TechEd 2010: SharePoint Security – Permissions, Identities & Objects…Including a ‘Gotcha’ that Breaks Security Trimming

Dan Holme presents at TechEd 2010

This afternoon at TechEd, I attended the SharePoint Security: Permissions, Identities and Objects session presented by Dan Holme.  Dan is Director of Training and Consulting at Intelliem but, as he explained, his "job really is to help the [SharePoint] community."  In his session today, Dan set out to dive into the SharePoint 2010 security model, "looking at the object model security in SharePoint."

Noting that authentication is done at the Web application level, Dan began his demo-centric session with the Web Application Management page in SharePoint, explaining that there are two claim types: Classic mode and Claims-based authentication.  You can choose one or the other, but Dan stressed that the entire industry is moving toward claims-based authentication; as a consequence, Classic mode only supports Windows authentication.

After reviewing the Group-level permissions in SharePoint, Dan moved on to the list- and library-level permissions, mentioning that options are for permissions to either be inherited from the parent site or be set uniquely at the list/library level.  In order to set unique permissions, however, you need to break inheritance of necessity.  One nice new feature in 2010 is that when inheritance has been broken anywhere in a given site, there's a band at the top of the site that alerts you to that fact (and which also allows you to re-inherit permissions).  Dan mentioned that folder- and item-level permissions function just as do list- and library-level permissions.

One gotcha that Dan demonstrated is that "SharePoint is security trimmed, which is nice … except there's a place that it doesn't apply."  Dan explained that defaults take care of this exception but that since it's possible to reintroduce the issue with unique permissions, you should be aware of it.  The issue is that if a library is added to a Web Part page, it will show up in a user search of the site, even if a given user doesn't have permission to access that particular library.   The user won't be able to see the contents of the library, but if they can see that it's there at all, you could have a problem.  Dan said that "Once you break inheritance on anything in the site, this [potential issue] kicks in."  There is a setting that you can apply to circumvent the issue though, and it's a radio button selection that says, "Do not index Web Parts if this site contains fine-grained permissions."

Since permission levels are defined at the site collection level, one problem that can occur is that if a user checks out a document then leaves on vacation with that object checked out, no one is able to access it.  To address this, Dan recommends creating a custom permission level via the new SharePoint 2010 feature Add a permission level (in Site Settings).  You can create a permission level called, say, "Override Check-Out," create a group to assign the permission to, and define the securable object you're given that permission to, and you'll be all set.

In addressing a question from the audience on the subject of using SharePoint groups or Active Directory (AD) groups, Dan said that "You can create a group [in SharePoint] that allows group membership management," which you can't do in AD, but Dan pointed out that AD does have the advantage of giving you "centralized management security."  Dan recommends using AD for broadly accessed sites and SharePoint for lower-level collaborative sites.

Regarding administrative groups, Dan pointed out that since Windows admins can perform all of the functions of a farm admin and then some, you should "Be very careful about who's a [Windows] administrator."

Dan explained that anonymous access is "disabled by default for security reasons," but that if necessary it can be enabled via Central Admin, then authorizing it at the site level through Site Settings.

Regarding Web application security, Dan said that though you need farm-level access in order to do so, security policies can be set up directly within SharePoint.  These farm-level admin rights include the ability to "Create new permission policy levels" with granular permissions.

Dan closed his session by discussing audit settings and records management.  Regarding audit settings (available via Site Settings), he said that you're able to specify which types of changes you wish to be tracked in SharePoint 2010.  Dan also explained that the audit log reports show you what's happened, including what was viewed and by whom.

Regarding records management, Dan said that they provide the "ability to declare records in place."  This functionality must be enabled at the site level using the Site Collection Administration and the Library Declaration Settings.  Once records management has been enabled, however, you're able to use the Declare as Record feature and, once so declared, an item is locked and is no longer available for editing (by anyone).

Bamboo Nation's complete coverage of TechEd 2010:

SharePoint

Applications

SharePoint apps are stand-alone applications that perform specific tasks on a SharePoint site. Apps can perform functions such as managing a discussion board or knowledge base, performing project management or time tracking tasks, or doing other workflow operations.

SharePoint

Product Suites

Experience greater power and savings by bundling our SharePoint apps and web parts.


Essentials


Essentials Plus


Bamboo Premier


Project Management Suite


Knowledge Management Suite


External User Manager


SharePoint

Web Parts

Extend SharePoint beyond its out-of-the-box capabilities by tailoring it to your requirements with Bamboo Solution’s growing portfolio of Web Parts. Web Parts are the building blocks of pages on a SharePoint site that can be used to customize the user interface and content of a site page. 

SharePoint

Product Suites

Experience greater power and savings by bundling our SharePoint apps and web parts.


Essentials


Essentials Plus


Bamboo Premier


Project Management Suite


Knowledge Management Suite


External User Manager


Office 365

Cloud Parts

Cloud Parts are functional components that extend your SharePoint environment whether it’s hosted, on-premises, or part of Microsoft Office 365. More than mere ports of existing software to the cloud, our Cloud Parts have been built from the ground up to take advantage of the best that the cloud has to offer.

SharePoint

Product Suites

Experience greater power and savings by bundling our SharePoint apps and web parts.


Cloud Parts Suite for O365/SP Onl.


Featured Services

SharePoint Health Check

A SharePoint Health Check will identify the causes of issues and risks associated with your specific environment, and is custom tailored to provide you with the best recommendations to optimize your SharePoint environment.

SQL Health Check

Document recommendations relating to performance, stability, availability, or a specific focus you request of your SQL Server database instances.

My SharePointXperts

The truth is that each SharePoint skill may not be a full time job for many organizations, and it is nearly impossible for one person to do everything you need – so augment your team with SharePointXperts; providing the skill sets you need when you need them!