SharePoint Security Primer / Avoiding Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand's article on the technical consequences of removing or renaming the default group names (see his comment below as well).

Overview:

SharePoint security is easy to configure and manage. However, it has proven difficult for some first-time administrators to really wrap their heads around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn't have to do any configuration in the intervening time. (I admit to having this problem myself.) This blog entry hopefully provides a useful SharePoint security primer and points toward some security configuration best practices.

Important Note:

This description is based on out-of-the-box SharePoint security. My personal experience is oriented around MOSS, so there may be some MOSS-specific material here, but I believe it is accurate for WSS as well. I hope that anyone who sees errors or omissions will point them out in the comments or by email. I'll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental security concepts: users/groups, securable objects, permission levels and inheritance.

Users and groups break down as follows:

  • Individual users: Pulled from Active Directory or created directly in SharePoint.
  • Groups: Mapped directly from Active Directory or created in SharePoint. Groups are a collection of users. Groups are global within a site collection. They are never "tied" to a specific securable object.

Securable objects break down, at a minimum, as follows:

  • Sites
  • Document libraries
  • Lists, and individual items in lists and document libraries
  • Folders
  • Various BDC (Business Data Catalog) settings

There are other securable objects, but you get the picture.

Permission levels: A bundle of granular, low-level access rights that include such things as create/read/delete entries in lists.

Hereditas: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The most important security rules to understand, ever:

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as defining a group at the site level).
  3. Group names notwithstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security only in the context of a specific securable object.
  5. You may assign a different permission level to the same group on every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of groups and user lists can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true, but not because the group's name happens to be "Contributor". It is only true out of the box because the group has been granted a permission level at the root site that lets its members add/edit/delete content. Through inheritance, the "Contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level on a sub-site such that members of the so-called "Contributor" group cannot contribute there at all, but can only read (for example). This would not be a good idea, obviously, since it would be very confusing.
  • Groups are not defined at the site level: It's easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site's "People and Groups" link. It's easy to believe that when I'm at site "xyzzy" and I create a group through xyzzy's People and Groups link, I've just created a group that only exists at xyzzy. That is not the case. I've actually created a group for the whole site collection.
  • Group membership does not vary by site (i.e. a group is the same everywhere): Consider the group "Owners" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites: an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn't know better, I would go to People and Groups via the HR site's links, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I'm removing her from Owners at the Logistics site. In fact, I'm removing her from the site collection's one and only Owners group, which also owns HR. Hilarity ensues.
  • Failing to name groups based on their specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level on a particular securable object. In the previous HR/Logistics scenario, I would have created two new groups, "HR Owners" and "Logistics Owners", and assigned each one, on its own site only, the minimum permission level its users need to do their work.
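The six rules and the pitfalls above can be made concrete against the WSS 3.0 / MOSS 2007 object model. The following console program is an added example written for this page, not code from the original post or from Microsoft. It assumes a site collection whose root web has two sub-sites named "HR" and "Logistics", two Active Directory accounts CONTOSO\hr.owner and CONTOSO\log.owner, and that it is compiled against Microsoft.SharePoint.dll and run on a farm server under an account with rights to the site collection; all of those names are assumptions. It shows that SiteGroups is the same collection from any web (rules 1 and 2), that a group gains rights only through a role assignment on a specific securable object (rules 3 to 5), and, in ReportGroupReach, how to find every web a group is bound to before editing its membership, which is the check that would have prevented the HR/Logistics mix-up.

```csharp
// Added example for this page (assumed site layout and logins, see lead-in).
using System;
using Microsoft.SharePoint;

class SharePointSecurityDemo
{
    static void Main(string[] args)
    {
        string siteUrl = args.Length > 0 ? args[0] : "http://intranet";   // assumed URL

        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb root = site.RootWeb)
        using (SPWeb hr = root.Webs["HR"])                 // assumed sub-site names
        using (SPWeb logistics = root.Webs["Logistics"])
        {
            // Rule 2 / pitfall 2: SiteGroups is the site collection's group list. It is the
            // same collection whether you ask the root web or a sub-site for it.
            Console.WriteLine("SiteGroups seen from root: {0}, from HR: {1}",
                root.SiteGroups.Count, hr.SiteGroups.Count);

            // By contrast, web.Groups lists only groups holding a role assignment on THIS
            // securable object. On a sub-site that still inherits, it mirrors the parent.
            Console.WriteLine("Groups with an assignment on HR: {0}", hr.Groups.Count);

            // Pitfalls 3/4: one role-named group per site instead of a shared "Owners".
            SPUser hrOwner = root.EnsureUser(@"CONTOSO\hr.owner");     // assumed logins
            SPUser logOwner = root.EnsureUser(@"CONTOSO\log.owner");
            SPGroup hrOwners = EnsureGroup(root, "HR Owners", hrOwner,
                "Owns the HR site only");
            SPGroup logOwners = EnsureGroup(root, "Logistics Owners", logOwner,
                "Owns the Logistics site only");
            hrOwners.AddUser(hrOwner);
            logOwners.AddUser(logOwner);

            // Rules 3-5: a group carries no permission until bound to a permission level on
            // a specific securable object, and the same group may get a different level on
            // every object. Here each group gets Full Control on its own sub-site only.
            GrantOnWeb(hr, hrOwners, "Full Control");
            GrantOnWeb(logistics, logOwners, "Full Control");

            // Check: hr.owner can add content on HR but has no such right on Logistics.
            Console.WriteLine("hr.owner can contribute to HR: {0}",
                hr.DoesUserHavePermissions(hrOwner.LoginName, SPBasePermissions.AddListItems));
            Console.WriteLine("hr.owner can contribute to Logistics: {0}",
                logistics.DoesUserHavePermissions(hrOwner.LoginName, SPBasePermissions.AddListItems));

            // Before changing a group's membership, see everything that change will touch.
            ReportGroupReach(site, hrOwners);
        }
    }

    // Create the group at site-collection scope if it does not exist yet. It goes into
    // SiteGroups because groups are never created "at" a sub-site (rule 2).
    static SPGroup EnsureGroup(SPWeb root, string name, SPUser owner, string description)
    {
        foreach (SPGroup g in root.SiteGroups)
            if (string.Equals(g.Name, name, StringComparison.OrdinalIgnoreCase))
                return g;
        root.SiteGroups.Add(name, owner, owner, description);
        return root.SiteGroups[name];
    }

    // Bind a group to a permission level on one web. Until this runs the group has no
    // rights anywhere: its name alone grants nothing (rule 3).
    static void GrantOnWeb(SPWeb web, SPGroup group, string permissionLevel)
    {
        if (!web.HasUniqueRoleAssignments)
            web.BreakRoleInheritance(true);    // keep a copy of the parent's assignments, then diverge

        SPRoleDefinition level = web.RoleDefinitions[permissionLevel];
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(level);
        web.RoleAssignments.Add(assignment);
    }

    // List every web where the group actually holds a role assignment. Removing a user
    // from the group removes her from all of these at once (pitfall 3).
    static void ReportGroupReach(SPSite site, SPGroup group)
    {
        foreach (SPWeb web in site.AllWebs)
        {
            using (web)   // every SPWeb from AllWebs must be disposed by the caller
            {
                foreach (SPRoleAssignment ra in web.RoleAssignments)
                {
                    if (ra.Member.ID != group.ID) continue;
                    foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
                        Console.WriteLine("{0,-40} {1,-14} {2}", web.Url, def.Name,
                            web.HasUniqueRoleAssignments ? "(unique)" : "(inherited)");
                }
            }
        }
    }
}
```

Run it as `SharePointSecurityDemo.exe http://your-site-collection`. GrantOnWeb breaks inheritance with copyRoleAssignments set to true so that existing access on the sub-site is preserved while the new group is added; pass false only if you intend to start the sub-site's permissions from scratch, and review the ReportGroupReach output for the default "Owners" group before you remove anyone from it.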

Other Useful References:

If you have read this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!


8 thoughts on "SharePoint Security Primer / Avoiding Common Pitfalls"

  1. Perry

    More pitfalls:

    * There are some special permissions available elsewhere in the SSP that do not appear in the People and Groups section: "Personalization services permissions" and "Business Data Catalog permissions".

    * I have read that there are also permissions configurable in some special SharePoint XML buried inside the HTML somewhere.

    * The primary and secondary site collection administrators are held elsewhere, in Site Collection Settings, and do not appear in the People and Groups section.

    * Certain accounts have magical (special) powers regardless of what you see in People and Groups: members of the built-in Administrators group on the web servers, and the farm and service accounts.

    (PS: Deleting the spam would improve the legibility of the comments here.)

  2. John Wright
    This is a great post. I have run into these pitfalls on a few occasions. Security administration can get complicated when you start mixing authentication methods and security groups in different ways. This should be part of the planning process and should not be ignored.
  3. Mark says:
    (Note from Paul: Mark asked me to make a small change to his comment. I can't edit live comments, so I've re-added it with the change and deleted the original here.)
    Paul,
    As a summary approach to security this comes off well, great info. I especially liked the "Pitfalls" section, having run into a few of them myself.
    Another thing you said hit home: knowing something on Monday doesn't necessarily mean you'll remember it on Friday. I'm glad someone besides me is using their blog as a "tickler" for things that aren't done on a regular basis.
    Good work.
    Regards,
    Mark
    EndUserSharePoint.com

    November 27 9:04 AM
    (http://www.EndUserSharePoint.com)

  4. Paul Galvin
    I think it's probably worthwhile to remove the default groups, especially Contributor and Owner. They are overbroad and easily confused. I prefer to use "All Authenticated Users" in place of a "Visitor" group as well. If a specific set of users should have only read-only access, then I'd recommend creating an AD group or SharePoint group with an appropriately descriptive name, e.g. "Logistics Visitors".
    --Paul G
