- Do follow the Principle of Least Privilege: Give people the lowest permission levels they need to perform their assigned tasks.
- Do give people access by adding them to standard, default SharePoint groups (such as Members, Visitors, and Owners). Make most people members of the Members or Visitors groups and limit the number of people in the Owners group.
- Do use permissions inheritance to create a clean, easy-to-visualize hierarchy. That is, avoid granting permissions to individuals; work with SharePoint groups instead. Where possible, have sub-sites simply inherit permissions from your team site rather than giving them unique permissions.
- Do organize your content to take advantage of permissions inheritance: Consider segmenting your content by security level – create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
- Do always assign a group as the group owner. By default, the group owner is whoever created the site or group. Assign the site collection owner or site owner group as the group owner instead, to avoid problems if that user's account is later deleted.
- Do use AD and SharePoint permission groups to grant permissions.
  - SharePoint Groups – Site owners can manage the site's permissions by adding people to groups within just their site.
  - Active Directory Distribution Groups – Can be re-used for other services; when a user needs to be added to a group, you only need to add them once to the appropriate Active Directory groups.
- Do not give Full Control to everyone. Before granting it, ensure the user is properly trained on SharePoint, verify what the SharePoint governance policy dictates for granting this permission, and consider other permission levels that may meet the user's requirements (e.g. Design, Contribute).
- Do not assign permissions to individual users or grant them item-level permissions. Instead, always use SharePoint permission groups to grant user permissions. Item-level permission management is a manual, laborious process and easily leads to permission problems that are hard to trace.
Example SharePoint Permission Scenario
A possible SharePoint permissions scenario is to restrict certain users to file transfers only: they should not be able to create site collections, edit page layouts, or perform other tasks beyond transferring files.
A recommendation would be to create a new SharePoint site collection permission level that is copied from the “Contribute” permission level. Users granted this permission level can add, edit, delete, and open files, but cannot create sub-sites, change the site design, or manage permissions.
Edit this new permission level and uncheck the following boxes to limit what’s allowed.
- Use Self-Service Site Creation
- Add/Remove Personal Web Part
- Update Personal Web Part
NOTE: This new permission level will need to be created in each site collection.
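The same procedure scripted for the SharePoint Management Shell, as an added example that is not part of the original article: it copies “Contribute”, clears the three rights listed above, and, because the level is site-collection scoped, repeats this in the root web of every site collection in one web application. The web application URL and the level name “File Transfer” are assumptions; the right names are the SPBasePermissions enumeration members for the three checkboxes.

```powershell
# Run as a farm administrator in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://intranet.example.local"   # assumption: your web application
$levelName = "File Transfer"                     # hypothetical name for the new level

# The three rights to remove, by their SPBasePermissions names:
#   CreateSSCSite          = "Use Self-Service Site Creation"
#   AddDelPrivateWebParts  = "Add/Remove Personal Web Parts"
#   UpdatePersonalWebParts = "Update Personal Web Parts"
$removeMask = [Microsoft.SharePoint.SPBasePermissions]"CreateSSCSite, AddDelPrivateWebParts, UpdatePersonalWebParts"

foreach ($site in Get-SPSite -WebApplication $webAppUrl -Limit All) {
    try {
        $web = $site.RootWeb   # role definitions live on the root web of each site collection

        # Skip site collections where the level already exists.
        if ($web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }) {
            Write-Host "Skipping $($site.Url): '$levelName' already exists"
            continue
        }

        $contribute = $web.RoleDefinitions["Contribute"]

        # Copy Contribute, then rename and describe the copy.
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition($contribute)
        $level.Name        = $levelName
        $level.Description = "Add, edit, delete and open files; no site creation or personalization"

        # Clear only the bits of $removeMask that Contribute actually has set
        # (x -bxor (x -band m) leaves every other right untouched).
        $granted = $contribute.BasePermissions
        $level.BasePermissions = $granted -bxor ($granted -band $removeMask)

        $web.RoleDefinitions.Add($level)
        Write-Host "Created '$levelName' in $($site.Url)"
    }
    finally {
        $site.Dispose()   # SPSite objects hold unmanaged resources; always dispose
    }
}
```

Grant the new level to a SharePoint group rather than to individual users, in line with the guidance above.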
Here are some helpful links related to the topics covered in this article: