There are two major approaches to implementing Sharepoint security:
1. AD groups
Create Active Directory groups for each site collection and, optionally, for each subsite and object that will require unique permissions. Create a new SharePoint OU (Organizational Unit) within Active Directory and put these new groups in it. Then add these groups to their corresponding SharePoint groups (Owner, Member and Visitor). Adding users to the AD groups may also be done through an external identity management application.
Advantages: Control, as all changes to security happen in Active Directory. It is easy to add/update/delete people from groups. No individual user accounts are stored in SharePoint with regards to security.
Disadvantages: Extra setup work. Each time you create a new site collection, or a subsite/object that requires unique permissions, you have to set up the Active Directory groups first and then add them to SharePoint. If your SharePoint administrators and your Active Directory administrators are different people, they have to cooperate.
2. Sharepoint groups
Ignore Active Directory groups and let the SharePoint administrators and site collection administrators add people directly to the groups provided by SharePoint.
Advantages: Easier administration, as it lets the SharePoint administrators quickly change security without needing to involve the Active Directory administrators. It is also easier to see the names of everyone who has the permissions of a SharePoint group right from the interface, instead of having to ask the Active Directory administrators to look it up.
Disadvantages: Maintainability suffers. You can have individual user accounts all over your SharePoint farm and not know who has permission to what. Out of the box, SharePoint does not provide a tool that shows you all the permissions a specific user account has (although there are 3rd party tools that provide this). When someone leaves or you need to move their account between departments, for example, it can be time-consuming to update the permissions in SharePoint.
The first approach is clearly the better practice in my opinion.
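The first approach as a script, added here as an example and not code from the original post: it provisions the AD groups for one site collection, binds them to the site's default Owner/Member/Visitor groups, and then checks that no individual accounts remain in those groups. It assumes the ActiveDirectory PowerShell module and the SharePoint Management Shell (2010 or later) on a farm server; the domain, OU, URL and site name are placeholders.

```powershell
# Placeholder values: replace with your own domain, OU and site collection.
$domain   = "CONTOSO"
$domainDn = "DC=contoso,DC=com"
$ouPath   = "OU=SharePoint,$domainDn"
$siteUrl  = "https://intranet.contoso.com/sites/finance"
$siteName = "Finance"   # short name embedded in the AD group names

# 1. Create the SharePoint OU once.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouPath'")) {
    New-ADOrganizationalUnit -Name "SharePoint" -Path $domainDn
}

# 2. One AD security group per SharePoint role; the name states the mapping.
$roleMap = @{
    Owners   = "SP-$siteName-Owners"
    Members  = "SP-$siteName-Members"
    Visitors = "SP-$siteName-Visitors"
}
foreach ($adGroup in $roleMap.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$adGroup'")) {
        New-ADGroup -Name $adGroup -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

# 3. Bind each AD group to the default Owner/Member/Visitor group of the site.
$web = Get-SPWeb $siteUrl
$bindings = @(
    @{ Sp = $web.AssociatedOwnerGroup;   Ad = $roleMap.Owners   },
    @{ Sp = $web.AssociatedMemberGroup;  Ad = $roleMap.Members  },
    @{ Sp = $web.AssociatedVisitorGroup; Ad = $roleMap.Visitors }
)
foreach ($b in $bindings) {
    New-SPUser -UserAlias "$domain\$($b.Ad)" -Web $web -Group $b.Sp
}

# 4. Check: with this model the SharePoint groups should hold only domain groups,
#    so any individual account left in them is reported for clean-up.
foreach ($b in $bindings) {
    $b.Sp.Users | Where-Object { -not $_.IsDomainGroup } | ForEach-Object {
        Write-Warning "$($b.Sp.Name) contains individual account $($_.LoginName)"
    }
}
$web.Dispose()
```

Run the check in step 4 on its own periodically: it is the quickest way to spot where people have fallen back to adding individual accounts.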
External Access/Identity management
With companies setting up external access management/identity management platforms, you also need to look into how the SharePoint security architecture maps onto the corporate access/identity management architecture. Typically, you want to use the IdM application to tie users to groups (either AD or SharePoint groups; both are possible). This way, both internal and delegated administration can be provided. Delegated administration can be offered to extranet partners to manage their own users, for instance.
© Copyright 2008, Tomas Elfving
Saturday, October 18, 2008
Implementing Sharepoint security
Labels: Active Directory, MOSS 2007, Security, Sharepoint