As most readers of this blog will agree, SharePoint is a great tool for enabling effective organizational capability and productivity; employees can better achieve their daily tasks collaboratively using functionalities like document management, enterprise content management and knowledge management, to name a few.
However, bringing all members of an organization together to drink from the fountain of enterprise productivity tools isn't without its problems. There's a strong need for the monitoring and control of these users, to ensure they can all work together in unison in SharePoint.
When it comes to permissions, a common means of controlling productive collaboration, users are granted differing levels of control over Sites, Folders, Lists or List Items - collectively known as objects. Such permissions can be granted directly to individual user accounts, to a group of users, or to Active Directory groups, which may or may not be nested within a SharePoint group.
User permissions are categorized into Site, List and Personal permissions, while at the site collection level sits a set of predefined permission levels that enable users to perform a collection of tasks.
Default permission levels are defined based on functional requirements and security considerations, but while they're mostly predefined, some of them can also be customized.
In this post, we hope to share some helpful tips about good practices around planning, managing and reviewing SharePoint dependent permissions for admins.
Dependent SharePoint Permissions
Administrator users need to understand how some permissions are dependent on other permissions; when permissions with dependent permissions are modified, all other dependent permissions are automatically modified too. For example, the Manage Lists permission used to create, edit or delete lists and manage public views of a list has the following dependent permissions:
- View Items
- View Pages
- Manage Personal Views
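The cascade described above can be modelled as a small dependency graph. The following is an added example, not code from SharePoint or from this post: the Manage Lists entry is the one listed above, while the Edit Items and View Items entries and the function names are assumptions made for illustration. It shows which permissions are switched on when one is selected, and which are cleared as a side effect when one is removed from a permission level.

```python
# Added example: model of dependent permissions (not SharePoint's own code).
# "Manage Lists" is the entry listed in the article; the other two entries
# are assumptions so the cascade spans more than one level.
DEPENDS_ON = {
    "Manage Lists": {"View Items", "View Pages", "Manage Personal Views"},
    "Edit Items": {"View Items", "View Pages"},  # assumption
    "View Items": {"View Pages"},                # assumption
}


def grant(level, permission):
    """Return a copy of `level` with `permission` and all it depends on."""
    result, seen, stack = set(level), set(), [permission]
    while stack:
        perm = stack.pop()
        if perm in seen:
            continue
        seen.add(perm)
        result.add(perm)
        stack.extend(DEPENDS_ON.get(perm, ()))
    return result


def revoke(level, permission):
    """Return a copy of `level` without `permission` or anything needing it."""
    result, stack = set(level), [permission]
    while stack:
        perm = stack.pop()
        if perm in result:
            result.discard(perm)
            # Anything still selected that requires `perm` must go as well.
            stack.extend(p for p in result if perm in DEPENDS_ON.get(p, ()))
    return result


def revoke_impact(level, permission):
    """Permissions cleared as a side effect of clearing `permission`."""
    return set(level) - revoke(level, permission) - {permission}


if __name__ == "__main__":
    level = grant(grant(set(), "Manage Lists"), "Edit Items")
    print(sorted(level))
    print(sorted(revoke_impact(level, "View Items")))
```

Running `revoke_impact` before editing a custom permission level shows what else a single cleared checkbox would take away from the users who hold that level.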
List permissions are inherited from the parent site in which the lists are contained unless the permission inheritance is broken, allowing the admin to grant new permissions to the list without affecting the parent site.
When we look at groups, things get a little more complicated. Adding users to a group within a list with broken permission inheritance doesn't restrict them from inheriting permissions to other objects within that group. Each object account within a site collection has an Access Control List which contains the assignment of Permissions to each object; this Access Control List is then inherited from the parent object whenever a new object is created within that site.
Standardize Your SharePoint Permissions
Creating a permission plan for all sites or site collections helps the SharePoint admin avoid the need to think about permissions at a very granular level. A detailed knowledge about permissions provides the admin with reassurances regarding control of the SharePoint environment, but a standardized approach where permissions are grouped at a higher level could be a good way to go.
Understanding user groups with regard to their area of focus, business challenges and desires can lead to defining different approaches to user permissions, because building a solution without consideration of the diverse and complex employee work patterns can be a recipe for disaster.
For example, Lee Reed, a SharePoint Consultant, has identified 5 distinct SharePoint personality types; this approach can help the admin develop a shared understanding of how employees would use a solution. ROI can therefore be maximized by standardizing permissions requirements for different groups, based on their personas, ensuring that the scope of features accessible to each group matches their key needs.
Let’s consider a group of employees referred to as the ‘bleeding edge’ personas, for their tendency to leverage cutting edge patterns of work through multi-device interaction, knowledge network building and innovative social collaboration. Managing permissions for this group must take into account their working pattern and behavior to ensure that access to important features that provide business value isn't overlooked.
Groups of the Future
Keeping track of hundreds of users with different levels of permission becomes manageable when users are organized logically into groups and permissions are assigned to the groups rather than to individual users.
Microsoft has developed the group concept further by introducing Groups for Office 365 which allows admins to easily use Exchange and SharePoint together for managing access to the best tools available in Office 365. SharePoint offers a slightly complicated collaboration and productivity experience requiring a lot of planning, as we have just.
Microsoft however is rapidly improving its products, providing easy to use collaboration tools and access to cutting edge productivity functionality. Groups is certainly one good example. But all of this innovation is built on a solid bedrock of tried and tested features. Dependent SharePoint Permissions is one such feature, and we hope we’ve helped you understand a little more what it is.