The Challenging Task of Managing SharePoint Permissions

If you are a SharePoint administrator then you know that there are some features in SharePoint that are awesome, while others definitely need improvement. One area that needs improvement is permissions. There are round about ways of managing permissions in SharePoint that most of us try to live with. If you are a SharePoint administrator then you may be more knowledgeable than, let’s say, a Site Owner who is responsible for managing and securing a site. Even for simple tasks like enabling Anonymous access for a site, there are lots of things you need to understand and go through various hoops to get all the permissions working properly.

Let’s be honest……Microsoft developers have not done a very good job of making the management of permissions in Microsoft Office SharePoint Server (MOSS) 2007 and Windows SharePoint Services (WSS) easier. Permissions can be assigned using SharePoint Groups or Active Directory, which gives you the flexibility to assign permissions whether you have an Active Directory environment or not…..this is a good thing. However, for those of us who are very familiar with Active Directory and SharePoint, this is not a problem but for people who are not very familiar with Active Directory it could be challenging to understand why there are two levels of permissions and when to use one or the other. It’s not the fact that permissions can be assigned at the two levels I mentioned above, it’s the lack of better management of permissions that is the issue. Some people don’t understand why they can’t open an Active Directory group from within SharePoint and why they can’t see in a consolidated area where their users have permissions in the site collection, lists or libraries.

Permissions are scattered in SharePoint all over the product and their is no easy way to centrally manage and view permissions or to get a better picture of how inheritance is applied at various level. For example, if you want to assign unique permissions to a bunch of documents in a library at one time, you can’t. You need to select one document at a time and assign permissions. This is unacceptable to most organizations. Microsoft markets SharePoint as a collaborative solution for large enterprises with hundreds of thousands of users, yet there is less than acceptable focus on security in SharePoint in the sense that there is no central location that you can use to get a good view of your overall security, permission levels and access control of SharePoint farms or individual sites.

Microsoft’s typical answer to these weaknesses in the product is that this is by design and then they give you all kinds of excuses why this is unnecessary. That would have been okay except that when the next version rolls around, Microsoft touts how this couldn’t be done in the previous version and now it is so easy to accomplish the same task. I could give you lots of examples of how Microsoft blasts previous versions of their own product just to sell the new version (we butchered Windows Vista but what a great job we’ve done with Windows 7)…..but let’s leave that for another time. [By the way, in my opinion Microsoft has done a much better job with Windows 7.]

This major weakness in SharePoint is a great opportunity for third-party vendors. Codeplex, an open source project community has filled some gaps by providing an Access Checker Web Part. The Web Part does a decent job but lacks certain functionality, for example it doesn’t support SharePoint groups and you can use Active Directory users but not Active Directory groups.

I will be evaluating several SharePoint products that are specifically meant to address access management down to the individual items in SharePoint Lists and Libraries. Look for my product reviews under blog category Reviews.

My (funny) Prediction

I predict that when a future version of SharePoint (it may not be called SharePoint by that time) comes out, Microsoft will ridicule MOSS 2007 for its primitive way of handling permissions. The lack of comprehensive permission and security management will be laughed at and the new version will be touted for its enhanced capabilities and ease of management……I guarantee. Anyone willing to bet? Same will be said about the gazillion accounts with umpteen rights needed to install and properly configure MOSS 2007 in an enterprise with no clear documentation from Microsoft.

Having said that, we have to realize that for all practical purposes MOSS 2007 is really version 1 of SharePoint. Because it is so different than it’s predecessors, it’s not even fair to compare it to SharePoint Portal Server 2001/2003 or WSS. I consider MOSS 2007 version 1 of SharePoint and I have to admit that for a version 1 it is an impressive product with enormous potential. It is revolutionizing online collaboration and I expect it to only get better as the new versions roll in.