In this article we’ll be focusing on broken inheritance and unique permissions in a SharePoint environment, and how the lack of central permissions management can lead to a totally messed-up permission hierarchy and security breaches. Additionally, we’ll be covering the topic of SharePoint permission management and reporting with SPDocKit.
If you’re a SharePoint administrator or a consultant working for a company, you’re surely aware of how quickly SharePoint permission management can spiral out of control.
SharePoint is the most popular collaboration platform deployed among organizations worldwide. According to the Association for Information and Image Management (AIIM), one out of every two corporations uses SharePoint, on its premises or online. Let that sink in for a moment.
Now, can you imagine how many end users and permissions that adds up to? Can you imagine the enormity of managing all those permissions manually? Not to mention trying to find all objects such as sites, subsites, lists, and list items that have broken inheritances. It’s hard to keep track of it by learning it by heart.
That’s why SPDocKit helps so many of our clients perform their daily tasks, such as keeping an eye on who has access to what and making sure SharePoint permissions stay organized.
In this article we will go through various use cases and available SPDocKit reports that help you get your SharePoint permissions under control.
One of the specialties of SPDocKit is permissions management, which offers insights into permissions for different users and groups across a SharePoint farm.
You can create various permission reports on site collections, at subsite, list, list item, user, and group level, as well as perform a security audit.
In the permissions report section, the following SPDocKit reports are available.
- Site Collection Hierarchy, which shows all principals and their permissions across the selected site collection. It also includes a complete hierarchy structure overview, including any objects with broken permission inheritance.
- SharePoint Groups, which shows all SharePoint groups and their members across the selected site collections.
- Permission Cleanup.
- Health Checks.
Identify unique permissions
Among the Site Collection reports, there’s a Unique Permissions report that automatically identifies all SharePoint objects with unique permissions, a.k.a. objects with broken permission inheritance.
Breaking inheritance on securable objects can lead to a catastrophic problem that most site owners tend to overlook—permissions assigned in sites with broken inheritance reside only within a particular site. The problem with it is in the fact that this is usually done without notice of SharePoint admins.
Permission Health Checks
Permission Health Checks are there to help draw your attention to best practices in permission management, and whether there’s perhaps a better and more efficient way to assign permissions.
Let’s go over the reports in the Permission Health Check, and consider the best practices when granting and restricting access to different SharePoint objects in your environment.
1. Directly Assigned Permissions
This report shows those users who have directly assigned permissions.
To simplify permissions management, avoid granting individual permissions. Assign permissions through groups.
For example, you might want to add users to standard default groups (such as Members, Visitors, and Owners). Be sure to limit the number of people in the Owners’ group.
2. Lists with Uniquely Secured Items
This report shows all lists and libraries that contain list items (or folders) with unique permissions.
It’s always best to make the most of permission inheritance when organizing your content. You can even segment the content into different security levels. For example, you can create a separate site or a library for storing your confidential information and sensitive documents. This is a better way to manage your sensitive data than having it scattered across all sorts of libraries with unique permissions.
When dealing with documents, list items or folders, best practice is to use inherited permissions. Creating a lot of documents, each with a unique permission, requires a lot of managing and it takes time. Why? Because you have to dig them up and go over each of them to review whether appropriate permissions were assigned.
3. Uniquely Secured List Items
This report shows all list items or folders with unique permissions.
The same goes for uniquely secured list items as for the lists mentioned in the previous subtitle. The difference between the Lists with Uniquely Secured Items report and the Uniquely Secured List Items report is that the later offers more detail.
The first one tells you which lists are problematic and the second specifies exactly which documents within the list are problematic.
Break/Restore Permissions Inheritance Wizard
There are various wizards within SPDocKit which you can use to manage SharePoint permissions, but in this article we’ll focus on the Break/Restore Permission Inheritance Wizard.
The wizard allows you to break permission inheritance on the desired subsites or lists across the selected farm, web application or site collection.
With the same wizard, you can restore permission inheritance. However, please note that restoring permissions inheritance on a subsite will also restore the permission inheritance for lists and items on that subsite.
With SPDocKit you have an additional option to choose to restore permission inheritance for all subitems on the selected list or folder.
Aside from this wizard, you can use the Compare Wizard to compare SharePoint permissions between any two selected SharePoint objects.
We covered the Compare Wizard extensively in a previous blog post, The Art of SPDocKit Compare Wizardry, so be sure to check it out for more information.
SPDocKit 7 is available for download now and there’s a 30-day trial available so you can test all its capabilities. As for pricing, we offer in-house and consultant licensing, as well as licensing depending on environment type (SharePoint On-Premises or SharePoint Online).