2014-07-08

In my work as an IT consultant I spend a lot of time focusing on security, both of content and users. Almost every organisation I work with has questions about how SharePoint deals with these issues, and they can slow down a project right upfront as details are worked out and senior stakeholders reassured.

SharePoint 2013, as many of us know, offers a powerful security model. As well as groups and permission levels, the inheritance model means that right ‘out of the box’ SharePoint can satisfy 99% of security-related requirements. Yet from time to time I come across some that need one of the many third-party projects available for SharePoint to satisfy. One area that often needs a little extra help is security governance and monitoring. Whilst SharePoint 2013 user reports are much improved, products from the likes of Metalogix and Sharegate can add another level of detail and functionality.

For a recent project the client had already decided to go with Metalogix ControlPoint, and needed to get a grip on a sprawling system that had got out of hand. It’s not a tool I’d used too much before, so I thought I’d write up a post of how the project went and the four particular ways in which we put it to use.

1. Conducting a permissions review

Understanding how permissions are defined within SharePoint is really difficult using ‘out of the box’ functionality. The problem is rooted in SharePoint’s granular security model. When a user wants to see what another user is permitted to access, Administrators must inspect a potentially large number of SharePoint objects (sites, lists, libraries etc.).

ControlPoint gave us a number of tools to get round this:

Permissions Analysis
ControlPoint’s Permissions Analysis feature allows Administrators to create reports detailing the permissions of a SharePoint farm from the highest entity to the lowest.

Permissions chain inspection
ControlPoint allows the ‘permissions chain’ of any SharePoint object to be viewed. This chain describes how a given user is granted permission to a particular object.

2. Taking control of permissions

The SharePoint farm in question had grown to thousands of sites and users, with hundreds of thousands of documents and items. ControlPoint helped here in two ways:

A central interface
We could enforce new and updated permissions across sites and site collections from a single interface. Central admin should really offer this kind of thing.

Cleanup of Direct Permissions
We used ControlPoint to clean up direct permissions (where a user has specific access to a SharePoint element). There are now lots of other tools available to do this kind of thing, but it was welcome to find it in ControlPoint as well.
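
For comparison, a read-only inventory of direct permissions can be produced with the SharePoint 2013 server object model. The script below is an added example, not part of ControlPoint or of the original project; the site collection URL is a placeholder, and it assumes the SharePoint Management Shell on a farm server with an account that can read every site. It covers sites and lists only, not individual items.

```powershell
# Added example: list permissions granted directly to users (not via SharePoint groups)
# in one site collection. Read-only. The URL below is a placeholder (assumption).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sharepoint.example.com/sites/placeholder"

function Get-DirectAssignments {
    param($SecurableObject, [string]$Url, [string]$Type)

    # Objects that still inherit are covered by their parent, so skip them
    if (-not $SecurableObject.HasUniqueRoleAssignments) { return }

    foreach ($ra in $SecurableObject.RoleAssignments) {
        # SharePoint groups are SPGroup; anything that is SPUser was added directly
        if ($ra.Member -isnot [Microsoft.SharePoint.SPUser]) { continue }

        # Ignore "Limited Access" (role type Guest), which SharePoint adds by itself
        # when a user is given access to something lower in the hierarchy
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }

        [pscustomobject]@{
            Type             = $Type
            Url              = $Url
            User             = $ra.Member.LoginName
            IsDomainGroup    = $ra.Member.IsDomainGroup   # AD groups also appear as SPUser
            PermissionLevels = $levels -join "; "
        }
    }
}

$site = Get-SPSite -Identity $siteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            Get-DirectAssignments $web $web.Url "Site"
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                $listUrl = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
                Get-DirectAssignments $list $listUrl "List"
            }
        } finally { $web.Dispose() }   # AllWebs hands out objects the caller must dispose
    }
} finally { $site.Dispose() }

$report | Sort-Object User, Url |
    Export-Csv -Path .\direct-permissions.csv -NoTypeInformation
```

Rows where `IsDomainGroup` is false are individual accounts with their own access to a site or list, which is the set a direct-permissions cleanup would review.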

3. Conducting a thorough audit

As I mentioned, the existing system was in a bit of a mess, but we didn’t really know how bad. ControlPoint gave us some insight:

Audit and Change Log Analysis
Bespoke reports can be created to audit activity. Ad hoc or scheduled reports can be used to understand if sites meet governance or compliance constraints. You could argue other tools do this kind of thing better than ControlPoint, and as I mentioned, the built-in reporting engine is now a lot more flexible.

Content Analysis
We used ControlPoint to identify unused and duplicate content, as well as users that were storing too much content. This was pretty useful and revealing. ‘View all site content’ and the Sites explorer should really offer more in the way of data size and analysis.

4. Enforcing Best Practice

Ensuring users adhere to best practice, security policies, and governance advice in the long term is a big challenge on many projects I work on. We had some new rules on this particular project, and whilst we didn’t really use ControlPoint to enforce them, it could help on this front.

With ControlPoint it is possible for Administrators to proactively monitor SharePoint farms and be alerted to predefined changes within the environment. For example, an alert can be generated when sites are created or deleted or when inheritance between SharePoint objects has been broken.

If a problem is found, ControlPoint provides some tools to fix it. For example, if an alert is triggered notifying the Administrator that the permissions of a particular site have been changed, it’s very simple to locate the site and reverse the changes. You could of course just use the alert function, and fix the issue using ‘out of the box’ tools.

About the author 

Chris Wright