Published: December 05, 2013 12:12 PM by
Here is the foundation for this post and why you need to read it if you have two teams: one that owns AD (Active Directory) and a second that owns SharePoint and is not IT (about 99% of the time). This most often happens in large organizations, or in companies whose IT staff is so small and wearing so many hats that it cannot take on yet another “program” such as SharePoint. There are certain things SharePoint needs AD for. More explicitly, there are pieces of SharePoint that are deeply integrated with AD, and when there is a disconnect between the two teams… bad things happen. When these bad things happen, the end users suffer, and when the end users suffer, you have one of these at your door.
(Homer being chased by an angry Mob. Thanks to Fox Television. This is not my work. Watch the longest running sitcom ever on Fox. Got to give credit where credit is due.)
Example 1. Here is a great example from an email thread I had with one of my peers about this very subject. I have changed the names and such to protect the innocent.
“I am consulting to a very large international company. In this company the AD group is a global group and doesn't talk much to the SharePoint group. They have established the following practice.
Suppose I start my life out in Europe. My AD user ID will then be EUROPE\Smith. Now I move to the USA. They now change my ID to NA\Smith.
So... They let the SharePoint group know through some feed periodically of all the users. The SP group now makes sure that all the users in the feed are available as users in SP, while the people who no longer appear in the feed get removed. Below is a detailed case study that I put together:
From the SharePoint perspective, the actions taken “automatically” are equivalent to creating a completely new user ID and deleting the old one.
Automatic Scenario (Smith as an example)
1. AD alerts SharePoint of a new user ID (NA\Smith).
2. AD no longer tells SharePoint that the old user ID (EUROPE\Smith) is valid.
3. The SharePoint script figures out that EUROPE\Smith is no longer a valid ID; therefore the script removes the user ID (EUROPE\Smith).
4. RESULT: EUROPE\Smith no longer has access to the objects that he once did.
The short term solution is to run a server side operation that moves the user ID from (EUROPE\Smith) to (NA\Smith).
This took me over a year to uncover why we were having issues with some people.
My question to you is: is it normal practice in large AD implementations to change a user? (Say from a EUROPE domain to a NA domain.)”
Example 2 (a conversation I have seen play out more than once):
SharePoint Team: Hi, we are going to install SharePoint <newest version>. We need <insert number above 6 here> service accounts.
AD Team: What!? *Crawls off the floor and back into their chair*
SharePoint Team: We want to install using best practices. Oh, and the LDAP account. We need to give it elevated rights in AD. We want SharePoint to push several fields to AD that the governance council decided should be self-service.
AD Team: WHAT!? *Starts hyperventilating into a brown paper bag*
SharePoint Team: Yes, it needs to have the ability to Replicate Directory Changes and also Create Child Objects and Write All Properties.
Announcer: 7… 8… 9… 10… the AD Team is out for the count. There is no recovery from this one, folks. Smoke is coming out of their ears. There is nothing left but the wrap-up… *continues to drone on with sad opera music blaring in the background*
My Thoughts on the Matter
I could very easily dig into my past and find other examples, but I think I have safely made my point. More often than not this is found in large companies with serious communication, people or cultural issues. Some of it is because they grew by acquisition, the rest from organic growth that was faster than the culture could adapt to. The trend of IT getting overburdened by the number of applications and having to create “power user” teams to fill the gaps where IT cannot is becoming alarming as well. Companies have a hard time understanding that IT can only be slashed so many times before it loses its effectiveness as a unit. A majority of the companies I have worked with, spoken to, interviewed, etc. have a skeletal IT staff wearing multiple hats and carrying responsibilities across many different applications, network devices, and more. These stalwart individuals, out of a sense of duty and loyalty, will do their best to make it work, placing duct tape over gaping wounds out of fear of losing their jobs. I seriously digress. I am sure many are well aware of this issue, but I felt it necessary to defend IT staff after poking fun at them in Example 2.
To the IT staff: I would highly recommend relooking at your Standard Operating Procedures (SOPs) that deal with AD objects. As you saw in Example 1, they were simply deleting a user object in one domain and creating a new one in another domain. This is becoming less and less of an option as Microsoft ties more and more of its products to the AD user object. From Exchange mailboxes and Lync accounts to SharePoint user profiles, the AD object is relied on as the defining identity in these and more, and a recreated account is a different object with a different SID, so every entitlement keyed to the old one silently breaks. The end user impact is now very noticeable and causes undue stress internally. My recommendation is to “migrate” the user account from the Europe domain to the Americas domain as in the example above (Example 1), with SID history preserved, and on the SharePoint side to move the identity with Move-SPUser (stsadm -o migrateuser in older versions), which rewrites the old login and SID to the new one across the farm so existing permissions, alerts and authorship survive, rather than deleting the user and adding a new one. Secondly, IT staff, if you are going to utilize your power user teams to offload applications such as SharePoint, you will need a certain level of trust with that group. That trust is what keeps issues such as Example 2 from surfacing and leaving you feeling blindsided.
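The migration path described above, as an added example in PowerShell (this is not code from the original post): it first checks whether NA\Smith really is EUROPE\Smith moved with SID history, which is what an ADMT-style migration leaves behind, rather than a freshly created account, and only then moves the SharePoint identity with Move-SPUser. The domain and user names are the ones from Example 1; the module and snap-in calls assume the RSAT ActiveDirectory module and the SharePoint Management Shell on a farm server.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and the SharePoint Management Shell (run on a farm server).
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-MigratedAccount {
    # Tells how the new account relates to the old one: a real migration leaves
    # the old SID in the new object's sIDHistory; a delete-and-recreate leaves nothing.
    param([string]$OldLogin, [string]$NewLogin)
    $oldDomain, $oldSam = $OldLogin -split '\\', 2
    $newDomain, $newSam = $NewLogin -split '\\', 2

    $new = Get-ADUser -Identity $newSam -Server $newDomain -Properties sIDHistory
    # -Filter returns nothing (no error) when the old object is already gone
    $old = Get-ADUser -Filter "SamAccountName -eq '$oldSam'" -Server $oldDomain
    $history = @($new.sIDHistory | Where-Object { $_ } | ForEach-Object { $_.Value })

    if ($old -and $history -contains $old.SID.Value) { return 'MigratedWithSidHistory' }
    if (-not $old -and $history.Count -gt 0)         { return 'OldObjectGoneButSidHistoryPresent' }
    return 'RecreatedOrUnrelated'   # do NOT just delete the SharePoint user on this result
}

function Move-FarmUser {
    # Move-SPUser migrates the login farm-wide; it only needs one SPUser object
    # to start from, so the first site collection that knows the old login is enough.
    param([string]$OldLogin, [string]$NewLogin)
    foreach ($site in Get-SPSite -Limit All) {
        try {
            $oldId = $OldLogin; $newAlias = $NewLogin
            if ($site.WebApplication.UseClaimsAuthentication) {
                # Claims web applications store Windows logins with the i:0#.w| prefix
                $oldId    = 'i:0#.w|' + $OldLogin.ToLower()
                $newAlias = 'i:0#.w|' + $NewLogin.ToLower()
            }
            $user = Get-SPUser -Web $site.RootWeb -Identity $oldId -ErrorAction SilentlyContinue
            if ($user) {
                # -IgnoreSID because the new account's SID differs from the old one
                Move-SPUser -Identity $user -NewAlias $newAlias -IgnoreSID -Confirm:$false
                return "Moved $OldLogin to $NewLogin starting from $($site.Url)"
            }
        } finally { $site.Dispose() }
    }
    return "$OldLogin not found in any site collection"
}

# Usage: only migrate when AD says the two accounts are the same person
$state = Test-MigratedAccount -OldLogin 'EUROPE\Smith' -NewLogin 'NA\Smith'
if ($state -eq 'MigratedWithSidHistory') {
    Move-FarmUser -OldLogin 'EUROPE\Smith' -NewLogin 'NA\Smith'
} else {
    Write-Warning "NA\Smith looks like a new object ($state); review before removing EUROPE\Smith"
}
```

The sIDHistory check is the part the feed in Example 1 was missing: the feed only says “EUROPE\Smith is gone, NA\Smith is new”, and without SID history there is nothing in the directory that ties the two together, so the script that consumes the feed cannot do better than delete.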
To the application teams (power users): being in this position can be, and is, a two-edged sword. You have been identified as someone who is capable of managing SharePoint, but in the same regard you are not IT. This place can at times feel like limbo. My suggestion to you is to gather all the information you can before you go to your IT team with a request. If you are asking for elevated privileges for your LDAP service account so that My Sites can make changes to AD, be sure to have the information IT will need to make an educated decision: which permissions, on which objects, and why. Replicate Directory Changes is a read permission and is needed just to import profiles; Create Child Objects and Write All Properties are only needed if you export profile properties back to AD, and they should be granted on the specific OUs (and, where the directory team prefers, the specific attributes) being written rather than at the domain root. Also go in with the understanding that IT staff are going to be hyper-sensitive about bringing others into their realm to assist them. They desperately need the help and staffing, but they are always first in line for the firing squad when the economy turns tough. Another thing to keep in mind: unless you worked in IT previously, you may not always get IT's support on everything you request. Understand that, from a technological perspective, they see the bigger picture and how things may or may not work as a whole when you make requests.
To both sides of the equation: everyone has something to offer, so check the egos at the door when you meet. And do meet; I have been with clients whose two teams almost never spoke to each other until something hit critical mass. When meeting, bring all the information available to you so the other team is adequately informed, especially when decisions need to be made. Understand that both teams are trying to reach the same common goal. There is no way a company can or should replace IT staff with power users, so lower the defensive shielding a bit; that fear has no solid foundation (or shouldn't). As the number of applications increases, and more importantly as SharePoint continues to infiltrate the deeper recesses of your business, you are going to need help. Find ways to work together and not make counterproductive choices that negatively affect the other team.
Published: September 11, 2013 12:09 PM by
Over the last eight-plus years I have been to many clients and worked for several companies that used SharePoint. I have guided many of my clients to the best practices the SharePoint community has come to recognize as standard. Interestingly enough, the cliché about the cobbler's kids held true for most of the companies I worked for that used SharePoint. I digress. When working with clients, the core business problems they want to solve are similar in nature. What makes these companies different are things like company culture, average employee age, industry vertical, and other factors. There have been many successful SharePoint deployments, average deployments, and deployments that have faded from memory. Throughout all of these I have come to understand that SharePoint can be viewed as a mirror that is a perfect reflection of your business.
Welcome to the Funhouse
The picture of the funhouse mirrors is a still from the Disney cartoon Phineas and Ferb. (Great show, I am sure you will all enjoy it.) Businesses see the way they look and operate much as the kids in the image see themselves. Why is this? One of the primary reasons people like funhouse mirrors is that they distort reality. Some mirrors even enhance how good you look, as with Buford (the kid in the black t-shirt). Time and lack of perspective can do the same thing to a company's image of itself. Companies tend to look at themselves in the funhouse mirrors that enhance how they look. Let's face it, we as individuals tend to do that as well; I know I wouldn't mind having Buford's mirror installed in my house.
Hypothesis: SharePoint Reflects Your Company's True Image
My whole life I have been a people watcher. Until I performed at Universal Studios Florida I was a wallflower, so people watching was more than enough for me. Those skills have helped me understand consulting and how to do what is right by the client. Consider also the vast range of peers and mentors I have within the SharePoint community; I have been able to glean priceless data from them as well. (I have to say this article is thanks to all the different avenues of information I have come by, so to all my clients, peers and mentors: thanks!) Over the years I have gone into clients and heard the same expectations of SharePoint repeated. SharePoint is an application (arguably a platform) created by Microsoft. It is as good as the programming teams that labored over the code at Microsoft could make it. As with any other program or application, home grown or purchased, SharePoint is as good as what is put into it. If your planning for its installation is starting the wizard and hitting Next, it will only get you so far. If you take three months to come up with governance and plan a path, you will more likely get SharePoint to a higher level. I could continue, but I think you get the idea. That said, SharePoint is not a silver bullet, the end-all be-all, or the Swiss Army knife that will do away with every other application your company currently has. Let me explain.
Not a Silver Bullet: SharePoint is not a silver bullet for all business problems. SharePoint can assist you in coming to a solution for those issues, but more often than not it cannot fix every problem your company has.
The End-All Be-All: Some companies (even myself in my early days) see SharePoint absorbing and becoming every software need over time. As much as I like SharePoint, this is not the case. Like other systems out there, SharePoint has strengths and weaknesses. Yes, it is built on .NET, and yes, if you get a large enough force of developers behind you, you can make SharePoint do many things. The point here is: why would you want to do that to begin with? Utilize SharePoint for its strengths.
Swiss Army Knife: SharePoint is like a Swiss Army knife with 1000 blades. It looks cool, but you are going to look odd walking down the street with it in your pocket. This is very similar to my previous point, with one exception. How many of you have used every single ‘blade’ on your Swiss Army knife? I remember mine. I used maybe 7 or 8 of the 20 items on the one I had. Just because they are there does NOT mean you have to use them. Same with SharePoint. There are a lot of ‘blades’, and over time you may indeed use them all. That will happen when your company matures in its usage of the product and has business processes and governance that dictate which ‘blades’ are used.
I have said all of this to arrive at one statement: “SharePoint is just a tool your company can use to assist in solving and streamlining business problems. Its success or failure is completely dependent on the leadership, culture and direction of your company. The remaining part of this post will show you why your final SharePoint solution will mirror your company's true image.” This is a very strong statement, but an important one to make. I will give examples of what I mean. Some will be very SharePoint-specific, but others will take the big-picture approach (read: the 50,000 ft. flyover).
Clear Images Made by SharePoint
AD (Active Directory) Mirror:
I think the clearest case for my point is the User Profile Synchronization service. This service will very quickly… OK, immediately, show how well or how badly your AD is being kept up, because it imports exactly what the directory holds: an empty attribute in AD is an empty field on the profile, and an account nobody disabled is a live profile in search. Has your IT been able to maintain the information AD can hold? Has the executive team decided what should be held in AD? SharePoint's reflection of your AD can be quite brutal. If you don't put in people's managers and someone clicks on the Organizational Chart tab, they will see just themselves. They are the organization, an island unto themselves. What happens if you had a lateral move in your company, completely changed departments, and see on your profile that you belong to the department you left two years ago? I was at a client site and the ultimate scenario came up after running the AD synchronization. They did a search on a name, scrolled down, and stopped on someone who had passed away a good while before SharePoint was even introduced into their environment. Yikes! (At a minimum, give the sync connection a filter on userAccountControl so disabled accounts are excluded, and then fix the directory itself.)
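An added example in PowerShell (not from the original post) of looking in the mirror before the sync does: it reports the gaps in the AD attributes the User Profile Synchronization service will import, such as enabled users with no manager (the “island” org chart), no department, a manager whose own account is disabled, and enabled accounts nobody has logged on with for months (the deceased colleague above). It assumes the RSAT ActiveDirectory module; the search base and the 180-day window are assumptions to adjust.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; SearchBase and StaleDays are assumptions for illustration.
Import-Module ActiveDirectory

function Get-ProfileHygieneReport {
    param(
        [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',   # assumed OU
        [int]$StaleDays = 180
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Only enabled accounts: these are the ones a sync connection without a
    # userAccountControl filter will happily turn into profiles.
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties manager, department, title, lastLogonDate, whenCreated)

    $missingManager = @($users | Where-Object { -not $_.manager })
    $missingDept    = @($users | Where-Object { -not $_.department })
    $missingTitle   = @($users | Where-Object { -not $_.title })

    # lastLogonDate is derived from lastLogonTimestamp, which replicates with
    # up to a 14-day lag, so treat this as a screening list, not proof of a leaver.
    $stale = @($users | Where-Object {
        $_.whenCreated -lt $cutoff -and (-not $_.lastLogonDate -or $_.lastLogonDate -lt $cutoff) })

    # A manager who was disabled (or, in an unhealthy directory, cannot be
    # resolved) breaks the org chart just as badly as an empty manager field.
    $dangling = @($users | Where-Object { $_.manager } | Where-Object {
        try { $m = Get-ADUser -Identity $_.manager } catch { $m = $null }
        (-not $m) -or (-not $m.Enabled) })

    [pscustomobject]@{
        EnabledUsers      = $users.Count
        MissingManager    = $missingManager.Count
        MissingDepartment = $missingDept.Count
        MissingTitle      = $missingTitle.Count
        StaleEnabled      = $stale.Count
        DanglingManager   = $dangling.Count
        # Names for the remediation ticket, not just counts
        StaleAccounts     = ($stale | Select-Object -ExpandProperty SamAccountName) -join ', '
        DanglingManagers  = ($dangling | Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}

# Usage:
# Get-ProfileHygieneReport -SearchBase 'OU=Staff,DC=corp,DC=example' | Format-List
```

Run it against the same OU the sync connection imports from; the counts are what the People search and org chart will show your users the morning after the first full synchronization.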
Throughout my consulting years I have done numerous envisioning sessions with clients of different verticals and sizes. One of the most common desires companies have when they bring SharePoint into their tool set is for communication to improve. Communication is one of the most needed skills in business, and yet it is one of the most dysfunctional. I have a lot of theories and may post my thoughts on this separately. The most common goal under the heading of communication is to open lines of communication between departments. Departments work as silos. If a business process crosses departments, many times the process breaks down under the guise of poor communication. Cross-departmental communication is important without a doubt. Companies place their hopes in SharePoint (among other products) to break down the barriers to communication.
With my passion for SharePoint and for communicating with people, I have set out on this noble quest to help companies plagued by the evil miscommunication monster. Everything SharePoint has had to offer, all the way back to MOSS 2007, has been used to slay the beast. Discussion boards were put together and email-enabled so those ever-traveling executives and sales representatives could participate from afar. Blogs were required of all employees as part of their profile; those who actually pulled through were rewarded with more space on their My Site. Wikis popped up with Wild West ideals and everyone as an administrator. Micro-blogs were thrown on every site as far as the eye could see… Yet the expected communication is not there. I sit in amazement as all the pieces are in place and all the communication avenues in SharePoint are turned on. What happened?
Instantly the finger for the communication failure is pointed at SharePoint! It's SharePoint's fault; it's not doing what we were expecting it to do. What is happening in this case is that SharePoint is reflecting a perfect image back to the company pointing the finger. The issue is a company issue, and more specifically a culture and people issue. It's not a bad thing; please understand I am not saying this to make you feel bad. Your company has grown to the level it is at because of your people and your culture, and that is a very good thing. What has happened is that SharePoint has shown some flaws, some weaknesses, that the culture and people have come to live with. They understand how to work around these pain points and shortcomings. It's hard to have your company's weaknesses made apparent to you when you have worked long hours and shed blood, sweat and tears to build it to where it stands today. In the end SharePoint is nothing more than another tool that can assist in communication, but it will require your employees to embrace the idea.
Is that OUR Business Process?:
Another case where SharePoint reflects a perfect image back to the company is the desire to automate a business process. When you try to come up with a solid workflow path, is it easy for the participants to explain? Is it clearly defined and easily understood? Are there a lot of exceptions to the rules? Is it point-to-point or state-dependent? Most companies I have worked with never mapped out their business processes; the processes have grown organically over time. If a situation arises, the participants are usually on their own to come up with a solution to move it forward. Time is lost, checks and balances may be skipped, and a one-off solution may be used when these situations arise. These pain points are felt most when multiple departments are involved. Business processes held within a team or department are more often than not more grounded and easier to capture than the more complex cross-departmental processes.
Once again, when you as a company approach SharePoint to automate a business process, you will quickly see a reflection in the mirror of how clear-cut and accurate your business process truly is. Don't point fingers and say SharePoint is at fault. Think of it as growing pains on the way to the next level. Once you take the time as a company to refine a business process, the potential for new growth will be well worth it!
Conclusion: Trust the reflection in the Mirror
SharePoint is a viable tool and product released by Microsoft. Understandably, a lot of frustration is aimed at SharePoint. That said, you as a company need to understand the strengths and weaknesses of SharePoint and what it can do for you. If you do not have the bandwidth to understand that information, hire a consultant or company you trust to advise you after they learn your needs, pain points and goals. Everyone who has worked with SharePoint has war stories and fishing stories. Realize that over time some of these stories get embellished (otherwise why would it be a good story, right?). Learn to recognize when you are actually seeing the reflection of your company. Use SharePoint as a way to understand your company's strengths and weaknesses even better. Grow, become more streamlined, become more efficient from what you learn when you look in the mirror.
If the mirror shows your AD is a mess, don't fear: start an AD remediation project. If your IT is too busy, hire a consultant or company who specializes in it and let them take your AD to a much better place. If you are looking to increase or improve communication toward set goals, there are great third-party products out there, such as NewsGator, that help ‘gamify’ communication to encourage your end users. Hire motivational speakers, or bring in team-building coaches who make a career of helping people connect. Strive to change the culture of your company to encourage communication. Lastly, understand your business processes, not from silo perspectives but as a whole. Bring all the participants into a room, give them a stack of yellow sticky notes, and have them build out on the wall, sticky by sticky, what the process currently is. Allow and afford them the grace to show where the ‘exceptions’ are, and objectively see how the process can be streamlined, the bottlenecks removed, and the decision points optimized. Yes, it will be a heavy investment up front, but if you streamline a business process that your company's bread and butter comes from, the return will prove the ROI you were hoping for and more. Now you will hear words like ‘repeatable’, ‘efficient’ and ‘streamlined’. Once these changes are made and you look into the mirror known as SharePoint, the results will be much more rewarding and the tool you were hoping would help you will indeed do just that.
Published: October 17, 2012 13:10 PM by
The stars must be in alignment, because here comes yet another blog post. This is another area where I have found the SharePoint community short of great information: explaining the URL, how it is built, and how it can actually be a good… no, a great tool to increase the findability of information AND give a wealth of information at a glance. It will take some training and understanding with your end users, but in the long run the payoff could reap huge rewards.
There are a couple of things I would caution against thinking are ‘good ideas’ right up front. The first is the use of tiny URLs. This may seem like a good idea at the time; however, a tiny URL is cryptic at best. At worst, because the shortened form hides the real destination, it can be used by a disgruntled employee (or anyone who can get mail into your users' inboxes) to send people to malware, phishing pages or other unsavory sites, and nobody can tell by looking at the link whether it goes to your intranet or somewhere else. That second reason is reason enough on its own, but even if it is a moot point to you, the first still stands. The fact that it is short and sweet is great, and yes, it could work, but can any valuable information be drawn out of it? Will a user see a tiny URL with a bunch of ‘random’ characters and go, “oh, that link goes to the employee handbook”? I don't think so. So the email that delivered the URL, with a subject line saying what it is, will have to be kept… not good.
The second rumbling I have heard about is the ability in SharePoint 2013 to assign friendly URLs (vanity URLs). This ability is part of the publishing feature. It is certainly better than seeing some of the cryptic URLs with GUIDs thrown in for good measure, and there are uses for it, but unless there is governance around the naming convention this could go all over the map. I would hate to see the URL http://<intranet>/Toaster/ go to something like the company Christmas party image of your CEO with a lampshade on their head. (Just sayin'!) Probably not, but there is that possibility.
Why are these scary to me? They have their place, but when it comes to organized content these two approaches could muddy the water and diffuse the potential of a great information architecture (IA). I may be off base here, but in my experience URLs can make or break findability in an organization. Think of it as mixed signals to your end users.
A lot of the remainder of this post refers to my previous blog post, An Executive's Look at SharePoint Security. When working with a client, I always build SharePoint solutions security-centric. In that post I described the four categories every SharePoint site you can possibly imagine falls into when governed by security. When configuring the main web application on an engagement, I build four managed paths that match those categories (department, team, project and community sites). I also delete the ‘sites’ managed path, as it is too generic. Something generic, when trying to put together information that is useful, is like a zombie movie where everyone is already a zombie and they all happen to be vegetarian. This sets the foundation for the URLs and is key to making your SharePoint URLs increase in value. Creation of new site collections should automatically use the managed path that matches the type of security and category they fall under.
Another thing to understand is that using naming-convention best practices when creating site collections, sites, lists and libraries will keep your URLs legible. An easy-to-read URL that carries a wealth of information, such as the security model and other identifiers of the site it points to, is a welcome sight. One best practice is to not allow any spaces when first creating a list or library. If you create a list or library with a space between the words, the URL will have to carry a %20 to represent each space, and a URL with a lot of %20s is not much fun to read. Once the list or library is created you may go back into list or library settings and add the space(s) back into the title, because the title no longer affects the URL from that point forward.
The Useful URL
When you put this all together, the URL should read like a sentence. See the image below.
When your taxonomy is correct the URL can give a wealth of information. I will break out each segment below, with ideas, thoughts and reasons.
Web Application: This is the largest object in SharePoint, as stated in my previous post, and it is also the beginning of the URL. A good name using a host header is better than the name of the server or something phenomenally generic like ‘SharePoint’ or ‘intranet’. This will make it more memorable and allow for a fresh outlook if a previous SharePoint deployment attempt went horribly wrong. This is the beginning of the sentence, the noun if you will.
Managed Path: Remember that earlier in this post I spoke about using the categories as managed paths. You will have the managed paths department, team, project and community available to you. This indicates at a glance what type of site it is, and it goes beyond that: I also know the security schema attached to it, as described in my previous post. It tells me who is able to see and interact with the information housed at the site. Is it the company as a whole, just my department, or a subset of individuals comprising a team?
Site: This is pretty straightforward… what site is it? As above, I did not spell out SharePoint but did keep GovernanceCommittee. Is it a bit lengthy? Yes… yes it is; however, it is also extremely legible. I know I am going to the SharePoint Governance Committee's site and I know what to expect.
List/Library: As stated earlier in this post, if you create a list or library with no spaces in the name initially, the URL will not have a lot of %20s in it. I now know from the image that I am going into a document library for governance documents. Having a specific name rather than the out-of-the-box generic name is also going to help with findability. Understand that with the out-of-the-box team site template, the document library Shared Documents will be in each and every one. With 100 sites made from the template, all with the same document library name, finding something is difficult because nothing helps the right one rise to the top. For the same reason, it is in your best interest to give a good description, as this too adds weight to your search results.
Folders: Not pictured but well worth a mention are folders. Do not give folders extremely long names. You will very quickly end up in a bad place where your URL exceeds the URL path limit (260 characters in SharePoint 2010 and 2013) before you even put your documents in the folder, and if that happens you will not be able to get to your documents. If you want the URL legible beyond this point, avoid spaces or use underscores instead. This is a whole topic I could do a full blog post on… hmmmm. For now, just understand the same rules apply here, but unlike a list title, a folder's name is its URL, so renaming a folder later changes the URL.
Items and Documents: Might as well take this through the whole gamut… right? When you name a document or list item, if you again want the URL extremely legible, don't put in spaces. I have to pause a moment to take this a step further. This is a web-based application, so don't put funky characters in your file or item names; SharePoint will not like you for it. In SharePoint 2010 and 2013 the characters ~ " # % & * : < > ? / \ { | } are not allowed in file and folder names, nor are leading or trailing periods, and SharePoint in most cases will not even let you save them. Also be aware of the length of file names (128 characters in those versions) and of the overall URL. Being in a web environment, SharePoint will break if the URL path goes beyond the 260-character limit. I have seen this to this day, yes.
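Putting the segments together, as an added example in PowerShell (not code from the original post): a small planner that assembles the URL from web application, managed path, site, library, folders and file, shows what the browser will actually send (the %20s), and flags the names SharePoint 2010/2013 will refuse or that push the path past the documented 260-character limit. The host name and the site, library and file names in the usage lines are invented for the example.

```powershell
# Added example, not from the original post. The illegal-character set, the
# 128-character name limit and the 260-character path limit are the SharePoint
# 2010/2013 ones; the names used in the usage lines are made up.
function Test-SPUrlSegment {
    param([string]$Name)
    $problems = @()
    # Characters SharePoint 2010/2013 reject in file, folder and list names
    if ($Name -match '[~"#%&*:<>?/\\{|}]') { $problems += "illegal character in '$Name'" }
    if ($Name -match '^\.|\.$')             { $problems += "'$Name' starts or ends with a period" }
    # Not illegal, but every space becomes %20 in the URL the user has to read
    if ($Name -match '\s')                   { $problems += "'$Name' contains whitespace (becomes %20)" }
    if ($Name.Length -gt 128)                { $problems += "'$Name' exceeds 128 characters" }
    return $problems
}

function New-SPUrlPlan {
    param(
        [string]$WebApplication,   # e.g. https://collab.example.com (assumed host header)
        [ValidateSet('department','team','project','community')]
        [string]$ManagedPath,      # the four managed paths from the security post
        [string]$Site,
        [string]$List,
        [string[]]$Folders = @(),
        [string]$File
    )
    $segments = @(@($Site, $List) + $Folders + @($File) | Where-Object { $_ })
    $problems = @($segments | ForEach-Object { Test-SPUrlSegment -Name $_ })

    # Path as the browser will send it: each segment percent-encoded
    $encoded = ($segments | ForEach-Object { [System.Uri]::EscapeDataString($_) }) -join '/'
    $path = "/$ManagedPath/$encoded"
    # Conservative: the encoded form is the longer one, so check that
    if ($path.Length -gt 260) { $problems += "URL path is $($path.Length) characters, over the 260 limit" }

    [pscustomobject]@{
        Url      = $WebApplication.TrimEnd('/') + $path
        Readable = "$($WebApplication.TrimEnd('/'))/$ManagedPath/" + ($segments -join '/')
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (all values invented). The first reads like the sentence the post describes;
# the second is flagged for the space in the library name and the '?' in the file name.
# New-SPUrlPlan -WebApplication 'https://collab.example.com' -ManagedPath team `
#     -Site 'SharePointGovernanceCommittee' -List 'GovernanceDocuments' -File 'Governance_Plan_v2.docx'
# New-SPUrlPlan -WebApplication 'https://collab.example.com' -ManagedPath department `
#     -Site 'Finance' -List 'Shared Documents' -Folders 'FY2013','Q4' -File 'Q4 Budget?.xlsx'
```

The Url and Readable values differ only where a name contains a space; when they are identical, the link a user receives in email already tells them the managed path (and so the security model), the site and the library before they click it.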
With a little planning, you will be able to have a URL that will be of great value to all your end users. Something that will allow them to know many facts about the location they are about to visit. Upon receiving a link to a document or item in SharePoint, the URL will quickly let them understand a lot of information about that document or item before even opening it.
Published: October 15, 2012 09:10 AM by
I have been working with a lot of clients since my last post and have come to the realization that security is still a pain point for many when it comes to SharePoint. The thing that has left the deepest impression on this topic is that, despite everyone saying security is their greatest concern, it turns out security is treated as an afterthought. A lot of this has to do with a lack of understanding of what security is and how it works. This post is going to try to give an executive's explanation of the following. For all of you on different versions of SharePoint, this is version agnostic, meaning it can be taken to heart no matter what version of SharePoint you run.
- High level explanation of the SharePoint object model
- Categories of any site you could create in the eyes of security
- Site Collection vs. sub site
- Tie it all together
SharePoint Object Model (High Level)
One thing I have learned working with different level management from directors to your High C’s (CEO, CIO, etc.) is they appreciate the breaking down of SharePoint objects and what it means to security. Most people (I know I am one of them are visual) so I have created a image of how the objects related to each other. See the image of concentric squares below.
Use the image on the left to visually understand what I am going to attempt to explain. Each box represent an object in the wonderful world of SharePoint. The larger the box, the larger the object. The smaller the object… well you get the idea. The parent child relation starts from the outside and works its way to the inner. The web application is the only object that does not have a parent object. The item object is the only object that does not have a child object under it.
What is all this parent/child stuff I am talking about? That is a good question. Just like my father, I have dark brown hair. Looking back at what we learned in junior high science class, I have dark brown hair because I inherited my fathers dark brown hair genes. In SharePoint, when it comes to security, the child can inherit the exact same security as its parent. For example, the intranet you go to every day that is on SharePoint has security. Everyone in the company can SEE the intranet, but not make changes to it. Only a very few individuals have the ability to make changes to the intranet. If you created a sub-site underneath the Intranet and told it to inherit the permissions of its parent, that would mean, it would not be just a copy of the permission of the parent, but the permissions of the parent itself. So the same few people who could make changes to the intranet, will be able to make changes to this new sub-site. The same people that had permission to view the intranet, would be able to view this new sub-site.
SharePoint will let you change the permissions of any object you see in the image of concentric squares. That in itself is not a difficult concept to grasp; the ramifications, however, can add a lot of complexity to maintaining the security over time, and we will get into that in the section "Tie It All Together". For right now, understand that you can give unique permissions to any object in the image. The two largest boxes are different from the rest. The web application carries its own policy (user policies that apply to every site collection inside it), and the site collection is the boundary inside which SharePoint groups and permission levels are defined. So the site collection is the smallest object that has its own security schema without cutting ties from its parent; everything inside it (sites, lists, folders, items) starts out inheriting and has to break inheritance to become unique. Two things cut across all of this and are easy to forget during an audit: a web application user policy (Full Read, Full Control, Deny) wins over anything set inside the site collection, and site collection administrators see everything regardless of how many times inheritance has been broken below them.
Site Categories in the Eyes of Security
As you can see from Table 1 below, there are four types of sites. Two of them are almost identical except that one has an expiration date (see Team and Project). Please understand that these are generalizations; there is an infinite number of permutations and variations of security.
|Site type ||What it is ||Who gets access|
|Department ||A collaboration site specifically for the department it is named after. No exceptions: if you are part of the department you can go to the site; if you are not, you may not. ||An AD security group containing only employees of that department.|
|Team ||The most common site of the four. It allows cross-departmental collaboration. ||AD users added directly by the team lead, or an AD security group created for the team by the IT department.|
|Project ||From a security standpoint the same as a team site, with one difference: it has an end date. Projects finish and are then archived or removed completely. ||AD users added directly by the project lead, or an AD security group created for the project team by the IT department.|
|Community ||A company-wide site with no exceptions. Everyone participates at some level. ||<domain>\Domain Users is an easy way to handle this.|
Site Collection vs. Sub Site
One question comes up constantly: should we use a sub-site or a site collection? The answer is yes. There are times you will use each; both have their own place in the world of SharePoint. Understand this is from my point of view, through observations made over time at multiple clients, spanning mom-and-pop shops with a handful of employees to Fortune 500 companies with over 35,000 employees. I see things very black and white when it comes to security in SharePoint, and yet I have seen and even worked in several shades of grey. I will put together a table of the trade-offs of a site collection versus a sub-site at the end of this section.
A site collection, as you recall from the section labeled SharePoint Object Model, is the smallest object with the ability to have a unique security schema without breaking inheritance. A site collection is an island unto itself, meaning there is no way to get to it without a link or knowing the URL. If you look at a SharePoint intranet, there could be dozens of site collections beyond the one housing the intranet that you are not even aware of. Think of it like a cloaked Klingon battleship: unless you know it's there, or it lets you know it's there with a happy greeting of lasers, phasers and other weapons, it is out of sight and out of mind. Seclusion keeps casual traffic away, but do not mistake it for access control. Anyone who holds permission on the site collection will find it through search, a colleague's profile or a guessed URL, and anyone who does not is kept out by the permissions, not by the missing link. Prisons such as Alcatraz were secure because of the walls and the water, not because nobody knew where the island was.
What does this mean? In order to ensure a unique security schema for a specific site, the site collection is the best choice. It can enable or disable SharePoint features, allow a non-IT employee to be the owner, have its own recycle bin, its own quota and more. That said, the downside of its seclusion is that you will need a plan for how casual browsers/employees find the site collection if they lose the link, forget to hit 'Add to Favorites' or delete the email that welcomed them to it. The navigation is specific to the site collection itself. Anywhere outside the site collection, including that phenomenal navigation your corporate communications department put together, will not be there natively. You can create a feature to force uniform navigation across site collections, build it manually for each site collection, or decide that every site collection uses its own navigation within reason, as long as a link is available to get back to the home page of the intranet. These are the paths you can choose from. There is no wrong choice as long as one is made.
A sub-site is a part of a site collection, and the navigation of a sub-site is tied directly into its parent. You even have the option to use the global (top) navigation of the parent so it is uniform. When it is first created, you choose whether the sub-site shares the same security as its parent or breaks inheritance. The sub-site is listed on the View All Site Content page of the parent site. You are able to use several out-of-the-box roll-up web parts (the Content Query Web Part, for one) to consolidate like items in a single view at the parent level; that is most certainly not available across site collections. The time to use a sub-site is when the security is exactly the same as, or a subset of, the users of its parent site. For example, I would create a sub-site in the HR department site for the director and CFO. This sub-site contains documents so sensitive in nature that, by company bylaw, only these two are allowed access to them. That is an appropriate business case to break permission inheritance. One caveat before you rely on the break: the site collection administrators and anyone covered by a web application policy still see that sub-site, so if the director and CFO really are meant to be the only two, look at who holds those roles on the HR site collection before you promise them that.
|Site Collection ||Sub-Site|
|Does not break inheritance to get a unique security schema ||Must break inheritance to get a unique security schema|
|Navigation, both global and local, is unique; additional development is needed to share navigation across site collections ||Can inherit global navigation from its parent with out-of-the-box controls|
|Easy for end users to lose track of if the email with the welcome link is lost or their browser favorites are reset to default ||Can be found in a variety of ways, including links on the View All Site Content page and in the global and/or local navigation of its parent site|
|Has its own quota ||Shares a quota with its parent, therefore has less space to store information|
|Contains its own recycle bin and second-stage recycle bin ||Contains its own recycle bin but shares its parent's second-stage recycle bin, so a site collection owner, not the site owner, is needed to restore anything that has made it to the second stage|
Tie It All Together
Largest Common Denominator
When giving out permissions, figure out the largest common denominator and grant sweeping permissions in relation to it. The easiest site to explain this with is your intranet (by intranet I mean all the employee-facing pages of company-approved information in a strictly controlled environment). The largest target is the site collection that contains the intranet, and the largest common denominator is that every employee of the company must be allowed to see (read-only) all the pages within it. The easy way to achieve this is to add the <domain>\Domain Users AD security group to the Visitors SharePoint group, which carries the Read permission level. That covers the largest portion of the population with the permissions they need. The few who actually own the content and need to change it are added (perhaps individually) to the Designers or Owners SharePoint groups to obtain that elevated set of permissions. Two things to keep in mind when you reach for Domain Users: it is per domain, so in a multi-domain forest you add each domain's group (or NT AUTHORITY\Authenticated Users, which also lets in every account from every trusted domain, so choose that deliberately), and it contains every user account in the domain, service accounts included. Simplicity should be the goal, but not the absolute, when giving permissions by the largest common denominator.
One of the greatest and worst features of SharePoint is that every object you saw in the image of concentric squares can have its own unique security schema. The thing that has plagued almost every company that has deployed SharePoint is that, when it was first released, security was an afterthought: "After all, we can just break security and give unique permissions to object X." That is true, but there is a price for every inheritance break that is rarely thought about. The difficulty of maintaining the security schema grows with every break: if N is the number of breaks in a single site collection, every permission change is N+1 places to touch. As much as I despise underlining to force a point, it is absolutely necessary here. Making the security bend to your will is easy, but maintaining it is a much different story.
An example is needed. You are working on your team site. Over time it has become quite large and gone through several owners. You don't realize there are 86 breaks in inheritance. A new employee is added to your team who is supposed to have rights to every item in the site collection. You know of 67 inheritance breaks, so you go to each one and add them manually. A deadline comes close, the new employee is told to go to a document, and they don't have rights. Finding the place where inheritance was broken to get them those rights becomes arduous and painful, and it is worse than it sounds: SharePoint security-trims what you see, so an object you have no rights to is also one you cannot find by browsing. The Check Permissions button on the Site Permissions ribbon tells you what a given person can do on one site, list or item at a time, which is fine for the one document holding up the deadline and hopeless for finding all 86. Avoid breaking inheritance like the plague (as I should avoid clichés like the plague).
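The inventory the story above is missing, and the thing the object-model section really describes (a child that inherits shares its parent's permissions; a child that does not is its own island to maintain), is a walk of every securable object in the site collection. Here is an added example, not code from the original post, that does that walk with the SharePoint 2010 server object model and also reports, for one login, which of the unique-permission objects that person cannot even read. The URL, login name, and the assumption of classic Windows authentication are mine; swap in your own.

```powershell
# Added example, not code from the original post. Assumes SharePoint 2010 with classic
# Windows authentication, run from the SharePoint 2010 Management Shell by a farm
# administrator who is also a site collection administrator of the target site collection
# (anyone else is security-trimmed and would miss objects). $SiteUrl and $Login are
# assumptions; replace them with your own.
param(
    [string]$SiteUrl = 'http://intranet.contoso.com/sites/teamsite',
    [string]$Login   = 'CONTOSO\newhire'   # the person who is "supposed to have rights to everything"
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Walks every web, list, folder and item in a site collection and returns one record per
# object that has broken inheritance (its own role assignments), with whether $Login can
# at least read it there. Each record is one more place a permission change must be made.
function Find-InheritanceBreaks {
    param([string]$Url, [string]$Login)
    $read = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems
    $site = Get-SPSite $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                $candidates = @()
                # The root web is unique by definition; any other unique web is a break.
                if (-not $web.IsRootWeb) { $candidates += ,@('Web', $web.Url, $web) }
                foreach ($list in $web.Lists) {
                    $candidates += ,@('List', "$($web.Url)/$($list.RootFolder.Url)", $list)
                    # Folders and Items are both recursive collections, so this covers the
                    # whole library. On very large libraries page through an SPQuery instead.
                    foreach ($entry in @($list.Folders) + @($list.Items)) {
                        $candidates += ,@('Item', "$($web.Url)/$($entry.Url)", $entry)
                    }
                }
                foreach ($c in $candidates) {
                    $type, $objUrl, $obj = $c
                    if (-not $obj.HasUniqueRoleAssignments) { continue }
                    # Effective permissions account for SharePoint groups, AD groups and
                    # web application policy, so this is what the user actually gets.
                    $perms = $obj.GetUserEffectivePermissions($Login)
                    New-Object PSObject -Property @{
                        Type        = $type
                        Url         = $objUrl
                        UserCanRead = (($perms -band $read) -eq $read)
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$breaks = @(Find-InheritanceBreaks -Url $SiteUrl -Login $Login)
$breaks | Sort-Object Type, Url | Format-Table Type, UserCanRead, Url -AutoSize
"{0} inheritance break(s) below the root web of {1}" -f $breaks.Count, $SiteUrl
# These are the objects behind the deadline-day help desk call.
$breaks | Where-Object { -not $_.UserCanRead } | ForEach-Object { "NO READ ACCESS for ${Login}: $($_.Url)" }
```

Run it before you hand a site collection to a new owner and again whenever someone asks "why can't I see that?"; the count on the last line is the N in the N+1 above, and it only ever goes up on its own.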
That being said, there is ALWAYS an exception to every rule, and the one I just gave you, not breaking inheritance if at all possible, is no different. There will be times a business case is presented that makes breaking inheritance necessary. The key words in the previous sentence are "business case". When you have a solid business reason behind the break, the maintenance issues spoken of in the previous paragraph become secondary to the need. Write that reason down where the next owner will find it (the description of the list or site works well), because the break outlives the person who made it.
Planning your Security
After all of this, I want to encourage you to plan your SharePoint solution around a security-centric approach. In the end this will give you a much simpler security schema, which in turn you will be able to manage comfortably. Understand that over time even the best security schema ever created, one that extra-terrestrial beings will come and try to copy, will deteriorate. Security should be constantly in the back of your mind, not your end users' minds (not that it usually is).
Published: April 22, 2011 12:04 PM by
Back story: Sitting with a client, their entire focus for their SharePoint project was geared around the social networking abilities of SharePoint 2010. What I did know was that this area got a huge upgrade between 2007 and 2010. I also know how My Sites work and how they are configured. I would even go so far as to say I am quite comfortable setting up Profile Synchronization despite its idiosyncrasies. The SharePoint 2010 proof of concept was up, everything was running smoothly, and AD was synchronizing nicely. Let's see how this bad boy works with Office 2010. Then came the stark realization that the supposedly super cool, outrageously awesome tie-in between SharePoint and Outlook, the Office Social Connector, was blank. NOTHING! It's just a flick of the switch, right? Not exactly. I walked into this looking at Office 2010, Outlook 2010 specifically, as a black box that knows what to do.
Wowsers, where’s the info!?
The Problem: SharePoint and Office do work well with each other, BUT… there is more to the Office Social Connector than meets the eye. There are more steps involved depending on what you want to display, and very little about it is written down in one place.
Needed Information: After several days of piecing fragmented information together, the black box began to become translucent. Let me share my findings. This is not going to be a huge developer deep dive of vast proportions to break the code to the Fort Knox of Microsoft code. This is to give you what I learned in layman's terms, in everyday speech, so you know what is needed to make the Office Social Connector work with your network. Minimally. If you're looking to tie it to other sources, such as Facebook, LinkedIn, etc.: no soup for you.
Nothing was in the social connector, not even emails related to that individual. How could that be? What was wrong? What needed to be put in place? Windows Desktop Search. Yeah, you heard me correctly. It makes sense when you think about it. My client is still running a Windows XP image, and Windows Desktop Search was not part of the image, so even this information was not available. Here is where I found the fragment that pointed me in that direction: “To take advantage of the features that are available with the Outlook Social Connector, you must run Outlook 2010 in Cached Exchange Mode with Windows Desktop Search and have Microsoft SharePoint Server 2010 My Site configured for users. In this configuration, local items — such as e-mail messages, meetings, and attachments from the sender — will be included in the communication history. Additionally, with My Site configured you can view the activity feed from the sender’s My Site.” This can be found in Determine which features to enable or customize in Outlook 2010.
Once I installed Windows Desktop Search and it indexed my machine, as if by magic most everything started up. Sweet! Oh yeah, baby! Out of morbid curiosity, I switched over to my laptop, which is running Windows 7, and found a pleasant surprise: my information was already showing. Then I remembered that Windows Desktop Search is baked into Vista and Windows 7. No wonder I was expecting it to just work. Certainly good to know.
As for the feed updates, not nearly as difficult. Click the big green + Add under any of your pictures and let it rip. Type in the URL to your My Site, then your username and password. BAM! There it is. Not difficult. No worries there.
Last thing, and it seemed to be a wall bigger than the Great Wall of China… photos. Why are they not there? We all put our images in our SharePoint profiles. Yeah… yet nothing. Grrrrr! It took several days of research and redesigning my Bing (see that, Microsoft!) searches to get the information I was looking for. When I finally came to the answer I must have looked like a deer in the headlights; I was certainly not expecting it. I knew many of the executive board at the client wanted the images populated. I also knew we were going to be in a battle with the AD owners. Here is the excerpt from the blog post the Office team put out about this very thing that helped me understand what needed to happen: “I’ll use Active Directory since it will be the most common type of server used. What is the benefit of storing pictures in Active Directory? Well, the new Outlook social connector will pull from what is stored in the thumbnailPhoto attribute so a picture of a sender is visible in email. SharePoint 2010 will sync users pictures directly to the thumbnailPhoto attribute.” Found at SharePoint 2010 Profile Picture Property 101.
Now if you are like me you are going to say, what was that? Store the images in AD? Really? I have to say… really. We tested the theory and sure enough, the images appeared once all the AD servers had synchronized. So this is where it gets interesting. How are you going to get the images in there? Well, SharePoint can do it! BUT (there is always a big BUT with these, isn't there?) this means the battle with the AD team will have to be picked up again. This time they are going to have to give your synchronization account even more privilege to make changes in AD. Good times will be had with your governance committee giving solid business reasons as to why you want to increase the permission radius of that account, unless you have the trump card, “Because the executives said so.”
Everyone has to give their synchronization account the Replicating Directory Changes permission on the domain; that was a battle in itself, getting them to understand that without it SharePoint Profile Synchronization would not happen. Two points worth making to the AD team while you are there. First, the right SharePoint needs is plain Replicating Directory Changes, not Replicating Directory Changes All; the "All" variant lets the holder replicate password secrets out of the directory and has no place on a SharePoint service account. Second, the export permissions are scoped. Here is the excerpt from the TechNet article of what needs to be added: “If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. See Grant Create Child Objects and Write permission for instructions to grant this permission.” Grant that on the OU the synchronization connection actually covers, not on the domain root, and you have a much shorter governance meeting. Yeah, this is what allows you to change the SharePoint property mapping from import to export.
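The two grants quoted above, written out as the AD team would actually apply and verify them. This is an added example, not from the original post or the TechNet article; the service account, domain and OU names are assumptions, and it uses dsacls.exe from the AD DS tools.

```powershell
# Added example, not from the original post or the TechNet article. Run on a domain-joined
# machine with the AD DS tools (dsacls.exe) as someone who can edit ACLs on the domain and
# the OU. Account, domain and OU names are assumptions; substitute yours. Repeat once per
# domain you synchronize from.
$syncAccount = 'CONTOSO\svc_spprofilesync'
$domainDn    = 'DC=contoso,DC=com'
$syncOu      = 'OU=Staff,DC=contoso,DC=com'   # the OU your Synchronization Connection actually filters on

# Import: Replicating Directory Changes on the domain naming context. Plain "Replicating
# Directory Changes" is the right one; the "...All" variant allows replicating password
# secrets (the DCSync technique) and SharePoint never needs it.
& dsacls.exe $domainDn /G "${syncAccount}:CA;Replicating Directory Changes"

# Export (writing thumbnailPhoto back): Create Child (CC) and Write Property (WP) on the
# synchronized OU and its descendants (/I:T). Grant it there, not on the domain root.
& dsacls.exe $syncOu /I:T /G "${syncAccount}:CCWP"

# Verify: with no switches dsacls dumps the ACL, so filter it to the account and check
# that the two rights above are the only ones it holds.
& dsacls.exe $domainDn | Select-String -SimpleMatch $syncAccount
& dsacls.exe $syncOu   | Select-String -SimpleMatch $syncAccount
```

The verification lines are the part to keep in your runbook: if the account ever shows up with Replicating Directory Changes All, or with Create Child and Write Property at the domain root, somebody widened the grant to make an error go away and it needs to be pulled back to the OU.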
Solution Had: Once these changes were put in place the Office Social Connector worked like a champ. Lesson learned: SharePoint touches everything. It's no longer the simple plug and play of 2001 (if you could even call that plug and play). I needed to put this out there because I know many of you are looking for the same answers. With them spread all over the internet, having them in one place certainly helps.
Published: January 28, 2011 14:01 PM by
You are sitting there minding your own business, thinking life is great. You just installed a SharePoint 2010 environment and WHAM! You have the indentation of a bus license plate on your forehead. What was that?!? You just opened up your SharePoint Health Analyzer and see the error (see Figure 1): Expired sessions are not being deleted from the ASP.NET Session State database. Fight the urge to play “It’s the End of the World” by R.E.M. and crawl under your desk repeating “duck and cover.” This can be fixed, and without too much pain. Really!
Ok, go to your SQL Server and open up SQL Server Management Studio. You will need SQL Server admin rights (I believe; my SQL admin days are a faint memory. I know enough to be dangerous). Find SQL Server Agent and expand it. There you will find Jobs. Expand Jobs and see whether you have a DeleteExpiredSessions job registered or not (see Figure 2). If not, you will need to fix this.
We need to create this job so we can save the world (Mwaa haaa haaa). Right-click the Jobs folder in SQL Server Management Studio and select New Job. On the General page, enter the name, who you want the owner to be, a category if needed, and a description (see Figure 3). NOTE: the SharePoint health rule looks for a specific name. DeleteExpiredSessions is the name you should use, spelled exactly like that.
In the Select a page pane on the left, click Steps. At the bottom you will see the New button, which lets you build a new step. Give the step a name, use Transact-SQL script (T-SQL), select the ASP.NET session state database as the database, and put in your SQL statement (see Figure 4). The statement is the stored procedure the ASP.NET session state schema already ships with: EXEC dbo.DeleteExpiredSessions. Make sure you pick the right database. The one you want is the one created by Enable-SPSessionStateService (SessionStateService_<GUID> by default; you can confirm it by finding dbo.DeleteExpiredSessions under its Programmability node). The similarly named StateService_<GUID> database belongs to the separate State Service (InfoPath Forms Services and the chart web parts use it) and does not have that procedure. Click Parse to make sure your SQL statement is correct. Click OK.
In the Select a page pane click Schedules. At the bottom of the new window you will see the New button, which lets you build a schedule. Give the schedule a name and the time(s) that work for your corporation (see Figure 5); the stock ASP.NET session state install runs this every minute, and every few minutes is plenty. Click OK.
Fill out alerts, notifications and/or targets if needed, then hit OK. You will see your job appear in the job list. If you wish, you can run the job you just created right away by right-clicking it and selecting Start Job at Step…
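The same five clicks as a script, so the fix is repeatable across farms and survives the next SQL rebuild. This is an added example, not from the original post: it locates the session state database, checks that the stored procedure is really there before pointing a job at it, creates the DeleteExpiredSessions job with a schedule only if it is missing, and then lists what the health rule will see. The instance name is an assumption, and it assumes the SQLPS module (SQL Server 2012 and later; on SQL Server 2008 R2 load the SqlServerCmdletSnapin100 snap-in instead to get Invoke-Sqlcmd).

```powershell
# Added example, not code from the original post. Assumes the SQLPS module (Invoke-Sqlcmd)
# is available and that you run it as a member of sysadmin on the SharePoint SQL instance.
# $SqlInstance is an assumption; change it to your instance.
param([string]$SqlInstance = 'SQL01\SHAREPOINT')
Import-Module SQLPS -DisableNameChecking -ErrorAction Stop

# 1. Find the ASP.NET session state database the Session State Service created. The
#    StateService_<GUID> database belongs to the separate State Service and is not it.
$dbRow = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT name FROM sys.databases WHERE name LIKE N'SessionStateService%';
"@ | Select-Object -First 1
if (-not $dbRow) { throw "No SessionStateService database on $SqlInstance; is the Session State Service enabled?" }
$sessionDb = $dbRow.name

# 2. The job will call the stored procedure the ASP.NET session state schema ships with;
#    confirm it exists in that database before pointing a job at it.
$proc = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $sessionDb -Query @"
SELECT COUNT(*) AS n FROM sys.procedures WHERE name = N'DeleteExpiredSessions';
"@
if ($proc.n -ne 1) { throw "dbo.DeleteExpiredSessions is missing from $sessionDb; wrong database?" }

# 3. Create the job only if it is not there. The name must be exactly DeleteExpiredSessions,
#    which is what the Health Analyzer rule looks for. PowerShell expands $sessionDb below;
#    the @-prefixed names are T-SQL parameters and are left alone.
$createJob = @"
USE msdb;
IF NOT EXISTS (SELECT 1 FROM dbo.sysjobs WHERE name = N'DeleteExpiredSessions')
BEGIN
    EXEC dbo.sp_add_job
        @job_name    = N'DeleteExpiredSessions',
        @description = N'Purges expired ASP.NET session state rows for SharePoint';
    EXEC dbo.sp_add_jobstep
        @job_name      = N'DeleteExpiredSessions',
        @step_name     = N'Delete expired sessions',
        @subsystem     = N'TSQL',
        @database_name = N'$sessionDb',
        @command       = N'EXEC dbo.DeleteExpiredSessions;';
    EXEC dbo.sp_add_jobschedule
        @job_name             = N'DeleteExpiredSessions',
        @name                 = N'Every 5 minutes',
        @freq_type            = 4,    -- daily
        @freq_interval        = 1,
        @freq_subday_type     = 4,    -- unit: minutes
        @freq_subday_interval = 5;
    EXEC dbo.sp_add_jobserver @job_name = N'DeleteExpiredSessions'; -- bind to this server
END
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database msdb -Query $createJob

# 4. Show what the health rule will find: the job, whether it is enabled, and its schedule.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database msdb -Query @"
SELECT j.name, j.enabled, s.name AS schedule_name, s.enabled AS schedule_enabled
FROM dbo.sysjobs AS j
LEFT JOIN dbo.sysjobschedules AS js ON js.job_id = j.job_id
LEFT JOIN dbo.sysschedules   AS s  ON s.schedule_id = js.schedule_id
WHERE j.name = N'DeleteExpiredSessions';
"@ | Format-Table -AutoSize
```

After it runs, re-run the rule from Central Administration (Monitoring, Review rule definitions, Run Now) rather than waiting for its schedule, and confirm that the SQL Server Agent service itself is set to start automatically, because a job on a stopped agent fails this rule just the same.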
Published: July 15, 2009 13:07 PM by
The first few minutes of my presentation, I will be doing at the Best Practice Conference. Trust me, it gets even better, but you have to attend to get the rest!
Back in the day, a literary labyrinth was called a Choose Your Own Adventure book. Somewhere in my parents' house I have the very same book that is pictured above. Reading these was an adventure. Did you choose the right path? You kept your finger(s) in multiple pages, just in case you did not. Planning your SharePoint environment is very much the same: there can be multiple outcomes, with lots of twists and turns along the way, and the choices you made earlier can force the outcome later.
Page 1 & 2
Your company hears about this SharePoint “thing.” It sounds like a good idea. You and a bunch of co-workers are standing around the water cooler talking about it.
“Hey Sarcastic Sally, how is the paper your working on?”
“As good as an ulcer,” Sally retorted.
“Did you hear about that program called SharePoint?”
”Stop smiling, the light shining off your teeth is going to blind me. Yeah, it sounds cool.”
”Maybe we should look at the business problems it could solve before we move forward with it?” you ask yourself out loud.
Sarcastic Sally Scoffs. “It’s a cool application, let’s just move forward. You are such a worry wart.”
Go to page 21 if you agree with Sally
Go to page 37 if you want to follow your own idea
Sally scares me, I think we better listen to her. However, I am not sure if this is the right way, so lets put our finger in here JUST IN CASE.
Page 21 & 22
Your SharePoint environment is installed and takes a life of its own, causing chaos and mayhem everywhere in your company. You are blamed for the IT nightmare and sent to a small town in Idaho to flip burgers.
Oh no! I like burgers, but not that much. What happened!
In reality, this is a very common mistake. More companies than not introduce an application into their environment without understanding the problems they are targeting to solve. This can be fatal to the success of releasing the application, especially if it is SharePoint. You have to understand the new workforce you are dealing with: Generation X, Generation Y, and the Lost Generations who have had the Internet for the better part of their lives. They are the MySpace, Facebook, iGoogle, My Yahoo, My MSN, instant messaging, tweeting generations. They know how to use web-based applications very well, and SharePoint, being a web-based application, will instantly be second nature to them. That being said, if you do not know what business problems SharePoint is going to solve for your company, they will make those choices for you. There is a LOT of power in just the out-of-the-box features and web parts they can take advantage of. At first glance this may sound like a good thing; however, there is one caveat. If you have legacy applications, or applications that are not as intuitive, user friendly or “cool” to look at, this new workforce can and will use SharePoint to replace them. That spreads your information over multiple systems, causing search problems and segmented data. This is not the effect SharePoint should have. SharePoint is extremely powerful, and I dare say more powerful than Microsoft even realizes. That is a good thing, but it has to be managed properly. In time those legacy applications may very well be absorbed by SharePoint-based applications, but you want to keep it under control. Spotting the business problems SharePoint is designated to solve is the first step in a healthy deployment.
Good thing we put our finger in the page. Let's go back and try the other path… That's page… 37. Let's go!
Page 37 & 38
You shoot back, “No, I think it will be a good idea to figure out the business problems we want to solve for the company.”
“Like what?” asks Jeff from accounting.
Sally and you watch him drain half the water cooler bottle into his water bottle. “Well, Sally already gave us one. She is having trouble collaborating with her team. The paper they are working on isn’t as easy as it should be. So collaboration is a big one, I would think.”
“Oh, sorry to hear that Sally, but we have our own problems,” Jeff informed us.
“How so?” Sally inquired.
“Well, we have all of these reports we are forced to do, but they are so time consuming, I don’t have time to do what I am supposed to do.” Jeff wrinkled his nose.
“The enterprise version of SharePoint has Excel Services and BI capabilities,” I offered. “That could be another business problem we could solve initially.”
“Do you have an executive sponsor?” Jeff wondered.
“We are IT, why would we need that?” Sarcastic Sally snapped.
“To get funding and support.” Jeff said defending himself.
Go to Page 13 if you want to get an executive sponsor.
Go to Page 25 if you agree with Sally
I say we go with Sally, she still scares me. Lets go to page 25, but I am going to put my finger here again, JUST IN CASE!
Page 25 & 26
Oh no, SharePoint has been considered a rogue project. Lack of funding has landed us in trouble. We are forced to use an old Commodore 64 and two TRS 80’s to try and build the environment. The project and idea has died before it could even go forward. A walk to the water cooler for you and Sally is now known as the Walk of Shame.
Sally did it to us again! What happened?!
Find out at the SharePoint Best Practices conference. If you want more information about the Best Practices Conference click on the banner below. Hope to see you there, as the line up of speakers is UNBELIEVABLE! Two of which are the authors of the book that inspired this entire event. Microsoft Office SharePoint Server 2007: Best Practices published by Microsoft Press.
Published: July 15, 2009 09:07 AM by
The first few minutes of my presentation, I will be doing at the Best Practice Conference. Trust me, it gets even better, but you have to attend to get the rest!
Active Directory (AD): Cheshire Cat. AD is everywhere and nowhere at the same time. To the end users AD is absolutely nowhere. They know they signed onto their computer to get to their applications, but if you asked them what AD was, they would look at you with the wide-eyed bewilderment Alice had upon entering the looking glass, or Wonderland for that matter. This is the power of being nowhere, like the Cheshire Cat. Switch to the internal IT personnel's point of view and AD is everywhere. Its security permeates the whole network environment: applications, computers and file shares all use AD for permissions, for starters. When it comes to SharePoint, AD can be looked at in two parts, the user and the security group, just as the Cheshire Cat can detach its head from its body. These two parts indeed make up the one.
SharePoint Security Groups: White Rabbit. Zoom! Did you see that white streak? Apparently the white rabbit is late for a very important date… Again. SharePoint Security groups can be a fast answer. But… Zoom! if you try and control these fast moving targets you could be coming up with empty arms.
SharePoint Permission Levels: Mad Hatter. Approximately 10/6 of the time you will be using the out-of-the-box permission sets. Yes, now you know what that 10/6 card in the Mad Hatter's brim means. There will be times when you would be absolutely mad not to use a custom-designed permission set.
Zones: Caterpillar. Yes, as completely mind boggling and mysterious as the hookah smoking caterpillar is, Zones seem to have the same effect on people. Most people don’t realize the power of Zones and what can be accomplished. The question is Who… Are… U?
AD (Cheshire Cat): Most companies have well-defined security groups in their Active Directory. Please note: email distribution groups are NOT security groups and cannot be used as such in SharePoint. AD groups must be security groups in order to be used for security within the SharePoint environment. Did I reiterate? Yes. Did I need to? From experience? Yes. (The reason is not cosmetic: a distribution group is not security-enabled, so it never appears in anyone's logon token and SharePoint has nothing to match a user against.) The reason AD security groups are such a good tool for locking down security is the familiarity with them. Many users know which groups they belong to. They see them when they use the infamous file servers. They know they can only see the finance department folder on the file server because they are part of the “finance team” (read: Finance AD security group). They also know about security groups when it comes to applications. Sally from HR can edit information in the Our Persons HR application; she has read/write access because she is part of the HR Our Persons security group, along with only one other person from the HR department, to be sure the information is locked down.
Another bonus of AD is that it is a controlled environment. There are probably only a handful of people allowed to make any kind of change to your AD. This is very good. The control allows a consistency that would not be achievable if it were opened to the masses. Let's face it, when it comes to security, the fewer hands that can touch the security environment, the more secure it will be. The individuals in control of AD are well aware of the potential pitfalls and hazards that come with adding users to security groups, or worse, nested security groups (read: security groups held inside security groups). The assurance of safe and accurate security groups is certainly a good thing. Warms the heart like a Cheshire Cat's smile. One thing the AD team should know about the SharePoint side: group membership reaches SharePoint through the user's cached security token, which by default is refreshed only every 24 hours (the token-timeout farm property), so removing someone from an AD group does not lock them out of SharePoint the same minute. If a removal has to take effect now, remove the person on the SharePoint side as well.
Using AD security groups to grant sweeping permissions to large numbers of people is a very good point to bring up. I think of the concentric rings in an archery target when I talk about granting permissions. Let's use a company portal, its pages and sub-sites as an example: one site collection with all the company-wide information. Say the bull's-eye in the center is the company portal. The first ring around the bull's-eye is the read-only permission set. This is pretty much everyone in the corporation. The portal is a place for your employees to get information that helps them do their jobs and be “in the know”. This is not really a place where you want anyone and everyone able to add, change or delete content. Using the power of SharePoint's inheritance of security, you can very easily add an AD security group to the out-of-the-box SharePoint group Portal Visitors. That grants view permissions to all your employees with ease.
Let's take that a step further and move out to the next ring. These are your contributors, and very few are desired. The executive AD security group is selected and placed in the out-of-the-box SharePoint group Portal Members. This lets your CxOs post information targeted at the company as a whole, a way to replace the never-read email blasts your company currently uses.
Moving to the next circle out, we create an AD security group called Portal Designers. This group is placed in the SharePoint group Portal Designers. This allows a limited number of individuals with extensive web design backgrounds to add, change and delete content, and the look, feel and style of the portal.
Lastly, one more step out in our concentric rings, we come to the circle that encompasses the entire environment: our administrators. For our fictitious company we will say the AD security group Internal IT is used. This group is placed inside the out-of-the-box SharePoint group Portal Owners.
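The four rings above, and the "largest common denominator" idea from the permissions post earlier on this page (Domain Users into the read-only group, a few named groups above it), as a script rather than four trips through the people picker. This is an added example, not code from the original post: it refuses a distribution group before SharePoint silently accepts one, puts each AD security group into its SharePoint group, and prints which permission level that SharePoint group actually carries, because membership in a SharePoint group that has no permission level grants nothing. The portal URL, the AD group names and the rings are assumptions; the SharePoint group names are the defaults of a publishing portal.

```powershell
# Added example, not code from the original post. Assumes SharePoint 2010 with classic
# Windows authentication, the SharePoint 2010 Management Shell on a farm server that also
# has the ActiveDirectory module (RSAT), run by a site collection administrator of the
# portal. The portal URL, AD group names and the rings themselves are assumptions; the
# SharePoint group names are the defaults of a publishing portal.
param([string]$PortalUrl = 'http://portal.contoso.com')
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

# Rings from the bull's-eye outward: the widest audience gets the least permission.
$rings = @(
    @{ AdGroup = 'Domain Users';     SpGroup = 'Portal Visitors'  },   # Read
    @{ AdGroup = 'Executives';       SpGroup = 'Portal Members'   },   # Contribute
    @{ AdGroup = 'Portal Designers'; SpGroup = 'Portal Designers' },   # Design
    @{ AdGroup = 'Internal IT';      SpGroup = 'Portal Owners'    }    # Full Control
)

# Places each AD security group into its SharePoint group, refusing distribution groups,
# and returns one line per mapping with the permission level(s) the SharePoint group holds.
function Grant-PortalRings {
    param([string]$Url, [object[]]$Rings)
    $web = Get-SPWeb $Url
    try {
        $domain = (Get-ADDomain).NetBIOSName
        foreach ($ring in $Rings) {
            # A distribution group is not security-enabled, so it never shows up in anyone's
            # logon token; granting it would grant nothing. Catch that here, not at the help desk.
            $adGroup = Get-ADGroup -Identity $ring.AdGroup
            if ($adGroup.GroupCategory -ne 'Security') {
                Write-Warning "$($ring.AdGroup) is a $($adGroup.GroupCategory) group, not a security group; skipped."
                continue
            }
            $spGroup = $web.SiteGroups | Where-Object { $_.Name -eq $ring.SpGroup }
            if (-not $spGroup) {
                Write-Warning "SharePoint group '$($ring.SpGroup)' does not exist on $Url; skipped."
                continue
            }
            # EnsureUser resolves the group to its SID and registers it in the site collection
            # if it is not there yet; AddUser is a no-op for a principal already in the group.
            $principal = $web.EnsureUser("$domain\$($ring.AdGroup)")
            $spGroup.AddUser($principal)

            # The permission level is bound to the SharePoint group, not the AD group; show it
            # so a group that carries no level on the root web is obvious in the output.
            $levels = 'NONE: this SharePoint group has no permission level on the root web'
            try {
                $levels = ($web.RoleAssignments.GetAssignmentByPrincipal($spGroup).RoleDefinitionBindings |
                           ForEach-Object { $_.Name }) -join ', '
            } catch { }
            "{0,-30} -> {1,-18} [{2}]" -f $principal.LoginName, $spGroup.Name, $levels
        }
    } finally { $web.Dispose() }
}

Grant-PortalRings -Url $PortalUrl -Rings $rings
```

Keep the $rings table in source control next to the portal's governance document; it is the whole permission model of the site collection in four lines, and re-running the script is how you put it back after someone "fixes" access by hand.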
And the coup de grâce: using AD security groups as well as individual accounts is a best practice! Granted, there are trade-offs. These are covered in depth in the book that inspired the whole reason to hold the SharePoint Best Practices Conference, Microsoft Office SharePoint Server 2007: Best Practices, published by Microsoft Press. You will find an in-depth analysis of the pros and cons of using groups versus individual accounts on pages 152–156.
I hope this teaser whets your appetite for more. I would love to see you all at the Best Practice conference. If you want more information on the conference, just click the banner below and know the information you will receive there is worth more than … 1 MILLION DOLLARS… Ok… so I like Austin Powers Movies a little too much, but the value of this conference is unbelievable. The caliber of the speakers is top notch, not to mention includes the two gentlemen who wrote the book! See you there!
Published: June 09, 2009 17:06 PM by
The first day of summer is coming on June 21st. People from the northern part of the United States and Canada are now able to strip off a few layers of clothing thanks to the cool spring we have had. It also begins the most exciting countdown toward the arrival of the third SharePoint Best Practices Conference. This is going to prove to be even bigger, better, faster, stronger… (oh wait, no, that is the 1970's show the Bionic Man) then again, it may just be a close match! Not only SharePoint Best Practices but SQL experts are being brought in as well. If you have either never heard of the Best Practices Conference or never attended it, this is the place you want to be. There are a lot of books out there on how to do configuration and administration of SharePoint and SQL, but only one book about SharePoint Best Practices. This one book spawned the SharePoint Best Practices Conference as the popularity of the book quickly climbed the charts, at the same time triggering numerous other questions, what-if scenarios and requests for additional information. The question we learn to ask at a very early age: WHY?! This is the reason for the conference: why you need to do certain things in your environment. These are the Best Practices that make your SharePoint environment not just another application in your company, but a solution your company could not be without. A solution that will help your company become more streamlined, more productive, and more organized. All these things turn out to be money saved, which in these economic times is a welcome benefit.
Whether you are looking to bring SharePoint into your environment or have been using SharePoint for the last five years, this conference is a must attend. The wealth of knowledge you will gain from the conference will more than make up for the nominal investment to attend. The caliber of speakers is unbelievable. I have attended the first two, and will be at this one as well. The two authors of the book that launched this conference, Ben Curry and Bill English, will be there, but that is far from all. So many of the leaders in the SharePoint community will be there and it is going to absolutely rock! If I had the voice I would do a sound bite like the guy who does monster truck announcements on T.V. Ok, enough gushing, I think you have gotten the idea.
And now for a shameless plug. I have received an invitation to rub elbows and be a speaker at this great event. I am both humbled and honored by this invitation and look forward to meeting all of you who do attend. I will be doing two different presentations. Here are a couple of tasty morsels to help you decide to come.
SharePoint Planning: A Labyrinth of Choices
SharePoint is easy to get up and running, BUT the choices made before the install, during the install, after the install, and after it has been in use for some time all matter. What if you make this choice; what ramifications will follow from it? SharePoint is indeed a collaboration environment, but it becomes so much more to many companies. Choices made throughout the life of your SharePoint environment will affect things down the road that may not even be thought of when the original choice was being made. I will look at multiple permutations of the various paths a company could follow.
SharePoint Security: Through the Looking Glass
Journey with me and Alice as we go into the world of SharePoint security. What to do with the AD Queen of Hearts and the SharePoint Groups Cheshire Cat. There is the good, the bad and the ugly in this world. You have to be careful with the security solutions you use. What makes sense, how to tackle different scenarios, how to combat security schema deterioration. This could be a chance to actually win back and know what your people are allowed to see and not see. Sometimes file servers become so complex that there are possibilities of accidents happening where an end user is given permissions to documents that may not be desired. Not to mention that the government is starting to get involved with legislation on what we are supposed to hold on to, what needs to be audited, etc. A lot of the time, security seems to be a lot of smoke and mirrors; this talk is going to help bring a solid understanding to security within a SharePoint environment.
David J. Pileggi Jr.
Published: April 03, 2009 14:04 PM by
Another post about a governance document? Absolutely. I have worked with many clients and this has seemed to boil to the surface more often than not. Well over 90% of the companies I consult for who are planning a SharePoint environment, or already have one, do not have a governance document. There are a lot of reasons for the lack of these documents. I will try to cover a few of them during this post. One of them: as the economic times are a bit more trying than usual, IT departments are being whittled down to skeleton crews at best. Their budgets are being slashed and yet they are expected to continue to run the company infrastructure and applications as well as continue to work on projects adding to their environment. If something happens in the SharePoint environment, a knee-jerk reaction from upper management is a high possibility. A reaction that could be detrimental to the environment. This calls for a bulletproof shield. This calls for a governance document. A document that, when created, had buy-in from the higher-ups as well as all the stakeholders. A document with the steps documented on how to handle situations in a logical manner, leaving the knee-jerk reactions by the wayside. A governance document is more than a bulletproof shield (protect); it is also there to serve. It serves as a map, a blueprint, a guideline for your SharePoint environment. A document to help mold and guide this unbelievable application into a well-oiled, viable tool that solves specific business problems brought to the IT department from multiple areas in the company. The governance document is also there to serve your user community by providing direction and focus.
- One of the biggest, if not THE biggest, reasons companies do not create governance documents is the price tag attached to SharePoint. It's cheap! It is very cheap compared to other collaboration and document management systems. Your Documentums and your P8s (FileNet) out there have massive price tags. (Please understand, I am not bashing these systems. They are very good at what they do. They have also seen the value of SharePoint, as both have created web parts to tie into SharePoint.) A good example of price tag is WSS 3.0. It's free, yet it has a lot of functionality and versatility. Having a tool that has little or no cost usually flies under the radar as something that would have a large business impact or, for that matter, become a mission critical application.
- The second reason that comes to mind is the ease of deployment. SharePoint's easy one-button install makes it very appealing to install as well. Choose the stand-alone radio button and let the installer do everything for you. You even get the embedded SQL Server (Windows Internal Database) thrown in. Most companies use this deployment because it is easy and works quite well.
- Another reason is that SharePoint is tenacious. Pieces of SharePoint can be misconfigured or even outright non-functional, yet the end users don't even realize it, as they are still able to use the environment to upload documents, etc.
- The fly-under-the-radar has been something I have encountered quite a bit recently. This is where an employee, usually a new employee, has used SharePoint at a past place of employment and knows the benefits and features of SharePoint. They ask their IT for SharePoint, and IT, more often than not, doesn't really understand what SharePoint is. They throw an out of box SharePoint install onto a server and let the user at it, due to the #1 reason in this list. Well, he tells his friends, who tell their friends, and so on and so on. The next thing IT knows, when it goes down, this application turns out to be mission critical.
Very likely, one or more of the reasons I listed may have affected you one way or another. If you are among the 10% who do have a governance document, well done. There are numerous symptoms that come with an environment that does not have a governance document or any formal planning whatsoever. These symptoms may include:
- No clear owners of the application as a whole
- No site structure or hierarchy
- No information architecture
- Only one content database
- No service account, or one service account running the entire application
- Security is completely ad hoc
- No Disaster Recovery Plan (DR)
- No Business Continuity Plan (BCP)
- Search “doesn’t work”
- Navigation is atrocious
There is a lot more that could fall into the list, but for the sake of you not getting carpal tunnel syndrome from all the scrolling you would have to do, I will behave and keep the list to 10. The problems that come with lack of planning point to the fact that SharePoint is a "legitimate" application, not some free piece of shareware that is nice to have. SharePoint is indeed a contender in the content management arena. SharePoint also has a very strong end user adoption rate due to its ease of use. This is why I chuckle when a company tells me "we have had this SharePoint proof of concept up for the last 2 months." I tell them, "you mean it's been in production for the last seven weeks, then." SharePoint is viral…. highly infectious, and will spread throughout a company like a fire in a gasoline and match factory.
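Two of the symptoms in the list, a single content database and a single service account running everything, can be checked from the farm in a couple of minutes. The following is an added example, not code from the original post: a read-only PowerShell pass over the MOSS 2007 / WSS 3.0 object model that lists, per content web application, how many content databases and site collections it has and which identity its application pool runs under, and flags the two symptoms. It assumes it runs on a farm server under a farm administrator account; the "more than one site collection in one database" threshold is an assumption chosen for illustration.

```powershell
# Added example, not from the original post: read-only audit for two symptoms
# of an unplanned farm, "only one content database" and "one service account
# running the entire application".
# Assumptions (hypothetical): MOSS 2007 / WSS 3.0 farm server, run as a farm
# administrator; the thresholds below are illustrative, not a standard.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$centralAdmin   = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local
$caIdentity     = $centralAdmin.ApplicationPool.Username

# identity -> number of content web applications whose app pool runs as it
$identities = @{}

foreach ($webApp in $contentService.WebApplications) {
    $identity = $webApp.ApplicationPool.Username
    $identities[$identity] += 1

    $dbCount   = $webApp.ContentDatabases.Count
    $siteCount = 0
    foreach ($db in $webApp.ContentDatabases) {
        $siteCount += $db.CurrentSiteCount
    }

    Write-Output ("{0}: {1} content database(s), {2} site collection(s), app pool runs as {3}" -f `
        $webApp.Name, $dbCount, $siteCount, $identity)

    # Symptom: every site collection shares one database, so one restore or one
    # corrupt database affects all of them and the database grows without bound.
    if ($dbCount -eq 1 -and $siteCount -gt 1) {
        Write-Output "  SYMPTOM: all $siteCount site collections live in a single content database"
    }

    # Symptom: a content web application sharing the Central Administration
    # identity means a compromised content site runs with farm-level rights.
    if ($identity -eq $caIdentity) {
        Write-Output "  SYMPTOM: app pool shares the Central Administration identity ($caIdentity)"
    }
}

# Symptom: one account for everything, with no isolation between web applications.
if ($identities.Count -eq 1 -and $contentService.WebApplications.Count -gt 1) {
    $only = @($identities.Keys)[0]
    Write-Output "SYMPTOM: every content web application runs under the single account $only"
}
```

The output is a starting point for the remediation discussion below: each SYMPTOM line maps to a decision (database boundaries, service account isolation) that belongs in the governance document rather than being re-made under pressure the day the farm goes down.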
It is never too late to put a governance document together. If you don't have a governance document, you want to start planning on creating one. Whether your SharePoint environment is in planning or has been deployed since 2003, you want to build one. You may very well find that you will need to remediate your current environment, or even build a second farm under the guidance of your governance document and then migrate (carefully!) the content and data from the first SharePoint environment to the new one. There are many companies out there that can help facilitate the building of the governance document as well as the remediation of your current environment if you find your IT staff spread thin already. I go through the paces with each client I work with to help facilitate them in this regard. When I first started in the consulting end of SharePoint, I tried to tell clients about all the pitfalls and things to avoid, but never actually defined a document. I would go back to the client a few months later and hear things like "I know you said not to blah, but I did," or "I don't remember you telling me that." SharePoint has been a growing process for everyone it has touched. It will touch millions of other lives in time as well, as it continues to grow more popular.
One thing you must be sure of is that all the stakeholders have a say, even at a token level, in what goes into the governance document that pertains to them and their role. This will ensure a solid document that is backed by the company as a whole. This will also give the IT team, or whoever is designated as the owner of the SharePoint application/environment, a bulletproof shield during those high-energy knee-jerk reactions. The bullets may fly, but the protection will be there. The ability to say, "We understand your pain point, we have a document that will help us get through this without causing other problems. Please remain calm." – PRICELESS
I could go into what needs to be in a governance document, but that is another blog post altogether. There is a lot of good information out there on what needs to be in it. I wanted to give you the reasons why you need it. I love to talk, as you have probably figured, and tend to be long-winded at that, so I had best quit here before this turns into something that rivals War and Peace.
David J Pileggi Jr.