Complexity is dangerous in the security world. The harder something is to understand, the harder it is to protect. SharePoint falls squarely into this category. Configuring permissions in SharePoint can be daunting, especially if you don't understand the core concepts and terminology. Unfortunately, managing access controls in SharePoint is often left to end users rather than IT administrators, and that can spell disaster.
This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).
- SharePoint has "local" groups that can contain Active Directory groups
  - For example, you can have a SharePoint permissions group called "Sales" which contains the Active Directory groups "Sales", "Sales Engineering" and "Chess Team"
  - Unlike file shares, where local groups are generally avoided, SharePoint-specific groups are very common, and the extra layer of nesting makes it much harder to answer the question "Which human beings can access my data?"
- There are more default permission types than you can keep in your head at one time (33 in all):
  - 12 permission types for Lists
  - 3 permission types for Personal actions (e.g., views)
  - 18 permission types for Sites
- Permission types are grouped into Permission Levels, and a level is what actually gets assigned to a user or group.
  - For example, the default "Contribute" permission level contains 8 of the 12 list permission types.
- In addition to the built-in levels, admins can create custom levels
  - For a given site or list, a custom level might be applied, making it really hard to determine who can do what from the level name alone
  - A malicious admin could create a custom level called "Extremely Limited" (sounds innocent, no?) but grant that level permission to do everything. Creating a level already requires rights to manage permissions, so the damage is not privilege escalation for the admin; it is that everyone who later reads the permissions report is misled about what "Extremely Limited" members can do. Always inspect the base permissions behind a level, not its name.
- If you're running a version of SharePoint prior to 2010, watch out for the "Authenticated Users" button
  - Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain, service accounts included
  - The button was a common cure-all for frustrated admins trying to grant access to frustrated users
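The two recurring problems above, nested groups that hide which humans have access and custom levels whose names say nothing about what they grant, are both mechanical to check once you have the data. The script below is an added example written for this page, not a tool from the original post or from Varonis. It runs over a constructed snapshot (the groups, levels and assignments are made up; the permission-type names follow SharePoint's SPBasePermissions enum, but the sets shown per level are illustrative rather than the exact default composition). On a real farm you would populate the same three dictionaries from `Get-SPWeb` in the SharePoint Management Shell (the `RoleDefinitions` and `RoleAssignments` properties of the web) and `Get-ADGroupMember -Recursive` for the directory side.

```python
"""Audit helper for a SharePoint site's permission model.

Everything below is a constructed snapshot, not data from a real site:
permission levels (role definitions) with the base permissions they grant,
the site's SharePoint groups with their members (AD users or AD groups),
AD group membership, and the role assignments on the site.

The audit answers two questions: which human beings end up with access
(and with what), and which custom permission levels grant far more than
their name suggests.
"""
from collections import deque

# Base permissions that let a principal change the permission model or take
# over the site. Any level that grants one of these is effectively Full Control.
HIGH_IMPACT = {"ManagePermissions", "ManageWeb", "ManageSubwebs",
               "CreateGroups", "EnumeratePermissions"}

# Names SharePoint ships with; anything else was created by an admin.
DEFAULT_LEVELS = {"Full Control", "Design", "Contribute", "Read", "Limited Access"}

# Constructed: permission levels on a hypothetical site (illustrative sets).
LEVELS = {
    "Full Control": {"ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
                     "ManageLists", "ManagePermissions", "ManageWeb", "ManageSubwebs",
                     "CreateGroups", "EnumeratePermissions"},
    "Read": {"ViewListItems", "OpenItems", "ViewVersions", "ViewPages", "Open"},
    "Contribute": {"ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
                   "OpenItems", "ViewVersions", "DeleteVersions", "CreateAlerts",
                   "ViewPages", "Open"},
    # The trap from the text: innocent name, rights to rewrite the permission model.
    "Extremely Limited": {"ViewListItems", "ManagePermissions", "ManageWeb",
                          "EnumeratePermissions"},
}

# Constructed: SharePoint groups -> members. "AD:" marks an Active Directory
# group; anything else is an individual account.
SP_GROUPS = {
    "Sales": ["AD:Sales", "AD:Sales Engineering", "AD:Chess Team"],
    "Sales Owners": ["CORP\\alice"],
}

# Constructed: AD group membership, which can itself be nested.
AD_GROUPS = {
    "Sales": ["CORP\\bob", "CORP\\carol"],
    "Sales Engineering": ["CORP\\dave", "AD:Sales Interns"],
    "Sales Interns": ["CORP\\erin"],
    "Chess Team": ["CORP\\frank", "CORP\\alice"],
}

# Constructed: role assignments on the site (principal -> permission levels).
ASSIGNMENTS = {
    "Sales": ["Read"],
    "Sales Owners": ["Full Control"],
    "AD:Chess Team": ["Extremely Limited"],
    "CORP\\grace": ["Contribute"],
}


def expand_principal(principal, sp_groups, ad_groups):
    """Resolve a SharePoint group, AD group or account to the set of human accounts.

    Walks nesting of any depth (AD group inside SharePoint group inside AD
    group ...) and tolerates membership cycles, which real directories do have.
    """
    users, seen = set(), set()
    queue = deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        if p.startswith("AD:"):
            queue.extend(ad_groups.get(p[3:], []))
        elif p in sp_groups:
            queue.extend(sp_groups[p])
        else:
            users.add(p)
    return users


def who_has_access(assignments, sp_groups, ad_groups, levels):
    """Map each human account to the union of base permissions it holds on the site."""
    effective = {}
    for principal, level_names in assignments.items():
        perms = set().union(*(levels[name] for name in level_names))
        for user in expand_principal(principal, sp_groups, ad_groups):
            effective.setdefault(user, set()).update(perms)
    return effective


def suspicious_levels(levels):
    """Admin-created levels that grant high-impact permissions, sorted by name."""
    return sorted(name for name, perms in levels.items()
                  if name not in DEFAULT_LEVELS and perms & HIGH_IMPACT)


if __name__ == "__main__":
    for name in suspicious_levels(LEVELS):
        print(f"custom level {name!r} grants {sorted(LEVELS[name] & HIGH_IMPACT)}")
    for user, perms in sorted(who_has_access(ASSIGNMENTS, SP_GROUPS, AD_GROUPS, LEVELS).items()):
        flag = "  <-- can change permissions" if perms & HIGH_IMPACT else ""
        print(f"{user}: {len(perms)} base permissions{flag}")
```

The output makes the page's point concrete: the chess player `CORP\frank` never appears in any "owner" group, yet through the AD group "Chess Team" and the innocently named level he can rewrite the site's permissions. Run the same two checks over every site, sub-site and list that breaks permission inheritance, since each of those has its own role assignments.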
OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend. Bookmark it, study it, and hope for the best:
Did you really think I’d leave you hanging here?
Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions. You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.
Don't just take my word for it – try DatAdvantage free for 30 days. At the very least, you can point Varonis at your existing sites and immediately lock down data that is wide open.
Image credit: keenanpepper