Essential SharePoint 2013: Practical Guidance for Meaningful Business Results (2014)

Planning How You Will Share Internally

With earlier versions of SharePoint, only site owners (users with Full Control² permissions) had the ability to manage security on the site or on any content within a site. In SharePoint 2013 Online, all users have access to the Share option (refer to Figures 12-1 and 12-2) to request that a site or document be shared with an internal user, but only the site owner can approve these requests. In SharePoint 2013 on-premises, the user experience for sharing is different. These differences are summarized in Table 12-1.

2. Any user with the Manage Permissions permission level can manage permissions on content. By default, however, Manage Permissions is included only in the Full Control and Manage Hierarchy permission sets.

Sharing Documents Internally

Users with the ability to share can click the Share option for each of the documents they want to share and enter the name or e-mail address of any internal user with whom they wish to share the item. Figure 12-3 shows an example of the view that users other than the site owner see when they click the Share option for a document from the document “callout” box in a document library. To see the “callout” box, click the ellipsis (...) to the right of the document name (refer to Figure 12-1). As shown in Figure 12-3, the document is already shared with Scott Jamison. To invite additional internal users to see a document, all you need to do is start typing the name or e-mail address and the users that match the typed characters will be displayed so you can select the appropriate name. If you are not the site owner, the invitation to the guest user doesn’t actually go to the user. Instead, when someone other than the site owner initiates the Share action, a request is sent to the site owner, who then has the ability to approve, decline, or engage in a dialog with the requester to discuss why the request has been made and then decide the permissions the new user will get (Read, Contribute, etc.).

Figure 12-3 Sharing options for an individual document—visitor or member view

When a site owner initiates the Share action, the view shows the permission selection option directly, since the site owner does not need to request approval to share content. The site owner view for sharing a document is shown in Figure 12-4.

Figure 12-4 Sharing options for an individual document—site owner view

Sharing Sites Internally

Sharing a site works very much the same way as sharing a document. The best way to share a site is by clicking the Share option in the upper right-hand corner of the site (see Figure 12-2), but site owners can also grant permissions from Site Settings → Users and Permissions → Site permissions. When users other than the site owner in SharePoint Online want to share a site (remember, the Share option for sites is not visible to users with Visitor and Member permissions in SharePoint 2013 on-premises), they see the share request screen shown in Figure 12-5. The share request is submitted to the site owner, who can determine the level of access to grant the new user. When site owners share a site, they see a view that allows them to specify the type of permissions the new internal user should have, as shown in Figure 12-6.

Figure 12-5 Share request options for a site—visitor and member view in SharePoint Online

Figure 12-6 Share request options for a site—site owner view

You don’t have the ability to restrict sharing internally within your SharePoint environment, so planning how you will share internally is largely a training and governance exercise. Think about it this way: Sharing is generally a good thing when you need to share. Being able to easily invite a specific person from outside your team to edit a single document without editing your other documents is a really helpful feature. However, you should consider the following:

Introducing unique permissions on individual documents introduces a security risk and adds complexity to your environment. If you invite someone to collaborate on a document, you may want to remove those permissions when the editing process is complete.

Think about the implications of allowing anyone to invite others to edit content. You will introduce some risk in situations where a busy site owner might inadvertently approve access requests that shouldn’t be approved. Another risk is that someone will share the entire site when they mean to share only one document.

Our best advice is to make sure your site owners understand that “with great power comes great responsibility.” Simplified content sharing will definitely enhance many collaboration scenarios—but this new capability is not without risk, and you should take the time to consider the implications when you grant site owner privileges.

Planning How You Will Share Externally

If your teams do work that involves collaborating with external partners, SharePoint Online provides the capability to easily invite external users to access sites or documents. There are three scenarios that you can enable:

You can share an entire site by inviting external users to sign in to your site using any e-mail address, and then Office 365 will require the person receiving the invitation to associate with an existing Microsoft account (for example, a Hotmail or Outlook address) or a Microsoft Office 365 user ID.

You can share individual documents by inviting external users to sign in to your site using a Microsoft account or a Microsoft Office 365 user ID.

You can send users a guest link that they can use to view or edit individual documents on your site anonymously.

Setting up your SharePoint Online site to allow external sharing depends on the version of SharePoint Online that your organization uses. Since inviting external users into your site introduces a security risk, you should carefully consider the implications of external sharing and make sure that the site owners and administrators who can authorize these permissions have sufficient training and time to properly administer external users. External sharing is turned on by default no matter which version of SharePoint Online your organization is using. You should consider turning it off globally before anyone starts using sites or until you know exactly how you want to use and support this feature. No matter which version of SharePoint Online you are using, only users with Full Control privileges are allowed to share sites or items with external users initially. Once these users are “in the system,” their user IDs are available in the People Picker for any site user to select. However, sharing requests for external users are always routed to the site owner for approval before access is granted.

If your organization is using Office 365 Small Business Premium, the Office 365 administrator is the only person who can enable or disable the external sharing feature for all sites. When this feature is deactivated, any external user previously invited to sites can no longer access the sites. To enable or disable external sharing, go to Admin → Service Settings → Sites and Document Sharing. You can also use this same location to remove individual external users.

If your organization is using one of the Office 365 enterprise plans, you can configure external sharing at two levels within the SharePoint administration center. First, you can turn external sharing on or off globally for the entire environment. Additionally, you can turn external sharing on or off for each individual site collection. You can also specify whether or not you want to allow sharing with only authenticated users or with both authenticated and anonymous users through guest links. Remember, if you plan to allow external users to edit documents, you should consider restricting access to only authenticated users. Note that if your site has been upgraded from SharePoint 2010, you will not be able to manage external sharing through the SharePoint admin center for sites still using the SharePoint 2010 experience. For these sites, you will need to explicitly activate the site collection feature called “External user invitations.”

It is important to think about external sharing as part of your overall security planning for SharePoint Online. You may want to create a special permissions group to which external users are assigned when they receive invitations to be sure that you do not “overshare.” You may also want to create separate site collections that are used only for collaboration with external users so that you can allow external users to access specific content without opening up the entire environment. Remember that in all cases, your goal is to balance the ease of getting work done with trusted external partners with minimizing the governance “sharp edges” discussed in Chapter 4, “Planning for Business Governance.”

Sharing Sites Externally

If you share an entire site with an external user, that person can log in and function as a full member of the site but with some limited privileges.³ Your external user will be able to see the names of other site users in the People Picker. You will want to think seriously about whether this is a good idea if you have a site that you share with multiple external partners and you don’t want each partner to know the names of the other partners. You will also introduce some risk because once your external user has access to the site, some of your existing site users may be able to grant permissions to the external user that are different from the ones you originally assigned.

3. Guest users in SharePoint Online/Office 365 will see no links on the Suite Bar, nor will they see the ability to access an “About me” page for themselves or someone else. They will not be able to follow items or access the public newsfeed. However, if the site has a site feed, external users will be able to participate but will not see other users’ photos, and there will be no entry points for following people, topics, or documents.

If you invite external users to your top-level team site, they will be able to view content on the top-level team site and all sub-sites. If you have sensitive content, it’s a better idea to create a unique sub-site (with unique permissions) where you will put content for external users and then share only the sub-site externally. (This same concept applies when you are sharing content with internal users if the content is highly sensitive.) Remember that there is no single best practice for sharing site content with external users. It is important to think about the business purpose of your site and the level of trust you have with your external collaborators and choose an approach that minimizes risk while maximizing the ability to get work done.

Sharing Individual Documents Externally

If you are going to share documents externally in your SharePoint Online site,⁴ you can either use anonymous guest links or links that require authentication. If you allow anonymous guest links, anyone who gets an invitation can also share that same link with others. You should never use anonymous guest links to share documents that are sensitive, and as a best practice, you should never provide an anonymous link to allow editing of a document. Remember, even though any site user can use the Share option to share a document with an external user in SharePoint Online, only site owners (users with Full Control privileges) can authorize the access request.

4. Note that unless you have implemented some form of rights management on SharePoint content, your internal users will still be able to download a document and then share it externally via e-mail. You can have a governance policy (see Chapter 4, “Planning for Business Governance”) that tells users this is not permitted, but without some form of rights management software, you will not be able to prevent this from happening. Sharing individual documents with guest users from within your SharePoint Online site provides more control over external access, but it is not completely without risk as stated earlier. As a general rule, sharing is always best if you are working with trusted partners.

You must be a site owner or have Full Control permissions to share a document with external users the first time. Once individual external users have been granted access to any internal content, however, their user IDs are available in the People Picker, so that any user can use the Share option to initiate an access request even though the request will be routed to the site owner for approval. In addition, the external sharing feature must be turned on in either the Office 365 Service Settings or the SharePoint Online administration center, depending on which Office 365 plan your organization uses. For enterprise plans, external sharing must also be turned on for your site collection.

Planning How You Will Secure SharePoint Sites

Securing SharePoint sites consists of granting permissions to people who should belong to groups and then assigning those permissions to securable objects. Simple, right? We review each of these key security elements, which are shown in Figure 12-7, in the discussion that follows. Securing or providing access to content in SharePoint comes from the combination of these three security elements, as shown in Figure 12-8.

Figure 12-7 SharePoint security elements

Figure 12-8 Access in SharePoint happens when people are assigned permission levels for a securable object

Just as with previous versions of SharePoint, only users with the permission called Manage Permissions can grant security permissions. By default, only the Full Control and Manage Hierarchy permissions sets include the Manage Permissions item, and typically only the site owner will have this ability.

Securable Objects

Securable objects consist of all of the SharePoint elements to which permissions can be applied. These include a site collection, a sub-site or site within a site collection, a list or library, a folder, or an individual item in a list or library. By default, permissions are assigned at the site level, and lower-level objects inherit permissions from their parent site. For example, security permissions for the top-level site are inherited by all sub-sites unless you explicitly “break” the inheritance. Permissions for each object in a site are inherited from the parent site, and permissions for documents or list items are inherited from the library or folder, as shown in Figure 12-9.

Figure 12-9 Permissions in SharePoint are inherited by default

As a general best practice, you always want to apply security at the highest level possible in your solution because it’s easier to manage and maintain security in fewer places. The menu option used in SharePoint to apply unique permissions depends on the type of object.

To restrict, assign, or examine permissions for a site, select the gear icon in the upper-right corner (see Figure 12-10) and then select Site settings → Site permissions in the Users and Permissions group on the Site Settings page. Alternatively, to allow users to have access to a site, you can also click the Share option in the upper-right corner (see Figure 12-11), but be sure to select the appropriate security group for each user. As a reminder, if you do not see all of these options, you most likely do not have permissions that allow you to manage security on your site (or you are not the site owner).

Figure 12-10 Access site permissions from the “Site settings” option on a site

Figure 12-11 Assign site permissions from the Share option for a site

To restrict, assign, or examine permissions for a library, select the Library tab in the ribbon and then select Library Settings and the Shared With button, as shown in Figure 12-12.

Figure 12-12 Access document library permissions from the Shared With button on the ribbon

List permissions work exactly the same way. Be very careful if you want to assign permissions to just a list or library and not an entire site. The Share option in the upper-right corner of the page assigns permissions to the entire site, not the list or library. The only way to manage permissions for a list or library is to access the list or library settings from the ribbon.

To assign permissions for an individual item or folder, click the “. . .” context menu and then use the Share option (as shown in Figure 12-13). You can also manage permissions for an individual item or folder by clicking the “. . .” context menu until you have the option to select “Shared with” from the drop-down. Then select Advanced to both examine and assign permissions for the individual item as shown in Figure 12-13. (You can also share Office documents from directly within Office 2013. This is discussed in Chapter 20, “Integrating Office Applications.”)

Figure 12-13 Site owners can access permissions in multiple ways, including navigating from the document context menu to access the Advanced options (individual document permissions) screen shown in Figure 12-14

Figure 12-14 Individual document permissions show site owners how a document gets permissions (in this case, by inheriting from its parent) and if there are any pending access requests

It’s easiest to understand how security permissions have been applied if permissions are the same for all elements of the site. This is clearly not always possible or practical, but it should be a guiding principle for your security model. Another reason for minimizing security exceptions in SharePoint is that the interface does not easily show you where permissions have been “broken” unless you examine each item or use the Check Permissions option for each individual user in every context.

Because there is no way to scroll down a list or library view and immediately determine if a specific item (or list or site) is secured differently from its peers, it can be difficult to quickly identify or change where item-level security has been applied. Site owners can, however, select Site Settings → Site permissions to see a view like the one shown in Figure 12-15 and click the link to show which content on the site has unique permissions. This capability is extremely helpful, but it still requires a lot of clicking and must be repeated in each context where you want to understand how permissions were applied. Furthermore, if you need to update security permissions for individually secured items, you will need to update each item independently. If you are the Help Desk person trying to help a user navigate a list or library, you will need to remember that your permissions may be different from the user’s permissions inside the same list or library, so you may see more or fewer documents than the person you are trying to assist. If you have a security model that contains many item-level exceptions, you may want to consider documenting the exceptions in the item metadata or using a third-party solution for SharePoint security analysis and management such as those available from Axceler, AvePoint, and Dell.

Figure 12-15 If libraries or documents within a site have been assigned permissions directly, SharePoint alerts the user

Because security permissions are shared in all documents in a document library, if you have permission to edit one document in a library, you have permission to edit all documents in that library unless security has been “broken” (managed) for an individual document in the library. By editing, we mean the ability to alter or delete those documents. If you store documents in folders, security in the folder is inherited into each document in the folder. This is one reason that you may want to use folders in a document library—to apply shared editing permissions to separate groups of documents and minimize the use of item-level permissions. This is one example of how security has an impact on your user experience and content topology. Introducing folders or document sets to manage collective security may solve authorization issues but may introduce an inconsistency in how content is managed (for example, other libraries may group documents by metadata). Consider this when balancing security management and usability.

Security Trimming

Any object that you secure in SharePoint is secure in both “browse” and “search” scenarios. If a document, list, or site has unique permissions, users who do not have access to the object will not see it in lists or search results. This is called security trimming. If an unauthorized user attempts to access this content directly via a URL link, that user will be denied access and prompted for alternate credentials. Security trimming also impacts search results. If two different users execute the same exact search, they may see different results based on their permissions. Security does not affect the relevancy of results; it only affects the number of items that are returned.

Security Exceptions

Information Rights Management (IRM), which is part of most SharePoint Online enterprise plans and can be added to and integrated with SharePoint 2013 Server Standard and Enterprise on-premises, offers another way to secure items stored in SharePoint. Microsoft IRM allows users to create a persistent set of access controls that live with the content itself as well as in the location where the item is stored if your administrator has enabled IRM for your environment. IRM services can be used, for example, to protect an individual item from being downloaded or printed. When enabled, IRM security takes precedence in a list or library. For example, if an authorized user opens a rights-managed document from a document library where the IRM protection does not allow documents to be downloaded, the user would not be able to download and send that document to another user, even if that person also has access to the SharePoint library. Instead, the other user would have to go to the library and view the document directly. For more information about IRM and SharePoint 2013, refer to http://office.microsoft.com/en-us/sharepoint-help/apply-information-rights-management-to-a-list-or-library-HA102891460.aspx.

There are several objects in SharePoint that cannot be secured. These include views, audiences, Web Parts, and list Columns. Be sure to consider the following implications about which objects can be secured and how security is inherited:

Because you cannot secure an individual view of a document library, you cannot use unique views to get around the fact that you cannot secure an individual Column in a list. For example, you may want to have a Column in a list that shows financial numbers that you don’t want all users to see. You cannot secure the financial Columns using Manage Permissions or secure a view that doesn’t display the financial Columns. In this scenario, you should consider using an alternate means of sharing the sensitive data. For example, one approach might be to use Excel to store the information and secure the Column in Excel. You can then use Excel Services to display the information in a SharePoint Web Part. (See Chapter 18, “Planning for Business Intelligence,” for a description of how to leverage Excel Services.) Another approach would be to show the protected data in a separate list and use an event handler to keep the two lists synchronized.

You cannot secure a Web Part, but you can use an audience to target a Web Part so that it shows up only for users who “belong” to that audience. (Note that the content displayed in a Web Part is always secure, but security cannot be applied to the Web Part itself.) Targeting a Web Part using an audience does not secure the content displayed in the Web Part—you must secure the object displayed in the Web Part by managing permissions on the content. This is an important distinction. Audiences are used to personalize presentation and effectively manage screen real estate with relevant content. Use audience targeting to feature or showcase information, not to protect it.

People (User or Group)

In the context of SharePoint, “people” are individual users who need access to a SharePoint site and can be defined individually or as members of a group. A group is a named collection of people (users) in SharePoint.

While individual people can be granted permissions inside of SharePoint, it is generally more desirable to first add a person to a group and then grant permissions to the group. That way, new users can be added in one place, to either a SharePoint or Active Directory Group, and they will automatically get all the permissions associated with that group. This methodology is also helpful in two other ways: (1) it is easier to replicate security permissions for new users, and (2) it reduces the amount of legacy security that accumulates over time (for example, someone has left the company but his or her name is still associated with a collection of sites across the environment).

In SharePoint, there are two types of groups that you will work with:

A Domain Group is created outside SharePoint in Active Directory. A Domain Group (also called an Active Directory or AD Group) is defined for the entire enterprise and can be used in any site collection in SharePoint or to manage access for other applications used by your organization. Domain Groups are generally created by a security administrator in your IT organization, but some organizations allow business teams to request the creation of a new Domain Group that they can manage themselves. Domain Groups are most often created to represent persistent roles or geographic groups of people inside your organization. If you can, take advantage of existing, automatically maintained Domain Groups to assign permissions for your site. For example, if there is already a Domain Group for managers and you have content or sites that are for managers only, you should use this existing group to secure your site. When new managers are added or if someone is no longer a manager, you will not need to worry about (or be responsible for) adding or deleting the person’s name from the group. If your organization allows you to create Domain Groups that are not automatically populated, you may have to manage “comings and goings,” but you will still need to do so in only one place. It is not always possible or practical to have an Active Directory Group for individual sites in SharePoint. This is especially true if you are creating highly granular, low-membership groups. You should not clutter AD with SharePoint-specific groups. You should also avoid creating AD Groups that cannot be repurposed (that is, used in multiple security applications inside and outside of SharePoint). In these instances, you are better served by leveraging SharePoint security groups.

A SharePoint Group can be defined by a site collection administrator or a user with Manage Permissions privileges and can be used to secure objects within a single site collection only. Groups created in SharePoint for one site collection can be used only within that individual site collection and must be separately created and maintained if needed in another site collection. All SharePoint Groups are created at the site collection level and are available to any sub-site or other securable object in the site collection.

SharePoint Groups can include Active Directory Groups and/or individual users. However, SharePoint Groups cannot include other SharePoint Groups. There are two types of SharePoint Groups: Default Groups and Custom Groups. There is a raging debate in the SharePoint community about whether Active Directory or SharePoint Groups are “better” for managing security. As with pretty much all things related to SharePoint, the right answer is “It depends.” There are pros and cons of each type of security group as described in the discussion that follows.

Default SharePoint Groups

SharePoint provides several default SharePoint Groups for team sites; additional default SharePoint Groups are provided in publishing sites or when publishing features are enabled. Each SharePoint Group is associated with a default permission level. (Refer to the next section of this chapter for a detailed review of permissions and permission levels.). The out-of-the-box security groups in SharePoint are essentially a combination of “role” and “permissions.”

In addition, the SharePoint model is inclusive, not exclusive. That is, you cannot define activities that users or groups are not allowed to perform. For example, the Visitors group has the Read permission level by default, so people often associate the Visitors group with Read permissions, even though this doesn’t have to be the case. For example, when you want Visitors to be able to respond to a survey, they will need Contribute permissions.

As a general rule, you always want to give a person or group the least amount of permissions to effectively achieve the required business functionality . . . and no more (the “principle of least privilege”). This may create additional administrative overhead, but it is a core tenet of ensuring the stability and security of a SharePoint environment.

Default team site SharePoint Groups and associated permission levels are described in Table 12-2. Additional default security groups and associated permission levels are created if you use templates other than the Team Site template or if you activate publishing features for a site; these groups are described in Table 12-3.

Table 12-2 Team Site Default SharePoint Groups and Associated Permission Levels

Table 12-3 Publishing Site Default SharePoint Groups and Associated Permission Levels