No, security is not all about a Dalek yelling ‘Exterminate’ if you don’t follow rules concerning access to information 🙂 Access to information can be controlled at many different levels within Sharepoint. The question of where best to implement control of user access is answered only with an understanding of available options and requirements. As part of training those who need to manage security on the sites, even if they themselves do not set the security permissions, it is a very important that you communicate a policy concerning when and where to apply site security.

The best practices are as follows:

  • As a general rule, grant access at the lowest possible level without breaking permission inheritance.
  • Consider the audience and intended use of a specific site or site type when deciding how to assign permissions
  • As a general rule, use Sharepoint security and explicit group membership for management of site members.
  • Do not use Active Directory groups unless they are explicitly going to be used for security and or cross group related.
  • Use Active Directory groups when as part of the Sharepoint security group membership within sites.
  • Use Active Directory groups when needing to grant the same permissions over two separate sites
  • Do not grant explicit access to any member if there is a group that already targets the role in the site.

Defining Access

Below are the common site type audience/usage combinations. It’s important to understand how a site will be used and by whom. Without this information, it becomes difficult to make intelligent decisions about how to best secure the information contained within the site.

It also becomes far more likely that a given site and its defined user access will morph over time, creating a scenario in which unintentional access and even participation might occur. Look at the following examples based on SharePoint site templates and the relevant audience types.

Audience Usage
Member audience (equal views / contributors) Team Collaboration, Document Collaboration, Meeting Collaboration
Wide audience (many viewers, few contributors) Publishing site, Collaboration Portal
Managed audience (controlled, role-specific access) Records Centre

Collaboration sites tend to be used for the creation and development of content. More often than not, the only people who need access to these sites are those individuals directly involved in the content development process. It is therefore generally best practice to limit access on collaboration sites to members, as explicitly defined within the standards those groups provided, and only set visitors when absolutely required.