Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Why Do SharePoint Permissions Cause So Much Trouble?

2 min read
Published January 6, 2012
Last updated June 9, 2023

SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.

Get a Free Data Risk Assessment

The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common.  This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.

Next, the actual permissions themselves are more complicated. NTFS file systems are usually Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permissions types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, Administrators can create custom permission levels. To top it off, a given user, group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.

Even though SharePoint permissions can be confusing even for technology teams, Microsoft is designed to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, or everyone in the organization that’s logged into the domain. What ended up happening is that business users would use this as a short-cut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.

The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
dspm-deep-dive:-debunking-data-security-myths
DSPM Deep Dive: Debunking Data Security Myths
DSPM is the leading acronym in cybersecurity. However, the recent buzz has cluttered the meaning of data security posture management. Let's demystify it.
speed-data:-rethinking-traditional-cybersecurity-principles-with-rick-howard
Speed Data: Rethinking Traditional Cybersecurity Principles With Rick Howard
Rick Howard, author, journalist, and Senior Fellow at the CyberWire, chats about his new book on rebooting cybersecurity principles with Varonis' Megan Garza.
the-benefits-of-threat-and-data-breach-reports
The Benefits of Threat and Data Breach Reports
Threat and data breach reports can help organizations manage security risks and develop mitigation strategies. Learn our three pillars of effective data protection and the benefits from these reports.
three-ways-varonis-helps-you-fight-insider-threats
Three Ways Varonis Helps You Fight Insider Threats
Insider threats are difficult for organizations to combat. Varonis’ modern cybersecurity answer uses the data security triad of sensitivity, access, and activity to combat threats.