permissions. We can help: you can start a Wizard, choose a user, and grant them permissions to a number of different Site Collections to speed things up.

You can also easily manage Site Collection Administrators. You can change primary and secondary admins and manage the membership of this group of people who have full control over your Site Collection. This is something you need to maintain regularly.

Some of the Wizard actions are listed below, you can manage:

  • Permission inheritance: Break and restore parent–child relations between SharePoint items.
  • SharePoint groups: Delete, create, rename, edit groups. Add or remove users to and from specific groups.
  • SharePoint users: Manage, clone, and transfer permissions between principals.
  • Site Collections: Clean up the Site Collection from unwanted principals, configure its admins, create specific permissions levels.
  • SharePoint Online permissions: Management On Premises and Online.

Note: Everything that SPDocKit does is logged in the Event Log, so you will be able to trace how the tool changes permissions and be sure that everything is correct. This is essential if you have compliance in your company and have to track everything.

SharePoint Online Permissions Management

We can also offer you the ability to connect to SharePoint Online if you use our Workstation licensing model. If you’d like to manage your permissions in both SharePoint Online and Office 365, we recommend you to use our other tool – SysKit Security Manager.

Compare SharePoint Permissions

Once the tool gathers all the information regarding permissions and structure in a snapshot, you will be able to compare them. If someone calls you and says, “you know, John had permissions to access the site yesterday, but today he is getting an access-denied message: what happened?”, you will be able to easily compare the two snapshots and ascertain what has changed.

  • Compare permissions between sites, lists, and list items.
  • Check differences in your permissions at different points of time.
  • See which permissions should be granted or removed from users, when compared with another site.

SharePoint Permissions Management Best Practices

To finalize, we have prepared some general best practices on SharePoint permissions management. To learn more about this, feel free to check Toni’s most recent webinar on the ESPC website.

  • Use AD Groups or Azure AD Groups when possible.
  • Be careful because management might be difficult in the long run.
  • Define SharePoint groups at the Site Collection level.
  • Use Groups instead of giving direct access.
  • Remove unused groups when possible.
  • Remove orphaned users.
  • Break permissions at the ideal spot: Site >> List >> Folder >> List Item.
  • Make sure not to cross-define SharePoint boundaries.
  • When creating a new site with unique permissions use existing groups when possible.
  • Try to reduce the number of custom permission levels.
  • When creating a new permission level, start by copying an existing one.
  • Be careful when restoring permissions inheritance on a site (it will restore the entire chain downwards).

Q&A Session Transcript

As a recap, we have prepared this Q&A transcript.


Q: When cloning permissions, are rights added additively only, or could rights be removed from the person whom you want to have the same permissions as the clone source?
A: When you are cloning permissions, the permissions of the destination user are completely removed and the new privileges are added.


Q: Is it also possible to manage / read / compare Project Server permissions?
A: You can manage permissions on SharePoint sites that are being used for Project Server. We don’t have built-in support for Project Server in the current release.


Q: Is it possible to restore all the permissions of a site from its history / snapshot?
A: The tool currently does not allow you to restore permissions from a snapshot, but stay tuned as that is something we working for future releases.


Q: We are using an older version and our complaint is that it takes SPDocKit some time to retrieve all the permissions from large farms. Has there been any improvement on this?
A: Our team is constantly working to improve the load times for large farms. In version 6, we have added the ability for you to control how much resources you are going to dedicate for the actual load. So by committing more CPU resources, your load will finish sooner. We always recommend our largest customers to schedule snapshots to be performed during off hours (e.g., during the night) so you can get fresh reports each morning without having to wait for data to be gathered from SharePoint.


Q: When we do user audits, SPDocKit does not show users’ email addresses in the report. This makes it difficult to identify users from different companies and agencies who have access to our SharePoint, since email address is the only way for us to distinguish users.
A: The new version, which will be released in late October, will solve this problem.


Q: Can I get a report of all objects (sites, sub sites, list, libraries, list items, documents) that a certain user or group has been granted permission to AND a list of all users with full control of those objects (site owners)? We need this for our audit team – they want to know what “everyone” has been granted access to and need to be able to contact the site owners (full control) to let them know that they need to either remove that group or provide business justification. We are currently doing this with a custom script.
A: Yes, you can! You just need to configure a filter to show what you need and you can be done in no time. Once you have the report you like, you can easily schedule this to be delivered via email to your audit team.


Q: Is there a webinar planned for the governance functionality, or is a recording available?
A: We are planning a webinar dedicated to SharePoint governance later this year; we are going to send email invites soon.


Q: If you remove orphaned users, does that remove the users’ names from SP for created by, modified by, etc.?
A: No, we are only removing entries about these users from your SharePoint groups and SharePoint objects (like Sites, Lists, Items, etc.). All the metadata, such as Created By and Modified By, is going to remain intact.


Q: Using this tool, can you tell me that total unique users last logged-in per site collection or for total farm?
A: Sure – we provide this information via SharePoint Analytics features, and you can find these reports under Content & Usage Reports > Usage Reports.


Q: Does cloning permissions work for AD groups – as in, if we give a new user the same permissions as an existing user, will they be added to the groups of existing users? Even if the group is not part of a SharePoint site?
A: Yes, you can clone permissions of AD froups too.


Q: How can I use Permissions Reporting to list all users who have access to a specific site and what specific permissions each one has on the SP Site?
A: You can use a combination of filters to achieve that. Just choose your desired Site Collection and the Permission you need, or just list all the permissions.


Q: Should I always start with a snapshot, or can I go live after opening SPDocKit?
A: When you are doing reporting, you should always create a snapshot first, as we need a snapshot to produce data for most of the reports. When you are managing permissions you have to “go live,” as that’s the only way to manage permissions.


Q: How many SPDocKit instances can your workstation product be connected to?
A: There is no limit to the number of workstations.


Q: What happens when Microsoft sends out a patch or publishes a change that dramatically changes the interface and offers new functionalities? How soon can you update your software offering?
A: We always try to release an updated version on the same day that Microsoft ships its RTM versions. In many cases, we will even deliver a new version while a new SharePoint version is still in the preview phase.


Q: Are these reports available to end users in a self-service format, i.e., is it possible to look at permission changes WITHOUT having to be logged on to a SharePoint Server in the farm?
A: Yes, you would have to use our Workstation for that.


Q: Is the Workstation version available at a discount for Microsoft MVPs?
A: We offer all MVPs our Consultant Subscription, which has the same features as our Workstation edition.


Q: Any way to provide site owners some reports to be able to control their permissions?
A: For Site Owners – users who are managing site collections and are not Farm Administrators – you should install Workstation for them on their PCs. Your primary SPDocKit administrator can then configure SPDocKit in such a way as to allow them to access and manage only those site collections they manage in SharePoint.


Q: For SharePoint Online – can we manage external users?
A: You can manage the permissions of external Users, but you would still have to initially invite them via the built-in SharePoint Online UI because Office 365 needs to provision their identity.


Q: Is there an option to consolidate data from multiple farms with SPDocKit?
A: Yes, you can connect all these farms to a single SPDocKit database.


Q: What’s the significance of the whale logo?
A: SPDocKit was formerly known as Documentation Toolkit for SharePoint. As its functionalities grew, we decided to rename it SPDocKit. With the new name comes a new logo, which features a whale. In English, “kit” means a set of useful tools for a specific purpose, while in our Croatian language, “kit” means “whale.” Since we are located on the beautiful Adriatic coast, we thought it was a perfect fit.


Q: How is SPDocKit workstation licensed? Can it check and manage permissions?
A: SPDocKit Workstation requires a separate license that can be purchased for USD 299 per workstation. Ideally, you would combine your workstation with existing farm licenses, i.e., connect it to the same SPDocKit database. With this setup, you can use the workstation to its full extent with all reports being available. On top of that, you can use the workstation to manage permissions on all your licensed on-premises farms and up to one SharePoint online tenant.

 

SPDocKit Free Trial