You start off with the best intentions in the world to manage your permissions properly, keeping them tidy, efficient and accurate, and over time almost the exact opposite happens. That new guy who joined HR a week ago can open your highly confidential financial reports, while the CEO is still begging to get into the area where you display the canteen’s lunch menu.
Since your organisation deals with a lot of confidential information on a day-to-day basis, your data needs to be protected but still easy to access. Sometimes those two requirements can seem to compete with each other.
These are problems that fall under the much larger umbrella of Information Architecture (IA), a practice concerned with solving the issues organisations have accessing and using information. You may already have heard of IA in relation to the construction of your website’s or intranet’s taxonomies, labels and wireframes, but access is much more than just the path you design to the information; it’s also about the locked doors you put along the way.
As a rapidly maturing company, ClearPeople are no exception to the phenomenon of messy permissions, so it came as no surprise when we started to drink our own champagne and invest some time into our own internal infrastructure that we found our permissions and security were not quite as clean and tidy as we thought.
Things to consider
Without going into the specifics of any system or application, separating permissions boils down to three building blocks: users, groups, and roles. Since security permissions should be tailored to your business environment and needs, we won’t go into too much detail; instead we present the options for defining permissions at the directory level or at the application level.
There are two routes we recommend you explore when planning how you want your permissions to work in a Microsoft ecosystem:
Managing permissions through Active Directory
- Teams and groups are set up, and permissions applied, by IT administrators; any change to an Active Directory group is synchronised to SharePoint Online (via Azure AD Connect when the directory is on-premises).
- Most commonly only delegated admins have access to manage permissions in this way.
- There’s a delay before permission changes take effect (typically 30 minutes to 3 hours, depending on the sync frequency set up by your IT admins), so a user removed from a group in Active Directory may keep their access until the next sync runs.
Managing permissions independently through SharePoint Online
- Permissions can be amended by delegated site owners, e.g. line managers or content owners, which moves the emphasis away from IT and on to the people who own the content.
- Greater visibility of what is shared and with whom.
- Groups need to be created and maintained manually in SharePoint; they don’t follow directory changes such as team moves, so membership has to be reviewed periodically.
Culture at ClearPeople: We are a small enough organisation to know each other and have a reasonable idea of what information our colleagues have or should have.
Size of our IT Department: We have a small and nimble IT department. It doesn’t make sense to bog them down with making group changes every time access must be granted to a certain area for an individual, especially since that time could be spent on other pressing issues.
We’re SharePoint Experts: ClearPeople are SharePoint champions and we know it better than most. It only made sense that we as a business took a more active role in managing it in all aspects, including security, at a managerial level.
1. Map out our SharePoint sites. Typically this is done by undertaking a Content Audit, where we take note of content owners and those who hold responsibility for information.
2. Map out which manager is responsible for which area of the intranet: are there several managers who can approve access to a particular area? Who has responsibility for secure areas such as finance or management? Who can authorise access to these?
3. Create the teams and assign the relevant people to them.
4. Create security groups for the required departments: finance, sales, marketing etc.
5. Give everyone access to the base intranet (holiday and absence, latest news, homepage etc.) and give each library underneath that its own separate permissions.
6. Set up notifications: when a user requests access to an area they don’t have access to, the notification goes to the manager responsible for that area and it is their responsibility to approve or decline. This cuts out the overhead of IT having to ask the manager for authorisation before making the change. If the manager is away, IT still receive the notifications and can action them, if appropriate.
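The steps above, as an added PnP.PowerShell example that is not ClearPeople’s own script: it creates a manager-owned SharePoint group per department, optionally nests a synced directory security group inside it (combining the two routes described earlier), locks one library down to that group while the rest of the site stays open to everyone, routes access requests to the manager, and prints a permission report of the kind a content audit needs. The site URL, library name, department, manager address and Azure AD group object ID are assumed placeholders; the script requires the PnP.PowerShell module and an account with site owner rights.

```powershell
#Requires -Modules PnP.PowerShell
# Added example, not ClearPeople's script. All values in the param block are
# hypothetical placeholders: replace them with your own site, library and manager.
param(
    [string] $SiteUrl          = "https://contoso.sharepoint.com/sites/intranet",  # assumed
    [string] $Library          = "Finance Reports",                                 # assumed
    [string] $Department       = "Finance",                                         # assumed
    [string] $ManagerEmail     = "finance.manager@contoso.com",                     # assumed
    [string] $AadGroupObjectId = ""   # optional: object ID of a synced AD security group (assumed)
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Site-level permissions are deliberately left alone, so everyone keeps the base
# intranet (home page, news, holiday and absence). Only the library is locked down.

# One SharePoint group per department, owned by the line manager so that they,
# not IT, control who is a member.
$groupName = "$Department Members"
try   { $group = Get-PnPGroup -Identity $groupName -ErrorAction Stop }
catch { $group = $null }
if (-not $group) {
    New-PnPGroup -Title $groupName -Description "Access approved by $ManagerEmail" | Out-Null
}
Set-PnPGroup -Identity $groupName -Owner $ManagerEmail

# Hybrid of the two routes: nest a directory security group inside the SharePoint
# group so IT-managed membership still flows in, while the manager can also add
# individuals directly. The claim format for an Azure AD security group is
# "c:0t.c|tenant|<object id>".
if ($AadGroupObjectId) {
    Add-PnPGroupMember -Identity $groupName -LoginName "c:0t.c|tenant|$AadGroupObjectId"
}

# Stop the library inheriting from the site. CopyRoleAssignments:$false is the
# important part: copying would leave the site-wide Members/Visitors groups on the
# library and nothing would actually be restricted. ClearSubscopes resets any
# folders or items inside the library that already had unique permissions.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# Grant the department group, and only the department group. Note that SharePoint
# gives the account running this script Full Control when inheritance is broken
# without copying assignments; the report below will show it.
Set-PnPListPermission -Identity $Library -Group $groupName -AddRole "Contribute"

# Access requests are routed to the manager. This setting is per site, not per
# library, so the address receives requests for every area of this site.
Set-PnPRequestAccessEmails -Emails $ManagerEmail

# Content audit: who can do what on a library. Run it before and after the change
# and keep the output; it is the evidence that the lock-down actually happened.
function Get-LibraryPermissionReport {
    param([Parameter(Mandatory)] [string] $ListTitle)
    $list = Get-PnPList -Identity $ListTitle
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Library   = $ListTitle
            Unique    = $list.HasUniqueRoleAssignments
            Principal = $ra.Member.Title
            Type      = $ra.Member.PrincipalType
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

Get-LibraryPermissionReport -ListTitle $Library | Format-Table -AutoSize
```

Two things to check in the report: that `Unique` is true for the library (otherwise it still inherits and the grant did nothing), and that the only principals listed are the department group and the admin account that ran the script. If "Everyone" or the site’s default Members group still appears, inheritance was broken with the assignments copied and the library is not actually restricted.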
Security Permissions Summary
Security permissions, governance and generally getting your information architecture in check is always going to be a tough ask full of compromises. It’s an expansive subject that we can’t break down into a short and concise blog post, but one that impacts us and our clients to such an extent that we thought it was worth writing about.
The principal benefit for us was that decentralising permissions and rights away from Active Directory allowed for greater democratisation of the workplace, while still retaining the same level of internal security and accessibility for our end users. Freeing the bandwidth of our IT team to tackle real IT challenges was a happy consequence.
With that said, our route was right for us and it may not necessarily be the way your organisation should head. This is especially true if you have your own dedicated security team, a bigger IT department, or you’re just culturally unique and treat security as something super serious and high on your agenda.
Depending on the level of complexity for your permissions, the process of sorting them out can be painful. If you need help defining your information architecture, security permissions and the governance procedures around it, come talk to us!