Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot. Learn more

SharePoint Permissions Cheat Sheet

Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can...
Brian Vecci
2 min read
Last updated June 9, 2023

Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology.  Unfortunately, managing access controls in SharePoint is often left end-users, not IT administrators, and that can spell disaster.

Get a Free Data Risk Assessment

Learn more about permissions management with our free guide. 

This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).

  • SharePoint has “local” groups that can contain Active Directory Groups
    • For example, you can have a SharePoint permissions group called “Sales” which can contain Active Directory groups “Sales” and “Sales Engineering” and “Chess Team”
    • Unlike file shares where local groups are generally avoided, SharePoint specific groups are very common – this is makes it much harder to answer the question “Which human beings can access my data?”
  • There are more default permissions types than you can keep in your head at one time (33 in all):
    • 12 permissions types for Lists
    • 3 permissions types for Personal actions (e.g., views)
    • 18 permissions types for Sites
    • Each permissions type can be grouped into Permissions Levels.
      • For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
  • In addition to the built-in permissions types, admins can create custom levels
    • For a given site or list, a custom level might be applied, making it really hard to determine who can do what
    • A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything
  • If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button
    • Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain
    • The button was a common cure-all for frustrated admins trying to grant access to frustrated users

OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend.  Bookmark it, study it, and hope for the best:

http://technet.microsoft.com/en-us/library/cc721640.aspx

Did you really think I’d leave you hanging here?

Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions.  You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.

Don’t just take my word for it – try DatAdvantage free for 30 days.  At the very least, you can point Varonis at your existing sites and immediately lockdown data that is wide open.

Image credit: keenanpepper

Learn more about permissions management with our free guide. 

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

best-practices-for-sharepoint-permissioning
Best Practices for SharePoint Permissioning
SharePoint is Microsoft’s enterprise-class environment for sharing content: documents, presentations, spreadsheets, notes, images, and more. While SharePoint has many advantages over a raw file system in terms of content management,...
why-do-sharepoint-permissions-cause-so-much-trouble?
Why Do SharePoint Permissions Cause So Much Trouble?
SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying...
fixing-the-open-shares-problem
Fixing the Open Shares Problem
I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone,...
sidestepping-sharepoint-security:-two-new-techniques-to-evade-exfiltration-detection
Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection
Varonis Threat Labs discovered two techniques in SharePoint that allow users to circumvent audit logs and avoid triggering download events while exfiltrating files.