In myfirst article, I talked about how Microsoft is an object oriented environment and the objects are stored in namespaces. I discussed the fact that each object has its own list of security permission entries called Access Control Entries (ACE) that determines who can access the object.I also stated that if the list gets too big,access to the object will be slowed down. The questionis“howdo we provide access to hundreds ofthousands of users and still maintain a small list of permissions for a SharePointobject?”
How many standard access levels can you have to a SharePoint object? Think about it. It is really not that many. In a standard setup, you usually use Full Control for the Site Owners group, Contribute for the Members Group, Read for the Authenticated Visitors group, and maybe View Only for Anonymous users.
SharePoint Permission Levels Security = Groups and Permissions
There are several ways of granting a user access to a SharePoint site and they will allwork. Some ways are just more efficientthan others. The key to maintaining access performance as your SharePoint Farm scales upto support thousands of users is to keep the Object’s Access Control List as small as possible ie: with few entries. Thisrequirement isbased on the two-stage verification and validation process we discussed in the first article. You can achieve this by using Local SharePoint Access Based Groups based on access levels. You then place the Active Directory Global Group with the SharePoint Local Group. Finally, you assign the Local SharePoint Access Based Group an access permission level. In the example below, the Active Directory User is a member of the Active Directory Global Group, which in turn is a member of the SharePoint LocalAccess Level Read Group, which has been assignedthe Read permission level Access Control Entry in the site’s Access Control List.
Leverage Active Directory
What I always advise my clients is that once you setup the SharePoint Group and Permission structure, you should not have to change it. In other words, if you are changing SharePoint Groups and Permissions all of the time it is not setup efficiently. It might still work but there is a lot of performance and management overhead. The main place that group membership should be managed is in Active Directory, a process which is being done already. As a new employee joins the Finance Department, they will get added to the Active Directory Finance Global Group. That will be done by the HR department or the IT’s Active Directory team. In doing so, the new employee will automatically gain access to the SharePoint Finance site without any work required from the SharePoint team. The only change to SharePoint Local Access Level groupswould be if you needed to provide access to an employee from another department to your own department sitebut did not want them to be a member of your own departmentsActive Directory Global Group because that would grant them automatic access to all of your department’sinformation.Once your permission levelsare in place, you should not have to change them going forward.Moreover, thesecurity architecture will be fully scalable to thousands of SharePoint Site Collections and tens of thousands of users.
What is agood SharePoint Logical Architecture that can leverage this security model? We will discuss that inour next article.
image sources
SharePoint Security Model In Action: Learning Tree International
