Recommended practices for SharePoint permissions

SharePoint grants users access through permissions. These can be assigned via groups or directly to a user. In this blog we will run through our recommended practices for assigning permissions within SharePoint.

 

At farm level we would suggest just one user with Farm Administrative authority. This means you should only give one person the ability to control the entire system and servers. Keeping the number of people in this role limited benefits the security you have in place, because these users can adjust or assign permissions on any site collection or web app within the farm.

 

Below farm level you will want to assign permissions to users who control web applications. The web apps consist of site collections, where you can apply yet another layer of permissions.

It is recommended that this is done with groups, as this helps with organization, depending on the size of the company. Below is a quick, very typical example of how groups can be applied to permissions:

Adding users to these groups can limit the level of access granted. If there is a security breach, groups and permissions can be locked down very quickly.

Below is another diagram of how permissions can be passed down through sites/libraries/lists.

From the image above you can see that each list item, folder, list and subsite can either inherit permissions or have unique permissions. You wouldn’t be able to adjust permissions just for the ‘list item’, because the list item inherits its permissions from the folder, which in turn inherits from the list, which once more inherits from subsite 5.

Applying permissions to a user on subsite 5, for example contribute permissions, would allow them to contribute on all of them: the list, the folder and the list item.

You should avoid assigning permissions directly to AD groups. Instead, it is recommended that you add the AD group as a member of a SharePoint group.
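The inheritance chain and the AD group recommendation above can be checked together with a small model. This is an added example, not code from the original post and not SharePoint's API: the `Node` class, the `audit` function, the "HR folder" and all group and user names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Node:
    """A securable object: subsite, list, folder or list item."""
    name: str
    parent: "Node | None" = None
    # None = inherits from parent. A dict = unique permissions, mapping
    # (principal_type, principal_name) -> permission level.
    unique: "dict | None" = None

    def scope(self):
        """Walk up to the nearest object that holds its own permissions."""
        node = self
        while node.unique is None:
            if node.parent is None:
                raise ValueError(f"{node.name}: top-level object has no permissions")
            node = node.parent
        return node

    def effective(self):
        """Permissions that actually apply to this object."""
        return self.scope().unique

def audit(nodes):
    """List assignments made directly to a user or AD group, not a SharePoint group."""
    return [(n.name, ptype, principal, level)
            for n in nodes if n.unique is not None
            for (ptype, principal), level in n.unique.items()
            if ptype != "sp_group"]

# Constructed sample data mirroring the hierarchy described in the text.
subsite5 = Node("Subsite 5", unique={
    ("sp_group", "Subsite 5 Visitors"): "Read",
    ("sp_group", "Subsite 5 Members"): "Contribute",
    ("ad_group", "Employee-Member"): "Contribute",   # AD group assigned directly
})
lst = Node("List", parent=subsite5)
folder = Node("Folder", parent=lst)
item = Node("List item", parent=folder)
# A second folder with broken inheritance and a direct user assignment.
hr_folder = Node("HR folder", parent=lst,
                 unique={("user", "alice@example.com"): "Contribute"})
ALL = [subsite5, lst, folder, item, hr_folder]

if __name__ == "__main__":
    for n in ALL:
        print(f"{n.name:10} permissions come from: {n.scope().name}")
    for finding in audit(ALL):
        print("direct assignment:", finding)
```

The audit reports only objects that hold unique permissions, because those are the only places where an assignment can be changed; everything else follows its parent.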

 

Depending on the purpose of your site you can use either SharePoint Groups or Active Directory Groups.

 

Groups within SharePoint can be used to assign the same permissions to multiple users across a site. The main security groups used are Visitors, Members and Owners.

Visitors – Can access the site and view documents but are not able to edit.

Members – Can view and edit documents.

Owners – Get full control over the site.

Pros of SharePoint Groups:

  • Users can manage their own sites easily and do not require an admin to assign a user permission to a site.
  • You can easily see the people who have access to the site.
  • You can check a user’s permissions with ease.
  • SharePoint groups can contain non-employees. A site owner can invite external users, such as contractors, to a site (should your tenant settings allow this).
  • Any changes to groups take effect instantly.

Cons of SharePoint Groups:

  • Groups and permissions can become messy and confusing because owners are able to assign permissions.

 

Security groups can be used to assign permissions from Active Directory to SharePoint. A user’s permissions are assigned through these groups, much like the groups in SharePoint. For example, we could have groups such as Company-Visitor, Employee-Member and Employee-Owner. You can configure these groups to give different levels of access across SharePoint. These groups can be assigned by default to new Active Directory users, so they will automatically have access to sites with the AD groups.

Pros of Security Groups:

  • Maintained by the IT department, meaning that these groups will be well organized and easy to understand.
  • Security groups can contain other security groups within them.

Cons of Security Groups:

  • You are unable to see users within a security group in SharePoint.
  • Security groups can only contain users from within the company in Active Directory, and no external users.
  • Editing security groups will not affect SharePoint instantly. For example, adding a user to a group will not be reflected in SharePoint straight away.
