Blog Data Security

SharePoint Permissions Cheat Sheet

Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can...
Brian Vecci
2 min read
Last updated June 9, 2023

Contents

    Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology.  Unfortunately, managing access controls in SharePoint is often left end-users, not IT administrators, and that can spell disaster.

    Get a Free Data Risk Assessment

    Learn more about permissions management with our free guide. 

    This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).

    • SharePoint has “local” groups that can contain Active Directory Groups
      • For example, you can have a SharePoint permissions group called “Sales” which can contain Active Directory groups “Sales” and “Sales Engineering” and “Chess Team”
      • Unlike file shares where local groups are generally avoided, SharePoint specific groups are very common – this is makes it much harder to answer the question “Which human beings can access my data?”
    • There are more default permissions types than you can keep in your head at one time (33 in all):
      • 12 permissions types for Lists
      • 3 permissions types for Personal actions (e.g., views)
      • 18 permissions types for Sites
      • Each permissions type can be grouped into Permissions Levels.
        • For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
    • In addition to the built-in permissions types, admins can create custom levels
      • For a given site or list, a custom level might be applied, making it really hard to determine who can do what
      • A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything
    • If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button
      • Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain
      • The button was a common cure-all for frustrated admins trying to grant access to frustrated users

    OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend.  Bookmark it, study it, and hope for the best:

    http://technet.microsoft.com/en-us/library/cc721640.aspx

    Did you really think I’d leave you hanging here?

    Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions.  You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.

    Don’t just take my word for it – try DatAdvantage free for 30 days.  At the very least, you can point Varonis at your existing sites and immediately lockdown data that is wide open.

    Image credit: keenanpepper

    Learn more about permissions management with our free guide. 

    What should I do now?

    Below are three ways you can continue your journey to reduce data risk at your company:

    1

    Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

    2

    See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

    3

    Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

    Brian Vecci
    Brian Vecci Brian Vecci is Varonis' Field CTO and joined the team as a technical evangelist in 2010. He helps protect teams from insider threats, cyberattacks, and terrible sales presentations.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    best-practices-for-sharepoint-permissioning
    Best Practices for SharePoint Permissioning
    best-practices-for-sharepoint-permissioning
    Jonathan Pistilli
    March 29, 2020
    SharePoint is Microsoft’s enterprise-class environment for sharing content: documents, presentations, spreadsheets, notes, images, and more. While SharePoint has many advantages over a raw file system in terms of content management,...
    why-do-sharepoint-permissions-cause-so-much-trouble?
    Why Do SharePoint Permissions Cause So Much Trouble?
    why-do-sharepoint-permissions-cause-so-much-trouble?
    Brian Vecci
    January 6, 2012
    SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying...
    fixing-the-open-shares-problem
    Fixing the Open Shares Problem
    fixing-the-open-shares-problem
    David Gibson
    March 29, 2012
    I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone,...
    sidestepping-sharepoint-security:-two-new-techniques-to-evade-exfiltration-detection
    Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection
    sidestepping-sharepoint-security:-two-new-techniques-to-evade-exfiltration-detection
    Eric Saraga
    April 9, 2024
    Varonis Threat Labs discovered two techniques in SharePoint that allow users to circumvent audit logs and avoid triggering download events while exfiltrating files.