SharePoint security governance is concerned with ensuring the confidentiality, integrity, and availability of information and services, while also ensuring that operational activities comply with the relevant compliance requirements.

In establishing a workable SharePoint security governance model, it is important to consider who is responsible for what. An example governance model is depicted below.

A governance model is established through:

  • Identifying appropriate roles and responsibilities;
  • Structuring the roles and responsibilities to achieve proper accountability and delegation;
  • Determining security activities;
  • Establishing processes for the continual monitoring and control of activities;
  • Ensuring that these activities take place.

Example security roles and responsibilities

Responsibility                                        | Assigned to      | Escalates to
Ensure appropriate access controls on information     | Site owner       | SharePoint Governance board
Ensure secure site configuration (e.g. audit logging) | IT administrator | SharePoint Governance board
Ensure secure infrastructure configuration            | IT team          | IT Director
...                                                   | ...              | ...


Example security procedures

Procedures may be required to:

  • Assess the business impact of a change;
  • Request access to sites;
  • Request creation of a new site, site collection or web application;
  • Manage new user requests;
  • Assess new SharePoint add-ins.

Example security activities

Secure site configuration in SharePoint includes:

  • System administration;
  • Content sensitivity assessment;
  • Audit logging;
  • Document versioning;
  • Access controls.

SharePoint's search engine can remove particular search results from view by using what Microsoft call a "security trimmer".

A custom security trimmer is implemented as a .NET class that implements the ISecurityTrimmer interface, which declares two methods:

BitArray CheckAccess(IList<string> documentCrawlUrls, IDictionary<string, object> sessionProperties)
void Initialize(NameValueCollection staticProperties, SearchContext searchContext)

The CheckAccess method typically iterates through each document crawl URL and sets the bit at the same index in the returned BitArray to say whether that result should or should not be displayed to the user.

Microsoft's example is adapted below to perform this. In our example, we trim out search results that contain the word "internal" in the URL.

using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Web;
using Microsoft.Office.Server.Search.Administration;
using Microsoft.Office.Server.Search.Query;

public class InternalUrlTrimmer : ISecurityTrimmer
{
    public void Initialize(NameValueCollection staticProperties, SearchContext searchContext)
    {
        // No static configuration is needed for this example.
    }

    public BitArray CheckAccess(IList<string> crawlUrls, IDictionary<string, object> sessionProperties)
    {
        // One bit per crawl URL; true means "show this result to the user"
        BitArray retArray = new BitArray(crawlUrls.Count);

        // Windows authentication
        string strUser = WindowsIdentity.GetCurrent().Name;

        // For Forms authentication, uncomment the next line:
        // string strUser = HttpContext.Current.User.Identity.Name;

        for (int x = 0; x < crawlUrls.Count; x++)
        {
            // Determine whether the user is allowed to see this URL
            retArray[x] = IsUserAllowed(strUser, crawlUrls[x]);
        }

        return retArray;
    }

    private bool IsUserAllowed(string username, string url)
    {
        // Perform authorization logic here based on the user's identity
        // and the resource being requested. Trimming only hides results;
        // the permissions on the items themselves still govern access.

        // For this example, we check whether the URL contains the word "internal"
        // and, if so, hide the result. Note that Contains is a case-sensitive
        // substring match: "Internal" or "INTERNAL" would not be trimmed.
        if (url.Contains("internal"))
        {
            return false;
        }

        return true;
    }
}

Deployment

The class is compiled into a .NET assembly (.dll), deployed to the GAC, and then associated with a particular search crawl rule using the stsadm.exe command-line tool.

Here is some code that demonstrates how to use the SharePoint People picker PeopleEditor control inside a WebPart.

[Screenshot: the SharePoint PeopleEditor control]

In the code below, note the use of the SelectionSet parameter. It is a comma-delimited string with valid values "User", "SecGroup", "DL", and "SPGroup". You can mix and match these values. SecGroup is an Active Directory Group, and DL refers to an Active Directory Distribution List.

The size of the control is influenced by the Rows property. For single entry, set this property to 1. The screenshot above shows 3 rows.

Also of interest may be the MultiSelect and AllowEmpty properties, whose names should be self explanatory. Both of these properties are booleans.

Another possibility is setting which account source the control should use: "All", "MembershipProvider", "None", "RoleProvider", "UserInfoList", or "Windows".

 
using Microsoft.SharePoint.WebControls;
using System.Web.UI.WebControls.WebParts;

public class PeopleEditorWebPart : WebPart
{
    public PeopleEditor pplEditor;

    protected override void CreateChildControls()
    {
        base.CreateChildControls();
        pplEditor = new PeopleEditor();
        pplEditor.SelectionSet = "User,SecGroup";   // users and Active Directory security groups only
        this.Controls.Add(pplEditor);
    }
}

You can read the resolved users and groups that the user has entered by using the editor's ResolvedEntities property, which is an ArrayList of PickerEntity objects. Each PickerEntity object carries an EntityData property bag that includes a "PrincipalType" field. You can use this to determine whether the resolved entity is a user or a group.

 
foreach (PickerEntity entity in pplEditor.ResolvedEntities)
{
    switch ((string)entity.EntityData["PrincipalType"])
    {
        case "User":
            // ... do stuff here ...
            break;
    }
}

You can also include the PeopleEditor control using inline ASP inside aspx pages. For example:

<%@ Register Tagprefix="wssawc" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
...

Custom validation

Custom validation can be implemented server-side using standard ASP.NET server validation controls. If you would like to do client-side validation (for usability, rather than as a security control) using JavaScript, Marc D Anderson has posted some sample code. We have not tested this code.

Filtering

The PeoplePicker control can be set to filter using stsadm.exe commands: peoplepicker-searchadcustomfilter and peoplepicker-searchadcustomquery.
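As an added example (not code from the original page), a hypothetical web part that applies the SelectionSet, MultiSelect, AllowEmpty and Rows properties described above and validates the picker's input on the server with a standard ASP.NET CustomValidator, as the Custom validation section suggests; the class, control and method names are assumptions.

```csharp
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

// Hypothetical web part (example name): a single-user picker whose input is checked on the
// server, so the check holds even when client-side script is disabled or bypassed.
public class ApproverPickerWebPart : WebPart
{
    private PeopleEditor approverEditor;
    private CustomValidator approverValidator;

    protected override void CreateChildControls()
    {
        base.CreateChildControls();

        approverEditor = new PeopleEditor();
        approverEditor.ID = "approverEditor";
        approverEditor.SelectionSet = "User";   // individual users only: no SecGroup, DL or SPGroup
        approverEditor.MultiSelect = false;     // one entry
        approverEditor.AllowEmpty = false;      // an entry is mandatory
        approverEditor.Rows = 1;                // single-entry size
        Controls.Add(approverEditor);

        // Standard ASP.NET server-side validation control, checked on every postback
        approverValidator = new CustomValidator();
        approverValidator.ErrorMessage = "Select exactly one resolved user account.";
        approverValidator.ServerValidate += ValidateApprover;
        Controls.Add(approverValidator);
    }

    private void ValidateApprover(object sender, ServerValidateEventArgs args)
    {
        // Exactly one entry, resolved against the account source, and of principal type User
        args.IsValid = approverEditor.ResolvedEntities.Count == 1
            && SingleEntity().IsResolved
            && (string)SingleEntity().EntityData["PrincipalType"] == "User";
    }

    private PickerEntity SingleEntity()
    {
        return (PickerEntity)approverEditor.ResolvedEntities[0];
    }

    // Returns the validated user, or null when validation failed
    public SPUser GetApprover(SPWeb web)
    {
        Page.Validate();
        if (!approverValidator.IsValid) return null;
        // EnsureUser re-checks the login name (the entity Key) against the site's user store
        return web.EnsureUser(SingleEntity().Key);
    }
}
```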




Authorization Policies

Organisations define security policies.

Some example business rules derived from policy are:

  • "Contractors cannot access information marked commercial-in-confidence"
  • "Only board members can know the existence of merger-related documentation"
  • "Non-US citizens cannot read documents labelled NOFORN"
  • "Personnel accessing information classified SECRET must have a SECRET or higher clearance"

These policies are typically defined in an IT-agnostic manner: the challenge for architects is designing a system that provides sufficient compliance with them.

SharePoint in particular is a challenge, as it lacks any real policy-based authorization enforcement.

Models

SharePoint is often described as providing role-based access control. However, this is only partly true, as SharePoint lacks granular DENY rules, so in practice more advanced RBAC policy modelling is simply not possible in SharePoint without substantial bespoke development or third-party tools.

Role-based access controls - See NIST's RBAC community
Mandatory access controls -
Discretionary access controls -

Standards

XACML

The Extensible Access Control Markup Language (XACML) is intended to be a core XML schema for representing authorization and entitlement policies. It allows for an organisation to define its policies in a declarative manner.

XACML is not supported by SharePoint.

SharePoint groups are defined at the site collection level and consist of a set of SPMember objects, each of which is either an individual user or a group.

Access control is achieved by assigning each group a permission level (called a role) and binding that assignment to a particular securable object (called a securable scope inside SharePoint).

 SPMember <--> SPRoleDefinition <--> Securable Scope (ISecurableObject).

[Screenshot: the SharePoint View Site Collection Permissions page, with a caption explaining the parts of the page]

Nested groups 

It is not possible to put one SharePoint group inside another. If nested groups are required, you will need to use nested Active Directory groups.

Site collection groups

The hierarchy will look like this, for example:

 Site Collection (SPSite)   <--- groups, including their members, are defined here
 - Root Web site (SPWeb)
 - - Sub site (SPWeb)
 - - - - Sub site 1.a (SPWeb)
 - - Sub site 2 (SPWeb)
 - - - - Sub site 2.a (SPWeb)
 - - - - Sub site 2.b (SPWeb)

The groups used for a particular site are expressed through RoleBindings, which bind a securable scope with a particular group and permission level.

Breaking inheritance gives the site owner an option to create new groups, or re-use existing ones.
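As an added example (not code from the original page or from SharePoint itself), a hypothetical audit helper built on the server object model that walks the hierarchy above and reports, for every web or list that has broken inheritance, which members hold which permission levels there; the class and method names are assumptions, and it assumes it is run on a farm server under an account that can read the whole site collection.

```csharp
using System.Text;
using Microsoft.SharePoint;

// Hypothetical audit helper: walks the site collection and lists every web or list that
// stops inheriting permissions, together with the role bindings (member -> permission
// levels) that apply to that securable scope.
public static class RoleBindingAudit
{
    public static string Report(string siteCollectionUrl)
    {
        StringBuilder report = new StringBuilder();
        using (SPSite site = new SPSite(siteCollectionUrl))
        {
            // RootWeb is owned by the SPSite and disposed with it
            ReportWeb(site.RootWeb, report);
        }
        return report.ToString();
    }

    private static void ReportWeb(SPWeb web, StringBuilder report)
    {
        // The root web always has its own assignments; a sub site only if inheritance was broken
        if (web.HasUniqueRoleAssignments)
            ReportScope(web, "Web " + web.ServerRelativeUrl, report);

        foreach (SPList list in web.Lists)
            if (list.HasUniqueRoleAssignments)
                ReportScope(list, "List " + list.RootFolder.ServerRelativeUrl, report);

        foreach (SPWeb subWeb in web.Webs)
            using (subWeb)          // SPWeb objects from web.Webs must be disposed by the caller
                ReportWeb(subWeb, report);
    }

    private static void ReportScope(ISecurableObject scope, string label, StringBuilder report)
    {
        report.AppendLine(label + " (does not inherit permissions)");
        foreach (SPRoleAssignment assignment in scope.RoleAssignments)
        {
            // assignment.Member is the user or group; RoleDefinitionBindings are its permission levels
            StringBuilder levels = new StringBuilder();
            foreach (SPRoleDefinition role in assignment.RoleDefinitionBindings)
            {
                if (levels.Length > 0) levels.Append(", ");
                levels.Append(role.Name);
            }
            report.AppendLine("  " + assignment.Member.Name + " -> " + levels);
        }
    }
}
```

Comparing the report against the groups intended by the governance model is a direct way to find sites where breaking inheritance has quietly widened access.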

User interface pages

SharePoint provides the following user interface pages for configuring groups.

SharePoint Access Control pages

Page                      | Title                            | SharePoint description                                                                                                                                                                                                      | Notes
people.aspx               | People and Groups: People        | Use this page to view and manage all people for this site collection.                                                                                                                                                       | Parameters: MembershipGroupId
groups.aspx               | People and Groups: All Groups    | Use this page to view and manage all groups for this site collection.                                                                                                                                                       |
user.aspx                 | Permissions                      | Use this page to assign permission levels to users and groups.                                                                                                                                                              | Also used for managing role bindings for items that don't inherit permissions.
editprms.aspx             | Edit Permissions                 | N/A                                                                                                                                                                                                                         |
role.aspx                 | Permission Levels                | N/A                                                                                                                                                                                                                         |
addrole.aspx              | Add a Permission Level           | N/A                                                                                                                                                                                                                         |
permsetup.aspx            | Set Up Groups for this Site      | Use this page to specify who can access your site. You can create new SharePoint groups or re-use existing SharePoint groups.                                                                                               |
newgrp.aspx               | New Group                        | Use this page to create a group.                                                                                                                                                                                            |
editgrp.aspx              | Change Group Settings            | Use this page to change the settings of this SharePoint group.                                                                                                                                                              |
aclinv.aspx               | Add Users                        | Use this page to give new permissions.                                                                                                                                                                                      |
userdisp.aspx             | User Information                 | N/A                                                                                                                                                                                                                         |
mngsiteadmin.aspx         | Site Collection Administrators   | Use this page to add and remove site collection administrators.                                                                                                                                                             |
associatedgroups.aspx     | Edit Group Quick Launch          | Use this page to change which SharePoint groups appear in the Quick Launch on the People and Groups page.                                                                                                                   |
ViewGroupPermissions.aspx | View Site Collection Permissions | Use this page to view the permission assignments that this SharePoint group has in this site collection. In addition to the listed URLs, this group has access to any sites, lists, or items that inherit permissions from these URLs. |

 



