The truth behind administrators and SharePoint permissions management

SharePoint, Microsoft’s titan document management and productivity tool, has a dark secret…

…when it comes to SharePoint permissions management for site collections, your SharePoint Farm administrators are not the automatic key holders. In fact, site collection owners have more immediate access to a site collection from the beginning. If you think that’s strange and are interested in the setup, or you want to know how to get past this hurdle—perhaps your farm admin needs full access to a site collection for security or productivity reasons—read on!

Shedding light on the confusion

Meet the farm administrator

The SharePoint farm administrator is a highly critical role; this individual has access to the entire SharePoint farm. This farm can be (and usually is) made up of many different site collections. Within each site collection are several sites, which in turn hold the libraries, lists and individual pieces of content. A farm administrator is required to complete certain SharePoint administration tasks, usually from within the SharePoint Central Administration web site.

Some responsibilities of the farm admin include:

  • Installing, configuring, maintaining, upgrading and managing a SharePoint farm
  • Organising all service applications like search, metadata and user profiles
  • Creating a content database
  • Assigning permissions for all users
  • Supporting users in their use of the platform

Meet the site collection administrator

Site collections generally contain several sites, and while you need site owners to run the individual sites, you will probably want to put someone in charge of the entire site collection, giving them overall full control of permissions and other duties. That said, ‘full control’ might be a bad phrase to use. That’s because there are five general permission levels in SharePoint (Read, Contribute, Edit, Design, and Full Control) and one special level that overrides them all: SharePoint Site Collection Administrator.

What does that mean, functionally?

A user with Full Control to a site will have complete control over the site, meaning this user can configure lists and libraries and create subsites as well as set permissions and view analytics logs, etc.

The Site Collection Administrator can do all the above as well, and also has access to a set of additional tools to manage each site in the collection. Think of them as a “super owner” with ultimate control over everything in the site collection.

Here’s the rub

The interesting thing is that you might expect a farm admin would have complete access to permissions in every site collection in the farm, right? Like the ultimate super owner, surpassing even the other super owners (i.e. the site collection admins) in each of the site collections. But this is not automatically true. Just because a user has farm administration rights doesn’t mean s/he is automatically given rights over site collections.

Why?

It is likely this way by default for security reasons. This default setting ensures that no one person or group of people has ultimate control over everything in a company’s IT system—think of all the content and personal and valuable information that exists in a company of any size.

And then again, sometimes you need or want your farm admin(s) to have full access to the site collections. So, to get around this, the obvious thing to do is add the farm admin as a user to each site collection you want them to have access to. However, depending on the size of your SharePoint farm and the level of access you want them to have, this solution could take you a tediously long time.

A quick fix for SharePoint permissions management

Here’s a little trick to bypass having to add your farm administrator to every site collection individually, giving them full control over each site’s permissions management:

  • First, go to Central Administration
  • Then to Manage Web Applications
  • Highlight the web app you want rights to
  • Click on user policy
  • Add the user’s account with full control rights

There you have it. This will give a farm admin the same rights as a user with site collection access, so they can get an overview of site collection permissions, see who has been using the site collection, or fix or reorganise an aspect of the site when needed. However, we have another, more powerful way of side-stepping this strange impracticality of SharePoint permissions management.
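The same user policy change can be scripted from the SharePoint Management Shell on an on-premises farm, together with a report of the policies that already exist, since a web application policy applies to every site collection in that web application. This is an added example, not part of the original article; the URL and account are placeholders, and the function names `Get-WebAppPolicyReport` and `Grant-WebAppFullControl` are hypothetical.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions); replace with your own.
$webAppUrl = "https://sharepoint.example.local"
$account   = "EXAMPLE\farmadmin"

function Get-WebAppPolicyReport {
    # List every user policy on every web application, so accounts that hold
    # access outside the site collection permission model are visible.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($p in $wa.Policies) {
            [pscustomobject]@{
                WebApplication = $wa.Url
                Account        = $p.UserName
                DisplayName    = $p.DisplayName
                Roles          = ($p.PolicyRoleBindings |
                                  ForEach-Object { $_.Name }) -join ", "
            }
        }
    }
}

function Grant-WebAppFullControl {
    param([string]$Url, [string]$Identity)

    $wa    = Get-SPWebApplication -Identity $Url
    $login = $Identity
    # Claims-based web applications store policy entries in claims-encoded form.
    if ($wa.UseClaimsAuthentication) {
        $login = (New-SPClaimsPrincipal -Identity $Identity `
                  -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    # Do nothing if the account already has a policy entry on this web app.
    if ($wa.Policies | Where-Object { $_.UserName -eq $login }) {
        Write-Output "Policy entry already exists for $Identity on $Url"
        return
    }
    $role   = $wa.PolicyRoles.GetSpecialRole(
                [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy = $wa.Policies.Add($login, $Identity)
    $policy.PolicyRoleBindings.Add($role)
    $wa.Update()   # persist the change to the farm configuration
}

Get-WebAppPolicyReport | Format-Table -AutoSize   # review before changing
Grant-WebAppFullControl -Url $webAppUrl -Identity $account
Get-WebAppPolicyReport | Format-Table -AutoSize   # confirm the new entry
```

Running the report on a schedule and comparing it with the previous output shows when a Full Control policy entry has been added to a web application.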

An even better solution

DeliverPoint is a tool designed specifically for better in-context permissions reporting and management in SharePoint. DeliverPoint enables site, site collection, and farm admins to be much more accurate in their reporting on permissions against all your SharePoint content. By aiding in better, faster, more convenient permissions management, you allow your users (farm and site collection admins alike) to save time, ensure consistent permissions management across platforms and end permissions confusion. And that can solve problems for you in the long term, allowing your IT folks to get on with more advanced work.

For more great advice and best practice for your SharePoint environment and to learn more about DeliverPoint for hybrid Office 365 SharePoint permissions, get in touch with us today.