One of the decisions you have to make once you create an Intranet portal in SharePoint is who will manage SharePoint site security. I recently published a similar post on the pros and cons of AD groups vs. SharePoint groups; that one, however, was more of a technical decision. Today I want to concentrate on the governance aspect of the same topic: would you let IT control access, or let business users own security and add users to their sites themselves?
WHO SHOULD MANAGE SHAREPOINT SITE SECURITY?
To help make the right decision, let me explain the two most common security models for SharePoint Intranets:
1. Role-based model
2. Site-based model
Let’s get to know both a little better and then take a look at the pros and cons of each.
The role-based security model is based on the notion that your access to sites is driven by your role within the organization. In simple terms, you are a member of certain security groups in Active Directory or SharePoint that identify you as belonging to a particular department, subset of users, etc. Below are examples of such security groups:
- Accounting Members
- Finance Members
- HR Members
- IT Members
In SharePoint this means that you reuse the same predefined groups on every site and assign each one the permission level the site’s objective calls for. For example, on the Finance site, Finance Members would get Contribute access, Executive Members could get Read Only, while IT Members would get Full Control.
Because these groups are shared and centralized, they are controlled by a small set of people, usually the IT department. A membership change to one group takes effect on every site that references it, which is both the convenience and the risk of this model.
In contrast, the site-based security model relies solely on the objective of the site. In other words, it relies on the 3 default SharePoint security groups created for each site:
- [Site name] Members
- [Site name] Owners
- [Site name] Visitors
Depending on the permissions a user needs, each user is added to one of those default groups and thereby gets the corresponding access. Each group is unique to the site, which makes it easier to add or remove users without affecting other sites in the Intranet portal.
In this case access and group membership are typically controlled by the Site Owner (usually the business), not IT.
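As an added illustration that is not part of the original post, here is how the two models look when set up from a script with PnP PowerShell. The PnP.PowerShell module, the site URL, the group object IDs and the user names are all assumptions (placeholders). The point it shows is the one made above for both models: under the role-based model, permission levels are granted on the site to centralized groups whose membership is maintained elsewhere, while under the site-based model nothing is granted to outside groups and people are simply added to the site’s own default groups. The final loop is the check a reviewer would run either way, listing which permission level each group on the site actually holds.

```powershell
# Added example, not from the original post.
# Assumptions: PnP.PowerShell is installed, the account running this is a site
# collection administrator, and every URL, object ID and user name below is a placeholder.
Import-Module PnP.PowerShell

$site = "https://contoso.sharepoint.com/sites/finance"   # placeholder site URL
Connect-PnPOnline -Url $site -Interactive

# --- Role-based model -------------------------------------------------------
# Centralized security groups (here Entra ID / AD security groups, referenced by
# their claims-encoded login name c:0t.c|tenant|<object id>) are granted a
# permission level directly on the site. Their membership lives in AD and is
# maintained by IT; the site only decides what each role may do here.
$roles = @{
    "c:0t.c|tenant|11111111-1111-1111-1111-111111111111" = "Contribute"    # Finance Members (placeholder id)
    "c:0t.c|tenant|22222222-2222-2222-2222-222222222222" = "Read"          # Executive Members (placeholder id)
    "c:0t.c|tenant|33333333-3333-3333-3333-333333333333" = "Full Control"  # IT Members (placeholder id)
}
foreach ($login in $roles.Keys) {
    Set-PnPWebPermission -User $login -AddRole $roles[$login]
}

# --- Site-based model -------------------------------------------------------
# No outside group is granted anything. The site's three default groups already
# carry their permission levels (typically Full Control / Edit / Read), and the
# site owner adds individual people to them.
$members  = Get-PnPGroup -AssociatedMemberGroup
$visitors = Get-PnPGroup -AssociatedVisitorGroup
Add-PnPGroupMember -LoginName "alice@contoso.com" -Group $members    # placeholder user
Add-PnPGroupMember -LoginName "bob@contoso.com"   -Group $visitors   # placeholder user

# --- Check ------------------------------------------------------------------
# List every group on the site with the permission levels it holds, so whoever
# governs the site can confirm no group carries more than the chosen model
# intended (Full Control in particular).
foreach ($g in Get-PnPGroup) {
    $levels = (Get-PnPGroupPermissions -Identity $g | Select-Object -ExpandProperty Name) -join ", "
    "{0,-40} {1}" -f $g.Title, $levels
}
```

Under the role-based model the script never touches membership, only the grant; under the site-based model it never touches the grant, only membership. That difference is exactly what decides whether IT or the site owner needs to be involved when a person joins or leaves.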