SPFest Chicago: Dan Holme on SharePoint 2013 Sharing and Security

In his SharePoint Fest Chicago session, SharePoint 2013 Sharing and Security, Dan Holme set out to demystify security and sharing providing some best practice guidelines. In front of a standing-room-only crowd, Dan opened the session with a quick review of the fundamental components that are involved in providing users with security authorization:

  • Users – Objects at the site collection level linked to identity in the authentication provider.
  • Permissions levels – Most Common: Full Control, Design, Contribute, Read.
  • Security Scope – What is the securable object? Site, Library or List, Folder, Item.
  • Role Assignment – Association between the security scope, permission, and the user.
  • Groups – Collections of users who have common access requirements to a specific security scope. Owners, Members, and Visitors are the default groups.

With the high-level review complete, Dan went into a deeper examination of the nuances associated with each of these security components.


User objects are created at the root of the site collection and are created when:

  1. An administrator or group owner adds users to a group
  2. A user requests access to a site
  3. A user is granted direct permissions
  4. A user with access through an AD group makes a change to the site, such as uploading a document, that requires the user to be associated with something in the Content Db.

A list of the user objects can be accessed by clicking into any group on your site collection and modifying the query string to change the membership ID to 0.


While the option to Delete Users from the Site Collection is provided, Dan emphasized the point that deleting users from the site collection can break a number of things, including Created By references that read the user object.


Regardless of where they are created, group objects reside at the root of the site collection. It is also very important to understand when “To Nest” or “Not to Nest” groups. The conversation started with a look at the advantages:

  • Easy to grant users permissions
  • Centralized role-based management

And, the disadvantages:

  • If users are in an Active Directory group and that group is added to a SharePoint group to gain access to the securable object, there will be no visibility in SharePoint that the user has access to the site if the user has not made a change that resulted in the creation of a user object.
  • Potential loss of functionality (the extent of functional loss is dependent on environment configuration etc.) with People picker controls, Alerts, Task Assignment, etc. until a user object is created.

Having shared the advantages and disadvantages associated with nesting groups, Dan provided guidance by looking at the extremes at both ends of the spectrum.

Intranet sites
Add the AD group’s Domain user to the SharePoint group for easy access management.

Collaboration sites
Add users directly to SharePoint groups.

  • This provides visibility to site owners and members as to who has access to the site and supports collaboration functionality.

For everything in between those extremes, decisions will need to be made based on visibility and functionality requirements and ease of management requirements.


SharePoint 2013 comes with the new Edit permission level that is the default for Members groups created with team sites.

Edit = Contribute + Manage Lists

This could easily provide users more permissions on your site, so knowing the new default is critical for any Site Administrator. However, as Dan pointed out, not all Member groups will have the Edit permission
level. If the site was originally created in a SharePoint 2010 environment, the Members group associated with that site will maintain the Contribute permission level.

Dan also addressed how permissions work with the SharePoint 2013 Sharing interface. Sharing can, and often will break inheritance. However, SharePoint 2013 is smart enough that if the user with whom the item is shared already has a membership to a group that has permission to the item, the inheritance will not be broken.

After dispensing an impressive amount of information to an appreciative audience, including us here at Bamboo, Dan reminded everyone to “Say ‘No’ to Full Control,” and like everything else that Dan imparted, it is information well worth remembering.

SharePoint Online

The cloud parts are functional components that extend your SharePoint Online environment in Microsoft 365.

Supports Classic and Modern sites for SharePoint Online/Microsoft 365

Small Business Pricing and Discounts


Top SharePoint Online Products

Experience greater power and savings by bundling our SharePoint apps and cloud parts.

Calendar Plus


Employee Directory Plus

Org Chart Plus

Simple Search


Tree View


On-Premises Only

These web parts extend SharePoint beyond its out-of-the-box capabilities by tailoring it to your requirements with Bamboo Solution’s growing portfolio of SharePoint Web Parts.

SharePoint 2016, 2019, 2022 – Classic Pages Only


Top On-Premises Only Products

Experience greater power and savings by bundling our SharePoint apps and web parts.

Calendar Plus

Data Viewer

Password Change

Password Expiration

Password Reset


Our team of Microsoft 365 Technology Consultants helps you get the most out of your Microsoft technology, we have the best Microsoft 365 talent to streamline your organization.

Consulting to Streamline Your Department

M365 Plus

Managed Services

Microsoft 365

Consulting to Streamline Your Department

Human Resources

Information Technology

Marketing Campaigns




Our Consultants Have What You Need

Federal Contractors