Securing Your SharePoint Team Library With Document Permissions
SharePoint is one of the most popular enterprise collaboration tools in the world. In fact, two thirds of all enterprises use SharePoint as their primary consolidated communications and document management tool. Organizations today store a significant amount of their business operations information on their SharePoint sites, including intellectual property and confidential material. Nevertheless, not all organizations are properly securing their assets. Administrators need to commit to consistent, granular security controls in order to protect their system’s most important data from compromise.
Creating Granular Security Access in SharePoint
SharePoint allows for sophisticated and granular security access based on permission levels and group roles. Ideally, in any security situation, access is deployed based on what each individual user is required to have to be able to perform their job functions, rather than based on other factors such as trust level or seniority. Security access controls are designed not only to protect against the actions of the user, but also against potentially compromised accounts. On an annual basis, 2 out of 5 individuals have their passwords compromised in some way. By limiting access to what is strictly necessary, these risks are reduced.
Levels of Security Access in SharePoint
Security access in SharePoint can be given either uniquely to a user or a user can be added to a group, at which point they will inherit a set of permissions. Groups can also be created with different sets of permissions based on what the administrator needs to allow. Several of the default permission levels include:
View Only: At this level, users can view pages, items, and documents in the browser.
Read: In addition to being able to view documents, users in this group can also download documents.
Contribute: Users in this permission level can view, add, update, and delete documents in the library.
Full Control: This is the highest permission level, which is assigned by default to the Owners group. It includes all available SharePoint permissions.
As you can see, each level of control includes all of the access of the previous level in addition to the access provided through their role. It is possible to create unique sets of permissions per user rather than allowing users to inherit the above sets of permissions, but it’s generally not advised because it is a more difficult system to manage and maintain. Additional groups are generally recommended if unique rules are desired. For most systems, these user roles will be enough.
The Scope of SharePoint Permissions
Every type of permission—view, modify, delete, create—also has a scope. A scope affects the breadth of what the user can modify. From smallest scope to greatest scope, the levels are: document, folder, library, site. Those who have the greatest levels of permissions will be able to alter the entire SharePoint site. Those who have the least amount of permissions will be able to view documents, but will not be able to modify any.
Control over the site should be limited to only administrators. As noted, scope should only be extended to what is absolutely necessary for the individual in question to perform their work. This is generally considered to be a security best practice.
Creating Document, Folder, or Library Exclusions
Occasionally, an administrator may have the need to restrict access to specific files beyond the permissions of its users. Documents, folders, and libraries can all be excluded from existing permissions through their individual settings. However, this also has the additional effect of breaking inheritance. The document, folder, or library will maintain these settings regardless of how its parent’s permissions are set. This can be extraordinarily dangerous and thus is frowned upon in practice because it means that these individual permissions will need to be separately tracked and maintained.
It can be easy to forget how security standards have been set and potentially allow users to continue accessing documents after they should no longer be allowed to do so. It can also create a situation in which more administrative time has to be spent managing the permissions of specific folders and documents, as the system cannot be modified on-the-fly. A better solution is to create a unique user role and apply it to the documents, files, and libraries, and then add the applicable users into that group. This will have the same effective impact but will make the security controls easier to manage.
Preventing Secured Documents From Being Downloaded and Copied
Documents can be excluded from being downloaded through view-only access, in combination with server-side file handlers. Users will be able to read the documents but they won’t be able to actually save the documents. This doesn’t mean that the document is entirely secure from sharing, though; it can still be copied and shared if the user truly wants to do so. This can be very dangerous in the case of malicious insiders, as there may not be a way to track audit logs regarding these actions. And it may not be just malicious insiders. Even well-intentioned users can attempt to copy data and then send this data through unsecured or unencrypted methods.
Third-party solutions, such as Accusoft’s PrizmDoc for SharePoint module, can improve upon security. PrizmDoc for SharePoint is a server-side file handler that actively protects against the downloading, printing, and clipboard copying of data to better assure security.
SharePoint is a superb collaboration tool, but actions do need to be taken to appropriately secure its data. Negligence, malicious actions, or even system issues could potentially expose highly confidential and sensitive information. Further, there are ways that security can be managed through SharePoint that could potentially create other security issues. Through third-party, server-side solutions and conscientious management of security access, administrators will be able to reduce their risk without damaging the productivity that SharePoint provides.
Accusoft provides content and imaging solutions that solve document lifecycle complexities. Our patented technology provides document viewing, advanced search, image compression, conversion, barcode recognition, OCR, and other image processing tools to use in application and web development. Visit us at www.accusoft.com.
Companies and Suppliers Mentioned