Site Collection Design - Designing Access Control

= Access Control =

Overview
SharePoint enables a huge amount of control over exactly who can see and do what within your SharePoint site or site collection. In our experience the best way to approach managing this aspect of your SharePoint site is to keep it as simple as possible, otherwise you run the risk of your site collection permissions running away from you and becoming a headache to manage (stories of more access control groups defined within a site collection than there are people using it are quite common!).

Our goals in the way we approach access control settings within our collection are to put in necessary controls so we avoid SharePoint Sprawl, while also doing whatever we can to help facilitate collaboration and information/knowledge sharing. A fine balance between the two is necessary.

Below we outline the standard approach we have defined for Research collections.

Training Slides
Click here to view the training slides that accompany this activity.

How SharePoint Permissions Work


How SharePoint permissions work is covered in greater depth elsewhere (see links at the bottom of this page). For now all we need to know is that users or groups are assigned permissions levels which dictate what they can and can't do within a given SharePoint site.

The Three Essential Rules
Here are the essential rules when designing how permissions will work in your site collection:

1. Avoid breaking the inheritance of permissions
Define your security groups at the top level of your site collection and inherit them in all lower-level sites (centralized control = much easier management in the longer term).


 * [[Image:Spperinher-perfect.jpg]]

2. Minimise the creation of groups
Below you will see how we tweak permission levels so as to minimize who is able to create new groups. That coupled with the fact we advise you to inherit access control settings from your top site will mean you have a small number of groups that you can manage in one place.

3. Avoid directly assigning user permissions
Whenever possible, avoid assigning permissions to individual users directly; instead point to Outlook distribution lists or Active Directory groups for lists of users.

Applying the Three Rules
In the Create your Security Groups section we will look at how to configure your site collection to be compliant with rules one and three. In this activity we focus on defining our groups and identifying the membership of those groups.
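The following script is an added example (not code from the original page) that audits an existing site collection against the three rules: it lists the groups defined at the root (rule 2), reports sub-sites that have broken permission inheritance (rule 1) and flags individual users who hold permissions directly rather than through a group (rule 3). It assumes an on-premises SharePoint farm, the SharePoint Management Shell run as a farm administrator, and a placeholder site URL.

```powershell
# Added example (not the original page's code): audit a site collection against
# the three rules. Assumes an on-premises SharePoint farm run from the SharePoint
# Management Shell as a farm administrator; $SiteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://intranet.example/sites/research"   # placeholder
$site = Get-SPSite $SiteUrl

# Rule 2: groups live at the root web and there should be few of them.
$groups = $site.RootWeb.SiteGroups
Write-Host ("{0} groups defined in {1}" -f $groups.Count, $SiteUrl)
$groups | Select-Object Name, @{ n = "Members"; e = { $_.Users.Count } } | Format-Table -AutoSize

foreach ($web in $site.AllWebs) {
    # Rule 1: a sub-site with its own role assignments has broken inheritance.
    if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
        Write-Warning "$($web.Url) breaks permission inheritance from its parent"
        # To enforce rule 1, re-inherit (this discards the sub-site's own assignments):
        # $web.ResetRoleInheritance()
    }

    # Rule 3: only inspect webs that hold their own assignments (inheriting webs
    # would just repeat the parent's). Flag individual users assigned directly
    # instead of through a SharePoint group or an Active Directory group.
    if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments) {
        foreach ($ra in $web.RoleAssignments) {
            $m = $ra.Member
            if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                Write-Warning "$($web.Url): user '$($m.LoginName)' is directly assigned [$levels]"
            }
        }
    }
    $web.Dispose()
}

$site.Dispose()
```

Run it read-only first; the commented-out ResetRoleInheritance() call is the one destructive step and should only be enabled once the warnings have been reviewed with the site owners.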

= Groups for a SharePoint team site collection =

Below is an example of how we would recommend you set up groups in your site collections. As you'll see, we define a simple hierarchy of users by tweaking the default groups provided by SharePoint. These groups will be defined at the top level of the site collection, and then be inherited by the sub-sites within the collection.

TeamSite Collection Managers
Within SharePoint itself this group of users is managed in a slightly different way to the groups below (see Add Site Collection Owners).

Site Collection Owners have complete control over every aspect of every site in your site collection and as such control how the site collection as a whole evolves. We therefore recommend making your stakeholders the Site Collection Owners but only as long as they are SharePoint competent.

Site Managers
The key purpose of this group is to identify those who can create new sites within the collection. We tweak the default SharePoint permissions for this group and remove the ability of these users to change the themes for sites, since we wish to have a consistent theme used throughout the collection (for notes on how to apply this change in SharePoint see Create your Security Groups).

Designers
This group is used to identify the 'Super Users' of the collection and provide them with the permissions necessary to create and manage components (e.g. lists, libraries, surveys) within existing sites.

Content Users and Providers
This is everybody else in the department(s) that uses the site collection.

Visitors
At this point you have a big design decision to make - who you recognize as having the potential to be a user of any of the sites within your collection.

The single biggest impediment to enabling collaboration is restricting access. Limiting access creates silos of information, prevents serendipitous use of knowledge and effectively says "this is my information and you have to ask me for access". For collaboration to flourish we need to move away from the mindset in which the default permissions on our content management systems and SharePoint instances are set to closed. We have to create a mature, open culture where open access is seen as beneficial and restriction of access is discouraged except where appropriate.

It isn't possible to take this approach in every single instance; SharePoint site owners must of course follow your organisation's information security guidelines as appropriate, BUT stop to think whether you really need to lock a site down and make it inaccessible to the wider organisation.

How this affects your design decision is highlighted below. For a completely 'open' model give 'NT AUTHORITY\authenticated users' (i.e. anybody with a Windows account) 'Contribute' access.
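As an added example (not code from the original page), the script below creates the group hierarchy described in this section at the root web of a site collection: a custom "Site Manager" permission level (Full Control minus the right to change themes), the Site Managers, Designers, Content Users and Providers and Visitors groups, and finally the open-model assignment of Contribute to all authenticated users. It assumes an on-premises SharePoint farm, the SharePoint Management Shell, and placeholder values for the site URL and the owner account.

```powershell
# Added example (not the original page's code): build the group hierarchy at the
# root web of a site collection. Assumes an on-premises SharePoint farm run from
# the SharePoint Management Shell; $SiteUrl and the owner login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://intranet.example/sites/research"   # placeholder
$site  = Get-SPSite $SiteUrl
$web   = $site.RootWeb                                 # rule 1: define groups here only
$owner = $web.EnsureUser("DOMAIN\research-owner")      # placeholder site collection owner

# Site Manager level: Full Control with "Apply Themes and Borders" removed, so the
# collection keeps one consistent theme while managers can still create sites.
$themeBit = [long][Microsoft.SharePoint.SPBasePermissions]::ApplyThemeAndBorder
$mgr = New-Object Microsoft.SharePoint.SPRoleDefinition($web.RoleDefinitions["Full Control"])
$mgr.Name = "Site Manager"
$mgr.Description = "Full Control without the right to change themes"
$mgr.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]([long]$mgr.BasePermissions -bxor $themeBit)
$web.RoleDefinitions.Add($mgr)

# Create a group (if it does not already exist) and bind it to one permission level.
function Add-CollectionGroup([string]$name, [string]$description, [string]$level) {
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $name }
    if ($group -eq $null) {
        $web.SiteGroups.Add($name, $owner, $owner, $description)
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $name }
    }
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$level])
    $web.RoleAssignments.Add($ra)
}

Add-CollectionGroup "Site Managers" "Can create new sites in the collection" "Site Manager"
Add-CollectionGroup "Designers" "Super users who create and manage lists, libraries and surveys" "Design"
Add-CollectionGroup "Content Users and Providers" "Everybody else in the department(s)" "Contribute"
Add-CollectionGroup "Visitors" "Read-only access for the wider organisation" "Read"

# Open model: every Windows account gets Contribute. In a claims-mode farm the
# "all authenticated users" principal is "c:0(.s|true" rather than the NT name.
$everyone = $web.EnsureUser("NT AUTHORITY\authenticated users")
$ra = New-Object Microsoft.SharePoint.SPRoleAssignment($everyone)
$ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
$web.RoleAssignments.Add($ra)

$site.Dispose()
```

Sub-sites that inherit from the root pick up these groups automatically; the script does not touch sub-sites, so any that have already broken inheritance must be reset separately.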

Read more about the benefits of an open model for SharePoint site collection security.

= Next Steps =

Go back to the Site Collection Design page.

= See also =


 * Create your Security Groups - our section on creating security groups within your SharePoint collection
 * About controlling access to sites and site content (Microsoft Knowledgebase)