Plan your permissions strategy

An effective permissions strategy will enhance the manageability and performance of your site, ensure compliance with your organization’s data governance policies, and minimize the cost of maintenance for you and your organization.

In this article


Why strategize?

Most Web sites are created speedily, with the aim of solving a particular problem or getting a specific set of information to people who need it quickly.

That’s good, but often, the structure of the site that you start with to meet specific needs ends up being the default structure as your site collection grows and is required to meet other kinds of needs. This can result in permissions settings chaos, where everyone in the organization has full control over sub-sites, or, every individual has to be granted permissions for every new site they need to use.

A good permissions strategy can catch these problems before they get started.

An effective permissions strategy gains you control in three main areas:

  • Manageability and performance. The permissions settings you choose have long-term consequences for how much work it takes to manage your sites, and how speedily your sites respond to user commands.
  • Data governance. A planned permissions strategy can help you ensure compliance with your organization's data governance policies, which may be unique to your company, or may be an essential part of complying with financial and accounting disclosure and retention legislation, such as Sarbanes-Oxley.
  • Cost of maintenance. A strategy that takes advantage of built-in efficiency tools, such as security groups, permission levels, and permissions inheritance will enhance ease of use for your site users, and minimize the requests for individual access that permissions managers have to respond to during the life of the site.

Tips for an effective permissions strategy

Keep these tips in mind to help create a simple, easy-to-maintain permissions strategy.

The principle of least privilege

Give people the lowest permission levels they need to perform their assigned tasks.

Work with security groups

When you give people access   , add them to standard, default security groups (such as Members, Visitors, and Owners).

Make most people members    of the Members or Visitors groups.

People in the Members group can add or remove items or documents, but they cannot change the site structure, site settings, or site appearance.

People in the Visitors group have read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

Limit the number of people    in the Owners group.

Only people you trust to change the structure, settings, or appearance of the site should be in the Owners group.

Work with permissions inheritance

Use permissions inheritance to create a clean, easy-to-visualize hierarchy.

Managing permissions becomes more difficult and time-consuming when some lists within a site have fine-grained permissions, and when some sites have sub-sites with unique permissions and others with inherited permissions.

If you use fine-grained permissions extensively, users may experience slower performance when they try to access site content.

It is much easier to manage and explain permissions when there is a clear hierarchy of permissions and inherited permissions.

Organize your content    to take advantage of permissions inheritance.

Consider segmenting your content by security level – create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.

Top of Page Top of Page

 
 
Applies to:
SharePoint Foundation 2010 , SharePoint Online for enterprises, SharePoint Online for professionals and small businesses , SharePoint Server 2010