SharePoint 2010 : Planning Your Security Model - Maintaining Your Security Model

5/16/2013 7:26:56 PM
It may be overly ambitious to expect you to keep your security model up to date, but if there is any documentation worth maintaining as you evolve your site design, this is the one to try to maintain. In fact, it may not be a single document but a collection of completed document templates (if you choose to decentralize security management). If you always follow the best practice of assigning users to groups rather than assigning permissions to individuals, maintaining the document won’t be too difficult because you will only need to make an update if you add a new group or a add unique permissions to a securable object. Is it realistic to assume that you can keep the security model document current in a dynamic environment? Probably not. So you will definitely want to take advantage of the ways SharePoint 2010 allows you to “unpack” your security model directly in your site. Here’s what you can do pretty easily:
  • Check the permissions that have been assigned to a group across the entire site collection.

  • On an individual object, display the permission levels and how those permissions were applied (for example, “given directly” or “given through the [Site Name] Members group”).

Here’s what you can’t do with the native interface: check the permissions that have been assigned to an individual across the entire site collection (which should give you the best incentive possible to try to always put users in a group and avoid giving users individual permissions) or audit who has made security changes to various securable objects.

Checking Permissions Assigned to a Group

To examine how permissions have been assigned to a group across a site collection, you must have Full Control privileges. At the root of the site collection, select Site Settings, Users and Permissions, and then “People and groups.” Highlight the group in the quick launch and select Settings/View Group Permissions. You will see a list similar to the image in Figure 1, which enumerates the permissions for the Home Visitors group in a sample site collection. The list shows the URL of each securable object and the permission level that has been assigned to each group. Notice that this group has Read access to the Team Beta blog site, but that they have Contribute permissions to the Comments list. This explicit permission level assignment allows people who only have Read access to the entire site (the default permission for the default SharePoint Visitors Group) to post a comment (Contribute) to the Team Beta blog but not generate a new post.

Figure 1. View Site Collection permissions for a Group

Displaying Permission Levels on an Object

To examine permission levels for an individual object, you have to navigate to the object and look “under the covers” to find out how permissions have been assigned. If you have a very complex security model, you will have to turn over a lot of covers to audit the security across the entire collection.

From the individual object where you want to display permissions, navigate to the settings for that object.

  • For a site, this will be found under Site Settings, Users and Permissions. Click Site permissions to access the Check Permissions button. Note that People and Groups will show individuals and site groups that are available to the entire site collection, not just the current site.

  • For a Document Library, select List Settings and then the Permissions for this list option under Permissions and Management.

When you click the Check Permissions button, you will see the permissions that have been granted for a group or a user of that object. While you cannot check an individual user’s permission across the entire collection, you can check a person’s individual permissions inside a given object. However, you will not be able to identify that user Chris has Contribute permissions for most documents in a document library but only Read for a specific more secure document without examining each document to see where unique permissions have been applied. Save yourself some audit pain—if you are going to secure individual documents or items in a list or library, write down what you did in your security model and keep it current. Better still, put more secure documents in a separate document library with more restricted access. Another best practice tip is to create a test user account and use it for security validation. If you are someone with security application privileges, you automatically have access to the associated content. To verify security changes you make, add the test user as a member of the appropriate security group. Log in as that test user and validate that the content is accessible. Remove the user from the group and test again to ensure content is no longer accessible.

Figure 2 shows the results of the Check Permissions action from the perspective of the Comments list on the Team Beta Blog site shown in Figure 8-6. You can only enter one user or group name at a time when you check permissions. When permissions were “managed” for this list, the Site Owner left the Read permission level checked and then also checked the Contribute permission level, which is why you see that this group has both Contribute and Read permissions. Note that the “highest” set of privileges will always apply. Because the Contribute permission level is the same as the Read permission level with additional permissions to add, edit, and delete items and versions, it would have been OK to uncheck the Read permission level in this example, as shown in Figure 3.

Figure 2. Check permissions for a securable object: one Group at a time

Figure 3. Edit permissions

The concept of “highest” set of privileges will always apply is an important one. This means if a user is a member of two groups, Group A and Group B, where Group A has Read access to a site and Group B has Contribute access, then the user is a contributor. This is sometimes confusing from an administration perspective but can be managed somewhat by limiting the number of security groups applied to a securable object.


This section contains some examples of reported issues and questions with security application in SharePoint and the associated potential resolutions/answers. This list is not exhaustive but is intended to demontrate some additional learning elements associated with Share Point secuity management.

  • “SharePoint is denying me access to a site.” First, it is very important to note that SharePoint handles authorization but not authentication. You can’t get to a SharePoint site without first being authenticated (that is, associated with valid credentials). Once SharePoint knows who you are, it applies security to determine whether you are authorized to see all, some, or none of the content. If a user does not have access rights, a dialog box is presented so alternate credentials may be entered. After three failed attempts, the dialog box is removed, and the user is redirected to an error (or access denied) page. The security model would need to be altered to grant this user the appropriate access.

  • “Certain users can no longer access their team site, and security has not been changed.” There is a scenario worth mentioning here. If a site contributor places an image on the site and the image is located (and secured) in a different location, then that security is applied at the time of page rendering. So in this example, a user may be prompted with the security dialog box because that user does not have access to that image. This is why security must be well-mapped in early stages where, in this case, an openly available image library has the necessary read access.

  • “How do I know if I have site administration rights?” The quickest and simplest indicator is the Site Actions button. If you see it on a site, you have access to the underlying administration pages. If you don’t, then you don’t!

  • “How do I know if I have contribution rights to a library?” Similar to the previous point, if you see the library’s tool bar with the associated contribution actions in the ribbon, then you do.

  •  SharePoint 2010 : Planning Your Security Model - Defining and Documenting SharePoint Security
  •  SharePoint 2010 : Planning Your Security Model - Overview of SharePoint Security Elements
  •  Windows Server 2003 : Securing Network Communication - Securing a Wireless Network
  •  Windows Server 2003 : Securing Network Communication - Deploying IPSec
  •  Windows Server 2003 : Securing Network Communication - Planning an IPSec Implementation
  •  Web Security : Automating with LibWWWPerl - Testing Session Fixation
  •  Web Security : Automating with LibWWWPerl - Checking Session Expiration
  •  Accept Credit Card Payments
  •  Web Security : Automating with LibWWWPerl - Simulating Form Input with POST, Capturing and Storing Cookies
  •  Web Security : Automating with LibWWWPerl - Writing a Basic Perl Script to Fetch a Page, Programmatically Changing Parameters
    Top 10
    Review : Sigma 24mm f/1.4 DG HSM Art
    Review : Canon EF11-24mm f/4L USM
    Review : Creative Sound Blaster Roar 2
    Review : Philips Fidelio M2L
    Review : Alienware 17 - Dell's Alienware laptops
    Review Smartwatch : Wellograph
    Review : Xiaomi Redmi 2
    Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
    Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
    3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8