Microsoft’s SharePoint platform is designed for sharing and managing content across an enterprise, including documents, presentations, spreadsheets, images and notes. While SharePoint offers numerous advantages over traditional file systems for content management, it still requires permissioning to control access to content. The types of permissions available can vary depending on the type of object being accessed, such as lists or sites. SharePoint administrators may face challenges similar to those encountered by file system administrators, including difficulties in understanding the level of access a user has to a specific resource. Below are some of the most notable SharePoint permissions best practices.
SharePoint Permissions Types
SharePoint permissions define the level of access and control for users within a site or group. There are five types of permissions:
- Team permissions: Automatically assigned based on group membership, allowing owners, members, and visitors to access the site.
- Communication site permissions: Allow owners, members, visitors, and custom SharePoint groups to be assigned, granting different permissions to individuals or groups.
- Hub site permissions: Control who can add more sites and are managed through the corresponding Microsoft 365 group or SharePoint group.
- Shareable links permissions: Allow sharing specific site data, with permissions that can be edited to allow access to everyone or specified users.
- Guest sharing permissions: Allow collaboration with external parties, with permissions that can be edited to control access to specific site data.
SharePoint Permissions Best Practices
Below are the most notable best practices for securing sensitive data in SharePoint online:
1. Apply security at the site level
A common misunderstanding about SharePoint is that it’s just a digital file cabinet, where users transfer their file shares and cloud storage habits. However, SharePoint offers a more structured approach with concepts like sites, document libraries, and folders. To ensure security, it’s crucial to focus on maintaining security at the site level, rather than at the file, folder, or document library level. This means that permission control and access management should be applied to the site as a whole, rather than individual files or folders, to maintain a robust and secure environment.
2. Use built-in security groups for Communication & Team sites
When securing a SharePoint site, there are three built-in security groups which you should use: Site Visitors, Site Members, and Site Owners. Each of these groups corresponds to a specific permission level: Read, Edit, and Full Control. While it’s possible to create custom permission levels, it’s advised to stick with these default groups for Communication Sites and Team Sites created without a group. By using the built-in security groups, you can simplify the management of your site’s permissions and adhere to best practices for SharePoint site security.
3. Manage Site Sharing settings
In order to maintain SharePoint security, site owners must not only implement security measures such as permissions and access controls, but also manage site sharing settings. Unfortunately, this is a common oversight. By configuring sharing settings, site owners can prevent unauthorized sharing of sites and their content, which can occur even with security measures in place. This is crucial for maintaining control and thus securing data. By understanding and locking down these settings, site owners can further secure their sites and ensure that only authorized users can access and share their content.
4. Disable external sharing on certain sites
By default, SharePoint is set up for ease of collaboration, which means that external sharing is enabled, allowing any site to potentially be shared with external users. This can be a notable concern for many organizations, as it can expose sensitive information to unauthorized parties. Instead of locking down external sharing entirely, it’s recommended to strike a balance by disabling external sharing on some sites, but not all, and configuring additional external sharing settings within the SharePoint Admin Center. This approach allows for more control and flexibility, enabling organizations to share information with external partners and collaborators while still maintaining security and protecting sensitive information.
5. Review shared files and remove users as necessary
It is crucial to regularly review shared files and folders and remove unnecessary users to maintain data security and organization. Users often forget to do so, but it is a vital step to ensure that only authorized individuals have access to sensitive information. While users may readily invite colleagues and guests to share sites, libraries, files, and folders, it is equally important to revoke their access when it is no longer needed. By removing unnecessary users from shared files and folders, organizations can prevent unauthorized access and maintain the integrity of their data.
6. Grant the least permissions possible to the site
Maintaining minimal permissions is a crucial aspect of site security, yet it’s often overlooked. It’s commonplace to see sites with multiple users holding Full Control, which is a significant risk, as they can delete the site altogether. Similarly, regular members are often granted Edit permissions, when read-only access would be sufficient. This lax approach to security is akin to leaving valuable items unattended in a public place, such as a restaurant. Instead, it’s essential to adopt a cautious and conservative approach to permissions, granting only the minimum necessary permissions to users to perform their tasks. This will help mitigate potential security risks and prevent unnecessary breaches. By being mindful of permissions and not being overly generous with access, users can rest assured that their data and sites are safe.
7. Grant the least permissions possible when sharing links to files and folders
When sharing files and folders in SharePoint, it’s essential to be mindful of the default permissions. By default, SharePoint creates links that grant access to “People in your organization”, allowing anyone in the organization to access the shared file if the link is forwarded to others. To improve security, it’s recommended to choose a more specific type of link, such as “People you choose”, which limits access to only those intended. Alternatively, you can modify the default sharing link in the SharePoint Admin Center. If you want to restrict file sharing altogether, you can implement the technique outlined in Tip #3, which allows you to manage site sharing settings.
8. Active Directory vs. Microsoft 365 Groups
When deciding on collaboration and permission management within your organization, you are faced with a crucial decision: Should you use Active Directory Security Groups or Microsoft 365 Groups? Additionally, you may also need to consider setting up unique permissions for files and folders.
9. Conduct security awareness training
It is crucial to invest in staff training to ensure the security of your site. This is particularly important for site owners and members, as live training sessions can educate them on the best practices for site security. Not only is training vital for user adoption, but it also plays a critical role in securing your content. By providing live training, you can ensure that your team is equipped with the necessary knowledge to keep your site secure and protect its assets.
10. Discover & classify sensitive SharePoint data
Identifying and classifying sensitive data is crucial for effective governance, as it allows SharePoint administrators to properly manage and secure this information. By understanding where sensitive data is stored, admins can take critical steps to lock it down, including implementing robust access management and creating precise permission structures. Additionally, removing stale and outdated sensitive data is a simple and effective way to significantly reduce risk, with minimal impact on the users.
If you’d like to see how Lepide can help you keep SharePoint data secure, schedule a demo with one of our engineers.