SharePoint permissions can be the stuff of nightmares. At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.
The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common. This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.
Next, the actual permissions themselves are more complicated. NTFS file systems are usually Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permissions types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, Administrators can create custom permission levels. To top it off, a given user, group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.
Even though SharePoint permissions can be confusing even for technology teams, Microsoft is designed to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, or everyone in the organization that’s logged into the domain. What ended up happening is that business users would use this as a short-cut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.
The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.