Wednesday, March 23, 2011

Fixing crazy SharePoint permissions

Situation:  SharePoint grew organically and we ended up with permissions craziness.
Desired Solution:  Come up with a model for our permissions and then implement it.
  1. Centralize the management of people's access to various lists/sites within a site
  2. Allow administrative assistant(s) to manage access for their subdepartments' users' access
  3. Allow the SharePoint support staff full access and control over everything
Final Solution model:
  1. Use SharePoint groups based on the roles of every user in the department and subdepartments
  2. Create an Excel spreadsheet of all the new groups and their assigned permissions on the different sites we have
  3. Create SharePoint Support Team group which will have full control of everything and have an email address attached to it so that users could contact them when needed
  4. Create a "SharePoint Group Managers" group that will "own" the other groups
    1. Set the owner of the SharePoint Group Managers to be the SharePoint support team
  5. Differentiate the proposed SharePoint groups and roles by how sensitive the position is
    1. All lower level position groups are managed by the SP Group Managers group and the higher level positions are managed by the SharePoint Support Team
  6. Create custom permission levels for this department
    1. Audit - Read + ability to create their own views
    2. Restricted Contribute - contribute without the ability to delete or create personal views
    3. Contribute without Views - well, it's contribute without personal views
  7. Reset permissions inheritance on the entire site and all subsites
  8. Work for a few hours and set all the groups with their appropriate permissions on each list/site.  Many of our lists ended up with broken inheritance but quite a few didn't.  We often set all users of a department as having read or a modified contribute on the site and just tweaked certain lists
  9. Go to the top-level site and edit the group quick launch so that all of the groups managed by the SharePoint managers are alphabetized and first before the groups managed by the SharePoint Support Team
  10. Give instructions to admin assistants/other group managers on how to manage the memberships of their groups (and noone but the SharePoint Support Team has full control on ANYTHING)
Result:  We have an administrative assistant who goes to the People and Groups page on the top site and clicks on the role a user plays whenever she processes new employees or shifting employees.  We are still watching this but all looks well enough to deploy to each department as we progress.  This ends up with a lot of groups but works for our environment because we don't have several hundred groups accessing the same information.  This pretty much follows my previous posts on permissions architecture.

Wednesday, March 9, 2011

Outlook View Dynamic Date Filter

This is an oldie but a goodie.  Refer to this article to see where I got this.  Situation:  I need to see emails that are older than 60 days in Outlook 2007 or 2010 so that I can delete them; so, I go in Outlook and I create a "view" of my inbox.  If you haven't ever done this before, in 2010 you click your inbox and then click the "View" tab and click "View Settings" on the left.  You will be presented with a box to modify your current view.  I just click the Filter... button, click on "Advanced", choose "Date/Time Field" -> "Received" for the field to check; then I click "on or before" for the middle dropdown; and type in any date for the Value and click "Add to List".  Then, go to the SQL tab and click the "Edit these criteria directly" checkbox.  At the end of what displays should be your actual date in single quotes...delete that and replace it with today(S) where S is the number of seconds you would like to offset from today and this can be a negative number to go backwards. So, I calculated that 60 days is 5184000 seconds before today so my SQL tab used to look like this:
"urn:schemas:httpmail:datereceived" <= '1/1/2011 12:00 AM'

and by using today(S) I converted it into this:

"urn:schemas:httpmail:datereceived" <= today(-5148000)

And that's it.  This will filter to only show items that are 60 days old or older.