Compiling your company’s SharePoint permissions report can be a painful task. You spend hours visiting each SharePoint Site, trying to work out who has been given access to each one. Do they have a right to view this information? Why has the site administrator given them access? When were SharePoint permissions given, and by whom? Bringing all this information together into an intelligible SharePoint permissions report takes time and patience.
Putting your monthly report together might be painful, but getting it right is essential. The most high profile SharePoint-related breach in recent years was Edward Snowden’s NSA leak—the contractor was able to bypass the principle of least privilege to view SharePoint content he shouldn’t have been able to, thanks to security architecture that could have been managed better. Broken SharePoint permissions can be the biggest risk when it comes to internal security, and so monitoring your environment with a regular SharePoint permissions report is essential.
The problem, however, is that SharePoint doesn’t give you many good options for creating a comprehensive report out of the box. So, what can you do instead?
Creating a regular (monthly) SharePoint permissions report should definitely be part of your organisation’s SharePoint strategy. Unfortunately, the out-of-the-box options are pretty limited:
- It is simply not possible to compile a full SharePoint permissions report for your entire environment out of the box. Instead, you view permissions by Site. To do so, go to: Site settings -> select Site Permissions -> select ‘check permissions’ -> then you have to type the name of an individual to view their permissions rights.
- Or you can run PowerShell scripts. A quick search on the forums will throw up a range of PowerShell scripts you can download (often for free) which will scrape together your permissions from SharePoint and give you a high-level overview of how they’ve been allocated.
The problem with both of these approaches is that they’re both very manual and, while the PowerShell approach saves some time, you’re still left with a lot of manual work to do, especially if you want to take action off the back of your report.
When you first started out with SharePoint, permissions were probably pretty easy to manage, with Site admins keeping their domains well organised. But then the reality of managing SharePoint in the real world hits you: SharePoint permissions get broken, documents access is given out to colleagues and knowing who has access to what becomes very confusing. Now, these broken permissions often happen for very good reasons, but they also make your environment more prone to breaches and leaks, hence the value of a SharePoint permissions report in the first place.
However, what you really want from a SharePoint permissions report is more than simply a spreadsheet giving you a view of where permissions have been allocated and who has access to what. Rather, you want something that can help you act to manage and maintain your environment better.
- Discover broken permissions
Find all documents in your environment that have broken permissions inheritance, then decide what to do with them. - Find out how permissions have been granted – and by whom
Ideally, you should be producing a monthly SharePoint permissions report. Not only should you be able to see where permissions have been broken, or who permissions have been given to, but also who by. Is someone behaving suspiciously, or unthinkingly giving out too much access to contractors when they don’t need it? - View unique permissions
One key thing you’ll want to include in your SharePoint permissions report is a view of specific accounts that have been granted permissions. This will help you pick up on anything unusual and decide if that individual should have access to the content they’ve been given access to view. - Kill dead accounts
Out of the box, SharePoint isn’t very good at telling you which ‘dead accounts’ in Active Directory still have access to SharePoint. It’s very valuable indeed to be able to view and delete these accounts in case a former employee manages to access content they shouldn’t be able to see any more. While it would be tricky for a former employee to access this content, someone who knows the ins and outs of SharePoint technically could—so why take the risk? - Manage permissions inheritance in bulk
It’s all very well being able to see who has access to what in your SharePoint permissions report, but if that’s all you can see, there’s not a huge amount of value in producing it. Ideally, you want to be able to manage and reallocate those permissions in bulk from a central place; cloning, copying, deleting or transferring permissions as required.
You can bring huge value to your business with a consistent and regular SharePoint permissions report. It will help you avoid the risk of breaches or compliance fines if auditors discover risky practices in the business. And, it will also help make the day job of your Site admins a lot easier—they’ll thank you for a smoother and easy-to-manage SharePoint permissions management capabilities.
Our SharePoint permissions management tool empowers you to produce a better SharePoint permissions report, help you clean up your environment and ensure your Site admins have greater control over their domains. Learn more about our tools here, and get the most out of your SharePoint permissions report today!
