Strategies for Managing Permissions in SharePoint 2010


When a company is deploying a new SharePoint 2010 environment or migrating from an existing SharePoint farm to a new SharePoint 2010 farm, one of the topics that is sure to come up is how to manage permissions within the new farm.  Companies that are new to SharePoint are often unsure where to start.  Companies that have worked with SharePoint in the past will frequently use the transition period from one SharePoint version to another to review their current permissions strategy, make adjustments, and review the tools that are available to help meet the goals of that strategy.

There are many blog articles on the web regarding managing permissions within SharePoint.  Most, however, look either at using the out-of-the-box SharePoint groups or at using 3rd party tools to manage the permissions within SharePoint.  While both of these approaches have their merit, many companies today are using SharePoint to fulfill multiple functions, and a combination of approaches is needed to effectively manage permissions in their environment.

Typically there are 3 main approaches to managing permissions in a SharePoint farm:

1.  Using SharePoint groups and individual permissions on all sites

2.  Using Active Directory groups on all sites

3.  A hybrid approach using a mixture of SharePoint groups and AD groups

Which approach is best suited for each situation depends on the type of sites involved and how they are being used.  Sites where users are frequently added to and removed from the permissions work best with SharePoint groups, so that site owners have the flexibility to make permissions changes as needed.  Portal sites or top-level sites that are open to the entire company as read-only will likely see fewer changes to the site permissions, so the use of Active Directory groups makes more sense there.

Another thing to keep in mind is how often users will be added to and removed from permissions on sites.  Using SharePoint groups requires someone to either manually add each new user to every site they need permissions on, or to use a 3rd party tool to automate this process.  With AD groups, a user's permissions are removed from every site where the AD group is used as soon as the AD account is disabled, with no per-site cleanup required.

Making the decision of which permissions model will work best for your environment is the easy part.  Next you need to decide who will manage these permissions and what tools they can use to manage them.

If you are using all SharePoint groups and individual permissions, then the responsibility for managing the permissions would either reside with the site collection owners (preferred) or, in smaller environments, with the SharePoint Administrators.  If you have dedicated Site Collection Owners who actively manage the permissions in their sites, then you are off to a good start.  But what happens when somebody wants to audit the permissions of a specific site or site collection?  There are ways to gather this information with out-of-the-box tools in SharePoint 2010, but it is rather cumbersome and the reporting is not very robust.  Most companies will turn to 3rd party tools made by companies like Axceler, AvePoint, or Quest to manage the permissions in their environment.  These tools work great for managing SharePoint permissions and often have additional functionality to create policies, move content, and generate storage reports, but of course there is an added cost.
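One way to get a basic permissions audit out of the box, as an added example that is not part of the original post, is a script run from the SharePoint 2010 Management Shell that walks every web with unique permissions in a site collection and classifies each role assignment as a SharePoint group, an AD group, or an individual user. The site URL and the output file name below are placeholders; the script assumes it runs on a farm server with the Microsoft.SharePoint.PowerShell snap-in available.

```powershell
# Added example, not from the original post: inventory the role assignments on every web
# with unique permissions in a site collection and classify each principal as a SharePoint
# group, an AD group or an individual user. Assumes the SharePoint 2010 Management Shell
# (Microsoft.SharePoint.PowerShell snap-in) on a farm server; the site URL is a placeholder.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-WebPermissionInventory {
    param([Parameter(Mandatory=$true)][string]$SiteUrl)
    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # A web that inherits permissions only repeats its parent's assignments.
                if (-not $web.HasUniqueRoleAssignments) { continue }
                foreach ($ra in $web.RoleAssignments) {
                    $member = $ra.Member
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $kind = 'SharePointGroup'
                    } elseif ($member.IsDomainGroup) {
                        $kind = 'ADGroup'
                    } else {
                        # Direct user grant: the hardest kind to audit and to clean up on departure.
                        $kind = 'IndividualUser'
                    }
                    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
                    New-Object PSObject -Property @{
                        WebUrl    = $web.Url
                        Principal = $member.Name
                        Kind      = $kind
                        Roles     = $roles
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage: write the full inventory to CSV, then count direct user grants per web. A high
# count is the signal that delegated site ownership has drifted away from group-based access.
$inventory = Get-WebPermissionInventory -SiteUrl 'http://sharepoint.example.local/sites/placeholder'
$inventory | Export-Csv -Path .\permission-inventory.csv -NoTypeInformation
$inventory | Where-Object { $_.Kind -eq 'IndividualUser' } |
    Group-Object WebUrl | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Running this on a schedule and diffing the CSV against the previous run gives a cheap change log for permissions without a 3rd party product.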

If you decide to manage your environment using only Active Directory groups, then ultimately the burden of account creation and management lies with your Active Directory group.  If you have a larger SharePoint environment, this responsibility is often more than the AD team will be willing to take on.  There are ways to automate AD account management, either through tools like Forefront Identity Manager (FIM) or through 3rd party tools such as Imanami.  Whether or not these tools can be used in your organization will depend greatly on the sensitivity of the data stored in your SharePoint environment and the policies enforced by your Security group.

Most companies I have seen will use the hybrid approach: AD groups are used for the top-level portals and managed by the AD group, while for the majority of the sites in the SharePoint farm SharePoint groups are used and the permissions are managed by Site Collection Owners.  One of the core benefits of SharePoint over most other collaboration products is the ability to delegate permissions management down to individual site owners and business users.  This lessens the overall management burden on the SharePoint Admins (IT) and helps engage business users in managing their sites.  Which approach to use should be evaluated very closely by each company and should not be entered into lightly, as it is very difficult to change course once a method has been in use for some time.