WHITE PAPER SharePoint Permissions Management Centralized permissions management with SPDocKit ADIS JUGO
Content About Adis... 2 Introduction to SharePoint Permission Management... 3 Centralized Permission Management with SPDocKit... 4 Batch permissions management with SPDocKit... 4 On-the-fly permissions management with SPDocKit... 15 Permissions reporting and forensics with SPDocKit... 21 Conclusion... 28 SPDocKit - Ultimate SharePoint admin tool... 29 Page 1 of 31
About Adis ADIS JUGO, SHAREPOINT MVP Adis Jugo is a software architect with 20 years of professional experience in creating software solutions that make users' lives easier. He is passionate about improving all aspects and phases of the software development process. In addition to his two decades of experience in software development and architecture, he is a certified Professional Scrum Master (PSM) with extensive experience in agile project management. He is currently working as Director of Advisory for deroso Solutions, a Microsoft Gold Partner based in Germany, and he has been a speaker at various Microsoft conferences and user group meetings. In January 2012, he received the Microsoft Most Valuable Professional (MVP) award for Microsoft SharePoint Server.
Introduction to SharePoint Permission Management One of the strengths of SharePoint, and one of the main reasons the platform became so popular in the first place, is permissions. It does not matter whether permissions are governed centrally or whether site owners can grant permissions themselves: the powerful permission management in SharePoint helped the platform's popularity skyrocket. Everyone can set up permissions in his or her own way, and that is also the problem with SharePoint. Because this is possible, and because everyone who has the rights can do it, SharePoint's greatest strength very often turns out to be its greatest weakness. SharePoint has never been good at centralized permission management. Everything is fine as long as you only have a couple of site collections. However, when an IT administrator needs to add, delete or change users on several hundred, or even several thousand, site collections, things get interesting. Sure, you can write short PowerShell scripts for such tasks, but when you need to do so on a daily basis, things become more difficult. In addition, tracing the history of permissions can be challenging in SharePoint environments that are not tightly governed. Built-in permissions forensics in SharePoint is very basic at best, and permissions reporting is virtually nonexistent. Strangely enough, there are not many third-party tools that close this gap in SharePoint permissions. My favorite tool, and the one that I recommend to in-house administrators, is SPDocKit, which was one of the first tools to offer permissions reporting.
Centralized Permission Management with SPDocKit SPDocKit makes day-to-day permissions management a much less painful job because it includes a wizard-like centralized permissions management tool. I will outline some key permissions management tasks based on cases I was confronted with during my career and explain how SPDocKit can be used to automate these tasks (almost) completely. Batch permissions management with SPDocKit One of the most common cases in permissions management involves batch permissions management. Think about adding a new audience (users) to existing SharePoint content. This is fairly easy when you only have to deal with a few site collections, but what happens when you have hundreds, or thousands, of them? This was exactly the case we faced with a customer who had over 20,000 automatically provisioned SharePoint site collections: one site collection per customer project. The site collections had almost identical structures: the same lists and libraries, an identical predefined folder structure in the libraries, and a complex permissions structure. In all, we were faced with 24 SharePoint groups per site collection, times 20,000. At one point, an audit was going on, and we had to give external auditors permissions to review documents in certain libraries that were present in all 20,000 site collections. The auditors were not to have access to any other content in the SharePoint farm except for those libraries. The process included the following tasks: (1) breaking permission inheritance for the Reports libraries; (2) creating the permission level Auditing Permissions; (3) creating a SharePoint group for the auditors; (4) adding users to that group; (5) giving Auditing Permissions to the Auditors group on the Reports library.
This had to be done for all 20,000 site collections. Clearly, one could not do this task manually, and using PowerShell meant opening the door to a potentially large error margin. For that reason, our tool of choice to implement these requirements was SPDocKit. SPDocKit has a wizard-style interface used to execute permissions-related batch operations. You can find everything you would expect in the interface, including breaking and restoring permission inheritance on multiple levels, batch creating, editing and deleting SharePoint groups and permission levels, managing group membership, and assigning or revoking rights for principals on different securable objects. It all worked intuitively, which did not leave much room for mistakes. Before any batch operation is executed, SPDocKit shows a preview of the results, so the administrator can decide whether to proceed with the operation or cancel it.
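The same five tasks scripted directly against the SharePoint Server object model, as an added example that is not part of the white paper and not SPDocKit's code; it shows what the wizards spare you and what a careful script has to get right. The web application URL, library title, permission level name, group name, auditor logins and the read-only base permission set are all assumptions. -WhatIf provides the preview step: each site collection that would change is printed instead of modified, and -MaxSites limits a dry run to a pilot batch.

```powershell
# Added example, not SPDocKit code: batch auditor access across site collections.
# Run in the SharePoint Management Shell as a farm administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $WebAppUrl   = "http://projects.contoso.local",              # assumed
    [string]   $LibraryName = "Reports",
    [string]   $LevelName   = "Auditing Permissions",
    [string]   $GroupName   = "Auditors",
    [string[]] $Auditors    = @("CONTOSO\auditor1", "CONTOSO\auditor2"),    # assumed logins
    [int]      $MaxSites    = 0   # 0 = every site collection; >0 = pilot on the first N
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Read-only base permission set for the auditors (assumed): no write, no share, no alerts.
$auditBits = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems -bor
             [Microsoft.SharePoint.SPBasePermissions]::OpenItems     -bor
             [Microsoft.SharePoint.SPBasePermissions]::ViewVersions  -bor
             [Microsoft.SharePoint.SPBasePermissions]::ViewPages     -bor
             [Microsoft.SharePoint.SPBasePermissions]::Open

$sites = Get-SPWebApplication $WebAppUrl | Get-SPSite -Limit All
if ($MaxSites -gt 0) { $sites = $sites | Select-Object -First $MaxSites }

$done = 0; $skipped = 0
foreach ($site in $sites) {
    try {
        $web  = $site.RootWeb
        $list = $web.Lists.TryGetList($LibraryName)
        if ($null -eq $list) { $skipped++; Write-Warning "$($site.Url): no '$LibraryName' library, skipped"; continue }

        # With -WhatIf this prints the intended change and skips the site: the preview.
        if (-not $PSCmdlet.ShouldProcess($site.Url, "grant '$LevelName' to '$GroupName' on '$LibraryName'")) { continue }

        # (1) Break inheritance, copying the current assignments so nobody loses access.
        if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }

        # (2) Permission level: role definitions live on the root web, one per site collection.
        $roleDef = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
        if ($null -eq $roleDef) {
            $roleDef = New-Object Microsoft.SharePoint.SPRoleDefinition
            $roleDef.Name            = $LevelName
            $roleDef.Description     = "Read-only access for external auditors"
            $roleDef.BasePermissions = $auditBits
            $web.RoleDefinitions.Add($roleDef)
            $roleDef = $web.RoleDefinitions[$LevelName]
        }

        # (3) SharePoint group, owned by the site collection owner.
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
        if ($null -eq $group) {
            $web.SiteGroups.Add($GroupName, $site.Owner, $null, "External auditors")
            $group = $web.SiteGroups[$GroupName]
        }

        # (4) Membership: EnsureUser resolves the login to a site collection user.
        foreach ($login in $Auditors) { $group.AddUser($web.EnsureUser($login)) }

        # (5) Bind the level to the group on the library only, never on the web.
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $ra.RoleDefinitionBindings.Add($roleDef)
        $list.RoleAssignments.Add($ra)
        $done++
    }
    catch   { Write-Error "$($site.Url): $_" }
    finally { $site.Dispose() }
}
Write-Host "Changed $done site collection(s), skipped $skipped"
```

Two details matter for the "auditors see nothing else" requirement. Inheritance is broken with copyRoleAssignments set to true, so the principals that already had rights on the library keep exactly what they had. The role assignment is added on the list, not on the web: SharePoint then adds only the hidden Limited Access entry on the web so the auditors can navigate to the library, which is why you will see that entry appear in the site permissions afterwards.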
In the case above, we started with the Permission Inheritance Wizard. Image 1: Breaking permissions at all 20,000 instances of the reports library (one in each site collection)
The SPDocKit permissions wizard asked us to review and confirm the action to break the inheritance. Image 2: Preview of the changes Once that change was confirmed and applied, SPDocKit iterated through the site collections and executed the command. In the next step, the SharePoint administrator created the new permission level for auditors using the Permission Levels Wizard. The administrator chose the name for each new permission level and its base permissions. After a review and confirmation, every site collection received the new permission level: Auditing Permissions.
Image 3: Creating the new permission level for auditors
Image 4: Choosing base permissions Using the Group Management Wizard, our SharePoint administrator followed the same procedure to create a new SharePoint group (Auditors). After setting the group name, description, and owner, and then reviewing the changes, the Auditors group was created in all site collections.
Image 5: Creating a new SharePoint group Auditors Next, the administrator assigned the Auditing Permissions level to the Auditors group on the Reports document library, for all 20,000 site collections, using the Manage Permissions Wizard.
Image 6: Selecting principals and objects to change
Image 7: Assigning the Auditing Permissions level to the Auditors group on the Reports document library After these steps, we had a document library named Reports with broken permission inheritance in all site collections, and a SharePoint group named Auditors with the assigned custom permission level Auditing Permissions for that library. Of course, all 20,000 of the Auditors SharePoint groups (one per site collection) were empty at first. Using the SPDocKit Group Membership Wizard, we easily populated the groups with the standard auditors.
Image 8: Adding users to specific groups
Image 9: Defining SharePoint group membership changes A few minutes and five wizards later, we had broken the permission inheritance on 20,000 document libraries, created 20,000 SharePoint groups and custom permission levels, assigned the necessary custom permissions for those libraries, and populated the newly created SharePoint groups. SPDocKit made this job much easier. Writing custom PowerShell scripts would have taken considerably more time, and the process would have been more prone to errors. Executing those tasks manually through the SharePoint interface was not an option at all. In all the wizards mentioned above, all site collections from a web application were selected, but that is not a limit: admins can choose which ones to include. For example, if auditing is necessary on only 100 projects instead of all 20,000, admins can select just those 100 projects. The SPDocKit batch permission wizards allow administrators to do much more. They can revoke or change permissions, change the base permission set for each
permission level, and add or remove members from SharePoint groups. Essentially, when all (or some) of a large set of lookalike SharePoint site collections and sites require a permissions change, SPDocKit permission wizards are your best friend. This is true for all scenarios in which site provisioning is involved: it does not matter whether it is self-service site provisioning or site provisioning through a business workflow. These types of sites (project sites, team sites, meeting sites, etc.) are usually identical, or at least very similar, in structure, and there are usually plenty of them (SharePoint is a collaboration platform, after all). SPDocKit's batch permissions management is very useful when dealing with a large number of site collections; it can be a real lifesaver in that scenario. However, administrators are more likely to deal with permissions inside one site collection. On-the-fly permissions management with SPDocKit The SharePoint user interface provides all the basic options for dealing with permissions. We can create, edit, and delete groups; manage group memberships; and create and manipulate permission levels. By drilling down through SharePoint securable objects (sites, lists, folders and items), we can break and restore permission inheritance and set specific permissions on every object down to the item level. Even though SharePoint offers many possibilities, much remains open. New sharing capabilities make it easier than ever for users to break permission inheritance at the item or folder level, and it is not easy for administrators to identify those items. Cleaning up permissions remains a repetitive, slow task: moving users who obtained permissions directly into the appropriate SharePoint groups requires a lot of clicking. Administrators never have a broad overview of the permissions on one particular site. Dealing with permissions and the entire user experience (or rather the "admin experience") does not provide optimal efficiency.
Thus, many SharePoint admins handle permissions exclusively through PowerShell. However, PowerShell is a command-line tool and is therefore not appropriate
for everyone, especially if all an administrator needs to do is perform a few quick actions or get an overview of what is going on with permissions on a particular site. This is where SPDocKit comes in. In version 5, we got the Permissions Explorer. Using a familiar, hierarchical tree view of SharePoint securable objects, administrators can drill down through the site collection objects to do everything SharePoint allows with permissions, and even a bit more. Everyday operations are one click away, including detecting securable objects with unique permissions (broken permission inheritance); breaking and restoring permission inheritance; creating, editing, and deleting SharePoint groups and permission levels; and managing group memberships. This easy access significantly reduces the time needed to perform those repetitive tasks compared to the standard user interface. Image 10: Permissions Explorer While browsing through the site structure, administrators can easily see who has permissions on the currently selected object. Furthermore, they can filter those permissions by the principal's status (enabled or disabled), type (SharePoint
group, AD group, or user) and, an interesting feature, history. Each time SPDocKit loads the farm information, it writes that information to its database in the background. Administrators can then use it as a kind of "Wayback Machine" for permissions. In addition to browsing and exploring permissions, administrators can define settings at the site collection level: primary and secondary site collection administrators, members of the administrators group, and SharePoint groups and permission levels. Image 11: Setting the site collection administrators
Image 12: Creating a SharePoint group Image 13: Creating a new permission level via the SPDocKit interface
While drilling down through the hierarchy, administrators can break and restore permission inheritance at any location and grant or revoke permissions for the currently selected object. Image 14: Breaking permission inheritance
Image 15: Granting permissions for the selected object These features help administrators significantly speed up their work on permissions. In addition to speeding up repetitive everyday tasks, SPDocKit offers some useful automations for tasks that would normally require a lot of clicking or scripting. If you look at the Manage Permissions ribbon, you will see Edit, Clone, Transfer, Remove, Move to Group, and Copy to Group icons. Image 16: The SPDocKit Manage Permissions ribbon operations
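Two of the ribbon operations just listed, Clone and Transfer, reproduced by hand as an added example that is neither SPDocKit's code nor part of the white paper. It copies one user's SharePoint group memberships and every direct role assignment found in a site collection to a second user; with -Transfer it also revokes them from the original user. The site URL and the two logins are assumptions. The walk has to visit every web, list, folder and item that has unique permissions, which is where the Share button's item-level grants end up, so on a site collection with very large lists it will be slow.

```powershell
# Added example, not SPDocKit code: Clone (copy) or Transfer (copy, then revoke)
# one user's permissions to another inside a single site collection.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $SiteUrl     = "http://projects.contoso.local/sites/proj-0001",  # assumed
    [string] $SourceLogin = "CONTOSO\userZ",                                  # assumed
    [string] $TargetLogin = "CONTOSO\userW",                                  # assumed
    [switch] $Transfer    # default is Clone; -Transfer also removes the source user
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ObjectLabel($obj) {
    # Documents have an empty Title, so list items are labelled by file/folder name.
    $name = if ($obj -is [Microsoft.SharePoint.SPListItem]) { $obj.Name } else { $obj.Title }
    return "$($obj.GetType().Name) '$name'"
}

# Copy the source user's direct role assignment on one securable object to the target.
function Copy-DirectAssignment($obj) {
    if (-not $obj.HasUniqueRoleAssignments) { return }   # inherits: handled at its ancestor
    $srcRa = $obj.RoleAssignments | Where-Object { $_.Member.ID -eq $script:src.ID }
    if ($null -eq $srcRa) { return }
    if (-not $PSCmdlet.ShouldProcess((Get-ObjectLabel $obj), "copy permissions $SourceLogin -> $TargetLogin")) { return }

    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($script:tgt)
    foreach ($rd in $srcRa.RoleDefinitionBindings) {
        # Limited Access is granted implicitly by SharePoint and is rejected as an explicit binding.
        if ($rd.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest) { $ra.RoleDefinitionBindings.Add($rd) }
    }
    if ($ra.RoleDefinitionBindings.Count -gt 0) { $obj.RoleAssignments.Add($ra) }
    if ($Transfer) { $obj.RoleAssignments.Remove($script:src) }
}

# Visit the web, every list, every folder and item at any depth, then each subweb.
function Invoke-Walk($web) {
    Copy-DirectAssignment $web
    foreach ($list in $web.Lists) {
        Copy-DirectAssignment $list
        $q = New-Object Microsoft.SharePoint.SPQuery
        $q.ViewAttributes = "Scope='RecursiveAll'"
        foreach ($item in $list.GetItems($q)) { Copy-DirectAssignment $item }
    }
    foreach ($sub in $web.Webs) { try { Invoke-Walk $sub } finally { $sub.Dispose() } }
}

$site = Get-SPSite $SiteUrl
try {
    $root = $site.RootWeb
    $src  = $root.EnsureUser($SourceLogin)
    $tgt  = $root.EnsureUser($TargetLogin)

    # SharePoint groups are site-collection wide, so memberships are copied once, at the root.
    foreach ($g in $root.SiteGroups) {
        if ($g.Users | Where-Object { $_.ID -eq $src.ID }) {
            if ($PSCmdlet.ShouldProcess("group '$($g.Name)'", "add $TargetLogin")) {
                $g.AddUser($tgt)
                if ($Transfer) { $g.RemoveUser($src) }
            }
        }
    }
    Invoke-Walk $root
}
finally { $site.Dispose() }
```

Run it with -WhatIf first; the printed list of groups and objects is the equivalent of the preview the wizards give you, and it doubles as a report of everywhere the source user holds something directly. Group memberships and direct assignments are the only two channels this covers: rights the source user holds through an Active Directory group are not copied, because they belong to the AD group, not to the user.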
While the functions of Edit and Remove are clear (change permission levels or revoke a principal's permissions completely), the other four icons are particularly interesting. Although the SharePoint 2013 Share button allows users to quickly share content with other users, it creates many (sometimes unnecessary) item-level permissions where it would be much better to simply add the users to the appropriate SharePoint groups. With SPDocKit, administrators can easily clean up that mess by selecting the loose principals on objects with broken permission inheritance and then copying or moving them to the appropriate SharePoint groups, all with one click. Clone and Transfer offer other interesting functions. Administrators often face requirements such as "User X needs to have the same permissions as User Y" or "User Z is being transferred to another division and User W is taking his place". SPDocKit's Clone and Transfer capabilities do exactly that: they give a new user the same rights an existing user has, or transfer the existing rights to the new user and revoke them from the original user. That comes in handy in day-to-day work. Of course, as you would expect from a tool of this caliber, SPDocKit lets administrators get information about each user in the site collection (e.g., where the user comes from and his or her memberships in SharePoint and AD groups). Overall, this powerful toolset helps administrators perform permissions-related tasks. Permissions reporting and forensics with SPDocKit Permissions reporting and forensics are usually only needed when a problem arises. In these cases, it is important to determine who has permissions on certain securable objects and, more importantly, why. SharePoint permissions are serious business, and they must be treated as having the highest importance. A large amount of sensitive corporate information is stored in SharePoint, and giving unauthorized people access to classified content can pose a big
threat. Therefore, it is important to be able to report, at any time, who has permissions and through which channels those permissions were granted. SharePoint does not offer that ability out of the box, and it is a hassle to code that functionality in PowerShell. At the time of writing, SPDocKit is the only tool on the market that covers those cases and performs full permissions forensics. In addition to forensics, SPDocKit can help you keep your SharePoint clean by removing unused users and groups. In the Permission Reports section, you can easily detect groups that do not have any permissions in their sites, groups owned by a disabled SharePoint user, or groups containing disabled or orphaned users. You can then easily correct those issues by cleaning up those groups and users or giving them the necessary permissions. Image 17: Report showing SharePoint groups with no permissions
Image 18: Report showing orphaned users Image 19: Report showing users with no permissions in the site collection
Besides these simple but necessary cleaning tasks, the real strength of SPDocKit permission reports lies in permissions forensics. With these forensics reports, we can easily determine who has access to the data and why. For each SharePoint securable object, including sites, lists, and list items, SPDocKit will tell us who has permissions for those objects and in what way they were given. Image 20: Permissions for a SharePoint site grouped by permission For example, you can use this report to discover that the cleaning lady has Add items permission on the management site and that she got it through her membership in the Cleaning Staff Active Directory group. That group is a member of the Portal Contributors SharePoint group, which has been assigned the Contribute permission level for that particular site. That permission level, of course, contains Add items permission. You can find all that information with just one click. This represents the ultimate governance/compliance report in terms of SharePoint permissions.
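The "who has this permission, and why" question answered from the object model, as an added example that is not SPDocKit's code and not part of the white paper. For one site or library it lists every principal in the role assignments, expands SharePoint groups to their members and, when the ActiveDirectory module is available, nested AD groups to their users, records the chain each row came through, and flags the rows whose permission level actually contains the base permission you asked about (Add items in the cleaning-lady case). Site URL, library name and the example login are assumptions; the report needs PowerShell 3.0 or later.

```powershell
# Added example, not SPDocKit code: permission forensics for one securable object.
[CmdletBinding()]
param(
    [string] $SiteUrl     = "http://intranet.contoso.local/sites/management",  # assumed
    [string] $LibraryName = "",             # empty = report on the site itself
    [string] $Permission  = "AddListItems"  # any SPBasePermissions flag name
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$bit   = [Microsoft.SharePoint.SPBasePermissions] $Permission
$hasAD = [bool](Get-Module -ListAvailable ActiveDirectory)
if ($hasAD) { Import-Module ActiveDirectory }

# Turn a SharePoint login into something Get-ADGroupMember accepts: claims-encoded AD
# groups look like c:0+.w|S-1-5-21-... (a SID), classic-mode ones like DOMAIN\name.
function Get-AdIdentity([string] $login) {
    if ($login -match '^c:0\+\.w\|(S-[\d-]+)$') { return $Matches[1] }
    return ($login -split '\\')[-1]
}

# Emit one row per leaf principal; $via records the chain that led to the assignment.
function Expand-Principal($member, [string] $via, [string] $level, [bool] $granted) {
    if ($member -is [Microsoft.SharePoint.SPGroup]) {
        foreach ($u in $member.Users) {
            Expand-Principal $u "$via > SP group '$($member.Name)'" $level $granted
        }
        return
    }
    if ($member.IsDomainGroup -and $hasAD) {
        $adMembers = Get-ADGroupMember -Identity (Get-AdIdentity $member.LoginName) -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $adMembers) {
            [pscustomobject]@{ Principal = $m.SamAccountName; Via = "$via > AD group '$($member.Name)'"; Level = $level; HasPermission = $granted }
        }
        return
    }
    # A plain user, or an AD group that could not be expanded (reported as the group itself).
    [pscustomobject]@{ Principal = $member.LoginName; Via = $via; Level = $level; HasPermission = $granted }
}

$site = Get-SPSite $SiteUrl
try {
    $web = $site.RootWeb
    $obj = if ($LibraryName) { $web.Lists.TryGetList($LibraryName) } else { $web }
    if ($null -eq $obj) { throw "Library '$LibraryName' not found in $SiteUrl" }

    # An inheriting object carries its ancestor's assignments; name that ancestor in the report.
    $source = $obj
    while (-not $source.HasUniqueRoleAssignments) { $source = $source.FirstUniqueAncestorSecurableObject }
    $origin = "direct on '$($source.Title)'"

    $rows = foreach ($ra in $source.RoleAssignments) {
        foreach ($rd in $ra.RoleDefinitionBindings) {
            # A level grants the permission when every bit of the queried flag is set.
            $granted = (($rd.BasePermissions -band $bit) -eq $bit)
            Expand-Principal $ra.Member $origin $rd.Name $granted
        }
    }
    $rows | Sort-Object @{ Expression = 'HasPermission'; Descending = $true }, Principal |
        Format-Table -AutoSize

    # Cross-check a surprising row against SharePoint's own evaluation, which also honours
    # site collection administrators and web application user policies, e.g. (login assumed):
    # $web.DoesUserHavePermissions("CONTOSO\cleaner", $bit)
}
finally { $site.Dispose() }
```

Two rows are worth reading carefully in the output. Limited Access entries appear with HasPermission false for anything beyond browsing, which is expected; they only mark a traversal path to a child with its own permissions. And an AD group row that was not expanded means the answer to "why" stops at the directory: the cleaning lady in the example above only shows up by name once Get-ADGroupMember can walk the Cleaning Staff group. Site collection administrators and web application policies never appear in role assignments at all, which is why the DoesUserHavePermissions cross-check is there.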
Of course, you can break this down into numerous other useful reports and information overviews. The next report shows the matrix of principals (SharePoint groups and SharePoint users) and permission levels, including the roles each principal has on the site, in a graphically appealing way. Image 21: Principals and permission levels in a subsite Furthermore, one of the most commonly requested reports shows a quick overview of securable objects (i.e., sites, lists, and list items) with broken permission inheritance. You can get this report in one click with SPDocKit.
Image 22: Overview of securable objects in a SharePoint farm In addition to securable object and permission level reports, SPDocKit offers important principal-based reports so administrators can easily determine which permissions a SharePoint user or SharePoint group has in one or more site collections. With these user-centric reports, administrators can see which permissions a principal has and the way in which those permissions were given (e.g., through SharePoint groups, AD groups, or directly) and act accordingly. Of course, as expected from SPDocKit, each of these reports can easily be saved as a PDF or Word file, manually modified, and included in a larger report.
Image 23: Saved report showing the overview of a SharePoint site's permissions
Conclusion SharePoint's out-of-the-box features are simply not enough for serious governance scenarios and simplified permissions management. Administrators will either write a bunch of PowerShell scripts and avoid the SharePoint user interface completely, or find a tool to deal with those issues. Different tools on the market partially cover SharePoint permissions management and reporting. When all or some of a large set of lookalike SharePoint site collections and sites require a permission change, SPDocKit permission wizards are the best choice. In my opinion, SPDocKit's permissions tool belt does the best job. It offers batch permissions management across site collections, simplified permissions management inside a single site collection, and powerful cleanup, forensic, and reporting options. I often say that SPDocKit's features give SharePoint consultants the equivalent of a Swiss Army knife in their pockets.
SPDocKit - Ultimate SharePoint admin tool What is SPDocKit? A unique tool that allows you to easily administer and manage your SharePoint farm. You can use it to explore and manage SharePoint permissions, keep an eye on your farm health, and compare and track changes on your farm in no time. Why SPDocKit? Generate SharePoint documentation; analyze SharePoint permissions; manage permissions; audit farm configuration; compare farms and track changes; enforce governance policies; monitor SharePoint farm health. Try the 30-day free trial. More info is available at www.spdockit.com.