SharePoint Site hierarchy and permissions provide simplified security management
When Microsoft SharePoint permissions are setup correctly the SharePoint Administrator should not have to touch them again. If as a SharePoint Administrator you find yourself constantly having to management permissions in the Farm then something is not setup correctly. Over time, with many changes, permissions can get very convoluted and actually increase the likelihood of security breaches. So how can we structure a Site Collection and Site hierarchy such that we set permission once and then leave them alone? In our previous post we explained how permission work in Microsoft's object oriented world. We further explained the reasons why using Local SharePoint groups within an Object's Discretionary Access Control List is so important. Let's now apply that knowledge to building a secure yet easy to management SharePoint Site Collection and Site hierarchy.
Many organizations structure their Site Collections on a one per department basis. Well, that is at least how I recommend they do it for technical reasons I won't go into here. In our hypothetical Learning Tree International company we will use the Finance Department as our example Site Collection. After consulting with the Chief Financial Officer here are the objectives:
- Top level root site must be accessible by all employees and contractors in the organization at a Read Only level.
- The CFO's Assistant should have Full Control Access to the top level root time.
- The First level subsite will be the Team Collaboration site for the Finance employees. Everyone should have contribute permissions.
- Under the Team Collaboration site will be two Second level subsites - one for Accounts Payable and one for Accounts Receivable. The employees of each sub group shall only have Contribute permissions to their own subsite and No Access to the other sub group subsite. In fact, when they go to the Team Collaboration menu for subsites they should only see the subsite they respectively belong to. That is to say that Accounts Payable employees should only see Accounts Payable subsite menu selection.
- Permissions should be setup once and not touched thereafter.
Permissions can be Secure yet Simple to Manage
As we mentioned in the previous post one of the keys to a secure yet performance driven SharePoint Site Collection and Site hierarchy is to use Local SharePoint Groups to assign permissions to Objects like Sites and Document Libraries. So armed with the knowledge we will start at the Top level root site and great a few Local SharePoint Groups base on desired access levels. But wait, all the Local SharePoint Groups we need have already been created for us:
Site Owner = Full Control
Site Member = Contribute
Site Visitor = Read Only
Site Collection and Site Hierarchy
Site Collection Hierarchy with Local SharePoint Groups
The above site hierarchy using Local SharePoint Groups to assign access permissions to SharePoint objects means that no changes are required within SharePoint as new employees join or leave the Finance Department. All the changes are made by the Active Directory Administrators.
It's a beautiful thing when you can let others do the work!