Custom Software Apps & SharePoint Consulting

Myths about SharePoint Security

Data security is not nearly as exciting as Hollywood or the media at large would have you believe. Most of the threats to your organization’s data aren’t going to come from malicious bespectacled hackers using cleverly-written applications to bypass your organization’s firewalls and hardware security measures. In fact, a recent survey found that over half of the threats to your organization’s security are coming from inside your own walls! Intrusions from outside accounted for only 14% of security threats, according to that same study.

Secure Information with SharePoint 2010

Fortunately, securing your company’s digital assets is simple with the right tools and mindset. Microsoft SharePoint 2010 not only makes it easy to collaborate and share information within an organization, but also to secure that information and protect it from individuals who should not have access. The trick is to understand SP’s security features—of which there are many—and leverage the appropriate capabilities depending on your organization’s needs.

First, it’s important to understand how Share Point works with your existing security infrastructure to make managing security easier. Most small and medium-sized businesses already utilize Active Directory internally to manage user identities and credentials across a domain. Out-of-the-box, SP recognizes your internal Active Directory-enabled domain and authenticates users accordingly. SP software can also be tied to other authentication providers if your organization uses a non-Microsoft user management system or forms-based authentication if you would like to provide users with a separate login and password.

Authentication providers are tied to zones (with example zones being Internet, Intranet, Extranet, and Custom zones). Users from each zone are challenged and routed (through your Alternate Access Mappings) according to the zone they’re arriving from. In SP 2010, you can tie multiple authentication providers to each zone, allowing users multiple ways to log in.

SharePoint User Permissions

Once users are authenticated, how do you manage what they can and can’t see? By assigning permissions, of course! There are two popular schools of thought on how to set this up:

  • Assign permissions to existing user groups from your authentication provider. For example, use your existing Active Directory groups to assign permission levels to each group.
  • Manage user permissions using Share Point user groups containing individuals.

There are benefits and drawbacks to both. For medium-sized organizations with a relatively static organizational structure and rigid divisions between organizational units, tying permissions directly to AD groups can be beneficial and save a lot of management time. SP software user groups are the way to go if you’re planning to share documents between departments and manage permissions more granularly.

After setting up the appropriate permission groups for your organization, you can then manage the permissions for every item in your SP farm’s hierarchy. Share Point 2010 makes it easy to customize permissions from the site collection level all the way down to specific documents in specific libraries. By default, items are configured to inherit permission levels from their parent—sites inherit the permissions of their top-level site, libraries inherit the permissions of their parent site, and documents inherit the permissions of the library in which they’re contained. At any point along this hierarchy you can break permissions to establish custom rules that propagate to the lower levels.

SharePoint Customization

I’ve only scratched the surface of SP software’s security capabilities. Using custom code in combination with SharePoint’s out-of-the-box workflow engine, powerful solutions can be sculpted to manage the fine-grained permissions of an approval process, a business intelligence dashboard, or any other complex application your business may want to implement.


Carol Donnelly
Director of Consulting @ Entrance
Carol has close to a decade of experience leveraging software technologies to create enterprise content management, bi & analytics, collaboration, and need-specific software solutions that help businesses transform into a modern digital enterprise. She has helped clients address challenges related to contract and records management, contract and AFE approval workflow, lease digitization, and offshore extranets.