The first few minutes of my presentation, I will be doing at the Best Practice Conference. Trust me, it gets even better, but you have to attend to get the rest!
The Cast
Active Directory (AD): Cheshire Cat. AD is everywhere and nowhere at the same time. To the end users AD is absolutely no where. They know they signed onto their computer to get to their applications, but if you ask them what AD was, they would look at you with the wide eyed bewilderment Alice had upon entering the looking glass or wonderland for that matter. This is the power of being nowhere as the Cheshire Cat. If you switch to the internal IT personnel’s point of view AD is everywhere. Its security permeates throughout all of the network environment. Applications, computers, file shares all utilize AD for permissions for starters. AD when it comes to SharePoint can be looked at in two parts. The user and the security group. Just like the Cheshire Cat can detach its head from its body. These two parts indeed make up the one.
SharePoint Security Groups: White Rabbit. Zoom! Did you see that white streak? Apparently the white rabbit is late for a very important date… Again. SharePoint Security groups can be a fast answer. But… Zoom! if you try and control these fast moving targets you could be coming up with empty arms.
SharePoint Permission Levels: Mad Hatter. Approximately 10/6 of the time you will be using the out of box permission sets. Yes, now you know why that card in the Mad Hatters Brim means. There will be times where you will be absolutely mad not to use a custom designed permissions set.
Zones: Caterpillar. Yes, as completely mind boggling and mysterious as the hookah smoking caterpillar is, Zones seem to have the same effect on people. Most people don’t realize the power of Zones and what can be accomplished. The question is Who… Are… U?
The Good
AD (Cheshire Cat): Most companies have well defined security groups in their Active Directory. Please note, email distribution groups are NOT security groups and cannot be used as such in SharePoint. AD groups must be security groups in order to be used as security within the SharePoint environment. Did I reiterate? Yes. Did I need to? From experience? Yes. The reason using AD security groups are such a good tool in helping to lock down security is because of the familiarity with them. Many users know which groups they belong to. They see them when they use the infamous file servers. They know they can only see the finance department folder on the file server because they are part of the “finance team” (read Finance AD Security group). They also know about security groups when it comes to applications. Sally from HR can edit information in Our Persons HR application. The reason why she has read/write access is because she is part of the HR Our Persons security group with only one other from the HR department to be sure the information is locked down.
Another bonus about AD is the fact its a controlled environment. There is probably only a handful of people that are allowed to make any kind of changes to your AD. This is very good. The control will allow you to keep a consistency that might not otherwise be as achievable if opened to the masses. Lets face it, when it comes to security, the less hands that can touch the security environment, the more secure it would indeed be. The individuals who are in control of AD are well aware of the potential pitfalls and hazards that come with the adding of users into security groups, or better yet embedded security groups. (Read: Security groups that are held in security groups.) The assurance of a safe and accurate security groups certainly is a good thing. Warms the heart like a Cheshire Cat’s smile.
Using AD security groups to grant sweeping permissions to large numbers of people is a very good point to bring up. I think of the concentric rings in an archery target when I talk about granting permissions. Lets use a company portal, its pages and sub-sites as an example. One site collection with all the company wide information. Lets say that the bull’s-eye in center is the the company portal. The first ring that circles the bull’s-eye is the read only permission set. This is pretty much everyone in the corporation. The portal is a place for your employees get information to help them with their jobs and be “on the know”. This is not really a place where you want anyone and everyone to be able to add, change or delete content. Using the power of SharePoint inheritance of security, you can very easily add AD security groups to the out of box SharePoint group Portal Visitors. This will grant view permissions to all your employees with ease.
Lets take that a step further. Lets move out to the next ring. This would be your contributors. Very few are desired. The executive AD security group is selected. We could place the security group in the out of box SharePoint Group Portal Members. This will enable your CXX’s be able to post information that is targeted to the company as a whole. A way to replace the never read email blasts your company currently uses
Moving to the next circle out we are going to create a AD security group called Portal Designers. This group could be placed in the SharePoint group Portal Designers. This is to allow a limited number of individuals who have extensive web design background to be able to add, change and delete content, look and feel and style of the Portal.
Lastly, one more step out in our concentric rings we come to the circle that encompasses the entire environment. This is our administrators. For our fictitious company we will say the AD security group Internal IT is used. This group could be placed inside the out of box SharePoint group called Portal Owners.
And the coup-de-grace, using AD security groups as well as individual accounts is a Best Practice! Granted there are trade-offs. These are covered in depth in the book that inspired the whole reason to hold the SharePoint Best Practice Conference. Microsoft Office SharePoint Server 2007: Best Practices published by Microsoft Press. You will find in depth analysis of the pros and cons of using groups versus individual accounts on pages 152 – 156.
I hope this teaser whets your appetite for more. I would love to see you all at the Best Practice conference. If you want more information on the conference, just click the banner below and know the information you will receive there is worth more than … 1 MILLION DOLLARS… Ok… so I like Austin Powers Movies a little too much, but the value of this conference is unbelievable. The caliber of the speakers is top notch, not to mention includes the two gentlemen who wrote the book! See you there!
0 Comments