Security is a topic that is never far from the mind of a good SharePoint administrator. Whether it is planning a new system, or maintaining the integrity of an existing implementation – good security management should always be on the agenda. In this post we are going to look at the flexibility and power of the ‘out of the box’ SharePoint security model, and provide some top tips for implementing and maintaining best practice.
The SharePoint security model
SharePoint takes a very elegant approach to security – based on users, groups and permissions levels. But let’s start at the very top, the SharePoint Farm.
A SharePoint farm includes all the servers in a particular SharePoint system – typically front end, application and database servers. Security at this level is fairly simple and is based on a user role called ‘Farm Admin’. A Farm Admin wields power over SharePoint Central Administration, and in effect has total control over the entire system.
Take your understanding further with more SharePoint security best practices from the pros
1: Appoint very few Farm admins and ensure they’re trained well
At the next level in the SharePoint topology is a Web Application. This is a single instance of SharePoint, often a distinct entity like an Intranet or a Records Management system. A Web Application consists of Site Collections, where we typically have another layer of Administrators.
A Site Collection is a very useful SharePoint entity. Users, permissions, and content in a specific Site Collection are kept separate from any other Site Collections. This makes them good candidate building blocks in terms of the Information Architecture of a SharePoint system.
Each Site Collection has one or more Administrators, defined by the Farm Admin user. The Site Collection Admin carries out all of their activities in SharePoint itself, they do not access the Central Admin tool. This means that Site Collection Admins don’t need to be overly technical, and can come from the power user / business community. This is very helpful for many organizations as Site Collection Admins can be slightly closer to users, to issues ‘on the ground’, and more reactive to problems.
2: Train your best users to act as Site Collection Admins
Below a Site Collection we have the standard SharePoint content units of Sites, Lists, and Items (or documents). It is at this stage that the SharePoint security model really starts to show its flexibility.
First we start with SharePoint Groups. A SharePoint Group is a collection of users. These users are typically pulled from Active Directory and can include Active Directory groups (Though SharePoint Groups cannot contain other SharePoint Groups). A SharePoint Group is then assigned a permission level. The main permission levels in SharePoint 2013 are:
● Read: View content and download documents
● Contribute: Contribute to existing lists and libraries
● Edit: Manage lists and edit content
● Full Control: Ability to create new lists and content items
Each of these levels is made up of a number of specific permissions, and custom levels can be created by mixing and matching these permissions.
3: Stick to out of the box permission levels as much as you can
The final element of the SharePoint security model that we are going to look at is Inheritance. By default permissions in SharePoint flow down from a top level site, and are applied to all content units (Sites, Lists, and Items). This concept of inheritance makes the SharePoint security model easy to setup and deploy. If inheritance is maintained then a top level site in a Site Collection will cascade all of its SharePoint Group permissions downwards to its child content. That is every subsite, list and item will share the same permissions settings.
Inheritance can be broken, if the content dictates that unique rules need to apply. It can be broken at Site, List, or Item level. Once broken SharePoint Groups (or individual users) are set for that unit of content specifically.
4: Maintain permissions inheritance as much as possible
There is one other area to be aware of when it comes to security best practice in SharePoint 2013, and that is the notion of sharing content. The various content units in SharePoint 2013 can be easily ‘shared’ by simply clicking the ‘Share’ button. This uses the same security model we have looked at in this post, but uses a much more simple user interface.
The exception is when using SharePoint Online, part of Office 365. Here it is possible to ‘share’ with parties outside of the organization, who are outside of a given Active Directory. This feature can be enabled, or disabled, at Site Collection level, and these external parties can be required to sign in with their own credentials (such as an Office 365 or Microsoft account) or granted anonymous access to the content.
Clearly any organization will want to be careful about sharing content with these types of users. There are many approaches to protecting content online or as part of Office 365, and careful planning in this area is a must.
5: Don’t enable external sharing by default
This post has looked at a number of tips when it comes to good security management in SharePoint. It is important to remember that security, like many other areas of SharePoint design, requires ongoing care and maintenance. These tips should be considered when both designing a new system, and in the long term as users and content of a system change. There are many third party tools available now that help you manage your environment. At Sharegate, we think that taking care of your SharePoint security is crucial which is why we created a SharePoint Management tool to help you find and fix SharePoint security issues quickly.