Complexity is dangerous in the security world. The harder something is to understand, the harder it is to protect. SharePoint falls squarely into this category. Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology. Unfortunately, managing access controls in SharePoint is often left to end users rather than IT administrators, and that can spell disaster.
This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).
- SharePoint has “local” groups that can contain Active Directory groups.
  - For example, you can have a SharePoint permissions group called “Sales” which contains the Active Directory groups “Sales”, “Sales Engineering” and “Chess Team”.
  - Unlike file shares, where local groups are generally avoided, SharePoint-specific groups are very common. This makes it much harder to answer the question “Which human beings can access my data?”
- There are more default permission types than you can keep in your head at one time (33 in all):
  - 12 permission types for lists
  - 3 permission types for personal actions (e.g., views)
  - 18 permission types for sites
- Permission types are grouped into permission levels.
  - For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
- In addition to the built-in permissions types, admins can create custom levels.
  - For a given site or list, a custom level might be applied, making it really hard to determine who can do what.
  - A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything.
- If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button.
  - Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain.
  - The button was a common cure-all for frustrated admins trying to grant access to frustrated users.
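The gotchas above can be checked directly from the SharePoint Server management shell. The script below is an added example, not code from the post or from Varonis: it lists custom permission levels that carry broad rights (the “Extremely Limited” trick), shows which AD groups each SharePoint group contains, and flags role assignments granted to all authenticated users. It assumes you run it on a farm server with the SharePoint snap-in available; the site URL is a placeholder.

```powershell
# Added example: audit a single site for the SharePoint permission gotchas described above.
# Assumes SharePoint Server (2010+) and the management shell snap-in; URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "https://sharepoint.example.com/sites/sales"   # placeholder site URL

# 1. Custom permission levels. Built-in levels carry a role Type; custom ones are Type None.
#    Report any custom level whose name may sound harmless but grants broad rights.
$broad = [Microsoft.SharePoint.SPBasePermissions]::ManageWeb -bor
         [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions
foreach ($level in $web.RoleDefinitions) {
    if ($level.Type -ne [Microsoft.SharePoint.SPRoleType]::None) { continue }
    $mask = $level.BasePermissions
    if ($mask -eq [Microsoft.SharePoint.SPBasePermissions]::FullMask -or (($mask -band $broad) -ne 0)) {
        Write-Output "CUSTOM LEVEL '$($level.Name)' grants broad rights: $mask"
    }
}

# 2. SharePoint groups that contain AD groups. These are what make
#    "which human beings can access my data?" hard to answer.
foreach ($group in $web.SiteGroups) {
    $adGroups = @($group.Users | Where-Object { $_.IsDomainGroup } | ForEach-Object { $_.LoginName })
    if ($adGroups.Count -gt 0) {
        Write-Output "SharePoint group '$($group.Name)' contains AD groups: $($adGroups -join ', ')"
    }
}

# 3. Who holds which level on this site, with a flag for the "everyone who authenticated"
#    principal (classic NT AUTHORITY\authenticated users or the claims-encoded equivalent).
foreach ($ra in $web.RoleAssignments) {
    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
    $flag = ''
    if ($ra.Member.LoginName -match 'authenticated users|c:0\(\.s\|true') { $flag = '  <-- ALL AUTHENTICATED USERS' }
    Write-Output "$($ra.Member.Name) -> $levels$flag"
}

$web.Dispose()
```

Run it per site and per list with unique permissions; inherited lists do not need a separate pass.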
OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend. Bookmark it, study it, and hope for the best:
http://technet.microsoft.com/en-us/library/cc721640.aspx
Did you really think I’d leave you hanging here?
Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions. You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.
Don’t just take my word for it – try DatAdvantage free for 30 days. At the very least, you can point Varonis at your existing sites and immediately lock down data that is wide open.
Image credit: keenanpepper