The Project Collaborate Approach to SharePoint Site Security

=Introduction=

SharePoint enables a huge amount of control over exactly who can see and do what within your SharePoint site or site collection. But with great power must come great responsibility, and in our experience the best way to approach managing this aspect of your SharePoint site is to keep it as simple as possible.

=Our philosophy: Keep it open and simple=

Here's our recommended best practice:
 * 1) Avoid breaking the inheritance of permissions, i.e. define your security groups at the top level of your site collection and let all lower-level sites inherit them. Centralized control means easier management in the longer term.
 * 2) Minimise the creation of groups and, where possible, point to Outlook distribution lists or Active Directory groups for lists of users.
 * 3) Whenever possible, avoid directly assigning permissions to individual users.
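The three rules above can be audited rather than just stated. The script below is an added example, not part of the original page: it walks a site collection with PnP.PowerShell (Connect-PnPOnline, Get-PnPWeb, Get-PnPSubWeb, Get-PnPProperty, Get-PnPGroup) and reports every sub-site or list that breaks inheritance (rule 1), every permission granted directly to a user rather than a group (rule 3), and how many SharePoint groups exist at the top level (rule 2). The site URL and the helper name Test-RoleAssignments are placeholders of my own.

```powershell
# Added audit example (not from the original page). Assumes the PnP.PowerShell module.
param([string]$SiteUrl = "https://contoso.sharepoint.com/sites/example")  # placeholder URL

Connect-PnPOnline -Url $SiteUrl -Interactive
$findings = @()

# Hypothetical helper: checks one web or list for broken inheritance and direct user grants.
function Test-RoleAssignments {
    param($SecurableObject, [string]$Label, [switch]$IsRoot)
    # CSOM objects are lazy-loaded; fetch only the properties we need
    Get-PnPProperty -ClientObject $SecurableObject -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
    if (-not $SecurableObject.HasUniqueRoleAssignments) { return }   # inherits from parent: rule 1 satisfied
    if (-not $IsRoot) {                                               # the root web always has unique permissions
        $script:findings += [pscustomobject]@{ Object = $Label; Issue = "Inheritance broken (rule 1)"; Principal = "" }
    }
    foreach ($ra in $SecurableObject.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member | Out-Null
        # Rule 3: PrincipalType 'User' means the permission was assigned to a person, not a group
        if ($ra.Member.PrincipalType -eq "User") {
            $script:findings += [pscustomobject]@{ Object = $Label; Issue = "Direct user permission (rule 3)"; Principal = $ra.Member.LoginName }
        }
    }
}

$root = Get-PnPWeb
$webs = @($root) + @(Get-PnPSubWeb -Recurse)
foreach ($web in $webs) {
    Get-PnPProperty -ClientObject $web -Property Url, Lists | Out-Null
    Test-RoleAssignments -SecurableObject $web -Label "Web: $($web.Url)" -IsRoot:($web.Url -eq $root.Url)
    foreach ($list in $web.Lists) {
        Get-PnPProperty -ClientObject $list -Property Title, Hidden | Out-Null
        if ($list.Hidden) { continue }                                # skip system lists
        Test-RoleAssignments -SecurableObject $list -Label "List: $($web.Url)/$($list.Title)"
    }
}

# Rule 2: SharePoint groups defined at the top level; the page's approach uses only three
$groupCount = @(Get-PnPGroup).Count
Write-Host "SharePoint groups in this site collection: $groupCount"

$findings | Sort-Object Object | Format-Table -AutoSize
```

Run it from an account with at least read access to every sub-site; anything it lists is a candidate for re-inheriting permissions or for replacing a direct user grant with a group membership.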

=Recommended Approach=

Freedom of Information
The single biggest impediment to enabling collaboration is restricting access. Limiting access creates silos of information, prevents serendipitous use of knowledge and effectively says "this is my information and you have to ask me for access". For collaboration to flourish we need to change the mindset that leads us to set the default permissions on our content management systems and SharePoint instances to closed. We have to create a mature, open culture where open access is seen as beneficial and restriction of access is discouraged except where appropriate. To this end, Project Collaborate considers adoption of an open knowledge-sharing culture to be a prerequisite to enabling effective collaboration.

We know it isn't possible to take this approach in every single instance, and SharePoint site owners must of course follow the relevant Information Security guidelines for their organisation. BUT stop to think whether you really need to lock a site down and make it inaccessible to the wider population within your organisation.

Gartner make the following recommendations for ensuring take-up of an online collaboration site:

 * Err on the side of too much liberty
 * Keep rules to a minimum
 * Take the legal precedent approach
 * Bad behavior emerges
 * Take appropriate action
 * Only allow anonymity if it directly suits the purpose
 * Coach don't control, guide don't dictate
 * Leave room for emergent behavior
 * Don't fight the architecture of participation

Creating groups
For most of our site collections we use only three groups for managing the global site permissions. Note that the settings we assign to each of those groups are based on our philosophy of erring on the side of too much liberty, i.e. making our SharePoint sites as open as possible to encourage and facilitate collaboration.

Managing Security
Our approach to managing which members are included in the 'Designers' and 'Full Control' groups is very similar to that taken in most large-scale wikis.

 * Initially, the number of users included in these groups should be kept to a minimum while the base structure and organization of the site collection is created ("Too many cooks spoil the broth").
 * Users in these groups are expected to have amassed experience of using SharePoint.
 * The groups are self-policing, and members can be promoted and demoted by the community based on adherence to agreed best practice.

=Managing permissions to OneNote Notebooks=

By default, OneNote notebooks inherit the access permissions set on the document library that hosts the notebook. If a user does not have permission to access the SharePoint document library the notebook is hosted in, they cannot access the notebook. The permissions for a notebook, or for a section group within a notebook, can be altered by breaking permission inheritance at the document library level or on the appropriate individual folder within it.