Security at the Site-Collection Level in SharePoint Online

Balancing security and usability is core to ensuring people can collaborate effectively without interrupting the necessary flow of information across organizations. With SharePoint Online we’ve been at work developing security and sharing controls that are scoped at the site collection level. This allows tenant administrators to configure more restrictive controls at the site collection level than those configured at the tenant level, providing a balance between the need to protect corporate information and the requirement to collaborate effectively across and outside of the corporate boundary.

Topics: SharePoint, SharePoint security, sharepoint online, security, SharePoint Online Management Shell, Site Collection

Ben Curry and Scott Edwards to Lead Governance and Security Talks at SPTechCon in DC

Scott Edwards and Ben Curry were chosen to present during five different sessions alongside 27 other industry leaders at SPTechCon (Nov 12-15) in Washington D.C. 

Topics: SharePoint, SharePoint security, SharePoint governance

IT or Business? Who should manage SharePoint site security?

One of the decisions you have to make once you create an Intranet portal in SharePoint is who will manage SharePoint site security. I have recently published a similar post on the pros and cons of AD groups vs. SharePoint groups. However, that was more of a technical decision. Today, I want to concentrate more on the governance aspect of the same topic. Would you let IT control the access, or let Business users own the security aspect and be able to add users to their sites themselves?


In order to help us make the right decision, let me explain the 2 most common security models for SharePoint Intranets:

1. Role-based model
2. Site-based model

Let’s get to know both a little better and then take a look at the pros and cons of each.

Role-based model

The role-based security model is based on the notion that the sites you have access to are driven by your role within the organization. In simple terms, that means you are a member of certain security groups in Active Directory or SharePoint that place you in a certain department, subset of users, etc. Below are examples of such security groups:

  • Accounting Members
  • Finance Members
  • HR Members
  • IT Members
  • Executives

In SharePoint, that means you would use a combination of those predefined groups on every SharePoint site and assign the corresponding permissions (based on the objective of the site). For example, on the Finance site, Finance Members would get Contribute access, Executive members could get Read Only, while IT members would get Full Control.

Because these groups are unique and centralized, they are controlled by a small group of users, usually an IT department.

Site-based model

In contrast, the site-based security model relies solely on the objective of the site. In other words, this model relies on the 3 default SharePoint security groups created for each site:

  • [Site name] Members
  • [Site name] Owners
  • [Site name] Visitors

Depending on the permissions users need to have, each user is added to one of those default groups, thus getting the corresponding access. Each group is unique to the site, which makes it easier to add or remove users without impacting other sites in the Intranet Portal.

Access and group membership in this case are typically controlled by the Site Owner (usually Business), and not IT.

Topics: SharePoint, SharePoint security

Know your insider security threats

As more organizations are storing more sensitive business content and data, security becomes a top concern. Most deal well with hacks from outside the organization, via encryption, preventing data from being downloaded onto mobile devices or moved via e-mail, and many other techniques. Those same organizations, though, have a difficult time assessing vulnerabilities from threats that originate inside the organization.

Topics: SharePoint security, Metalogix

Protect your SharePoint content at the content level

According to a CNN report last week, there’s another Edward Snowden-type leak of national security documents happening in Washington. As you might recall with the Snowden security breach, blame was placed on SharePoint, which the U.S. government, local governments and other public and quasi-public institutions use for document management, intranet and collaboration.

Some tried to put the blame for Snowden’s ability to get the documents on SharePoint itself. Security experts, though, see a different cause: access and permissions.

Topics: SharePoint security