SharePoint Does Not Provide “Who Has Access” Reports

UPDATE 01/28/08: This CodePlex project addresses this issue: http://www.codeplex.com/AccessChecker. I have not used it, but it looks promising if this is an issue you need to address in your environment.

UPDATE 11/13/08: Joel Oleson wrote up a very good post on the larger security management issue here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d%2D183c%2D4fc2%2D8320%2Dba5369008acb&ID=113.  It links to a number of other useful resources.

Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site?" or "How can I automatically alert all users with access to a list about changes made to the list?"

There is no out-of-the-box solution for this. If you think about it for a moment, it’s not hard to understand why.

SharePoint security is very flexible. There are at least four major categories of users:

  • Anonymous users.
  • SharePoint Users and Groups.
  • Active Directory users.
  • Forms Based Authentication (FBA) users.

The flexibility means that, from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present the results in a useful fashion. That’s a hard problem to solve generically.
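To make those steps concrete, here is an added example (not from the original post or any of the products mentioned on this page) that walks every web in one site collection with the SharePoint server object model and lists the principals behind each role assignment. It assumes PowerShell 2.0 or later running on a SharePoint server; `$SiteUrl`, the function names and the output file name are placeholders chosen for illustration.

```powershell
# Added example. Run on a SharePoint server (object model installed), PowerShell 2.0+.
# $SiteUrl is a placeholder, not a value from the post.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/team")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Expand-Principal($member, $via) {
    if ($member -is [Microsoft.SharePoint.SPGroup]) {
        # SharePoint group: membership is stored in SharePoint, so list it here.
        foreach ($u in $member.Users) { Expand-Principal $u $member.Name }
    } else {
        # SPUser: either a single account or an AD security group added as one
        # principal. A group's members live in the directory, so flag it.
        New-Object PSObject -Property @{
            LoginName = $member.LoginName
            Via = $via
            NeedsDirectoryLookup = $member.IsDomainGroup
        }
    }
}

function Get-WebAccessReport([string]$url) {
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                $inherits = -not $web.HasUniqueRoleAssignments
                # Anonymous access is a web setting, not a role assignment.
                if ($web.AnonymousState -ne "Disabled") {
                    New-Object PSObject -Property @{ Web = $web.Url; LoginName = "(anonymous)";
                        Via = "AnonymousState=$($web.AnonymousState)"; Roles = "";
                        Inherited = $inherits; NeedsDirectoryLookup = $false }
                }
                foreach ($ra in $web.RoleAssignments) {
                    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                    # @() keeps an empty group from yielding a single $null row.
                    foreach ($row in @(Expand-Principal $ra.Member "(direct)")) {
                        $row | Add-Member NoteProperty Web $web.Url
                        $row | Add-Member NoteProperty Roles $roles
                        $row | Add-Member NoteProperty Inherited $inherits
                        $row
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-WebAccessReport $SiteUrl |
    Select-Object Web, LoginName, Via, Roles, Inherited, NeedsDirectoryLookup |
    Export-Csv -NoTypeInformation -Path .\who-has-access.csv
```

Rows with `NeedsDirectoryLookup` set still have to be resolved against Active Directory, and the script only covers web-level assignments: lists and items with unique permissions and web application policies need their own passes, which is why a generic report is hard.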

How are organizations dealing with this?  I’d love to hear from you in comments or email.

</end>

7 thoughts on “SharePoint Does Not Provide “Who Has Access” Reports”

  1. Kenneth Kolk

    HELP SOMEONE PLEASE MUST HAVE THE ANSWER. I’ve been blogging for days looking for the golden key that will unlock the safe. I am attempting to write a report in Performance Point Server that will utilize the login id for SharePoint to filter data on the report.. sounds easy right…WRONG… I have been virtually unlucky in getting anyone who remotely has the idea of how this can be done. Sure I know I could create a report folder for each individual that I have a need to report on, that’s kind of messy. However, getting closer to the only solution I have so far. Please if you have a solution or know someone who might be able to help out email me at ken.kolk@medcor.com Thanks in advance.

  2. txcraig

    Another "Who Has Access" solution to consider is Idera’s Security Reporter http://www.idera.com/Products/Tours/Images/Pointadmintoolset12.jpg, part of the Idera Point admin toolset. It is different from other solutions in that it does not modify your SharePoint user interface. The reporting tool runs standalone on your desktop and talks to SharePoint via a web service that is easily installed to any Web Front End. It can output to XML or PDF.

    The toolset also has a tool called Permissions Analyzer http://i40.tinypic.com/ac68ev.png which does the inverse of "Who Can Access What" – you specify a user, and for each SharePoint site, list, doclib, etc. it will show you the resulting effective permissions, including details on each of the 33 SPBasePermissions including exactly which roles and web application policies affected each permission. You can select which zone to consider when evaluating web application policies (intranet, internet, etc). This tool is very handy in a helpdesk scenario when you are trying to figure out why a user cannot access particular content. Price is very reasonable, check at http://www.idera.com (full disclosure – I’m part of the team that created the toolset).

  3. Paul Schaeflein
    I work on the team that built DeliverPoint, which has a Discover Permissions page. The Discover Permissions page, accessible from a site, list and list item, will show who has access to the item. It will "explode" group membership to provide the complete picture.
  4. Sarah Roth
    I’m in the process of building a webpart that first reads SharePoint users with the right to change content, then queries against the AD groups to find the users which are granted the change right because of their AD membership. Works with standard LDAP now, but I have no clue how to use LDAPS (which we unfortunately use).
  5. Chris
    Paul,
     
    This is a good question to address early on in the implementation. There is a way to check security for individual roles in SharePoint, but there is no built-in way to be able to display all security settings across an implementation. In our implementation, we are handling security on the provisioning of a site collection by keeping this as a central operation instead of using self-service creation of these collections. Then the responsibility of security is the responsibility of the site owner group. This means we had to establish a strong governance structure with plenty of policies explaining the impact of sites that are not properly secured.
     
    However, this brings to light a needed capability within a SharePoint implementation — a tool that will create security reports that can be reviewed, at minimum, by the site owners.
     
    Great post… now I’m going to end up spending the day thinking about security (and it’s a Saturday!)
     
    Chris
  6. Derek Goodridge
    Hi Paul
     
    I saw a product the other day called Universal SharePoint Manager 2007 which looks like it includes lots of security analysis reports.  I haven’t had a chance to look closely yet, but it could be worth investigating.  $4,495 license price though…. 
