Table of Contents
About the Author
Introduction to SharePoint Permissions Management
Centralized Permission Management with SPDocKit
Batch permissions management with SPDocKit
On-the-fly permissions management with SPDocKit
Permissions reporting and forensics with SPDocKit
Conclusion
SPDocKit - Ultimate SharePoint admin tool
About the Author
Adis Jugo is a software architect with 20 years of
professional experience in creating software solutions
that make users' lives easier. He is passionate about
improving all the aspects and phases of the software
development process. In addition to his two decades of
experience in software development and architecture,
he is a certified Professional Scrum Master (PSM), with
extensive experience in agile project management.
He is currently working as a Director of Advisory for Deroso Solutions, a Microsoft
Gold Partner based in Germany, and he has been a speaker at various Microsoft
conferences and User Group meetings. In January 2012, he received the Microsoft
Most Valuable Professional (MVP) award for Microsoft SharePoint Server.
Introduction to SharePoint Permissions Management
One of the strengths of SharePoint, and one of the main reasons the platform
became so popular in the first place, is permissions. It does not matter whether
permissions are governed centrally or whether site owners can grant permissions
themselves: the powerful permission management in SharePoint helped the
platform’s popularity skyrocket. Everyone can set up permissions in his or her own
way, but that is the problem with SharePoint. Because this is possible and because
everyone (who has rights) can do it, SharePoint’s greatest strength very often turns
out to be its greatest weakness.
SharePoint has never been good at centralized permission management.
Everything is fine as long as you only have a couple of site collections. However,
when an IT Administrator needs to add/delete/change users on several hundred,
or even several thousand, site collections, things get interesting. Sure, you can
write short PowerShell scripts for such tasks, but when you need to do so on a
daily basis, things become more difficult. In addition, tracing the history of the
permissions can be challenging in SharePoint environments that are not tightly
governed. Built-in permissions forensics in SharePoint are very basic at best,
and permissions reporting is virtually nonexistent.
Strangely enough, there aren’t that many third-party tools that would close this gap
with SharePoint permissions. My favorite tool, and the one that I recommend to
in-house administrators, is SPDocKit, which was one of the first tools to offer
permissions reporting.
Centralized Permission Management with SPDocKit
SPDocKit makes day-to-day permissions management a much less painful job because
it includes a wizard-like centralized permissions management tool. I will outline some
key permissions management tasks based on cases with which I was confronted
during my career and explain how SPDocKit can be used to automate these tasks
(almost) completely.
Batch permissions management with SPDocKit
One of the most common cases in permissions management involves batch
permissions management. Think about adding a new audience (users) to existing
SharePoint content. This is fairly easy when you only have to deal with a few site
collections, but what happens when you have hundreds, or thousands of them?
This was exactly the case we faced with a customer who had over 20,000
automatically provisioned SharePoint site collections – one site collection per
customer project. The site collections had almost identical structures: the same lists
and libraries, an identical predefined folder structure in the libraries and a complex
permissions structure. In all, we were faced with 24 SharePoint groups per site
collection, times 20,000.
At one point, an auditing process was going on, and we had to give external auditors
permissions to review documents in certain libraries that were present in all 20,000
site collections. The auditors did not have access to any other content in the
SharePoint farm, except for those libraries. The process included the following tasks:
Breaking permissions inheritance for the “Reports” libraries,
Creating the permission level “Auditing Permissions”,
Creating a SharePoint group for the auditors,
Adding users to that group,
Giving “Auditing Permissions” to the “Auditors” group for the “Reports” library.
This had to be done for all 20,000 of the site collections. Clearly, one could not do
this task manually, and using PowerShell meant opening the door to a potentially
large error margin. For that reason, our tool of choice to implement these
requirements was SPDocKit.
SPDocKit has a wizard-style interface used to execute permissions-related batch
operations. You can find everything you would expect in the interface, including
breaking and restoring permission inheritance on multiple levels, batch
creating/editing/deleting SharePoint groups and permission levels, managing group
membership and assigning or revoking rights for principals on different securable
objects. It all worked intuitively, which did not leave much room for mistakes.
Before any batch operations are executed, SPDocKit will conveniently show a preview
of the results, so the administrator can decide whether to proceed with the
operation, or cancel it. In the case above, we started with the “Permission Inheritance
Wizard”.
Image 1: Breaking permissions at all 20,000 instances of the “reports” library (one in each site collection)
The SPDocKit permissions wizard asked us to review and confirm the action to break
the inheritance.
Once that change was confirmed and applied, SPDocKit iterated through the site
collections, and executed the command.
In the next step, the SharePoint administrator created the new permission level for
auditors using the next wizard – “Permission Levels Wizard”. The administrator chose
the name for each new permission level, and its base permissions. After a
review and confirmation, every site collection received the new permission level:
“Auditing Permissions”.
Image 2: Creating the new permission level for auditors
Image 3: Choosing base permission
Using the “Group Management Wizard”, our SharePoint administrator followed the
same procedure to create a new SharePoint group (“Auditors”). After setting the
group name, description, and owner, and then reviewing the changes, the “Auditors”
group was created in all site collections.
Image 4: Creating a new SharePoint group “Auditors”
Next, the administrator assigned the “Auditing Permissions” level to the
“Auditors” group on the “Reports” document library, for all 20,000 site collections
using the “Manage Permissions Wizard”.
Image 5: Assigning the “Auditing Permissions” level to the “Auditors” group on the “Reports” document library
After these steps, we had a document library named “Reports” with broken
permissions inheritance in all site collections, and a SharePoint group named
“Auditors,” with the assigned custom permission level “Auditing permissions” for that
library.
Of course, all 20,000 of the “Auditors” SharePoint groups (one per site collection)
were empty at first. Using the SPDocKit “Group Membership Wizard”, we easily
populated the groups with standard auditors.
Image 6: Adding users to specific groups
Image 7: Defining SharePoint group membership changes
A few minutes and five wizards later, we had broken the permissions inheritance on
20,000 document libraries, created 20,000 SharePoint groups and custom permission
levels, assigned the necessary custom permissions for those libraries, and populated
the newly created SharePoint groups. SPDocKit made this job much easier.
Writing custom PowerShell scripts would have taken considerably more time, and the
process would have been more prone to errors. Executing those tasks manually
through the SharePoint interface was not an option at all. In all the wizards
mentioned above, all site collections from a web application were selected, but that
is not a limit - admins can choose which ones to use. For example – if auditing is
necessary on only 100 projects instead of all 20,000, admins can select the 100
projects for which it is required.
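For comparison, the same five steps scripted against the SharePoint server object model, with `-WhatIf` standing in for the wizard's preview. This is an added example, not the author's script or SPDocKit's code; it assumes an on-premises farm, that each “Reports” library sits in the root web of its site collection, and read-only base permissions for “Auditing Permissions” (the page does not list them). The URL and account are placeholders.

```powershell
# Added example; requires the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Grant-AuditorAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $WebApplicationUrl,
        [Parameter(Mandatory = $true)] [string[]] $AuditorLogins,
        [string] $ListTitle = 'Reports',
        [string] $LevelName = 'Auditing Permissions',
        [string] $GroupName = 'Auditors'
    )
    foreach ($site in Get-SPSite -WebApplication $WebApplicationUrl -Limit All) {
        try {
            $web  = $site.RootWeb
            $list = $web.Lists.TryGetList($ListTitle)
            if ($null -eq $list) {
                Write-Warning "$($site.Url): no '$ListTitle' library, skipped"
                continue
            }
            # -WhatIf stops here, so a dry run lists the affected sites without changing them.
            if (-not $PSCmdlet.ShouldProcess($site.Url, "grant '$GroupName' access to '$ListTitle'")) {
                continue
            }
            # 1. Break inheritance; $true copies the parent's assignments so nobody loses access.
            if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }

            # 2. Create the permission level if missing (read-only rights are an assumption).
            if (-not ($web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName })) {
                $level = New-Object Microsoft.SharePoint.SPRoleDefinition
                $level.Name = $LevelName
                $level.BasePermissions = 'ViewListItems, OpenItems, ViewVersions, ViewPages, Open'
                $web.RoleDefinitions.Add($level)
            }
            $level = $web.RoleDefinitions[$LevelName]

            # 3. Create the SharePoint group if missing, owned by the site collection owner.
            if (-not ($web.SiteGroups | Where-Object { $_.Name -eq $GroupName })) {
                $web.SiteGroups.Add($GroupName, $site.Owner, $null, 'External auditors')
            }
            $group = $web.SiteGroups[$GroupName]

            # 4. Add the auditors to the group.
            foreach ($login in $AuditorLogins) { $group.AddUser($web.EnsureUser($login)) }

            # 5. Bind the permission level to the group on the library only.
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
            $assignment.RoleDefinitionBindings.Add($level)
            $list.RoleAssignments.Add($assignment)
            Write-Output "$($site.Url): done"
        }
        catch { Write-Warning "$($site.Url): $($_.Exception.Message)" }
        finally { $site.Dispose() }
    }
}

# Dry run first (placeholder URL and account), then repeat without -WhatIf.
Grant-AuditorAccess -WebApplicationUrl 'https://projects.example.com' `
    -AuditorLogins 'EXAMPLE\auditor1' -WhatIf
```

Each step checks for existing state before changing it, so a run that fails partway through 20,000 site collections can be repeated without duplicating groups or permission levels.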
The SPDocKit batch permission wizards allow administrators to do much more. They
can revoke permissions or change them, change the base permissions set for each
permission level and add or remove members from SharePoint groups.
Essentially, when all (or some) of a large set of lookalike SharePoint site collections
and sites require a permissions change, SPDocKit permission wizards are your best
friend. This is true for all scenarios in which site provisioning is involved: it does not
matter whether it is a matter of self-service site provisioning, or site provisioning
through a business workflow.
These types of sites (project sites, team sites, meeting sites etc.) are usually identical,
or at least very similar to each other in structure, and there are usually plenty of such
sites (SharePoint is a collaboration platform, after all).
SPDocKit’s Batch permissions management is very useful when dealing with a large
number of site collections; it can be a real lifesaver in that scenario. However,
administrators are more likely to deal with permissions inside one site collection.
On-the-fly permissions management with SPDocKit
The SharePoint user interface provides all the basic options for dealing with
permissions. We can create, edit, and delete groups; manage group memberships;
and create and manipulate permission levels. By drilling down through SharePoint
securable objects (data structures), we can break and restore permissions and set
specific permissions for all objects down to the item level.
Even though SharePoint offers many possibilities, much remains open. New sharing
capabilities make it easier than ever for users to break permissions on the item or
folder level. It is not easy for administrators to identify those items. Cleaning up
permissions remains a repetitive, slow task—moving users who obtained permissions
directly to the appropriate SharePoint groups requires a lot of clicking.
Administrators never have a broad overview of the permissions at one particular site.
Dealing with permissions and the entire user experience (or rather the “admin
experience”) does not provide optimal efficiency. Thus, many SharePoint admins
handle permissions exclusively through PowerShell. However, PowerShell is a
command-line tool and is therefore not appropriate for everyone, especially if all an
administrator needs to do is perform a few quick actions or get an overview of what
is going on with permissions on a particular site.
This is where SPDocKit comes in. In version 5, we got the “Permissions Explorer”.
Using a familiar, hierarchical tree view of SharePoint securable objects (data
structures), administrators can drill down through the site collection objects to do
everything SharePoint allows with permissions, and even a bit more. Everyday
operations are one click away, including detecting securable objects with unique
permissions (broken permissions inheritance); breaking and restoring permissions;
creating, editing, and deleting SharePoint Groups and Permission levels; and
managing group memberships.
This easy access significantly reduces the time needed to perform those repetitive
tasks compared to the time required in the standard user interface.
Image 8: Permissions Explorer
While browsing through the site structure, administrators can easily see who has
permissions for the currently selected object. Furthermore, they can filter those
permissions based on the principal’s status (enabled or disabled), type (SharePoint
Group, AD Group, or user), and—in an interesting feature—history. Each time
SPDocKit loads the farm information, it writes the information in the background
database. Administrators can then use it as a kind of “way back machine” for
permissions.
In addition to browsing and exploring permissions, administrators can define
permissions settings on the site collection level for primary and secondary site
collection administrators, members of the administrators group and SharePoint
Groups and Permission levels.
Image 9: Setting the site collection administrators
Image 10: Creating a SharePoint Group
Image 11: Creating a new Permission Level via the SPDocKit interface
While drilling down through the hierarchy, administrators can break and restore
permission inheritance at any location and grant or revoke permissions for the
currently selected object.
Image 12: Breaking permission inheritance
Image 13: Granting permissions for the selected object
These features help administrators significantly speed up their work on permissions.
In addition to speeding up repetitive everyday tasks, SPDocKit offers some useful
automations for tasks that would normally require a lot of clicking or scripting. If you
look at the Manage Permissions ribbon, you will see “Edit”, “Clone”, “Transfer”,
“Remove”, “Move to Group”, and “Copy to group” icons.
Image 14: The SPDocKit Manage Permissions ribbon operations
While the functions of “Edit” and “Remove” are clear (change permission levels or
revoke permissions for a principal completely), the other four icons are particularly
interesting.
Although the SharePoint 2013 “Share” icon allows users to quickly share content with
other users, it creates many (sometimes unnecessary) item level permissions when it
would be much better to simply add users in the appropriate SharePoint groups.
With SPDocKit, administrators can easily clean that mess up by selecting the “loose”
principals on objects with broken permission inheritances and then copying and
moving them to the appropriate SharePoint groups—all with one click.
“Clone” and “Transfer” offer other interesting functions. Administrators often face
requirements such as “User X needs to have the same permissions as User Y” or
“User Z is being transferred to another division and User W is taking his place.”
SPDocKit’s “Clone” and “Transfer” capabilities do exactly that: they give new users the
same rights an existing user has or transfer existing rights to a new user and revoke
them from the original user. That comes in handy in day-to-day work.
Of course, as you would expect for a tool of this caliber, SPDocKit allows
administrators to get information about each user in the site collection (e.g., where
the user comes from and his or her memberships in SharePoint and AD groups).
Overall, this powerful toolset helps administrators perform permissions-related tasks.
Permissions reporting and forensics with SPDocKit
Permissions reporting and forensics are usually only needed when a problem arises.
In these cases, it is important to determine who has permissions on certain securable
objects and more importantly, why.
SharePoint permissions are serious business, and they must be viewed as having the
highest importance. A large amount of sensitive corporate information is stored in
SharePoint, and giving unauthorized people access to classified content can pose a
big threat. Therefore, it is important to have the ability to report, at any time, who
has permissions and through which channels those permissions were given.
SharePoint does not offer that ability out of the box, and it is a hassle to code that
functionality in PowerShell. At this time, SPDocKit is the only tool on the market that
can cover those cases and perform full permissions forensics.
Image 15: Report showing SharePoint groups with no permissions
In addition to forensics, SPDocKit can help you keep your SharePoint clean by
removing unused users and groups. In the Permission Reports section, you can easily
detect groups that do not have any permissions in their sites, groups owned by a
disabled SharePoint user, or groups containing disabled or orphaned users. You can
then easily correct those issues by cleaning up those groups and users or giving
them the necessary permissions.
Image 16: Report showing orphaned users
Image 17: Report showing users with no permissions in the site collection
Besides these simple but necessary cleaning tasks, the real strength of SPDocKit
permission reports lies in permissions forensics. With these forensics reports, we can
easily determine who has access to the data and why.
For each SharePoint securable object, including sites, lists, and list items, SPDocKit
will tell us who has permissions for those objects and in what way they were given.
Image 18: Permissions for a SharePoint site grouped by permission
For example, you can use this report to discover that the cleaning lady has “Add
items” permission on the management site and that she got it through her
membership in the “Cleaning Staff” Active Directory group. That group is a member
of the “Portal Contributors” SharePoint group, which has been assigned the
“Contribute” permission level for that particular site. That permission level, of course,
contains “Add items” permission. You can find all that information with just one click.
This represents the ultimate governance/compliance report in terms of SharePoint
permissions.
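The chain in that example (user, AD group, SharePoint group, permission level, permission) can be resolved by walking each role assignment down through its group memberships. The PowerShell below is an added example of that walk, not SPDocKit's code; every name, login and membership in it is constructed sample data modelled on the case above, and it runs without a farm.

```powershell
# Constructed sample data modelled on the example in the text; not read from a real farm.
$adGroupMembers = @{ 'Cleaning Staff' = @('EXAMPLE\cleaner') }               # AD group -> members
$spGroupMembers = @{ 'Portal Contributors' = @('Cleaning Staff', 'EXAMPLE\editor') }
$permissionLevels = @{
    'Contribute' = @('View items', 'Add items', 'Edit items', 'Delete items')
    'Read'       = @('View items')
}
# Role assignments on securable objects: principal -> permission level.
$roleAssignments = @(
    [pscustomobject]@{ Object = 'Management site'; Principal = 'Portal Contributors'; Level = 'Contribute' }
    [pscustomobject]@{ Object = 'Management site'; Principal = 'EXAMPLE\cleaner';     Level = 'Read' }
)

function Expand-Principal {
    # Recursively expands a principal into user logins, recording the groups passed through.
    param([string] $Principal, [string[]] $Path = @())
    if ($spGroupMembers.ContainsKey($Principal)) {
        $label = "SharePoint group '$Principal'"; $members = $spGroupMembers[$Principal]
    } elseif ($adGroupMembers.ContainsKey($Principal)) {
        $label = "AD group '$Principal'"; $members = $adGroupMembers[$Principal]
    } else {
        # Not a known group, so treat it as a user: emit the login and how it was reached.
        return [pscustomobject]@{ Login = $Principal; Path = $Path }
    }
    if ($Path -contains $label) { return }      # guard against circular group nesting
    foreach ($member in $members) {
        Expand-Principal -Principal $member -Path ($Path + $label)
    }
}

function Get-AccessReason {
    # Lists every user holding $Permission on $Object and the channel that grants it.
    param([string] $Object, [string] $Permission)
    $assignments = $roleAssignments | Where-Object { $_.Object -eq $Object }
    foreach ($ra in $assignments) {
        if ($permissionLevels[$ra.Level] -notcontains $Permission) { continue }
        foreach ($hit in Expand-Principal -Principal $ra.Principal) {
            $chain = @($hit.Path)
            [array]::Reverse($chain)            # read from the user outwards
            $via = if ($chain.Count) { $chain -join ' -> ' } else { 'granted directly' }
            [pscustomobject]@{
                Login      = $hit.Login
                Permission = $Permission
                Level      = $ra.Level
                Via        = $via
            }
        }
    }
}

Get-AccessReason -Object 'Management site' -Permission 'Add items' | Format-Table -AutoSize
Get-AccessReason -Object 'Management site' -Permission 'View items' | Format-Table -AutoSize
```

A user reached through more than one channel appears once per channel, which is what shows that removing a single grant would not remove the access.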
Of course, you can break this down into numerous other useful reports and
information overviews. The next report shows the matrix of Principals (SharePoint
Groups and SharePoint users) and permission levels, including the roles each
principal has on the site, in a graphically appealing way.
Image 19: Principals and permission levels in a subsite
Furthermore, one of the most commonly requested reports shows a quick overview
of securable objects (i.e., sites, lists, and list items) with broken permission
inheritances. You can get this report in one click with SPDocKit.
Image 20: Overview of securable objects in SharePoint Farm
In addition to securable object and permission level reports, SPDocKit offers
important principal-based reports so administrators can easily determine which
permissions a SharePoint user or SharePoint group has in one or more site
collections. With these user-centric reports, administrators can see which permissions
a principal has and the way in which those permissions were given (e.g., through
SharePoint Groups, AD Groups, or directly) and act accordingly.
Of course, as expected from SPDocKit, each of these reports can easily be saved as a
PDF or Word file, manually modified, and included in a larger report.
Image 21: Saved report shows the overview of a SharePoint site permissions
Conclusion
SharePoint’s out-of-the-box features are simply not enough for serious governance
scenarios and simplified permissions management. Administrators will either write a
bunch of PowerShell scripts and avoid the SharePoint user interface completely or
find a tool to deal with those issues. Different tools on the market partially cover
SharePoint permissions management and reporting.
When all or some of a large set of lookalike SharePoint site collections and sites
require a permission change, SPDocKit permission wizards are the best choice. In my
opinion, SPDocKit’s permissions toolkit belt does the best job. It offers batch
permissions management across site collections, simplified permissions management
inside a single site collection and powerful cleanup, forensic, and reporting options. I
often say that SPDocKit’s features let SharePoint consultants have the equivalent of a
Swiss Army knife in their pockets.
SPDocKit - Ultimate SharePoint admin tool
What is SPDocKit?
SPDocKit is a unique tool that allows you to easily administer and manage your
SharePoint farm. You can use it to keep an eye on your farm health, generate farm
documentation to prevent errors while migrating to another farm, and compare and
track changes on your farm in no time.
Why SPDocKit?
Generate SharePoint Documentation
Audit Farm Configuration and User Actions
Analyze Farm Modifications down to a Document Level
Analyze Search Terms and Database Growth
Compare Farms and Track Changes
Enforce Governance Policies
Monitor SharePoint Farm Health
Analyze SharePoint Permissions
Manage Permissions
Start with a free trial
More information is available at www.syskit.com.