SharePoint – Managing the Security Model

SharePoint delivers a security model that combines AD users and groups with SharePoint users and groups.

This allows a granular approach to setting up security on SharePoint objects.

The downside is that it gets murky after a while when you want to control security farm-wide 😦

Therefore I tried to introduce this simplified approach.

In AD I created 4 OUs:

– Department Groups

– Distribution Groups

– Security Groups

– User Structure


In the User Structure I have an OU per subsidiary.

Each of these OUs contains just the list of all individual users in that subsidiary.


The Security Groups are used to put AD users into specific groups that grant access in SharePoint or in other applications, such as MS SQL Server.


Distribution Groups holds the AD groups used in Exchange as e-mail groups, one per department per subsidiary.


Department Groups holds one AD group per department, containing users from across the subsidiaries.


Coming back to the SharePoint security settings.

Here is an example of how you can keep an overview of site or site collection access permissions.

An extra benefit is that when new users come in, you just add them to the proper AD groups and they automatically get access to the correct site collections / sites in SharePoint, without much involvement from IT.


The Members SharePoint group is left empty.


The Owners SharePoint group contains the administrator.


The Visitors SharePoint group contains all AD Department Groups.


Finally we added a domain group, domain\all in Pxx, which contains all subsidiary AD users.

One downside of adding AD groups is that SharePoint cannot immediately see who is in the AD group; how long it takes depends on your token timeout settings. The default is 24 hrs 😦


Also try to create special SharePoint permission levels on top of the standard ones.

For example Contribute_MinDelete or Contribute_MinEdit.

Go to Site Actions -> Site Permissions -> Permission Levels


Tips for using AD groups

Adding AD users to the AD group is not immediately reflected in the Check Permissions box?

The solution is to set the token refresh timer to a more reasonable frequency; by default it is set at 10 hours.

cls
# Load the SharePoint snap-in if this is not the SharePoint Management Shell
if ((Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts = Get-SPSecurityTokenServiceConfig

$sts.FormsTokenLifetime = (New-TimeSpan -Minutes 60)   # <- default 10 hours
Write-Host $sts.FormsTokenLifetime

$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 5)   # <- default 10 hours
Write-Host $sts.WindowsTokenLifetime

# Must stay shorter than WindowsTokenLifetime, otherwise the update is rejected
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)   # <- default 10 mins
Write-Host $sts.LogonTokenCacheExpirationWindow

$sts.Update()

# Do a reset on the WFE!
# iisreset

If the PS script does not work, use the stsadm.exe tool instead. I had to use this method too.

The default is 1440 min or 24 hrs!

"%CommonProgramFiles%\Microsoft Shared\web server extensions\14\BIN\stsadm.exe" -o getproperty -propertyname token-timeout

"%CommonProgramFiles%\Microsoft Shared\web server extensions\14\BIN\stsadm.exe" -o setproperty -propertyname token-timeout -propertyvalue 30

# Do a reset on WFE !

iisreset

A second problem that may occur is that the security group scope was not set correctly when the AD group was created. Don't use Distribution Groups!

Change the scope from UNIVERSAL to GLOBAL.


Bottom line:

So as you can see, by combining SharePoint groups with AD groups you can stay in control.

Rule number one is to limit individual access permissions in SharePoint as much as possible.
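To check how well a site collection follows that rule, here is an added PowerShell audit script (not from the original post) that lists every individual user who was granted access directly on a web or was put into a SharePoint group instead of an AD group. It assumes the SharePoint 2010 server object model, a farm admin running it as a .ps1 from the SharePoint Management Shell, and a placeholder site URL.

```powershell
# Added example, not part of the original post: audit one site collection for
# individual (non-group) permission grants, which rule number one says to avoid.
# Assumes the SharePoint 2010 server object model, run as a farm admin in the
# SharePoint Management Shell. The site URL is a placeholder.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/pxx")  # placeholder

if ((Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$findings = @()
$site = Get-SPSite $SiteUrl
try {
    # SharePoint groups are site-collection wide: flag any individual user inside them
    foreach ($grp in $site.RootWeb.SiteGroups) {
        foreach ($u in $grp.Users) {
            if (-not $u.IsDomainGroup) {
                $findings += New-Object PSObject -Property @{
                    Web    = $site.RootWeb.Url
                    Where  = "user in SharePoint group '$($grp.Name)'"
                    Login  = $u.LoginName
                    Levels = ""
                }
            }
        }
    }
    # Only webs that break inheritance carry their own role assignments
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                $m = $ra.Member
                # An SPUser that is not a domain group is a direct grant to one person.
                # "Limited Access" here usually points to item-level grants further down.
                if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
                    $findings += New-Object PSObject -Property @{
                        Web    = $web.Url
                        Where  = "direct role assignment"
                        Login  = $m.LoginName
                        Levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
                    }
                }
            }
        }
        $web.Dispose()
    }
}
finally { $site.Dispose() }

$findings | Sort-Object Web, Where, Login | Format-Table Web, Where, Login, Levels -AutoSize
```

Entries for the system account or the site collection administrator are expected; everything else in the list is a candidate for moving into an AD group.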
