SharePoint Permission Management Love Hate Relationship
I was watching twitter this morning and catching up on the latest and noticed a tweet from Jeffery Dalton:
 
@jefferydalton: Wow... permission management in #SharePoint can be unwildly in a matter of seconds.
 
I think he meant "unwieldy," but you get the idea.
Many would describe the core of the "Governance" and "SharePoint Anarchy" issue as a lack of control, and concerns about lack of control can start at this basic level.  Paul Culmsee is focusing on something at a different level that goes into project management and what he refers to as assurance (reminds me of trustworthiness), and not so much on the basics of identity management and security.  Governance is what we need, but for permissions management it's really "Management" that we need here.  Governance is more overarching and focuses on soft skills like policies.  This post focuses on an "out of control" scenario that requires more than just policies.  In more structured deployments the gap is large enough that it actually needs some technology behind it.  Permissions management can fit into governance if we use the Burton Group definition, which is my favorite:
 
"Governance uses people, process, technology, and policiesto define a service, resolve ambiguity, and mitigate conflicts within an organization"
 
Mark Gilbert, a Gartner analyst, recently did a talk on Surviving SharePoint in which he brought up some benefits and risks, which I recently attempted to address at a high level.  It's interesting that most of these are addressed by the ever-growing and ever-reaching ISV partner ecosystem of SharePoint.
 
Remember "effective permissions" in Windows?  Customers ask for these features to be in the box, with some way of running it against the whole web app.  As SharePoint evolves from collab to ECM solutions, I expect a higher standard here as well.
 
Looking for solutions?  If you look around you might find solutions like http://www.codeplex.com/AccessChecker (thanks to Paul Gavin, who agrees).  There are a number of point solutions that are freeware and unsupported, and paid solutions such as DeliverPoint or Universal SharePoint Manager... what do you need?  Both are very interesting solutions, but there are a dozen or so options I've come across.  So many solutions to such a basic problem, which we all hope will be solved in the next version.
 
I also read this recent article: "Why some security pros hate SharePoint" by Bill Brenner.
 
It made me realize how tough balancing self service vs. a more tightly based knowledge management solution can be.  The self service management aspects of SharePoint are incredibly empowering, but the interfaces for oversight are lacking.
 
The SharePoint interface does make it easy to add users with the fancy Ajax people lookup and even the little check to verify something you type in.  That piece is hot, given how long it's been around.
 
The part that's ugly, as in Good, Bad, and Ugly, is the management of permissions across thousands of sites.  I remember a call I once got when a "review" popped up while the Microsoft CIO was doing a search for "review".  He found my review on my externally accessible My Site.  I had put together an early copy and purposely put it on my My Site so I could grab it from the coffee shop where we were going to remotely work on our reviews.  He was very concerned that if the SharePoint expert could be so careless, it would be way too easy for end users to drop stuff out on SharePoint.
 
It is very easy to drop docs of whatever type if you have the perms to do it in the first place, and search makes them accessible.  Search is a very powerful thing.
 
The problem with SharePoint permissions is that you can't see what's going on recursively, you can't see which docs are set up with granular permissions, and forget about untangling site groups vs. permission levels vs. AD security groups.  It should be simple, but it often isn't as simple as it should be.
 
Given there are controls at the web application level that can help mitigate what might happen on the outside...
 
- Web App policies - Deny access to groups
- Web App Anonymous switch - Manage ability to enforce anonymous on or off
- Auditing - yes you can turn on auditing, but it's far from perfect and the logging is XML and stored within a site collection
 
What's scary is the inheritance switch and then later deciding to change your mind.  You punish your permissions down the line without realizing what exactly is changing and restoring permissions... not an easy task.  Want rollback?  Sorry.
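 
One way to get the recursive view described above, and a baseline to keep before touching the inheritance switch, is to walk a site collection with the SharePoint server object model and list every web, list and item that has its own role assignments. This is an added example, not code from the original post; the function names, output file name and site URL are assumptions.

```powershell
# Added example, not from the original post. Run on a SharePoint server with
# the server object model available, as a site collection administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Hypothetical helper: one row per principal on an object that has its own ACL.
function Get-Assignments($securable, [string]$scope, [string]$url) {
    foreach ($ra in $securable.RoleAssignments) {
        $kind = "User"
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            $kind = "SharePoint group"
        } elseif ($ra.Member.IsDomainGroup) {
            $kind = "AD security group"
        }
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
        New-Object PSObject -Property @{
            Scope = $scope; Url = $url; Principal = $ra.Member.Name
            Kind = $kind; PermissionLevels = $levels
        } | Select-Object Scope, Url, Principal, Kind, PermissionLevels
    }
}

# Hypothetical helper: report every place where inheritance has been broken.
function Get-UniquePermissionReport([string]$SiteUrl, [switch]$IncludeItems) {
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { Get-Assignments $web "Web" $web.Url }
                foreach ($list in @($web.Lists)) {
                    $listUrl = $web.Url + "/" + $list.RootFolder.Url
                    if ($list.HasUniqueRoleAssignments) { Get-Assignments $list "List" $listUrl }
                    if (-not $IncludeItems) { continue }
                    foreach ($item in $list.Items) {   # slow on very large lists
                        if ($item.HasUniqueRoleAssignments) {
                            Get-Assignments $item "Item" ($web.Url + "/" + $item.Url)
                        }
                    }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

# Placeholder URL; replace with a real site collection.
Get-UniquePermissionReport "http://sharepoint.example.local/sites/team" -IncludeItems |
    Export-Csv "unique-permissions.csv" -NoTypeInformation
```

Keeping the CSV from before an inheritance change gives you a record of who had which permission level where, which the product itself will not restore for you.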
 
You're thinking... what a negative post.  Why?
 
Cause I want to make sure you realize that if you are concerned about someone having access to content they shouldn't or if you're worried about auditing an environment.
 
I actually see this permissions management area, call it what you want (Identity Management or Security), as an area where you should consider a third-party solution.  Looking through my recent extranet site provisioning post at Bamboo and reading recent analyst posts makes me want to push ISV solutions more in this particular area.  Having personally witnessed the transparency in external solutions, I can say it does expose the issues in the box around the ability to manage permissions across a deployment.  Over the past few days I've come across solutions I previously hadn't seen... check out the updated list of SharePoint Management Solutions.  New vendor solutions added in the past few days: Epok, Axceler, SiteCore, EPC Group.  It's fascinating to see the partners that come to the space.
 
The people who really need to be aware of these gaps are those doing Document Management and Records Management.  Often these solutions have fewer people managing them, but often people will integrate the Document Management and Records Management sites with the collab sites.  Be cautious about mixing the structured with the unstructured.  Why?  Because you need to be auditing the more structured spaces, and you may need to police your unstructured spaces and handle the data quite differently, yet the policies across such spaces often have to be the same, especially with out-of-the-box solutions and features.
 
I've actually come across a few of these in Google Ads and ads on Facebook (a lot more of these lately).  Check out this handy little tool, "Google Adsense Sandbox".  Search for SharePoint and you can see what is being advertised.  Training is a big one, but also look at the broad number of management solutions that come and go.

Comments

Thanks

I was a bit nervous after the post.

It is very easy for me to be critical, I just don't want to overdo it.

Joel
Joel Oleson at 10/21/2008 1:00 PM

New buzzword

Hey Joel, I'm monitoring Paul Culmsee's progress on his alternative term Assurance, near the top of your post I see you've introduced a brand new buzzword for Policies 'policiesto', now this could likely be a typo and if so please don't correct it, I want to see if it takes hold, I kinda like it, it makes it sound fun and carnival like, it's got serious potential.

Good one mate

Andrew Jolly
at 10/22/2008 12:03 PM
