SharePoint is a powerful platform for collaborating and sharing information throughout the organization, including with partner organizations, customers, and other employees.
Because sharing is this easy, end users often put sensitive data on the platform, so regular audits of SharePoint permissions are crucial to minimize the risk of data leaks and compliance violations.
By having a clear understanding of SharePoint permissions, you can ensure that you are operating on a policy of least privilege, where users only have access to the information they need to do their jobs and nothing more. Misconfigured or maliciously obtained permissions let users view, copy, modify or delete sensitive or confidential information that they should not have access to.
The current effective permissions for your SharePoint site collections can be listed using Microsoft PowerShell, but the scripts are quite complex and require a good knowledge of PowerShell scripting. An alternative, more straightforward solution is to use the Lepide Data Security Platform.
In this guide, we will first look at the native way of running a PowerShell script to see SharePoint user permissions and then the more straightforward way using the Lepide Auditor.
PowerShell to Get SharePoint Permissions Report
- Open the PowerShell ISE. Import the PowerShell snap-in for Microsoft SharePoint by running the following cmdlet:
Add-PSSnapin Microsoft.SharePoint.PowerShell
- Run the following script on your SharePoint server, specifying the SharePoint site URL ($SPSiteUrl) and the file path for the CSV export ($ExportFile):
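# Load the SharePoint server object model (the script must run on a SharePoint server)
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$SPSiteUrl = "http://sharepoint/sites/ent"    # site collection to audit
$ExportFile = "C:\root\Permissions.csv"       # path of the CSV report
$SPSite = New-Object Microsoft.SharePoint.SPSite($SPSiteUrl)

# Header row; Out-File without -Append overwrites any earlier report.
# Values are written unquoted, so a title containing a comma shifts the columns.
"Web Title,Web URL,List Title,User or Group,Role,Inherited" | Out-File $ExportFile

foreach ($WebPath in $SPSite.AllWebs)
{
    # Report only webs that break inheritance and hold their own role assignments
    if ($WebPath.HasUniqueRoleAssignments)
    {
        $SPRoles = $WebPath.RoleAssignments
        foreach ($SPRole in $SPRoles)
        {
            foreach ($SPRoleDefinition in $SPRole.RoleDefinitionBindings)
            {
                # Inherited is the opposite of HasUniqueRoleAssignments
                $WebPath.Title + "," + $WebPath.Url + "," + "N/A" + "," +
                    $SPRole.Member.Name + "," + $SPRoleDefinition.Name + "," +
                    (-not $WebPath.HasUniqueRoleAssignments) | Out-File $ExportFile -Append
            }
        }
    }

    # Same check for every list and library in the web
    foreach ($List in $WebPath.Lists)
    {
        if ($List.HasUniqueRoleAssignments)
        {
            $SPRoles = $List.RoleAssignments
            foreach ($SPRole in $SPRoles)
            {
                foreach ($SPRoleDefinition in $SPRole.RoleDefinitionBindings)
                {
                    # Sixth field added so list rows match the six-column header
                    $WebPath.Title + "," + $WebPath.Url + "," + $List.Title + "," +
                        $SPRole.Member.Name + "," + $SPRoleDefinition.Name + "," +
                        (-not $List.HasUniqueRoleAssignments) | Out-File $ExportFile -Append
                }
            }
        }
    }

    # SPWeb objects returned by AllWebs must be disposed explicitly
    $WebPath.Dispose()
}
$SPSite.Dispose()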
- Open the file produced by the script in MS Excel. The following shows an example of this:
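A possible first pass over the exported CSV, as an added example that is not part of the original guide or of any Lepide tooling: it flags rows that deserve a least-privilege review. The sample rows, the role and principal lists, and the function name Get-PermissionFinding are assumptions made for illustration.

```powershell
# Constructed sample rows in the column layout written by the export script.
# For a real report: $rows = Import-Csv 'C:\root\Permissions.csv'
$rows = @'
Web Title,Web URL,List Title,User or Group,Role,Inherited
Enterprise,http://sharepoint/sites/ent,N/A,Enterprise Owners,Full Control,False
Enterprise,http://sharepoint/sites/ent,N/A,Enterprise Visitors,Read,False
Finance,http://sharepoint/sites/ent/finance,Payroll,Jane Doe,Full Control,False
Finance,http://sharepoint/sites/ent/finance,Payroll,NT AUTHORITY\authenticated users,Contribute,False
Finance,http://sharepoint/sites/ent/finance,Invoices,Everyone,Limited Access,False
'@ | ConvertFrom-Csv

# Assumed review policy, adjust to your own standards.
$WriteRoles      = 'Full Control', 'Design', 'Edit', 'Contribute'
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\authenticated users'

function Get-PermissionFinding {
    param([Parameter(Mandatory)] [object[]] $Rows)
    foreach ($r in $Rows) {
        $principal = $r.'User or Group'
        $reasons = @()
        # "Limited Access" is granted automatically to reach a child object
        # with unique permissions, so it is not a finding on its own.
        if ($r.Role -eq 'Limited Access') { continue }
        if ($BroadPrincipals -contains $principal) {
            $reasons += 'principal covers all users'
        }
        if ($r.Role -eq 'Full Control') {
            $reasons += 'Full Control (can change permissions)'
        }
        if ($r.'List Title' -ne 'N/A' -and $WriteRoles -contains $r.Role) {
            $reasons += 'write access on a list with unique permissions'
        }
        if ($reasons.Count -gt 0) {
            $object = $r.'Web URL'
            if ($r.'List Title' -ne 'N/A') { $object = "$object [$($r.'List Title')]" }
            [pscustomobject]@{
                Object    = $object
                Principal = $principal
                Role      = $r.Role
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Get-PermissionFinding -Rows $rows | Sort-Object Object, Principal |
    Format-Table -AutoSize -Wrap
```

On the sample rows this reports three findings: both Payroll grants and the site-level Full Control grant. The Read and Limited Access rows are not flagged.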
How Lepide Can Help
A more straightforward approach is to use the Lepide SharePoint Auditor. The Permissions by SharePoint Object Report, included within the Lepide Solution, provides visibility over all your SharePoint Permissions and requires no knowledge of PowerShell scripting. An example is shown below:
To run this report:
- Select Lepide Trust, Reports
- From here, expand Current Permission Analysis
- Select the Permissions by SharePoint Object Report
- Select Generate Report
- Expand the required folder to see related permissions
The report is generated and can be filtered, sorted and exported to CSV and PDF format.