Friday, 26 June 2009

SharePoint Security - Wimbledon, Strawberries and a Scotsman

This week I am going to talk about the tricky topic of Managing SharePoint Security. Three words that can bring many an IT Manager out in a sweat. Similar to when the Air-Con stops working in the Server Room.

With still 52 days until the start of the new football season and Martin O’Neill still not thinking of spending any money, I am forced to start thinking about the goings on at SW19. Yes, it is time to talk Wimbledon (no, I am not going to mention the Wombles again, this is about tennis!) and that time of year when all us English folk start eating strawberries and shouting that familiar shout of ‘Come on Tim’. Sorry, this year we have to shout ‘Come on the moody Scotsman’ and we become ‘British’ instead of ‘English’. Maybe this could be the year when we have a BRITISH winner and a new Virginia Wade. Can Andy Murray win Wimbledon, or by the time you are reading this is he already saying ‘next year will be my year’?

Wimbledon is a fabulous event and always seems superbly organised. Security, like in SharePoint, must be a nightmare with so many courts and so many people going between them. How do security keep track of everyone and ensure everyone’s safety? I expect most areas are covered by surveillance cameras, but still it can’t be easy to pick out if anyone is grabbing an extra strawberry, and would they be able to spot a Paraguay shirt (that’s a reference to Andy Murray’s anti-English behaviour in the 2006 World Cup)?

So what are the similarities between being Head of Security at Wimbledon (probably wearing a nice blazer) and being responsible for managing the SharePoint Security? I think that both jobs involve you keeping an eye on everything that is happening over quite a large area. Company SharePoint structures can grow very quickly and in no time companies can reach 100 plus sites. This is testimony to the success and ease of use of SharePoint but can quickly turn into a security nightmare.

Don’t get me wrong, in the right hands SharePoint is very secure, with an extra level of security added to the normal network Shares. You can set exactly who can access a site, list or individual item and then decide the type of access that person has. The problem comes when you try to work out who has been given access to what. If you document all permission changes that is one way of doing this (it is Best Practice), but who really does this? When the IT Department is busy and loud Susan from Sales insists she urgently needs access to the latest Sales figures, many IT personnel just make the change. Alternatively, when the MD requests access to all the Finance data on the Finance site the change is usually instantly made. So how can we keep track of all these changes?

Similar to the Security at Wimbledon in their Control Centre, we need a central place to manage all the SharePoint permissions. To manage SharePoint Permissions effectively we need to look at some third party solutions available, because MOSS or WSS out of the box doesn’t give the option to audit all of a User’s current permissions or, when somebody is unexpectedly sacked, retract all of their permissions immediately. At Wimbledon when a rowdy spectator is ejected they don’t usually leave a trail behind them, but in the SharePoint world there could be dozens of entries for that user spread around all the sites.

So which third party Permission Management Tools for SharePoint are available? My personal favourite is Control Point, which was recently a winner at Microsoft Tech Ed 2009. I also awarded this software from Axceler my ‘Top SharePoint Application’ in my SharePoint 2009 awards, but to be fair I want to talk about two other Permission Management Tools first that do a similar job.

Firstly, we have Deliver Point, which is a great package for viewing permissions from a central control point. It is certainly a step forward and would be welcomed by many IT Managers. You can now identify that the Cleaner has access to your company’s secret two hundred year old recipe. One problem people have found with Deliver Point is it can take over 20 hours to synchronise with the Active Directory, which means it isn’t run very often and can get out of date. It is certainly worth a trial though.

Second entry is Rohati’s Transaction Networking System (TNS), which I found quite enjoyable to use and was impressed with the graphical interfaces. It did exactly what it said it could do and was great for enforcing policies. Again this is worth a trial.

So now to Control Point 3, which really can achieve all that it promises and goes further than the other two with the addition of the ability to easily move whole sites and web Applications across different servers. OK, this is going further than fixing the security issue, but for the same cost as Deliver Point the extra features put it ahead. Imagine if at Wimbledon the Centre Court could just be picked up and placed next to Court 18, who would need a retractable roof then? Control Point can do this with your SharePoint sites. I am a fan of Control Point and you can request a trial by clicking on the link below, but don’t take my word for it, why not try the others as well.

Try Control Point

So after buying Control Point the IT staff will have more time for a sneaky listen to the tennis on the radio while they are supposedly working in the Server Room. One warning though – Control Point does need some effort in configuring it when you first install it, but perhaps those nice men at Office Talk can help you with that.

My SharePoint Tip this week is to always use Active Directory (AD) Groups when possible and add these to SharePoint. By using groups it will be much easier to make changes in the future. Even if you only have one or two people, the best practice is to create an AD group instead of adding individual users. This also has the benefit of you not having to remember individual names when you add permissions. So even if you are only adding British players left in Wimbledon, create an AD group called ‘British players Left’ and hopefully add Andy Murray to it.

Good luck Mr. Murray, the English are right behind you if you win. Now come on Mr. Villa manager, start buying some players. Looking at this clip, this Scottish player named Murray might be good.
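The audit problem and the AD group tip above, as an added example that is not part of the original post or of any product it mentions: a PowerShell script using the SharePoint server object model to list every site and list in one site collection where an individual account, rather than an AD group, holds permissions directly. The URL and login are placeholders, and it assumes PowerShell 2.0 or later run on a SharePoint server by an account with access to the site collection.

```powershell
# Added example: report direct grants to individual accounts in a site collection.
# Assumptions: run on a SharePoint (WSS 3.0 / MOSS 2007) server, PowerShell 2.0+.
# The URL and login below are placeholders, not values from the post.
param(
    [string]$SiteUrl = "http://sharepoint.example.local",
    [string]$Login   = ""    # e.g. "EXAMPLE\jbloggs"; empty = all individual users
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-DirectUserGrants($securable, $scope, $location) {
    # Objects that inherit permissions only repeat their parent's entries.
    if (-not $securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $securable.RoleAssignments) {
        $member = $ra.Member
        # Skip SharePoint groups and AD groups: only individual accounts are reported.
        if ($member -isnot [Microsoft.SharePoint.SPUser] -or $member.IsDomainGroup) { continue }
        # Optional filter for one account (string comparison is case-insensitive).
        if ($Login -and $member.LoginName -ne $Login) { continue }
        New-Object PSObject -Property @{
            Scope    = $scope
            Location = $location
            Login    = $member.LoginName
            Roles    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            Get-DirectUserGrants $web "Site" $web.Url
            foreach ($list in $web.Lists) {
                Get-DirectUserGrants $list "List" ($web.Url + " : " + $list.Title)
            }
        }
        finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
}
finally { $site.Dispose() }
```

It reports direct grants at site and list level only; access gained through SharePoint groups or item-level permissions is not examined.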


sridhar said...

I've known the plight of SharePoint permission management myself firsthand as I've been an admin for one of the most complex farms outside Microsoft with a userbase in excess of 40000. ControlPoint sounds very promising and I'd love to try it.

Andy Dale said...

Sridhar, please email me your details to and I will arrange a demonstration.
