I sat down yesterday and read a great article titled “Managing SharePoint Security, Permissions the Hard Way” by Steven Pogrebivsky. It definitely does a great job at explaining the difficulties in managing SharePoint permissions with the out-of-the-box tools in SharePoint. I wanted to take the time to share my experience in managing SharePoint permissions the easier way.
Before I point out the easy way, let's recap the hard way. A new employee joins an organization and over time accumulates permissions to various SharePoint sites, usually by being added directly to SharePoint groups, one site at a time. After months or years the permission structure is as tangled as spaghetti code. Eventually the employee leaves the organization. Do you go back to every SharePoint site this employee had access to and remove them from every SharePoint group? Usually the answer is "No". Why? Because the employee's permissions were never documented well enough for the site administrators to know which sites to remove the departing employee from, and the out-of-the-box tools give no single view of every site a given user can reach.
Let's take a step back and think about what existing processes we can leverage to ensure that SharePoint permissions are ALWAYS added and removed as employees enter and leave an organization. When a new employee joins, they are given an account in Active Directory (AD). That account is also added to a few AD groups so they can access file shares and other resources on the network. When the employee leaves, their account is disabled and eventually deleted from AD, which blocks every logon and removes the account from every AD group it belonged to. This offboarding step already happens reliably, because skipping it would leave the departed person able to log on to the network.
The easy solution: leverage AD groups and SharePoint groups together to manage access to your SharePoint sites. I highly recommend creating AD security groups that mirror your SharePoint groups, one AD group per SharePoint group, named so the mapping is obvious. Add each AD group to its matching SharePoint group and grant no individual users in SharePoint at all; every person gets access by being placed in an AD group. All of the permissions management for SharePoint is then done in AD, where your existing joiner and leaver processes already operate, and each AD group's membership list doubles as the documentation of who can reach which site.
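As a concrete illustration of the mirroring approach, here is an added PowerShell example (not code from the original post): it creates an AD security group for each SharePoint group on a site, adds that AD group to the SharePoint group, and then audits the site for anyone granted access outside AD, which is the check that keeps the model honest. It assumes the SharePoint 2010 or later Management Shell on a farm server, the ActiveDirectory module from RSAT, and hypothetical values for the site URL, domain, OU and the SP-<Site>-<Role> naming convention.

```powershell
# Added example (not from the original post): mirror SharePoint groups with AD
# security groups, grant access only through those AD groups, then audit the
# site for people granted directly. Assumes the SharePoint 2010+ Management
# Shell snap-in on a farm server and the RSAT ActiveDirectory module. The URL,
# domain, OU and naming convention below are hypothetical.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$SiteUrl = "http://intranet.contoso.com/sites/finance"
$Domain  = "CONTOSO"
$GroupOU = "OU=SharePoint Groups,OU=Groups,DC=contoso,DC=com"

$web = Get-SPWeb $SiteUrl

# 1. For every SharePoint group on the site, create a matching AD security
#    group (convention: SP-<Site>-<Role>, e.g. "Finance Members" becomes
#    "SP-Finance-Members") and add it to the SharePoint group. People are
#    then added only to the AD group, never to the SharePoint group.
foreach ($spGroup in $web.SiteGroups) {
    $adName = "SP-" + ($spGroup.Name -replace '[^A-Za-z0-9]+', '-').Trim('-')

    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$adName'")) {
        New-ADGroup -Name $adName -SamAccountName $adName `
                    -GroupScope Global -GroupCategory Security -Path $GroupOU `
                    -Description ("Mirrors SharePoint group '{0}' on {1}" -f $spGroup.Name, $SiteUrl)
    }

    # EnsureUser resolves the domain group to an SPUser principal for this
    # site; AddUser is a no-op for existing members, so re-running is safe.
    $principal = $web.EnsureUser("$Domain\$adName")
    $spGroup.AddUser($principal)
}

# 2. Audit: the model only holds if nobody is granted outside AD. Report every
#    SharePoint group member and every direct role assignment that is a person
#    rather than a domain group, so those grants can be moved into AD.
$directGrants = @()
foreach ($spGroup in $web.SiteGroups) {
    foreach ($member in $spGroup.Users) {
        if (-not $member.IsDomainGroup) {
            $directGrants += [pscustomobject]@{
                Where     = "SharePoint group '$($spGroup.Name)'"
                Principal = $member.LoginName
            }
        }
    }
}
foreach ($ra in $web.RoleAssignments) {
    $m = $ra.Member
    if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
        $directGrants += [pscustomobject]@{
            Where     = "Direct permission on $($web.Url)"
            Principal = $m.LoginName
        }
    }
}

if ($directGrants.Count -eq 0) {
    Write-Host "OK: all access to $SiteUrl is granted through AD groups."
} else {
    Write-Warning "$($directGrants.Count) principal(s) granted outside AD; move them into the mirrored AD groups:"
    $directGrants | Format-Table -AutoSize
}

$web.Dispose()
```

Run the script once per site when adopting the model and re-run the audit half on a schedule; any row it reports is a grant that the AD leaver process cannot revoke, so it should be replaced by membership in the corresponding SP-<Site>-<Role> group.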
Let's look at this scenario again using the easier solution. A new employee joins your organization. The user is given an account in AD and added to several AD groups, some of which grant access to a standard set of SharePoint sites. Over time this employee gains access to new SharePoint sites by being added to new AD groups, never by being added to a SharePoint group directly. When the employee leaves, their account is disabled and removed from AD and its groups, and they have automatically lost access to every SharePoint site in the organization. There is no need to search through the SharePoint sites to confirm the employee's access has been completely removed; the only thing left to check periodically is that no site administrator has bypassed the model by granting a user directly in SharePoint.
That is SharePoint security the easy way.