You are the SharePoint administrator and your organization is telling you that "we need governance!" This has become an all too common scenario, so I decided to spend some time with the team from Axceler to talk about their ControlPoint offering. SharePoint governance is a very broad topic that means something different to every organization. I talk to thousands of people every year who know they need governance -- they just don't know where to start. Anyone managing SharePoint can attest to the power of the platform, but also how difficult it can be to keep it under control.
A number of companies try to address the complex governance and management challenges of SharePoint. The Axceler ControlPoint product teams bring many years of experience with management technologies. The product's features read like a list of an administrator's day-to-day activities. ControlPoint simplifies painful and tedious tasks like permissions management, mass reconfiguration, copying or moving SharePoint objects, deep storage and analytics reports, metadata management, auditing end users, and controlling site administrators and owners. The reports and management scenarios seem to continue on and on.
Common Administrative Headaches
Let's talk about a few powerful use cases that plague the SharePoint administrator.
Most SharePoint deployments, whether large or small, utilize a distributed administration model, which means people manage different aspects at different levels. SharePoint was built to empower site collection administrators, content owners, and power users. The farm administrator knows this can be both a blessing and a curse. Site administrators and owners might not have a full understanding of SharePoint and may not even be in IT. So, how do we rein in the control we've given to these types of users?
Finding all site administrators and owners.
SharePoint lacks reporting on the permissions of multiple objects at once. I must go to each site, list/library, folder, and item one at a time to see who has access. What if my security team needs a full audit report on who has access to all sites and content across my farm?
Tracking permission changes.
Administrators need to keep up to date with all changes to the security model. What if a site collection administrator gives someone full control to sensitive SharePoint content? How do I, as the administrator, get alerted?
I have so much to do -- I manage other platforms too!
Can I create policies to automate SharePoint administration and governance? Managing the SharePoint security model and controlling my administrators is tedious and time consuming. Unless I'm willing to take away the permissions that these folks have, there's no way to control what others are creating, deleting, and changing on my farm.
Using ControlPoint, these governance issues can be addressed in a matter of minutes. Using out-of-the-box SharePoint functionality, I am simply unable to gain this level of insight and control over my environment.
My ControlPoint Experience
I, personally, have found the administration experience in SharePoint has its limits. One thing in IT that is constant is change. Users are constantly getting married, changing departments, and security seems to always be worried about those who leave the company and still have rights when they come back. The ControlPoint interface is clean. I've used a lot of different management interfaces and this one is impressive. Discovering reports and gaining insight simply by walking the tree is fascinating. Seeing many SharePoint farms in a single hierarchical tree view, in a single user interface, is power. I navigate the farm hierarchy on the left of my screen, right-click to take an action on any scope of my farm, and run my desired actions or analysis.
One thing I quickly realized was that there's a lot of functionality in ControlPoint, allowing me to rapidly solve my security issues. Discovering the features that I've wanted to run to make things like possible that otherwise would require custom development or a lot of scripting just to get basic reports.
Finding My Administrators
One of the first reports I ran was the site permissions report. Using ControlPoint, some reports can be rendered in seconds, and if they got their permissions directly or through a SharePoint group or domain group. In the past, this has definitely been a real challenge to get these kinds of deal breaking down the security that's coming in through groups and inheritance, confusing, otherwise, to be sure.
I was quickly given the visibility I needed to know where my administrators had access, and how they got access. I could filter on any permission level, whether out of the box or custom, and I could even filter on certain users I was looking for. From the report, I was even able to make changes to permissions. I ended up cleaning some permissions by deleting where a user had direct access and adding him to a SharePoint group instead. Setting up reports to be automated for sensitive sites would be a great way to provide continued insights.
Tracking Permissions Changes
After I realized my farm could use some permissions cleanup, I wanted to use ControlPoint to track all changes and alert me and my team when the changes occur. I chose which events I wanted to track and when I wanted to be alerted. I could narrow my alerts on users, URL, and scope, but I wanted to keep the alerts broad so I could catch all changes. Security folks would definitely be impressed with these features.
Automating Governance and Creating Policies
At this point, I am comfortable with my security model and ensuring I'm kept abreast of any and all changes. So, what can I automate? ControlPoint can automate any report you see! For instance, I can create a policy that ensures I am a site collection administrator to all current and future site collections, and I can ensure my administrators always have full control. ControlPoint has some really powerful preventative policies around content creation and deletion, as well. In the screen shot below, I was able to enforce the use of a site template when a site was created. These policies will be enforced regardless of the permissions that the user has.
Supporting Distributed Administration
I had one of my power users try ControlPoint as well. Without any configuration, he was able to only take action on the scope of the farm that he owned. ControlPoint read his SharePoint permissions and security-trimmed his controls, so that he could only analyze and change content he managed. Not only can my farm administrator use ControlPoint to manage the entire farm, but my other administrators and power users can take advantage of its functionality, as well.
What is the Downside?
Management is a headache. Governance is not easy, but since the administration side of things can be automated, you need to decide what is important. The challenge is really deciding what is important and then deciding what reports will make a difference. While the user interface makes ControlPoint easy to learn, there are a ton of features packed into the product. The packed interface takes some getting used to, but the reports and tools and insights pay off.
ControlPoint is a powerful application built for anyone from a farm administrator all the way to power users. It gives administrators complete control over their portion of a SharePoint farm. I focused my review on the security features of ControlPoint, but there is so much more in the product. ControlPoint touches all aspects of an administrator's job.
I recommend evaluating ControlPoint for any SharePoint team looking to gain visibility and control of their farm. The SharePoint tasks that are usually tiresome will be accomplished in seconds, and you will be able to accomplish tasks that are simply not possible using out-of-the-box functionality.
This is a sponsored blog post by Axceler.