SPFest Chicago: Dan Holme on SharePoint 2013 Sharing and Security

SPFest Chicago: Dan Holme on SharePoint 2013 Sharing and Security

by | Dec 10, 2014 | The Bamboo Team Blog

In his SharePoint Fest
Chicago session, SharePoint 2013 Sharing and Security, Dan Holme set out
to demystify security and sharing providing some best practice guidelines.
In front of a standing room only crowd, Dan opened the session with a quick
review of the fundamental components that are involved in providing users with
security authorization:
  • Users – Objects at the site collection level linked to identity in
    the authentication provider.
  • Permissions levels – Most Common:
    Full Control, Design, Contribute, Read.
  • Security Scope – What is the securable object? Site, Library or
    List    , Folder, Item.
  • Role Assignment – Association between the security scope,
    permission and the user.
  • Groups – Collections of users who have common access requirements
    to a specific security scope. Owners,
    Members and Visitors are the default groups.

With the high-level review
complete, Dan went into a deeper examination of the nuances associated with
each of these security components.

Users

User objects are created at the
root of the site collection and are created when:

  1. An administrator or group owner adds users to a group
  2. A user requests access to a site
  3. A user is granted direct permissions
  4. A user with access through an AD group makes a change to the site,
    such as uploading a document, that requires the user to be associated with
    something in the Content Db.

A list of the user objects can be
accessed clicking into any group on your site collection, and modifying the
query string to change the membership ID to 0.

/_layouts/15/people.aspx?MembershipGroupId=0

While the option to Delete
Users from the Site Collection is provided, Dan emphasized the point that
deleting users from the site collection can break a number of things, including
Created By references that read the user object.

Groups

Regardless of where they are
created, group objects reside at the root of the site collection. It is also very important to understand when
“To Nest” or “Not to Nest” groups.

The conversation started with a
look at the advantages:

  • Easy to grant users permissions
  • Centralized role-based management

And, the disadvantages:

  • If users are in an Active Directory group and that group is added
    to a SharePoint group to gain access to the securable object, there will be no
    visibility in SharePoint that the user has access to the site if the user has
    not made a change that resulted in the creation of a user object.
  • Potential loss of functionality (the extent of functionally loss
    is dependent on environment configuration etc.) with People picker controls,
    Alerts, Task Assignment, etc. until a user object is created.

Having shared the advantages and
disadvantages associated with nesting groups, Dan provided the guidance
looking at the extremes at both ends of the spectrum.

Intranet sites
Add AD group’s Domain user to the
SharePoint group for easy access management.

Collaboration sites
Add users directly to SharePoint
groups.

  • This provides visibility to site owners and members as to who has
    access to the site, and supports
    collaboration functionality.

For everything in between those
extremes, decisions will need to be made based on visibility and functionality
requirements and ease of management requirements.

Permissions

SharePoint 2013 comes with the
new Edit permission level that is the default for Members groups created
with team sites.

Edit = Contribute + Manage Lists

This could easily
provide users more permissions on your site, so knowing
the new default is critical for any Site Administrator. However, as
Dan pointed out, not all Members groups will have the Edit permission
level. If the site was originally
created in a SharePoint 2010 environment, the Members group associated with
that site will maintain the Contribute permission level.

Dan also addressed how permissions work with the SharePoint 2013 Sharing interface. Sharing can, and often will, break
inheritance. However, SharePoint 2013 is smart enough that if the user with
whom the item is shared already has membership to a group that has
permission to the item, inheritance will not be broken.

After dispensing an impressive
amount of information to an appreciative audience, Dan reminded everyone to
“Say ‘No’ to Full Control,” and like everything else that Dan
imparted, it is information well worth remembering.

Get a Demo
Contact Us
Newsletter Signup

SharePoint Online

The cloud parts are functional components that extend your SharePoint Online environment in Microsoft 365.

Supports Classic and Modern sites for SharePoint Online/Microsoft 365

View All Products
SharePoint

Top SharePoint Online Products

Experience greater power and savings by bundling our SharePoint apps and cloud parts.

Calendar Plus

Chart Plus

Knowledge Base

Project Management Central

Simple List Search

 

View More

On-Premises Only

These web parts extend SharePoint beyond its out-of-the-box capabilities by tailoring it to your requirements with Bamboo Solution’s growing portfolio of SharePoint Web Parts.

SharePoint 2013, 2016, 2019 – Classic Pages Only

View All Products
SharePoint

Top On-Premises Only Products

Experience greater power and savings by bundling our SharePoint apps and web parts.

Calendar Plus

Data Viewer

Password Change

Password Expiration

Password Reset

 

View More

Our team of Microsoft 365 experts help you get the most out of your Microsoft technology, we have the best Microsoft 365 talent to streamline your organization.

Streamline Your Department

View All Services
Microsoft 365

Streamline Your Department

Human Resources

Information Technology

Marketing Campaigns

Healthcare

Sales

 

View More

We Have What You Need

View All Services
Microsoft 365

We Have What You Need

Microsoft 365 Enablement

Migration to Microsoft 365

Microsoft Teams

Power Automate

Power Apps

 

View More
Bamboo Solutions

About

Blogs

Webinar & Events

Twitch

Culture & Diversity

 

 

Bamboo Solutions

Tools

Resources

Bamboo Installer

 

Featured Services

SharePoint Health Check

A SharePoint Health Check will identify the causes of issues and risks associated with your specific environment, and is custom tailored to provide you with the best recommendations to optimize your SharePoint environment.

SQL Health Check

Document recommendations relating to performance, stability, availability, or a specific focus you request of your SQL Server database instances.

My SharePointXperts

The truth is that each SharePoint skill may not be a full time job for many organizations, and it is nearly impossible for one person to do everything you need – so augment your team with SharePointXperts; providing the skill sets you need when you need them!

Bamboo Services

Office 365 and SharePoint Consulting

SharePoint Health Check

SQL Health Check

Office 365 Migration Planning

My SharePointXPerts (On Demand)

Government Solutions

Business Solutions