Managing SharePoint permissions in a decentralized environment

There are multiple ways of planning your Microsoft SharePoint site collection structure which will vary from business to business. However, there are many reasons why it makes sense to deploy multiple site collections rather than one large single site collection. The reasons for multiple site collections include improved performance, better security model, improved fault tolerance, and better navigation.

Often, a site collection is created per business unit or department. Such structure enables you to improve the SharePoint groups structure, and custom permissions levels which are scoped to the given site collection. Assume for example that we have a single site collection for our Sales department, and another site collection for Human Resources. The groups of users that we define in each site collection would be specific to the requirements of the department. As sub sites are created, we are less likely to break permission inheritance than we would be if Human Resource and Sales team sites are contained within the same site collection. Since the users that belong to that department are the creators of the content; Sites, Documents, Tasks, Announcements etc. It would make sense that the users themselves have a better understanding of who should have permissions to their content than the IT department would.

Many organizations are adopting the model whereby Site Owners and Site Collection Administrators are trained to manage SharePoint permissions. The Site Owners and Site Collection Administrators are information workers within the department themselves, but would have the added responsibility of maintaining the sites and content on behalf of their immediate colleagues who are creating the content.

This model is not without risk though. Potentially, the SharePoint permissions could get messy and unstructured. A lack of understanding could lead easily to users being given permissions to content that they should not be able to access. IT essentially loses control and has to spend countless hours trying to sort out a permissions nightmare.

Some of the issues that occur are listed below:

Common SharePoint Permission Issues

  1. Active Directory Groups are not enumerated within SharePoint which leads to the fact that Site Owners and Site Collection Administrators cannot see exactly who has permissions to their content (They can only see that the group has permissions but can’t see who is a member of the group). They don’t manage the Active Directory groups, and therefore assume that the Active Directory Groups are updated regularly as employees join and leave the organization. If a user reports to the Site Owner that they don’t have permissions to content, often permission inheritance is broken and a direct permission is assigned to the user in question. Direct permissions and broken permission inheritance is then a contributing factor to the permissions mess often seen within organizations.
  2. Limited Access is generally misunderstood. Limited Access is not a permission that can be assigned to a user manually. Limited Access is automatically assigned to a user if they are granted permissions to an object (let’s assume) Edit permissions to a folder within a site, but they did not have any permissions to the site. Limited Access will therefore be granted to the site allowing the user to navigate to the folder. If however, the same user happens to have (let’s assume Contribute permissions) to the site due to the fact that they are a member of an Active Directory Group which is granted permissions to the site. The standard permissions report within SharePoint will still report that the user has Limited Access when in fact, they have Contribute permissions via the Active Directory Group.
  3. Duplicate Permissions often occur due to users clicking ‘Share’ and breaking permission inheritance and perhaps sharing content with users who are already permissioned via a SharePoint Group or an Active Directory Group.
  4. Misunderstanding of Permission Inheritance occurs due to the fact that you need to visit the permissions page of every object within SharePoint including sites, lists/libraries, folders and documents to establish whether the permissions are inherited or broken. Not knowing whether permissions inheritance has been broken can lead to inadvertently assigning permissions to users on other content that they should not see by accident. Let’s assume for example, that permission inheritance has been broken on a subsite (Site B). A user is granted direct permissions to Site B after the inheritance has been broken. What isn’t considered is everything beneath Site B which is inheriting from Site B.

There are many SharePoint Permissions Management Tools designed to help SharePoint Farm Administrators to manage the permissions within their SharePoint farms. These are typically Windows Applications that are installed on a SharePoint Farm Administrators desktop, or they are web based applications that are designed to offer complete administration of SharePoint including SharePoint Migration, Managing SharePoint Features as well as Back Up and Restore. These are not tools that can be used by Site Owners and Site Collection Administrators.

DeliverPoint for Permissions Management

DeliverPoint from Lightning Tools is a SharePoint permissions management tool that is designed to work within a decentralized environment. DeliverPoint can be used for managing SharePoint permissions in a decentralized environment both by the Site Owner and Site Collection Administrator, but also enables the SharePoint Farm Administrator to retain control via Permissions reporting, auditing and alerts. Below are some of the features of DeliverPoint which address the needs of the Site Collection Admins, Site Owners and Farm Administrators:

Discover Permissions

Discover Permissions is a report that can be run against any SharePoint object. A user (who has Full Control to the object) can run the Discover Permissions report against the team site, list/library, or item within the context of the site. They don’t need to navigate away from the content itself to produce the discover permissions report. Unlike the out-of-the-box permission reports within SharePoint, the Discover Permissions report displays every single user that has permissions, along with what permission level they are assigned and how they were permissioned. The report can be filtered allowing you to find duplicate permissions for each user, report of all users with a specific permission level, or to see the members of each SharePoint Group or Active Directory Group. The report can also be exported or scheduled to run a predetermined time.

Below is the out-of-the-box permissions report for a Team Site Called ‘Sales Team Site’


If we drill into the Team Site Members group, we will see that it contains a domain group called DP\Sales


We cannot drill into the sales domain group to see the members. Clicking on it, simply shows the profile information for the domain group.


Running the DeliverPoint Discover Permissions report on the same team site, shows a very different and more useful report. (see below).


Using the Discover Permissions Report, we can see every user that is permissioned including implicit permissions such as Site Collection Administrators. We can tell from the above report that Brett is assigned Edit Permissions due to the fact that he is a member of the Sales Domain group. The below image shows the Discover Permissions report being executed on a document within a document library.


SharePoint doesn’t allow Site Collection Administrators or Site Owners to report on anything more than a single object at a time. DeliverPoint however allows you to run the discover permissions report on multiple objects at the same time including sites, lists, and items. Occasionally, you need to focus on one account. Perhaps an employee is leaving the organization and you wish to determine what permissions that employee has been granted throughout entire sites, site collections or web applications. DeliverPoint’s Unique Permissions Report enables you to do exactly that.

Unique Permissions Report

The below report is showing all of the permissions assigned to the account Zoe within the Sales site collection. We can determine from the report, all of the SharePoint Groups and Domain Groups that she is a member of, as well as the Unique Site Permissions, List Permissions and Item Permissions assigned to her. Should Zoe leave the organization, I can tell instantly what domain groups to remove her from. I can remove or transfer the other permissions in bulk using DeliverPoint’s Transfer or Delete operation.


Occasionally when an Employee leaves the organization, we are quick to disable or delete them from the Active Directory. This is often carried out and we forget about the permissions that are still assigned to them. Employees who have left the organization but still showing in People Pickers and permissions reports leads to concern over the security of other user’s content.

Dead Account Report

The Dead Account reporting within DeliverPoint highlights all of the users within the Active Directory that are Disabled or Deleted accounts but still have permissions assigned to them. DeliverPoint then gives you the ability to transfer all of those permissions to another account such as a new replacement employee, or allows you to simply delete the permissions and remove the account within one operation.


Compare Permissions

DeliverPoint provides a Compare Permissions report whereby you can select multiple sites/lists and compare the permission reports between the two selected objects. This is particularly useful when a user reports to be able to carry out actions in one site but not another and it is confusing as to why. It is also a useful report to run prior to re-inheriting sites between site collections.


Manage Permissions in Bulk

Microsoft SharePoint allows you to manage permissions on a single object at a time. Consider for example that an employee has retired from the organization. You would need to navigate to each individual permissions page to determine if the employee had permissions to the content. If they did, they would need to be removed and perhaps their replacement granted the same permission. DeliverPoint however provides you with the ability to Copy Permissions from one account to another, Transfer Permissions from one account to another, Grant Permissions or Delete Permissions as a bulk operation. You can set your scope as the Farm, Web Applications, Site Collections, Sites or Lists from the treeview and then perform the operation as one action. Each assigned or removed permission is logged in a report allowing you to review the operation.


Permissions Auditing

If you do adopt a decentralized permissions management model within SharePoint, IT will still want to oversee who is being assigned permissions to content. DeliverPoint’s auditing feature logs everything. It records every permission change whether it was carried out within the SharePoint user interface, through PowerShell or through DeliverPoint. You can determine who initiated the change, when it was carried out and what the operation was. If it was carried out in error, you could then use DeliverPoint to put right the change. Below you can see a permissions audit report for a site collection.


Permission Alerts

Reading Audit Reports can be tedious! Instead, as a Farm Administrator or even as a Site Collection Administrator, you could configure Alerts to notify you of certain permission changes within a given scope. For Example, I may trust Sandy to become a Site Collection Admin, and to manage permissions to everything within a site collection. But I want to be informed immediately if she were to grant Full Control to another account. I could configure the Alert to notify me should this be the case.


Permission Inheritance

Permissions Inheritance is difficult to understand at the best of times. DeliverPoint illustrates whether items, folders, lists/libraries or sites have broken permission inheritance.

Below, you can determine within a SharePoint list or library, which items have broken permission inheritance by the icon in the inheritance column. Document 3 has broken permission inheritance which can be seen by the brightly coloured icon.


Within the treeview, sites with a brightly coloured icon have unique permissions whereas those sites with a dimmed icon have inherited permissions


If the site has a diagonal line (strike through), the site contains objects with broken permissions. This is useful since we can tell without the strike through, everything within the site inherits permissions. DeliverPoint also allows for permissions to be inherited or broken as a bulk operation.

Clone Permissions

DeliverPoint also has the ability to clone entire permission Access Control Lists (ACL’s) between sites/lists or items. Assuming you have configured the permissions and role assignments as you would like for a given site, you could mirror the same permissions setup and role assignments for another site, even if that site were to be in another site collection or web application.


Hopefully, you can see how DeliverPoint can help to manage and report on your permissions in both a centralized and decentralized permissions management model. DeliverPoint is available for all versions of Microsoft SharePoint including Foundation from 2007 through to 2016 and is also available as an Add-In for Office 365 SharePoint Online.