Wednesday, March 23, 2011

Fixing crazy SharePoint permissions

Situation:  SharePoint grew organically and we ended up with permissions craziness.
Desired Solution:  Come up with a model for our permissions and then implement it.
Goals:
  1. Centralize the management of people's access to various lists/sites within a site
  2. Allow administrative assistants to manage the access of users in their own subdepartments
  3. Allow the SharePoint support staff full access and control over everything
Final Solution model:
  1. Use SharePoint groups based on the roles of every user in the department and subdepartments
  2. Create an Excel spreadsheet of all the new groups and their assigned permissions on the different sites we have
  3. Create a SharePoint Support Team group that has Full Control over everything, with an email address attached to it so that users can contact the team when needed
  4. Create a "SharePoint Group Managers" group that will "own" the other groups
    1. Set the owner of the SharePoint Group Managers to be the SharePoint support team
  5. Differentiate the proposed SharePoint groups and roles by how sensitive the position is
    1. All lower-level position groups are owned (managed) by the SharePoint Group Managers group; the higher-level, more sensitive position groups are owned by the SharePoint Support Team
  6. Create custom permission levels for this department
    1. Audit - Read plus the ability to create personal views
    2. Restricted Contribute - Contribute without the ability to delete items or to create personal views
    3. Contribute without Views - Contribute without the ability to create personal views
  7. Reset permission inheritance on the entire site and all subsites, so that every subsite and list starts out inheriting from the top-level site again
  8. Work for a few hours setting each group's permissions on each list/site.  Many of our lists ended up with broken inheritance, but quite a few didn't: we usually gave all users of a department Read or a modified Contribute on the site and only tweaked certain lists
  9. Go to the top-level site and edit the group quick launch so that the groups managed by the SharePoint Group Managers come first, alphabetized, followed by the groups managed by the SharePoint Support Team
  10. Give instructions to the admin assistants/other group managers on how to manage the memberships of their groups (no one but the SharePoint Support Team has Full Control on ANYTHING)
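The following script is an added example of the model above (steps 3 through 9) scripted against the SharePoint 2010 server object model from PowerShell; it is not code from the original post.  The site URL, the seed account, the department and group names, the "Invoices" list and the contact email address are assumed placeholders.  It derives the three custom permission levels from the built-in Read and Contribute by masking bits, creates the support and group-manager groups with the ownership chain described in steps 3 to 5, resets inheritance everywhere, binds groups to permission levels on the site and on one list with broken inheritance, orders the quick launch, and finishes with the check a practitioner wants after step 10: a listing of anyone other than the support team who still holds Full Control anywhere.

```powershell
# Added example, not from the original post: SharePoint 2010 server object model driven from PowerShell.
# Site URL, seed account, group names, list name and e-mail address are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = "http://intranet/sites/finance"   # assumed department site collection (top-level site)
$supportSeed = "CONTOSO\spsupport"                # assumed account that seeds the support group
$web  = Get-SPWeb $siteUrl
$perm = [Microsoft.SharePoint.SPBasePermissions]

# --- Step 6: custom permission levels, derived from the built-in Read and Contribute by bit masking ---
if (-not $web.HasUniqueRoleDefinitions) { $web.RoleDefinitions.BreakInheritance($true, $true) }
function Get-RoleDef([string]$name) { $web.RoleDefinitions | Where-Object { $_.Name -eq $name } }
function New-DeptPermissionLevel([string]$name, [string]$desc, [long]$mask) {
    $existing = Get-RoleDef $name
    if ($existing) { return $existing }                       # idempotent: re-running the script is safe
    $rd = New-Object Microsoft.SharePoint.SPRoleDefinition
    $rd.Name = $name; $rd.Description = $desc
    $rd.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
    $web.RoleDefinitions.Add($rd)
    return (Get-RoleDef $name)
}
$readMask    = [long](Get-RoleDef "Read").BasePermissions
$contribMask = [long](Get-RoleDef "Contribute").BasePermissions
$deleteBits  = [long]$perm::DeleteListItems -bor [long]$perm::DeleteVersions
$viewBits    = [long]$perm::ManagePersonalViews
$audit      = New-DeptPermissionLevel "Audit"                    "Read plus personal views"                 ($readMask -bor $viewBits)
$restricted = New-DeptPermissionLevel "Restricted Contribute"    "Contribute, no delete, no personal views" ($contribMask -band (-bnot ($deleteBits -bor $viewBits)))
$noViews    = New-DeptPermissionLevel "Contribute without Views" "Contribute, no personal views"            ($contribMask -band (-bnot $viewBits))
$fullCtrl   = Get-RoleDef "Full Control"

# --- Steps 3-5: support team owns itself and the managers group; managers own the lower-level role groups ---
$seed = $web.EnsureUser($supportSeed)
function Get-OrCreateGroup([string]$name, $owner, [string]$desc) {
    $g = $web.SiteGroups | Where-Object { $_.Name -eq $name }
    if (-not $g) { $web.SiteGroups.Add($name, $owner, $seed, $desc); $g = $web.SiteGroups[$name] }
    return $g
}
$support  = Get-OrCreateGroup "SharePoint Support Team" $seed "Full control everywhere. Contact spsupport@contoso.com (assumed address)"
$support.Owner = $support; $support.Update()                # the team maintains its own roster
$managers = Get-OrCreateGroup "SharePoint Group Managers" $support "Admin assistants who maintain the lower-level role groups"
$roleOwners = @{ "Finance - Staff"    = $managers; "Finance - AP Clerks" = $managers;   # lower-level roles (assumed names)
                 "Finance - Auditors" = $support;  "Finance - Payroll"   = $support }   # sensitive roles
$groups = @{}
foreach ($name in $roleOwners.Keys) { $groups[$name] = Get-OrCreateGroup $name $roleOwners[$name] "Role group" }

# --- Step 7: every subsite and list inherits from the top-level site again before the model is applied ---
foreach ($w in $web.Site.AllWebs) {
    if ($w.ID -ne $web.ID -and $w.HasUniqueRoleAssignments) { $w.ResetRoleInheritance() }
    foreach ($list in $w.Lists) { if ($list.HasUniqueRoleAssignments) { $list.ResetRoleInheritance() } }
    $w.Dispose()
}

# --- Step 8: bind groups to permission levels on the site; break inheritance only where a list differs ---
function Grant-Role($securable, $group, $roleDef) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment -ArgumentList $group
    $ra.RoleDefinitionBindings.Add($roleDef)
    $securable.RoleAssignments.Add($ra)
}
Grant-Role $web $support  $fullCtrl                         # the only Full Control binding anywhere
Grant-Role $web $managers $audit
Grant-Role $web $groups["Finance - Staff"]     $noViews
Grant-Role $web $groups["Finance - AP Clerks"] $noViews
Grant-Role $web $groups["Finance - Auditors"]  $audit
Grant-Role $web $groups["Finance - Payroll"]   $restricted
$invoices = $web.Lists.TryGetList("Invoices")               # assumed list that only AP clerks and auditors may use
if ($invoices) {
    if (-not $invoices.HasUniqueRoleAssignments) { $invoices.BreakRoleInheritance($true) }   # copy, then tweak
    foreach ($p in @($groups["Finance - Staff"], $groups["Finance - Payroll"], $managers)) { $invoices.RoleAssignments.Remove($p) }
    Grant-Role $invoices $groups["Finance - AP Clerks"] $restricted
}

# --- Step 9: quick launch shows manager-owned groups first (alphabetical), then support-owned groups ---
$web.AssociatedGroups.Clear()
$ordered = @($groups.Values | Where-Object { $_.Owner.ID -eq $managers.ID } | Sort-Object Name) +
           @($groups.Values | Where-Object { $_.Owner.ID -eq $support.ID  } | Sort-Object Name) + @($managers, $support)
foreach ($g in $ordered) { $web.AssociatedGroups.Add($g) }
$web.Update()

# --- Check: who holds Full Control anywhere besides the support team? Expect no rows once the model is in place. ---
function Get-FullControlHolders {
    foreach ($w in $web.Site.AllWebs) {
        $scopes = @(@{ Label = $w.Url; Obj = $w }) + @($w.Lists | Where-Object { $_.HasUniqueRoleAssignments } |
                  ForEach-Object { @{ Label = "$($w.Url) / $($_.Title)"; Obj = $_ } })
        foreach ($s in $scopes) {
            if (-not $s.Obj.HasUniqueRoleAssignments) { continue }     # inherited scopes are covered by their parent
            foreach ($ra in $s.Obj.RoleAssignments) {
                $full = $ra.RoleDefinitionBindings | Where-Object { $_.BasePermissions -eq $perm::FullMask }
                if ($full -and $ra.Member.Name -ne $support.Name) {
                    New-Object PSObject -Property @{ Scope = $s.Label; Principal = $ra.Member.Name }
                }
            }
        }
        $w.Dispose()
    }
}
Get-FullControlHolders | Format-Table Scope, Principal -AutoSize
$web.Dispose()
```

Two caveats when reading the final check.  First, it only inspects group and user role assignments: site collection administrators and web application user policies grant full access without any role assignment, so they never show up here and have to be reviewed separately.  Second, custom permission levels can only be added on a site that has its own role definitions, which is why the script breaks role-definition inheritance first when the department site is not the root of its site collection.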
Result:  We have an administrative assistant who goes to the People and Groups page on the top site and clicks on the role a user plays whenever she processes new employees or shifting employees.  We are still watching this but all looks well enough to deploy to each department as we progress.  This ends up with a lot of groups but works for our environment because we don't have several hundred groups accessing the same information.  This pretty much follows my previous posts on permissions architecture.