Securing SharePoint Content with Granular Permissions

Controlling Access to SharePoint Content

Microsoft SharePoint features a robust permissions model that enables granular control over access to sites, libraries, lists, folders, and individual files. By default, SharePoint applies permissions inheritance, where child sites, libraries, lists and folders inherit permissions from their parent. However, administrators can break inheritance and define custom permissions tailored to their specific organizational needs.

SharePoint ships with several pre-configured permission levels: Read, Contribute, Edit, Design and Full Control. Each level bundles a combination of the more than 50 individual permissions, which cover actions such as Add Items, View Items, Edit Items, Delete Items, Approve Items, Open Items and View Versions. The default levels grant the following:

  • Read – Allows users to view pages and items, without editing.
  • Contribute – View, add, update and delete lists, documents, pages.
  • Design – Contribute plus customize page layouts and site appearance.
  • Edit – Contribute plus manage lists, edit pages, and customize site settings.
  • Full Control – Full rights and permissions for site, content and configuration.
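The permission levels above are just named bundles of individual base permissions, and administrators can compose their own bundle when none of the defaults fits. The following script is an added example, not code from the original article: it creates a custom level that grants the core of Contribute without the right to delete items or versions, then lists which levels on the site can delete items. It assumes the SharePoint Management Shell (on-premises server object model); the site URL and the level name are placeholders.

```powershell
# Added example: compose a custom permission level from SPBasePermissions flags.
# Assumes the SharePoint Management Shell; URL and level name are placeholders.
$web = Get-SPWeb http://sharepoint/sites/myportal

# The core of what Contribute grants, minus DeleteListItems and DeleteVersions,
# so members can add and edit items but never remove them.
$allowed = 'ViewListItems', 'AddListItems', 'EditListItems', 'OpenItems',
           'ViewVersions', 'Open', 'ViewPages', 'BrowseDirectories',
           'UseClientIntegration', 'ManagePersonalViews', 'CreateAlerts'
$mask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
foreach ($name in $allowed) {
    $mask = $mask -bor [Microsoft.SharePoint.SPBasePermissions]::$name
}

$level = New-Object Microsoft.SharePoint.SPRoleDefinition
$level.Name = "Contribute Without Delete"
$level.Description = "Add and edit items; deleting items or versions is not allowed"
$level.BasePermissions = $mask
# Adding a level requires the web to own its role definitions (always true for a root web;
# a subsite that inherits its levels from the parent will throw here).
$web.RoleDefinitions.Add($level)

# Check: which permission levels on this site include the right to delete items?
function Get-DeleteCapableLevels {
    param([Microsoft.SharePoint.SPWeb]$Web)
    $delete = [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems
    $Web.RoleDefinitions |
        Where-Object { ($_.BasePermissions -band $delete) -eq $delete } |
        ForEach-Object { $_.Name }
}
Get-DeleteCapableLevels -Web $web
$web.Dispose()
```

The check at the end is the useful part for reviews: any level it prints can be used to delete content wherever it is assigned, so it is worth running before granting a level to a broad group. The newly created level should not appear in its output, while the built-in Contribute, Edit, Design and Full Control levels should.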

Permission Inheritance

By default, SharePoint objects like subsites, libraries and folders inherit permissions from their parent object. For example, when you create a new Document Library it inherits permissions from the Site that contains it, and any new folders you add to that Library inherit the Library's permissions. This inheritance model makes permissions management easier: admins set access at the site level and that access propagates down through subsites, libraries and folders.
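Every place where inheritance has been broken is a place where access no longer follows the site-level policy, so a defender wants an inventory of them. The script below is an added example, not code from the original article: it walks a site and its subsites and reports every web, list, folder and item with unique permissions, together with the principals and levels assigned there. It assumes the SharePoint Management Shell on PowerShell 3 or later (for `[pscustomobject]`); the site URL is a placeholder.

```powershell
# Added example: inventory of objects whose permission inheritance has been broken.
# Assumes the SharePoint Management Shell, PowerShell 3+; the site URL is a placeholder.
function Format-Principals {
    # One string per role assignment: "Principal [Level1,Level2]"
    param([Microsoft.SharePoint.SPSecurableObject]$Obj)
    ($Obj.RoleAssignments | ForEach-Object {
        $roles = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        "$($_.Member.Name) [$roles]"
    }) -join '; '
}

function Get-UniquePermissionReport {
    param([Microsoft.SharePoint.SPWeb]$Web)
    if ($Web.HasUniqueRoleAssignments) {
        [pscustomobject]@{ Type = 'Web'; Url = $Web.Url; Principals = Format-Principals $Web }
    }
    foreach ($list in $Web.Lists) {
        if ($list.Hidden) { continue }   # skip system lists such as galleries
        if ($list.HasUniqueRoleAssignments) {
            [pscustomobject]@{ Type = 'List'; Url = $list.RootFolder.ServerRelativeUrl
                               Principals = Format-Principals $list }
        }
        # Folders and files are both list items: SPList.Folders holds the folder items,
        # SPList.Items the files. Scanning every item is slow on very large lists.
        foreach ($collection in $list.Folders, $list.Items) {
            foreach ($item in $collection) {
                if ($item.HasUniqueRoleAssignments) {
                    [pscustomobject]@{ Type = $item.FileSystemObjectType; Url = $item.Url
                                       Principals = Format-Principals $item }
                }
            }
        }
    }
    # Recurse into subsites; each SPWeb opened through .Webs must be disposed
    foreach ($sub in $Web.Webs) {
        Get-UniquePermissionReport -Web $sub
        $sub.Dispose()
    }
}

$web = Get-SPWeb http://sharepoint/sites/myportal
Get-UniquePermissionReport -Web $web | Format-Table -AutoSize
$web.Dispose()
```

Pipe the output to `Export-Csv` instead of `Format-Table` to keep a baseline; diffing two runs shows which objects gained unique permissions since the last review.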

Custom Permissions

While inherited permissions work in many cases, administrators may want to define custom permissions for specific libraries, folders or even individual files and list items. For example, they may wish to break inheritance on a sensitive Human Resources library and limit access to HR staff only, or to grant a subset of users additional privileges to manage a particular site or content area.

Breaking Permission Inheritance

When inheritance no longer meets your business needs due to privacy, compliance or access requirements, you can break inheritance and define granular custom permissions. Here are the basic steps:

  1. Navigate to the library, list, folder or other item you want to configure unique permissions for.
  2. From the ribbon, select the Library or List tab.
  3. Click Permissions for the selected item.
  4. Click Stop Inheriting Permissions.
  5. Remove existing permissions or add new groups/users.
  6. Define the desired permission level (Read, Contribute, etc.).
  7. Click OK to apply and save the permissions.

Now your selected list, library, folder or item will have its own distinct permissions, independent of the parent site or library. You can repeat this as needed to granularly control access to any SharePoint resource.

Setting Custom Permissions on Libraries and Folders

Once inheritance has been broken, administrators have full control to customize permissions as required. Some common scenarios include:

Allow View or Edit Access for Specific Users/Groups

Give individual users or SharePoint groups access to a protected document library or folder using the steps below:

  1. Select the library/folder and break inheritance if needed.
  2. Click the Grant Permissions button in the ribbon.
  3. Enter the user or group names you want to allow access.
  4. Check the appropriate permission level boxes.
  5. Select Add to grant the selected privileges.

Permission levels like Read will allow users to view files. Contribute or Edit enables uploading, editing and deleting documents in the folder. Design permission additionally lets users customize appearance.

Limiting Access with Item-Level Permissions

Using a similar process, you can also set permissions for individual files and list items within a SharePoint library or list. This allows administrators to securely grant access to documents like executive salary info or acquisition data to authorized viewers only, leaving all other items in the library untouched. To configure item-level permissions:

  1. Navigate to the document/item and select the ellipsis (...) to open the menu.
  2. Choose Shared With > Advanced (or Permissions, depending on version).
  3. Break the inheritance from its parent object.
  4. Add specific users/groups and assign granular permissions.
  5. Click OK to save the new permission settings for the item.

Now only the designated users or groups will have customized access to this particular item, while other items in the library remain unaffected. This provides added information security within SharePoint.
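The three procedures above (breaking inheritance, granting a group access to a library or folder, and setting item-level permissions) are the same operation applied at different scopes, and the object model exposes it uniformly through SPSecurableObject. The script below is an added example, not code from the original article: one function performs the break-and-grant step, and it is applied in turn to a library, a folder and a single file. It assumes the SharePoint Management Shell; the site URL, group names, folder and file names and the user login are placeholders.

```powershell
# Added example: scripted break-inheritance-and-grant at library, folder and item scope.
# Assumes the SharePoint Management Shell; URL, names, paths and logins are placeholders.
function Grant-UniquePermission {
    param(
        [Microsoft.SharePoint.SPWeb]$Web,                 # web that owns the role definitions
        [Microsoft.SharePoint.SPSecurableObject]$Target,  # SPList, or the SPListItem of a folder/file
        [Microsoft.SharePoint.SPPrincipal]$Principal,     # SPGroup or SPUser
        [string]$RoleName,                                # e.g. "Read", "Contribute"
        [switch]$ClearExisting                            # drop every other assignment first
    )
    if (-not $Target.HasUniqueRoleAssignments) {
        # $true copies the parent's assignments so nobody loses access unexpectedly;
        # $false starts without them, which is what a restricted HR library wants.
        $copyParent = -not $ClearExisting.IsPresent
        $Target.BreakRoleInheritance($copyParent)
    }
    elseif ($ClearExisting) {
        # collect members first; removing while enumerating the live collection fails
        $members = foreach ($ra in $Target.RoleAssignments) { $ra.Member }
        foreach ($m in $members) { $Target.RoleAssignments.Remove($m) }
    }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Principal)
    $assignment.RoleDefinitionBindings.Add($Web.RoleDefinitions[$RoleName])
    $Target.RoleAssignments.Add($assignment)   # persists immediately, no Update() needed
}

$web  = Get-SPWeb http://sharepoint/sites/hr
$list = $web.Lists["Personnel Files"]

# Library: drop inherited access entirely, then HR staff get Contribute
Grant-UniquePermission -Web $web -Target $list -Principal $web.SiteGroups["HR Staff"] `
    -RoleName "Contribute" -ClearExisting

# Folder: the folder's list item is the securable object
$folder = $list.RootFolder.SubFolders["Payroll"]
Grant-UniquePermission -Web $web -Target $folder.Item -Principal $web.SiteGroups["Payroll Team"] `
    -RoleName "Read"

# Single file: item-level permission for one user, inheriting the folder's assignments
$file = $web.GetFile("Personnel Files/Payroll/executive-salaries.xlsx")
$user = $web.EnsureUser("DOMAIN\cfo")
Grant-UniquePermission -Web $web -Target $file.Item -Principal $user -RoleName "Read"

# Verify: the file now has its own assignments, and the CFO holds exactly Read there
$file.Item.HasUniqueRoleAssignments
$file.Item.RoleAssignments.GetAssignmentByPrincipal($user).RoleDefinitionBindings |
    ForEach-Object { $_.Name }
$web.Dispose()
```

The `-ClearExisting` switch is the scripted form of step 5 in the first procedure ("remove existing permissions"); without it the parent's assignments are copied, which is safer for a folder or file that should gain an extra reader rather than lose everyone else.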

Advanced Permission Strategies

In addition to basic permissions for sites, lists, libraries and content, SharePoint offers advanced features to further extend access controls and improve security on sensitive enterprise information.

Managed Metadata Column-Level Permissions

SharePoint metadata can be leveraged to enable dynamic security policies and selective restriction of access to items and data. Setting column-level permissions on key metadata allows documents and list items to be shown or hidden based on values matching user attributes.

For example, files tagged Human Resources could have column permissions set so only users in the HR department would be able to access them. Similarly, documents marked Confidential Global could be limited to only executives and associates in specific regions. Consult your SharePoint admin on utilizing managed metadata for enhanced access controls.

Dynamic Access Control with User Profiles

SharePoint's audience targeting features allow dynamic restriction of access based on user attributes and group membership instead of individually defined permissions. This simplifies applying security at scale. For example, site owners could ensure that only sales staff with a job level of Regional Manager or higher can see certain documents or pages, by adding rules based on user profile data and Active Directory attributes.

Automating Permissions with Workflows

Workflows in SharePoint provide options to trigger actions like modifying permissions based on specific events or user activities:

  • Revoke access automatically after a certain number of days or weeks
  • Reduce document permissions as the approval status changes
  • Add users to a visitors group temporarily for a review task

Consult your SharePoint administrators on implementing automated rules to improve security and access controls. Customized workflows can be created to meet the specific permission change needs of your content and business processes.

Securing Sensitive Content

When working with particularly sensitive or confidential documents and information, additional SharePoint security options are available to prevent data leakage.

Encrypting Document Libraries

Enable encryption at the SharePoint library level to ensure that all files stored within can only be accessed by authorized users with the decryption key. Encrypted document libraries safeguard information by allowing viewing and editing only within SharePoint, with attempts to extract data externally blocked. Consult your IT team on enabling encryption on priority document libraries.

Applying Information Rights Management (IRM)

To control usage of downloaded documents beyond your SharePoint environment, Information Rights Management restrictions can be implemented. Rights management controls things like preventing editing of files, limiting print capabilities, disabling copy-paste functions and adding dynamic watermarks.

Usage restrictions travel with documents downloaded from IRM-protected libraries to limit exposure. IRM integrates with Microsoft Azure Rights Management (AIP) allowing revocation of access if a file is leaked or user privileges change.

Enabling Document Access Auditing

SharePoint provides robust site activity and audit log reporting to track user access and changes for compliance and security policy monitoring. Ensure document libraries with sensitive data have auditing enabled to log downloads, edits, deletions and modifications by users.

Audit reports can be scheduled to provide visibility into document usage and any policy violations for further investigation. Enable auditing under Library Settings > Versioning Settings to track all critical document and list activities.
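Beyond the settings pages, the same audit trail is reachable from the object model, which is convenient for scripting a periodic check of a sensitive library. The script below is an added example, not code from the original article: it turns on view, update, delete and security-change auditing for one library, then queries the site collection's audit log for that library over the past week and resolves each entry's user. It assumes the SharePoint Management Shell on PowerShell 3 or later; the site URL and library name are placeholders.

```powershell
# Added example: enable auditing on a library and read back its audit entries.
# Assumes the SharePoint Management Shell, PowerShell 3+; URL and list name are placeholders.
$web  = Get-SPWeb http://sharepoint/sites/legal
$list = $web.Lists["Legal Documents"]

# Log views/downloads, edits, deletions and permission changes for this library only
$list.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor
    [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
    [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
    [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
$list.Audit.Update()

function Get-LibraryAuditEntries {
    param([Microsoft.SharePoint.SPList]$List, [datetime]$Since)
    $site  = $List.ParentWeb.Site
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.RestrictToList($List)
    $query.SetRangeStart($Since.ToUniversalTime())   # audit timestamps are stored in UTC
    foreach ($entry in $site.Audit.GetEntries($query)) {
        # UserId is a site user id; resolving can fail for system accounts, so fall back to the id
        $login = "user id $($entry.UserId)"
        try { $login = $List.ParentWeb.SiteUsers.GetByID($entry.UserId).LoginName } catch { }
        [pscustomobject]@{
            Occurred = $entry.Occurred
            Event    = $entry.Event
            User     = $login
            Document = $entry.DocLocation
        }
    }
}

# Views (which include downloads) of legal documents during the last seven days
Get-LibraryAuditEntries -List $list -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.Event -eq [Microsoft.SharePoint.SPAuditEventType]::View } |
    Sort-Object Occurred -Descending |
    Format-Table -AutoSize
$web.Dispose()
```

Dropping the `Where-Object` filter shows the security-change events as well, which is the quickest way to see who broke inheritance or altered assignments on the library and when.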

Example Scripts for Common Permission Tasks

Utilizing SharePoint PowerShell scripts allows administrators to automate configuration and modification of permissions. This enables efficient bulk updates as needed. Below are common use cases and examples for reference:

Grant Site-Wide View Permissions to Marketing Team

# Run in the SharePoint Management Shell; replace the site URL with your own.
$web = Get-SPWeb http://sharepoint/sites/myportal
$group = $web.SiteGroups["Marketing Team"]
# Bind the group to the built-in Read level and add it to the site's permissions.
# The web must have its own (non-inherited) permissions for RoleAssignments.Add to succeed.
$roleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$roleDefinition = $web.RoleDefinitions["Read"]
$roleAssignment.RoleDefinitionBindings.Add($roleDefinition)
$web.RoleAssignments.Add($roleAssignment)
$web.Update()
$web.Dispose()

This script allows the Marketing Team group to have site-wide Read permissions, enabling viewing of pages and documents published across the portal. Run this in SharePoint Management Shell after replacing the site URL.

Revoke Delete Permissions from External Contractors

$web = Get-SPWeb http://sharepoint/sites/projects
# EnsureUser expects the account's login name as SharePoint knows it (e.g. DOMAIN\ext_contractor)
$user = $web.EnsureUser("ext_contractor")
$contractorsGroup = $web.Groups["External Contractors"]
# Membership changes take effect immediately; the Update() call is kept for consistency
$contractorsGroup.RemoveUser($user)
$web.Update()
$web.Dispose()

By removing a contractor account from the External Contractors group, you revoke permissions such as the ability to delete documents in project sites. This script assumes the permissions were granted through that group membership in the first place.

Email Alerts When Legal Files Are Downloaded

# Run in the SharePoint Management Shell; replace the site URL with your own.
$web = Get-SPWeb http://sharepoint/sites/legal
$list = $web.Lists["Legal Documents"]
$user = $web.CurrentUser
# $event is expected to be supplied by the event receiver that invokes this script
$fileUrl = $event.SourceUrl
# Notify the site's owners rather than the user who performed the download
$sentTo = $web.AssociatedOwnerGroup.Users | ForEach-Object { $_.Email } | Where-Object { $_ }
$body = "File $fileUrl was downloaded by " + $user.Name
# Send-MailMessage requires -From and an SMTP server; replace both placeholders
Send-MailMessage -To $sentTo -From "sharepoint-alerts@example.com" -SmtpServer "smtp.example.com" -Body $body -Subject "File Download Alert"
$web.Dispose()

This workflow script triggers email notifications to site owners whenever someone downloads a file from the Legal Documents document library. This helps track access and deter unauthorized external sharing of sensitive information.
