In previous articles in this blog post series, I noted that even if advanced permissions options were a key reason behind SharePoint’s success, centralized, automated permission management in SharePoint is virtually non-existent. There are two ways out of the permissions-management trap: writing PowerShell scripts or using third-party products that can close the gap. This blog series focuses on SPDocKit, a tool that—IMHO—closes that gap in the best possible way. The second article in this series discussed batch permissions management using SPDocKit, and the third article concentrated on efficient permissions management inside a single site collection. This article covers permissions reporting and forensics.

Part 1: SharePoint admin’s dream: Centralized permissions management
Part 2: Batch permissions management with SPDocKit
Part 3: On-the-fly permissions management with SPDocKit
Part 4: Permissions reporting and forensics with SPDocKit

Permissions reporting and forensics are usually only needed when a problem arises. Who has permissions on certain securable objects? And, more importantly, why? If you think these questions are unnecessary and overblown, just remember the rumors that Edward Snowden was a SharePoint admin before he started his new life in Russia.

SharePoint permissions are serious business, and they must be thought of as having the highest importance. A lot of sensitive corporate information is stored in SharePoint, and giving unauthorized people access to classified content can pose a big threat. It is, therefore, important to be able to report, at any time, who has permissions and through which channels those permissions are given.

SharePoint does not offer that ability out of the box, and it is a hassle to code that in PowerShell. At this time, SPDocKit is the only tool on the market that can cover those use cases and perform full permissions forensics.

Besides forensics, SPDocKit can help you keep your SharePoint clean by removing unused users and groups. In the Permission Reports section, you can easily detect groups that do not have any permissions in their sites, groups owned by a disabled SharePoint user, or groups containing disabled or orphaned users. You can then easily sort out those issues by cleaning up those groups and users or giving them the necessary permissions.

Report on SharePoint groups without any given permissions

Report on orphaned users (users that are disabled or deleted in Active Directory but had access to the farm and can still be found in SharePoint)

Report on users without any permissions in the site collection

Besides these simple but necessary cleaning tasks, the real strength of SPDocKit permission reports lies in permissions forensics. With these forensics reports, we can easily determine who has access to the data and why.

For each SharePoint securable object, including sites, lists, and list items, SPDocKit will tell us who has permissions on those objects and how they were given.

The report above shows the permissions for a SharePoint site grouped by permission. You can use this report to find out that for some reason, the cleaning lady has “Add items” permission on the management site and that she got it through her membership in the “CleaningStaff” Active Directory group. That group is a member of the “Portal Contributors” SharePoint group, which has been assigned the “Contribute” permission level for that particular site. That permission level, of course, contains “Add items” permission. You can find all that information in just one click. This is the ultimate governance/compliance report when it comes to SharePoint permissions.

Of course, this can be broken down into numerous other useful reports and information overviews. The next report shows the matrix of Principals (SharePoint Groups and SharePoint users) and permission levels, including the roles each principal has on the site, in a graphically appealing way.

Furthermore, one of the most commonly requested reports is a quick overview of securable objects (i.e., sites, lists, and list items) with broken permission inheritances. You can get this report in one click with SPDocKit.
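
The permission chain described above (user or AD group, SharePoint group, permission level, individual permission) and the broken-inheritance overview can be approximated for a single site with the SharePoint server object model. This is an added example, not SPDocKit's code or the author's; the site URL is a placeholder, and it assumes SharePoint Server 2013 or later and the SharePoint Management Shell.

```powershell
# Added example, not SPDocKit code. Assumes SharePoint Server 2013 or later,
# run in the SharePoint Management Shell by an account with access to the site.
param(
    [string]$SiteUrl    = 'https://portal.example.local/sites/management', # placeholder
    [string]$Permission = 'AddListItems'   # SPBasePermissions flag behind "Add Items"
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$flag = [Microsoft.SharePoint.SPBasePermissions]$Permission
$web  = Get-SPWeb $SiteUrl
try {
    # An inheriting web returns the role assignments of its first unique ancestor.
    $scope = if ($web.HasUniqueRoleAssignments) { 'unique' } else { 'inherited' }

    $grants = foreach ($ra in $web.RoleAssignments) {
        # Keep only the permission levels that contain the requested permission.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.BasePermissions.HasFlag($flag) })
        if ($levels.Count -eq 0) { continue }

        # The assigned principal is a SharePoint group (expand it) or a user / AD group.
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            $members = @($ra.Member.Users)
            $via     = "SharePoint group '$($ra.Member.Name)'"
        } else {
            $members = @($ra.Member)
            $via     = 'direct assignment'
        }
        foreach ($m in $members) {
            # AD groups are reported as-is; their members are not resolved against AD here.
            [pscustomobject]@{
                Principal = $m.LoginName
                Kind      = if ($m.IsDomainGroup) { 'AD group' } else { 'User' }
                Via       = $via
                Levels    = ($levels | ForEach-Object { $_.Name }) -join ', '
                WebScope  = $scope
            }
        }
    }
    $grants | Sort-Object Principal, Via | Format-Table -AutoSize | Out-Host

    # Lists and libraries whose permission inheritance is broken.
    $web.Lists | Where-Object { $_.HasUniqueRoleAssignments } |
        Select-Object Title, @{ n = 'Url'; e = { $_.RootFolder.ServerRelativeUrl } } |
        Format-Table -AutoSize | Out-Host
}
finally {
    $web.Dispose()
}
```

Site collection administrators and web application user policies grant access outside role assignments, so they do not appear in this output and have to be reviewed separately. Item-level broken inheritance is also not covered; only the web and its lists are checked.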

In addition to the securable object and permission level reports, SPDocKit offers important principal-based reports so administrators can easily determine which permissions a SharePoint user or SharePoint group has in one or more site collections. With these user-centric reports, administrators can see which permissions a principal has and how those permissions were given (e.g., through SharePoint Groups, AD Groups, or directly) and act accordingly. If anyone had pulled such a report on that Snowden guy, certain things that happened probably would not have happened.

Of course, as we expect from SPDocKit, each of these reports can easily be saved as a PDF or Word file, manually modified, and included in a larger report.

For serious governance scenarios and simplified permissions management, SharePoint’s out-of-the-box features are simply not enough. Administrators will either write a bunch of PowerShell scripts and avoid the SharePoint user interface completely or they will find a tool that can deal with those issues. Different tools on the market partially cover SharePoint permissions management and reporting. In my opinion, SPDocKit’s permissions toolbelt does the best job. It offers batch permissions management across site collections and simplified permissions management inside a single site collection along with powerful cleanup, forensic, and reporting options. I often say that SPDocKit’s features let every SharePoint consultant have the equivalent of a Swiss Army knife in their pocket.