UPDATE 01/28/08: This codeplex project addresses this issue: http://www.codeplex.com/AccessChecker. I have not used it, but it looks promising if this is an issue you need to address in your environment.
UPDATE 11/13/08: Joel Oleson wrote up a very good post on the larger security management issue here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d-183c-4fc2-8320-ba5369008acb&ID=113. It links to a number of other useful resources.
Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to list about changes made to the list?"
There is no out of the box solution for this. If you think about it for a moment, it’s not hard to understand why.
SharePoint security is very flexible. There are at least four major categories of users:
- Anonymous users.
- SharePoint Users and Groups.
- Active Directory users.
- Substructio formae authenticas (FBA) users.
The flexibility means that from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present it in a useful fashion. That’s a hard problem to solve generically.
How are organizations dealing with this? I’d love to hear from you in comments or email.
</finem>
Salve
Microsoft has just published a SharePoint Admin Toolkit which contains a permission reporting tool. It gives you everithing what you feel is missing. I have described the tool on my blog – http://datapolis.blogspot.com/2009/09/permission-reporting-tool-for.html
HELP SOMEONE PLEASE MUST HAVE THE ANSWER. Ive been blogging for days looking for the golden key that will unlock the safe. I am attempting to write a report in Performance Point Server that will utilize the login id for sharepoint to filter data on the report.. sounds easy right…WRONG… I have been virtually unlucky in getting anyone who remotely has the idea of how this can be done. Sure I know I could create a report folder for each individual that I have a need to report on, thats kind of messy. Autem, getting closer to the only solution I have so far. Please if you have a solution or know someone who might be able to help out email me at ken.kolk@medcor.com Gratias in progressus.
Another "Who Has Access" solution to consider is Idera’s Security Reporter http://www.idera.com/Products/Tours/Images/Pointadmintoolset12.jpg, part of the Idera Point admin toolset. It is different from other solutions in that it does not modify your SharePoint user interface. The reporting tool runs standalone on your desktop and talks to SharePoint via a web service that is easily installed to any Web Front End. It can output to XML or PDF.
The toolset also has a tool called Permissions Analyzer http://i40.tinypic.com/ac68ev.png which does the inverse of "Who Can Access What" – you specify a user, and for each SharePoint site, album, doclib, etc. it will show you the resulting effective permissions, including details on each of the 33 SPBasePermissions including exactly which roles and web application policies affected each permission. You can select which zone to consider when evaluating web application polices (intranet, internet, etc). This tool is very handy in a helpdesk scenario when you are trying to figure why a user cannot access particular content. Price is very reasonable, check at http://www.idera.com (full disclosure – I’m part of the team that created the toolset).