Best Practices For Designing SharePoint 2010 Site Permissions In Plain English

A friend, after a conference call this morning asked me to write this out since the client was still all confuddled.

Planning access control for the many kinds of SharePoint 2010 assets is vital, and it belongs in the planning stages of your SharePoint implementation. This includes combining permission inheritance with more fine grained permissions in order to arrive at the most effective scheme for relating permissions to particular scopes.

As in previous versions of SharePoint, permissions are applied in the orthodox manner in order to grant access both to sites and to content within SharePoint containers. There are several things to take into consideration when beginning the design process. Firstly, you have to consider how strictly security should be applied. For example, some SharePoint instances can simply lean on heavy inheritance schemes, while others may have various restrictions on pieces of sensitive content and their respective containers. Secondly, the permission design must carefully consider how groups and users are going to be leveraged. A group is simply a container; this is important to remember. As a container, the group has little relevance until permission levels are attached to it.

Before getting started, there are a couple of inbuilt security objects in SharePoint that must be considered throughout the design process. Firstly, there are the individual permissions and their associated permission levels. By assigning a permission to a user, you are essentially saying that the user can perform a specific action. Developers will recall these as the members of the SPBasePermissions enumeration, for example SPBasePermissions.BrowseDirectories and SPBasePermissions.AddDelPrivateWebParts. Therefore, when designing permission levels it is essential to consider the predefined permissions in SharePoint that correspond to the tasks the user needs to perform. Since a permission level bundles multiple individual permissions, it is important to consider all the relevant actions for each user and group. In order to manage permission levels, a user must have the Manage Permissions permission, which is the SPBasePermissions.ManagePermissions member.

Users and groups have to be seriously considered when designing permission schemes. Groups in SharePoint are contained and administered at the site collection level, and can be either a Windows security group or a SharePoint group. Groups in SharePoint have an associated default permission level, but the default permission levels are easily modified. Similar to how managing permissions requires the SPBasePermissions.ManagePermissions member, creating groups requires the SPBasePermissions.CreateGroups member. Groups only have utility when users are placed within them. It is considered a best practice to use groups whenever possible and to assign individual permissions to particular content only in specific circumstances.

In terms of the “things” that a user wants to access, each object is considered to be a securable object, that is, an ISecurableObject. This can be a list, library, document, list item, etc. By default, content within the site natively inherits the site permissions, but lower level assignment is always available, such as at the list level (container level) or the item level (content level).

Understanding and designing the SharePoint security relational assignments is crucial when considering the holistic SharePoint environment. A user or group can be assigned a permission level on a particular securable object. As stated before, securable objects within the site will by default inherit the permissions of the site. This design can be extended by implementing unique, fine grained permissions for each securable object in SharePoint in order to tailor user actions for particular content more finely. This approach must be taken with the aggregate design in mind, since assigning a multitude of individual permissions naturally produces a very complex design. This complexity means that the implemented design must consider both the permission inheritance scheme and the individual permission assignment scheme. As a best practice, when breaking inheritance you should use groups as much as possible in order to decrease the complexity of the security design. Individual accounts on individually assigned items can be very difficult to track and can cause highly visible maintenance problems.

Managing sites, as a best practice, should use inheritance as much as possible, because by default permissions trickle down to all of the associated items within the site. This both lessens security design complexity and makes pushed-down changes much more effective and far reaching. Under this design, however, the persons with the rights to manage sub site permissions must be strongly controlled, since the permission sets are shared. Loose control here can naturally cause problems with users accessing content at both the site and the sub site level. As a best practice, commonly accessed content should use a shared inheritance scheme as much as possible, while inheritance can be broken for sensitive content that has few associated users and groups.

From what we have talked about thus far, it is clear that the design comes down to balancing simplicity of security management and performance against the need to separate sensitive content. There are a few takeaways to consider as best practices. Firstly, always follow the principle of least privilege, where a user has only the minimum permissions required to carry out their assignments. Since several of the inbuilt functions of SharePoint, as well as the API, have hooks that use the standard groups, it is best to use the default groups as much as possible. As stated previously, it is best to lean on inheritance schemes as much as possible. Always carefully choose whom you elevate above the permissions of the Members and Visitors groups, since these correspond to the common actions of limited contribution and view rights on objects. Furthermore, membership of the Owners group should be tightly controlled and monitored, since owners have elevated rights to execute actions such as modifying the site structure. It is important to remember that permissions and permission levels are flexible in SharePoint; permission levels for particular objects can be customized as required.
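The design described above, scripted against the SharePoint 2010 server object model, as an added example that is not code from the original post. It builds a least-privilege permission level from SPBasePermissions members, binds it to a SharePoint group rather than to individual accounts, leaves the site on inheritance, and breaks inheritance only on one sensitive list. The site URL, the "Finance Reviewers" group, the "Review Only" level and the "Budget Drafts" list are all assumed names for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical console program run as a farm or site collection administrator.
// Site URL, group, level and list names below are constructed for illustration.
class PermissionDesignSample
{
    const string SiteUrl = "http://intranet.example.local/sites/finance";
    const string GroupName = "Finance Reviewers";
    const string LevelName = "Review Only";
    const string SensitiveList = "Budget Drafts";

    static void Main()
    {
        using (SPSite site = new SPSite(SiteUrl))
        using (SPWeb web = site.RootWeb)   // RootWeb: custom role definitions live at the site collection
        {
            // 1. Least privilege: compose a level from only the SPBasePermissions
            //    members the reviewers' task actually needs (read, no edit).
            SPBasePermissions reviewRights =
                SPBasePermissions.ViewListItems |
                SPBasePermissions.OpenItems |
                SPBasePermissions.ViewVersions |
                SPBasePermissions.ViewPages |
                SPBasePermissions.Open;
            SPRoleDefinition level = EnsureRoleDefinition(web, LevelName, reviewRights);

            // 2. Put users in a SharePoint group and bind the level to the group,
            //    never to individual accounts. The site itself keeps inheritance.
            SPGroup reviewers = EnsureGroup(web, GroupName, "Reviews budget drafts; no edit rights");
            Grant(web, reviewers, level);

            // 3. Break inheritance only on the sensitive container, then grant just
            //    Owners (Full Control) and the reviewers group on it.
            SPList list = web.Lists[SensitiveList];
            if (!list.HasUniqueRoleAssignments)
            {
                list.BreakRoleInheritance(false);   // false: do not copy the inherited Members/Visitors grants
            }
            Grant(list, web.AssociatedOwnerGroup, web.RoleDefinitions.GetByType(SPRoleType.Administrator));
            Grant(list, reviewers, level);

            // 4. Verify effective rights for the current user before signing off the design.
            Console.WriteLine("Current user can read drafts: {0}",
                list.DoesUserHavePermissions(SPBasePermissions.ViewListItems));
            Console.WriteLine("Current user can edit drafts: {0}",
                list.DoesUserHavePermissions(SPBasePermissions.EditListItems));
        }
    }

    // Create the permission level if it is missing. Refuse levels that carry
    // ManagePermissions, because that right lets the holder rewrite the whole scheme.
    static SPRoleDefinition EnsureRoleDefinition(SPWeb web, string name, SPBasePermissions rights)
    {
        if ((rights & SPBasePermissions.ManagePermissions) != 0)
            throw new ArgumentException("Custom levels should not grant ManagePermissions.");

        foreach (SPRoleDefinition existing in web.RoleDefinitions)
            if (existing.Name == name) return existing;

        SPRoleDefinition def = new SPRoleDefinition();
        def.Name = name;
        def.Description = "Least-privilege read/review level";
        def.BasePermissions = rights;
        web.RoleDefinitions.Add(def);
        return web.RoleDefinitions[name];
    }

    // Create the SharePoint group if it is missing; Owners own it, the current user is its first member.
    static SPGroup EnsureGroup(SPWeb web, string name, string description)
    {
        foreach (SPGroup g in web.SiteGroups)
            if (g.Name == name) return g;

        web.SiteGroups.Add(name, web.AssociatedOwnerGroup, web.CurrentUser, description);
        return web.SiteGroups[name];
    }

    // Works for any ISecurableObject: web, list, folder or item.
    static void Grant(ISecurableObject target, SPPrincipal principal, SPRoleDefinition level)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(level);
        target.RoleAssignments.Add(assignment);
    }
}
```

The Grant helper takes ISecurableObject so the same call serves the site, the list and, if ever needed, a folder or item; keeping every grant on a group means that reviewing who can see the sensitive list is a matter of reading one group's membership rather than walking item-level assignments.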


Department Of Defense SharePoint Architecture Guide (DSAG) Part 7 Secured Availability

The various Department of Defense activities that are offered allow for decisions to be made based on various types of information. Security is as much of a priority as availability. The network of information may have various threats that take place. Some of them can be internal but others are external including threats from terrorists or criminals.

Hacking is also a concern, and so a line of defense has to be in place to help offset such problems. The information has to be maintained through information assurance, which is the foundation for addressing these various concerns. Delivering information under the Department of Defense net centric vision covers several abilities; the sharing of information among the various government organizations is only one of them. The partnerships shouldn’t be compromised, and so efforts have to be in place to continually counteract such threats that may exist.

Secured availability makes sure that the challenges of the department are met continuously in that net centric environment. The idea is for protection and security to be essential parts of the criteria offered. The IT infrastructure allows for data to be exchanged and for the authentication of the GIG information to be secured for all of the transactions.

This same process makes it possible to securely respond to any type of event that threatens the operations of the GIG. The Department of Defense has to make the transition to the net centric environment that is in place. There will be a variety of rules and principles in place here. The shift will be towards the entire enterprise, though, so that solutions within the program work across the board.

When you implement secured availability in the net centric environment there needs to be the addition of new technology as well as new policies. All of this will be coordinated across the department. This will affect it at the local, state, and Federal levels. It will also affect the various coalition partners that they have in place. Successfully implementing the abilities of secured availability will result in the Department of Defense covering a variety of key elements. These include:

Managing identities for all users and services so that they can function in a dynamic environment. This also will allow for them to share information across the various networks of organizations out there, even though various levels of trust will be found among them.

Permanently binding the metadata at the time that an object is created. This is going to ensure that the data is visible as well as properly handled. The risks and threats out there will be carefully assessed in regards to the software, hardware, and services available. The level of trust will be determined by the IT managers.

The modification of resources quickly and effectively should be a priority. This includes bandwidth, storing, and processing. This covers the entire span of the enterprise and all of the policies that are in place.

Making improvements to the management of the security services that are offered within the infrastructure. This includes the encrypted information, the identity, and the security configurations of the management. An audit should also be conducted in that system for effective control in the area of checks and balances.

The reality of it is that the threat to security is one that can be constant. Therefore the community needs to have methods in place to counter any and all threats within the Department of Defense systems. Effectively assessing the security of the changes is important. It will ensure that even with new technology coming along that the environment can be modified as needed in order to make sure the level of security remains constant for the Department of Defense.

There are initiatives though that require solutions to offer an immediate return on such investments. At the same time they have to be able to both expand on and maintain the quality of the computer network defense abilities. This is a huge advantage which is offered through the net centric operations. The GIG has to be able to fight and to continue to move forward in spite of such attacks. It is critical that everything continues to operate before, during, and after such attempts have been made.

The priorities of the department mean that it is very likely for features to be offered in order to adequately represent the progress of the security. It can be implemented as it needs to be across the entire net centric environment. There are a variety of commitments that need to have such high levels of protection in place while the data is being transferred.

The department has to ensure that all of the parts of the mission will be addressed as part of the overall risk assessment that is being done by the Department of Defense. The framework of policies, procedures, and initiatives that are in place will help to offset any concerns of violations occurring.

The Department of Defense has information programs and applications in place for the various computer networks. This is a way for all of the data to be protected while it is being transferred. The level of confidentiality that is in place will help to determine this. The mission assurance and level of exposure also influence this information.

The infrastructure of the applications and services need to have boundaries that are able to be configured for the operations. This all has to be in compliance with the various policies. Those policies have to adequately address different types of systems within the enterprise. This means the community is able to have an interest and to support the operational needs of the mission.

The Department of Defense also offers services for various computer networks so that they can be monitored. This is all in compliance with the different detections of and reactions to any possible intrusions. The goal is to limit the interruption of service due to any threats that may be in progress against the Department of Defense.

The roles of management and administration need to be very clear so that the security of the operation can be maintained. The provisions that need to be made for training various users in the area of security operations have to be clearly defined as well.

The information technology that is used can be on a global scale. The international aspect of the hardware and software need to be in place due to the increasing need for global providers. The IT communications and services here do introduce some new challenges when it comes to security. The resources of the GIG have to be managed and protected at all times so that there aren’t any breaches to this level of security.

The assets of the GIG have to establish a mission assurance ability that allows the hardware and software to be supplied adequately. This is all done through the engineering of the program. Assessments have to be done in order to reduce vulnerability.



Department Of Defense SharePoint Architecture Guide (DSAG) Part 4 Applying Principles and Rules

The Department of Defense requires the use of resources, assets, and procedures for information to be effectively used. The advantage of being able to share such information across all entities within the department as well as the partners is very effective. The information has to be managed by the department and their IT team. This will occur over the entire life of the use of the DIEA.

Risk management assessments have to be conducted in association with the way the information is going to be allocated. That way the Department of Defense is able to successfully accomplish the various functions and missions they have goals for. There will be many different activities that take place so the design of the program has to allow for them to all be accessible and operational.

Various types of information resources also need to be evaluated. They include the overall security system, personnel files, funding concerns, the equipment that will be used by the department, and the IT. There are many standards that have to be in place for all of these common processes to be governed successfully. Someone has to be monitoring them as well as responding to them.

There are guidelines in place for the various principles that need to be followed within the organization. This is what will allow them to be able to successfully complete the outlined mission. The principles have to express what the organization intends to do. That allows the design as well as the decisions made to be based on something that all will be able to understand. There are business rules in place that ensure operations within the system will always adhere to the set policies.

The Department of Defense has established principles and rules that are in place. It is important to understand that the DIEA supports all of them when it comes to the missions they have outlined. Even with the capabilities changing at times, there is an evolution process that can be tied into it through the IT team. They will be able to navigate the system to look for obstacles and then resolve them.

Some of the common situations that may have to be evaluated include limited amounts of bandwidth, the latency of the information, and control over emissions. It isn’t practical, though, to expect all of the rules to be achieved when you are talking about an emission control environment as the network. The Public Key Infrastructure (PKI) always requires a two way type of communication to take place.

With most battle space systems you have to consider even the milliseconds that take place. With an IP infrastructure that is up to date with the best of technology, though, you can focus on the seconds rather than the milliseconds, and that is a huge benefit in terms of a seamless operating system.

The laws of physics can’t be overridden when it comes to any type of architectural design. The needs of those that command the operations also have to be taken a look at on an individual level. The rules of DIEA are going to result in you always being connected though. The boundaries of the GIG still have to be considered but you will have the cutting edge of technology on your side. You can use them to secure all of the missions of the department.

With the use of DIEA 1.0 there is the ability to help everyone. This includes those that make the policies all the way up to those that create the systems and programs. Understanding the principles of the program and the business rules make this possible. They have to be in place to obtain solutions that are common and that are consistent with the policies of the Department of Defense.

The ability to get information into the environment that is valuable is very important. However, with the DIEA 1.0 you do have to change your mindset about how the information will be looked at. The support that is used for storing the information is hidden and greedily protected with the way things are right now.

However, if you want to meet the needs of those users now as well as when they change in the future you need to offer information that is visible and that is freely being shared. Keep in mind that information is going to offer power to those that are able to successfully use it. Use the leveraging abilities from that power to your advantage.

With the vision of net centric information in place you will have an environment where that type of sharing takes place. The data will be successfully available where it needs to be rather than hidden. At the same time it will be trusted across the spectrum of the GIG. The context of the information will be easy to understand too and the services offered will be used for specific purposes.

All of the data will be visible. That will eliminate problems with being able to find information. It will also prevent users from not being able to decipher what the information has to offer them. This can ensure better decisions are made by users and that they can make them in less time.

Users will be happy when they know they can get the information they need. Too often with the current structure the mission is held up due to a lack of being able to get access to elements that are necessary to complete it successfully. The fact that the user can access the information from various locations makes it much more convenient.

The priority for the department is to take on the challenges that may occur during the changes. When they take on a new approach and change from the current system to the DIEA 1.0 there will be rules and principles that have to change. They will serve as the method of guidance through the net centric implementation.
