What is the best way to manage the permission Hierarchy?

  • Mike T

    Our current practices are composed of only using Active Directory groups for large swaths of access, such as the top site collection permissions. Any other permissions are to be handled within SharePoint groups themselves. What is the best way, from a central farm administration context, to manage access given by data owners to other users from within site collections?

    It would seem to me that the out of the box tools would start to become unwieldy and wouldn't be scalable as the Farm grows.


  • DeliverPoint

    ** Disclaimer **

    I worked on the team that wrote the tool.

  • ControlPoint is the other popular tool.

  • As you mentioned, the out of the box tools seem a little limited when it comes to managing a large system. The ability, for example, to see what securable objects an individual has in a site collection or across the farm is nonexistent. Being able to also match up if they have access via an AD Security group or directly with their account is also nonexistent.

    One of the most frequent IT requests I've seen is "give access like John Doe", to which my canned reply is "What access does John Doe have?"

    Both DeliverPoint and ControlPoint have capabilities around managing permissions across all sites in the farm. The last time I was "inside" a company versus consulting, it took me less than an hour to prove an extremely quick ROI on the tools.
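
The report described in the answer above (where an account has access in a site collection, and whether it is granted directly or through a group) can be approximated with the SharePoint server object model. This is an added example, not part of the original answers and not code from DeliverPoint or ControlPoint; the site URL and login name are placeholders, and it assumes PowerShell 2.0 run on a farm server. It covers webs and lists only and reports AD groups without resolving their membership.

```powershell
# Added example: report where one account holds permissions in a site collection.
param(
    [string]$SiteUrl   = "http://sharepoint.example.local/sites/team",  # placeholder
    [string]$LoginName = "EXAMPLE\jdoe"                                  # placeholder
)

# SharePoint 2007 ships no cmdlets, so load the server object model directly.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-Principals($member) {
    # Expand a SharePoint group to its members; a user or AD group stands for itself.
    if ($member -is [Microsoft.SharePoint.SPGroup]) {
        foreach ($u in $member.Users) { @{ User = $u; Group = $member.Name } }
    } else {
        @{ User = $member; Group = "" }
    }
}

function Get-AccessRows($scope, $url, $login) {
    foreach ($ra in $scope.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        foreach ($p in (Get-Principals $ra.Member)) {
            $via = $null
            if ($p.User.LoginName -ieq $login) { $via = "Account" }
            elseif ($p.User.IsDomainGroup)     { $via = "AD group, membership not resolved" }
            if ($via) {
                New-Object PSObject -Property @{
                    Url = $url; Via = $via; Principal = $p.User.LoginName
                    SharePointGroup = $p.Group; Roles = $roles }
            }
        }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Only scopes that break inheritance carry their own role assignments.
            if ($web.HasUniqueRoleAssignments) { Get-AccessRows $web $web.Url $LoginName }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Get-AccessRows $list ($web.Url + " [list: " + $list.Title + "]") $LoginName
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

Rows with an empty SharePointGroup are grants made straight to the account or AD group; compare the AD group rows with the user's group membership in Active Directory to complete the picture.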

2007 permissions administration