May 05

After reading various papers on this over the course of the day (the most useful can be found here), one thing seems pretty clear: the SharePoint security structure is hard to maintain!

Here are some key recommendations for a maintainable structure:

  • Focus on using Active Directory to maintain your security structure. Set up groups in Active Directory and assign them to SharePoint groups in your site collection. Don't add individual users to SharePoint groups; put users in the right Active Directory groups instead, and the membership automatically flows through into SharePoint.
  • Active Directory has a wide selection of APIs and tools for managing group membership. If you need to handle security changes programmatically, you'll find it much easier in AD than in SharePoint.
  • Always use Domain Local groups in Active Directory as the groups you assign to your SharePoint groups. This is not only best practice according to standard Windows recommendations (accounts go into Global groups, Global groups are nested in a Domain Local group, and the Domain Local group is what receives the permission), it also lets you include users from a different domain over a one-way trust. Global groups can only contain accounts from their own domain, and Universal groups can only contain accounts from within their own forest; only a Domain Local group can contain principals from an externally trusted domain.
  • SharePoint's People Picker is quite powerful. If you need granularity beyond simple groups, you can grant specific access to individual users where needed, but your administration overhead will go up. Try not to break permission inheritance without VERY strong business drivers, because maintaining security after that point is extremely difficult: every uniquely-permissioned list, library or item has to be audited and updated on its own.
  • For a simple extranet structure, the default SharePoint groups are fine: most external users are Visitors, able to read but not change the site; internal users are Members, able to update the site where appropriate; and IT staff tend to be Site Owners, so they can maintain the site structure. This is actually quite flexible, especially when moving a user between these roles is just a matter of Active Directory group assignments.
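The recommendations above, carried through as one script. This is an added example and not code from the original post: it drives the AGDLP pattern end to end, making sure each Domain Local group exists with the right scope (refusing to reuse a group of the wrong scope, since that would quietly lose the one-way-trust option), nesting the Global groups that hold the accounts, and then granting the Domain Local group membership of the matching SharePoint group through the server object model. Every name in it is an assumption: the CORP domain, the OU path, the site URL, and the Global, Domain Local and SharePoint group names. The AD side needs the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and the SharePoint side needs Microsoft.SharePoint.dll, so it runs on a SharePoint server as a site collection administrator.

```powershell
# Added example, not from the original post. Every name below is an assumption:
# domain CORP, OU "OU=SharePoint Groups,DC=corp,DC=example", site
# http://intranet.corp.example, and the Global/Domain Local/SharePoint group names.
# Needs the ActiveDirectory module (RSAT, Server 2008 R2 or later) and must run on
# a SharePoint server as an account that is a site collection administrator.
Import-Module ActiveDirectory
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$domain  = "CORP"
$ouPath  = "OU=SharePoint Groups,DC=corp,DC=example"
$siteUrl = "http://intranet.corp.example"

# AGDLP: Accounts -> Global groups -> Domain Local group -> Permission (the SharePoint group).
$mapping = @{
    "Intranet Visitors" = @{ Local = "SP-Intranet-Visitors"; Globals = @("GG-Partner-Staff") }
    "Intranet Members"  = @{ Local = "SP-Intranet-Members";  Globals = @("GG-Employees") }
    "Intranet Owners"   = @{ Local = "SP-Intranet-Owners";   Globals = @("GG-IT-Operations") }
}

function Ensure-DomainLocalGroup {
    param([string]$Name, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        return New-ADGroup -Name $Name -SamAccountName $Name -GroupScope DomainLocal `
                           -GroupCategory Security -Path $Path -PassThru
    }
    # Refuse a pre-existing group of the wrong scope: a Global group cannot hold
    # principals from the far side of a one-way trust, so the design would silently break.
    if ($g.GroupScope -ne "DomainLocal") {
        throw "$Name exists with scope $($g.GroupScope); expected DomainLocal"
    }
    return $g
}

function Ensure-NestedMember {
    param([string]$LocalGroup, [string]$MemberGroup)
    # Add-ADGroupMember errors on a duplicate, so check membership first.
    $already = Get-ADGroupMember -Identity $LocalGroup |
               Where-Object { $_.SamAccountName -eq $MemberGroup }
    if (-not $already) { Add-ADGroupMember -Identity $LocalGroup -Members $MemberGroup }
}

function Add-DomainGroupToSPGroup {
    param([string]$SiteUrl, [string]$SPGroupName, [string]$LoginName)
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.RootWeb
        $spGroup = $web.SiteGroups | Where-Object { $_.Name -eq $SPGroupName }
        if (-not $spGroup) { throw "SharePoint group '$SPGroupName' not found in $SiteUrl" }
        # EnsureUser resolves the login through the People Picker and returns an
        # SPUser; IsDomainGroup confirms we are granting to a group, not a person.
        $principal = $web.EnsureUser($LoginName)
        if (-not $principal.IsDomainGroup) { throw "$LoginName resolved to a user, not an AD group" }
        if (-not ($spGroup.Users | Where-Object { $_.ID -eq $principal.ID })) {
            $spGroup.AddUser($principal)
        }
        # On SharePoint 2010 or later the same step is available as a cmdlet:
        #   New-SPUser -UserAlias $LoginName -Web $SiteUrl -Group $SPGroupName
    } finally {
        $site.Dispose()
    }
}

foreach ($spGroupName in $mapping.Keys) {
    $entry = $mapping[$spGroupName]
    $local = Ensure-DomainLocalGroup -Name $entry.Local -Path $ouPath
    foreach ($gg in $entry.Globals) {
        Ensure-NestedMember -LocalGroup $local.SamAccountName -MemberGroup $gg
    }
    Add-DomainGroupToSPGroup -SiteUrl $siteUrl -SPGroupName $spGroupName `
                             -LoginName "$domain\$($entry.Local)"

    # Check: who actually ends up with this SharePoint group's rights, resolved through AD.
    "$spGroupName <- $domain\$($entry.Local):"
    Get-ADGroupMember -Identity $local.SamAccountName -Recursive |
        Select-Object -ExpandProperty SamAccountName | ForEach-Object { "    $_" }
}
```

Two things to keep in mind when running something like this. The scope check in Ensure-DomainLocalGroup is the part that protects the one-way-trust case: if someone has already created a Global group with the expected name, the script stops rather than wiring it up and discovering later that partner accounts cannot be added. And SharePoint evaluates Windows group membership from the user's logon token, so a change made in AD is seen the next time the user logs on, not at the moment Add-ADGroupMember returns; the recursive membership listing at the end shows what AD will hand out, not what a currently logged-on user already has.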
