Much like the user interface of SharePoint is an open canvas, the security model offers lots of room for creativity, though the efforts are mostly transparent to the end users. When designing a security model, I like to thing about things like what size is the user base, what is the organizational structure of the company, how do the business units interact with each other, what are the security policies in the company, how strict must the security on the content be, is the IT staff willing to accept the responsibilities, etc..
As a rule of thumb (with exceptions of course), I don't create SharePoint users, instead I create SharePoint groups and corresponding AD groups. I like to manage the memberships exclusively in AD. Another thing I try to avoid doing is creating roles based solely on org charts. If an organization is collaborative enough that they are implementing SharePoint, then chances people are interacting outside of their immediate department anyways. Most workspaces and content are custom and besides; departments change and reorganizations happen.
There is a significant effort that goes with keeping the security model in good shape. Limit SharePoint security to roles based groups, keep all of the group membership management in AD, and have a consistent organized pattern and naming convention. When that is all set, spend a some time developing the following two reports:
- A report that shows Sharepoint Site, SharePoint group names, access levels
- A report that shows AD groups, member names, and email addresses, nested groups and their members
Hi Nicholas,
ReplyDeleteNice post. Would like hear from you for the following scenario.
For internet MOSS sites , when client does not have AD/LDAP infrastructure but would like to use SQL Membership provider for authentication we need to consider following:
a) Maximum number of cross-site sharepoint groups possible with MOSS 2007
b) Maximum number of users a sharepoint group can hold
c) Currently SharePoint groups does not support nesting so we end up with flat groups ? Is there a way to support groups hierarchy solely with MOSS groups
d) Cross site groups will not be visible outside site collection
e) Does it worthwhile to create groups/roles in SQL server and just look them up in MOSS instead of creating MOSS groups?