Desired Solution: Come up with a model for our permissions and then implement it.
Goals:
- Centralize the management of people's access to various lists/sites within a site
- Allow administrative assistant(s) to manage their subdepartments' users' access
- Allow the SharePoint support staff full access and control over everything
- Use SharePoint groups based on the roles of every user in the department and subdepartments
- Create an Excel spreadsheet of all the new groups and their assigned permissions on the different sites we have
- Create a SharePoint Support Team group which will have full control of everything and have an email address attached to it so that users can contact them when needed
- Create a "SharePoint Group Managers" group that will "own" the other groups
- Set the owner of the SharePoint Group Managers to be the SharePoint support team
- Differentiate the proposed SharePoint groups and roles by how sensitive the position is
- All lower level position groups are managed by the SP Group Managers group and the higher level positions are managed by the SharePoint Support Team
- Create custom permission levels for this department:
  - Audit - Read + ability to create their own views
  - Restricted Contribute - contribute without the ability to delete or create personal views
  - Contribute without Views - well, it's contribute without personal views
- Reset permissions inheritance on the entire site and all subsites
- Work for a few hours and set all the groups with their appropriate permissions on each list/site. Many of our lists ended up with broken inheritance but quite a few didn't. We often set all users of a department as having read or a modified contribute on the site and just tweaked certain lists
- Go to the top-level site and edit the group quick launch so that all of the groups managed by the SharePoint managers are alphabetized and first before the groups managed by the SharePoint Support Team
- Give instructions to admin assistants/other group managers on how to manage the memberships of their groups (and no one but the SharePoint Support Team has full control on ANYTHING)
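
The spreadsheet of groups and permissions can double as a check that the finished setup still follows the model. The script below is an added example, not part of the original post: it reads a CSV export of that spreadsheet and reports rows that break the rules listed above. The column names, the Clerks/Directors/Interns groups and the site paths are assumptions made up for the sample.

```python
import csv
import io

SUPPORT = "SharePoint Support Team"
MANAGERS = "SharePoint Group Managers"

# Constructed sample of the group/permission spreadsheet, saved as CSV.
# Columns, site paths and the last three group names are assumptions.
SAMPLE_CSV = """group,owner,sensitive,site,level
SharePoint Support Team,SharePoint Support Team,yes,/dept,Full Control
SharePoint Support Team,SharePoint Support Team,yes,/dept/hr,Full Control
SharePoint Group Managers,SharePoint Support Team,yes,/dept,Read
Clerks,SharePoint Group Managers,no,/dept,Restricted Contribute
Clerks,SharePoint Group Managers,no,/dept/hr,Audit
Directors,SharePoint Group Managers,yes,/dept/hr,Contribute without Views
Interns,Interns,no,/dept,Full Control
"""

def audit(csv_text):
    """Return a sorted list of (group, site, problem) rule violations."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems = set()
    # Rule: the support team has Full Control on every site in the sheet.
    sites = {r["site"] for r in rows}
    support_full = {r["site"] for r in rows
                    if r["group"] == SUPPORT and r["level"] == "Full Control"}
    for site in sites - support_full:
        problems.add((SUPPORT, site, "support team lacks Full Control"))
    for r in rows:
        group, owner = r["group"], r["owner"]
        # Rule: nobody but the support team has Full Control on anything.
        if r["level"] == "Full Control" and group != SUPPORT:
            problems.add((group, r["site"], "Full Control outside support team"))
        if group == SUPPORT:
            continue  # the post does not say who owns the support team group
        # Rule: sensitive groups and the Group Managers group are owned by
        # the support team; lower-level groups by the Group Managers group.
        sensitive = r["sensitive"].strip().lower() == "yes"
        expected = SUPPORT if sensitive or group == MANAGERS else MANAGERS
        if owner != expected:
            problems.add((group, "*", "owner should be " + expected))
    return sorted(problems)

if __name__ == "__main__":
    for group, site, problem in audit(SAMPLE_CSV):
        print(f"{group} @ {site}: {problem}")
```

Re-running it after each round of list-level tweaks catches a group that was quietly given Full Control or handed to the wrong owner.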