Plan your SharePoint permissions strategy
by Byron
(Atlanta)
Most SharePoint Web sites are created speedily, with the aim of solving a particular problem or getting a specific set of information to people who need it quickly.
That’s good, but often the structure of the SharePoint site that you start with to meet specific needs ends up being the default structure as your site collection grows and is required to meet other kinds of needs. This can result in permissions chaos, where everyone in the organization has full control over sub-sites, or every individual has to be granted permissions for every new site they need to use.
A good permissions strategy can catch these problems before they get started.
An effective permissions strategy gains you control in three main areas:
Manageability and performance. The permissions settings you choose have long-term consequences for how much work it takes to manage your sites, and how speedily your sites respond to user commands.
Data governance. A planned permissions strategy can help you ensure compliance with your organization's data governance policies, which may be unique to your company, or may be an essential part of complying with financial and accounting disclosure and retention legislation, such as Sarbanes-Oxley.
Cost of maintenance. A strategy that takes advantage of SharePoint 2010 built-in efficiency tools, such as SharePoint groups, permission levels, and permissions inheritance, will enhance ease of use for your site users, and minimize the requests for individual access that permissions managers have to respond to during the life of the site.
6 tips for an effective permissions strategy
Keep these tips in mind to help create a simple, easy-to-maintain permissions strategy.
When you give people access, add them to standard, default SharePoint groups (such as Members, Visitors, and Owners).
Follow the principle of least privilege.
Give people the lowest permission levels they need to perform their assigned tasks.
Make most people members of the Members or Visitors groups.
People in the Members group can add or remove items or documents, but they cannot change the site structure, site settings, or site appearance.
People in the Visitors group have read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Limit the number of people in the Owners group.
Only people you trust to change the structure, settings, or appearance of the site should be in the Owners group.
Use permissions inheritance to create a clean, easy-to-visualize hierarchy.
Managing permissions becomes more difficult and time-consuming when some lists within a site have fine-grained permissions, and when some sites have sub-sites with unique permissions and others with inherited permissions. If you use fine-grained permissions extensively, users may experience slower performance when they try to access site content.
It is much easier to manage and explain permissions when there is a clear hierarchy of permissions and inherited permissions.
Organize your content to take advantage of permissions inheritance.
Consider segmenting your content by security level – create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
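One way to check an existing site collection against the tips on the Owners group and on permissions inheritance, as an added example that is not part of the original article. It assumes the SharePoint 2010 Management Shell on a farm server; the site URL is a placeholder and the owner threshold of 3 is an arbitrary value chosen for illustration.

```powershell
# Added example: report where a site collection departs from a clean,
# inherited permissions hierarchy and where the Owners group is large.
# Assumptions: SharePoint 2010 server object model is available;
# $SiteUrl is a placeholder; $MaxOwners is an arbitrary threshold.
param(
    [string]$SiteUrl   = "http://sharepoint.example.local/sites/team",
    [int]   $MaxOwners = 3
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Finding, $Url, $Detail) {
    # PowerShell 2.0 compatible object construction
    New-Object PSObject -Property @{ Finding = $Finding; Url = $Url; Detail = $Detail }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Sub-sites that have stopped inheriting from their parent.
            # The root web always has unique permissions, so skip it here.
            if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                New-Finding "Sub-site with unique permissions" $web.Url ""
            }

            # Lists and libraries that carry their own permissions.
            foreach ($list in $web.Lists) {
                if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                    New-Finding "List with unique permissions" $web.Url $list.Title
                }
            }

            # Owners group size, checked only where the site defines its own
            # permissions so an inherited group is not reported repeatedly.
            # A domain group added to Owners counts as a single entry.
            $owners = $web.AssociatedOwnerGroup
            if ($web.HasUniqueRoleAssignments -and $owners -ne $null -and
                $owners.Users.Count -gt $MaxOwners) {
                New-Finding "Large Owners group" $web.Url ("{0}: {1} entries" -f $owners.Name, $owners.Users.Count)
            }
        }
        finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
}
finally { $site.Dispose() }

$findings | Sort-Object Finding, Url | Format-Table Finding, Url, Detail -AutoSize
```

The script does not inspect item-level or folder-level permissions, so a library that reports as inheriting can still contain individually secured documents.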