UPDATE 12/18/07: See Paul Liebrand’s article for some technical consequences of removing or modifying the default group names (see his comment below as well).
SharePoint security is easy to configure and manage. However, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.
This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.
For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.
Users and Groups break down to:
- Individual users: Pulled from active directory or created directly in SharePoint.
- Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.
Securable objects break down to at least:
- Document libraries
- Individual items in lists and document libraries
- Various BDC settings.
There other securable objects, but you get the picture.
Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.
Inheritance: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.
Users and groups relate to securable objects via permission levels and inheritance.
The Most Important Security Rules To Understand, Ever 🙂 :
- Groups are simply collections of users.
- Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
- Group name not withstanding, groups do not, in and of themselves, have any particular level of security.
- Groups have security in the context of a specific securable object.
- You may assign different permission levels to the same group for every securable object.
- Web application policies trump all of this (see below).
Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.
- Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, obviously, since it would be very confusing.
- Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
- Groups membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
- Failing to name groups based on specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, I should have created two new groups: "HR Owners" and "Logistics Owners" and assign sensible permission levels for each and the minimum amount required for those users to do their job.
Other Useful References:
- Web application policy gotcha’s: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!255.entry
- Clearinghouse for SharePoint security: http://www.sharepointsecurity.com/
- Links from Joel Oleson: http://blogs.msdn.com/joelo/archive/2007/08/23/sharepoint-security-and-compliance-resources.aspx
If you’ve made it this far:
Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!