Governance points for SharePoint permissions

Did you know there’s actually a right and wrong way of setting permissions within SharePoint?

Many companies take advantage of SharePoint’s excellent features for knowledge management, but it’s not always obvious how to control permissions to avoid letting the wrong people compromise your data.

Companies need to apply governance in SharePoint to give users correct access to folders, without inappropriately assigning administrator control. SharePoint admins should understand how business rules inform conventions for access control of their company’s information.

Read on for some great tips on how to manage your SharePoint access simply and appropriately.

SharePoint permission settings:

Some typical governance points for SharePoint permissions are:

1. Know your permission levels. Full Control, Design, Edit, Contribute, Read, Limited Access and View-Only are the defaults.
2. Use your OOTB (Out Of The Box) permission groups – Owners (full control), Member (edit) and Visitors (read).
3. Avoid assigning permissions directly. Try to add AD Groups into SharePoint Groups – it’s much easier to manage AD groups than big lists of individuals!
4. Limit the number of admins. Have key Global, SharePoint then Site Administrators. Site Owners should maintain ownership of their own site. Each site can have more than one owner to prevent single points of failure, but don’t let site ownership proliferate to unmanageable levels.
5. Avoid custom permissions levels unless necessary, or if creating custom permission levels, name them explicitly e.g. “Edit, not delete”.
6. Create custom groups at the top SharePoint level and use them on sub-sites.
7. Restrict the company process for who should create groups (and custom permission levels). Be ruthless about standardizing a group naming convention and a process of approval or request for new SharePoint groups.
8. Limit requirements for unique permissions. Always aim to break inheritance at the highest point possible. For example, instead of breaking permission inheritance on four libraries in one site, consider putting them into their own site and breaking permissions once. This minimizes the number of places SharePoint has unique permissions, reducing complexity. The same applies to folders. Aim to split libraries that require unique permissions, instead of breaking inheritance for a single folder or file.
9. Build permission trees from the top down. What’s the maximum allowed permission for every single user? Then work on the exceptions to this rule, which should be minimized. This is much simpler than trying to fix ad hoc permissions  from the bottom up.
10. Know your external sharing options and decide what the maximum level of external sharing should be. Can users share external links? Can all users share externally or only members of a specific group?
11. When sharing, consider sharing with “Everyone” vs “Everyone except external users”.
12. Your work’s not done even when you’re all set up. To maintain security hygiene on your SharePoint installation you need to schedule permissions audits. Review your AD groups, remove individuals in favour of groups and consolidate excessive numbers of groups where possible. Find and remove orphaned permissions and unused groups.