Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Why Do SharePoint Permissions Cause So Much Trouble?

SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying...
Brian Vecci
2 min read
Published January 6, 2012
Last updated June 9, 2023

SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.

Get a Free Data Risk Assessment

The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common.  This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.

Next, the actual permissions themselves are more complicated. NTFS file systems are usually Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permissions types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, Administrators can create custom permission levels. To top it off, a given user, group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.

Even though SharePoint permissions can be confusing even for technology teams, Microsoft is designed to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, or everyone in the organization that’s logged into the domain. What ended up happening is that business users would use this as a short-cut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.

The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

best-practices-for-sharepoint-permissioning
Best Practices for SharePoint Permissioning
SharePoint is Microsoft’s enterprise-class environment for sharing content: documents, presentations, spreadsheets, notes, images, and more. While SharePoint has many advantages over a raw file system in terms of content management,...
sharepoint-permissions-cheat-sheet
SharePoint Permissions Cheat Sheet
Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can...
fixing-the-open-shares-problem
Fixing the Open Shares Problem
I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone,...
open-shares
Open Shares
In my post last week, Share Permissions, I promised I’d write a follow up post on “open shares.” Open shares, in a nutshell, are folders that are accessible to all…