Permissions Nightmare

Posted 26 August 2016 12:00 AM by Emma Stern, Head of Managed Services @ClearPeople

Turning Your Permissions Nightmare Into a Dream

If you’ve ever worked in IT, you’ll know that managing security permissions can be a nightmare. 

You start off with the best intentions in the world to manage your permissions properly, keeping them tidy, efficient and accurate, and over time almost the exact opposite happens. That new guy who joined HR a week ago is able to access your highly confidential financial reports while the CEO is still begging to get into the area where you display your canteen’s lunch menu.

Since your organisation deals with a lot of confidential information on a day-to-day basis, your data needs to be protected but still easy to access. Sometimes these requirements can seem to be competing against each other.

These are problems that fall under the much larger umbrella of Information Architecture (IA), a practice concerned with solving the issues organisations have accessing and using information. You may already have heard of IA in relation to the construction of your website/intranet’s taxonomies, labels and wireframes, but access is much more than just the path you design to the information; it’s also about the locked doors you put along the way.

As a rapidly maturing company, ClearPeople are no exception to the phenomenon surrounding messy permissions, so it came as no surprise, when we started to drink our own champagne and invest some time in our own internal infrastructure, that we found our permissions and security were not quite as clean and tidy as we thought.

1 Things to consider

Without going into the specifics of any system or application, the most granular way of separating permissions boils down to users, groups, and roles. Since security permissions should be tailored to your business environment and needs, we won’t delve into too much detail, but instead present the options to define permissions at the application or directory level.

There are two routes we recommend you explore when planning out how you want your permissions to work in a Microsoft ecosystem:

1.1 Managing permissions through Active Directory

1.1.1 The pros

  • Teams and groups are set up and permissions are applied by IT administrators; any changes made in Active Directory groups will sync up to SharePoint Online.

1.1.2 The cons

  • Most commonly only delegated admins have access to manage permissions in this way
  • There’s a delay in permissions being synced (could be 30 mins to 3 hours, depending on the sync frequency set up by your IT admins)

1.2 Managing permissions independently through SharePoint Online

1.2.1 The pros

  • Permissions can be amended by delegated SharePoint administrators, e.g. line managers, content owners, site owners etc. This moves the emphasis away from IT
  • Greater visibility of what is shared and the people it is shared with

1.2.2 The cons

  • Groups need to be manually created in SharePoint
  • Moves the emphasis away from IT and on to line managers

We considered these two options internally and opted to manage permissions through SharePoint, expressly giving permissions to line managers to control key areas of our system (in this case, our intranet). While this may seem controversial and against governance best practices, there was a strong argument to take permission management away from IT and still retain findability, manageability, and security for our content. This included the fact that:

  • Culture at ClearPeople: We are a small enough organisation to know each other and have a relative idea of what information our colleagues have or should have.
  • Size of our IT Department: We have a small and nimble IT department. It doesn’t make sense to bog them down with making group changes every time access must be granted to a certain area for an individual, especially since that time could be spent on other pressing issues.
  • We’re SharePoint Experts: ClearPeople are SharePoint Champions and we know it better than most. It only made sense that we as a business took a more active role in managing it in all aspects, including security, at a managerial level.

2 The work

2.1 Step 1

Map out our SharePoint sites. Typically this would be done by undertaking a Content Audit, where we take note of content owners and those who hold responsibility over information.



2.2 Step 2

Map out which manager is responsible for which area of the intranet; are there several managers who can approve access to a particular area? Who has responsibility for secure areas such as finance, or management? Who can authorise access to these?

2.3 Step 3

Create the teams and apply those to the relevant people.

2.4 Step 4

Create security groups for the required departments: finance, sales, marketing etc.




2.5 Step 5

Provide everyone with access to the base intranet, holiday and absence, latest news, homepage etc., and then each library underneath that has separate permissions.

2.6 Step 6

Set up notifications: when a user requests permission to an area they don’t have access to, the notification goes to the relevant manager for that area and it is their responsibility to approve or decline. This cuts down on the overhead of IT then needing to request authorisation from the manager before making the change. If the manager is away, IT still receive the notifications and can action them, if appropriate.
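Steps 4 to 6 scripted against SharePoint Online, as an added example that is not ClearPeople's own script. It assumes the PnP.PowerShell module and an app registration for sign-in; the site URL, client id, library names, group names and mail addresses are all placeholders, and because the access-request address is a site-wide setting it assumes one shared mailbox that the area managers and IT both read.

```powershell
# Added example: every URL, id, name and address below is a placeholder.
$SiteUrl  = 'https://contoso.sharepoint.com/sites/intranet'
$ClientId = '<your-app-registration-client-id>'

# Output of Steps 1-2 as data: each restricted library, the department
# group that may use it, and the line manager who owns that group.
$Areas = @(
    @{ Library = 'Finance Reports'; Group = 'Intranet Finance'
       Owner = 'finance.manager@contoso.com'; Role = 'Contribute' }
    @{ Library = 'HR Records'; Group = 'Intranet HR'
       Owner = 'hr.manager@contoso.com'; Role = 'Contribute' }
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

foreach ($a in $Areas) {
    # Step 4: one SharePoint group per department, owned by the line
    # manager so membership changes do not have to go through IT.
    if (-not (Get-PnPGroup | Where-Object Title -eq $a.Group)) {
        New-PnPGroup -Title $a.Group -Owner $a.Owner | Out-Null
    }

    # Step 5: the site itself stays readable by everyone; a restricted
    # library stops inheriting from it (parent assignments are not copied
    # unless -CopyRoleAssignments is given) and only its group is granted.
    Set-PnPList -Identity $a.Library -BreakRoleInheritance
    Set-PnPListPermission -Identity $a.Library -Group $a.Group -AddRole $a.Role
}

# Step 6: access requests go to a mailbox read by the managers and by IT,
# so IT can still act when the manager is away.
Set-PnPRequestAccessEmails -Emails 'intranet-access@contoso.com'

# Review: list every library that now carries its own permissions, to
# compare against $Areas and spot anything that was not planned.
Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden } |
    Select-Object Title
```

Running the final listing on a schedule and comparing it with the planned map shows where delegated owners have added unique permissions that nobody recorded.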



3 Security Permissions Summary

Security permissions, governance and generally getting your information architecture in check is always going to be a tough ask full of compromises. It’s an expansive subject that we can’t break down into a short and concise blog post, but one that impacts us and our clients to such an extent we thought it may be worth writing about.

The principal benefit for us was how decentralising permissions and rights away from Active Directory allowed for greater democratisation of the workplace environment, while still retaining the same level of internal security and accessibility for our end users. Freeing up the bandwidth of our IT team to tackle real IT challenges was a happy consequence.

With that said, our route was right for us and it may not necessarily be the way your organisation should head. This is especially true if you have your own dedicated security team, a bigger IT department, or you’re just culturally unique and have security as something super serious and high on your agenda.

Depending on the level of complexity for your permissions, the process of sorting them out can be painful. If you need help defining your information architecture, security permissions and the governance procedures around it, come talk to us!

