Administration accounts and roles
Administration can occur at a number of levels of granularity in SharePoint. Microsoft refers to this as a three-tier administration model.
The broadest, most powerful tier is that of Farm-level Administrators. This type of account provides control over the entire SharePoint farm.
The next level down is that of Shared Services Administrators. This type of account provides control over SharePoint's "Shared Services" servers, which provide search, Excel Services, user profiles, and other common functionality made available to standard SharePoint sites.
Administration of SharePoint site collections is conducted by Site Collection Administrators.
Finally, within each site, site configuration and membership can be administered by Site Owners (or, more specifically, by people assigned particular site configuration permissions).
Roles and responsibilities
| Account type | Permissions granted |
|---|---|
| Farm administrators | Administrative tasks on farm-level configuration |
| Shared Services administrators | Administrative tasks on Shared Services, including Search, user profiles, audiences, BDC, Profiles, Excel Services, and usage reporting. |
| Site Collection administrators | Administrative tasks on all sites within the site collection. |
| Site owners | Configuration tasks on particular sites. |
Role compartmentalization
Some compartmentalization of these roles can be achieved through the configuration of permission levels, especially with regard to Shared Services Administrators.
Implementing enterprise-wide policies and controls
SharePoint provides very little out-of-the-box support for the implementation, enforcement, and management of enterprise-wide policies. Typically this is achieved through procedural and personnel controls, aided by the use of third-party additions to SharePoint.
Decisions regarding administrative access - especially bad decisions - can have a large negative impact on security and business continuity. Proper assignment of administrative powers is therefore a key factor in establishing a good SharePoint governance model.
Guidance
- Ensure that the granting of administrative powers is assessed in terms of a risk / benefit analysis.
- Consider the impact of administrative tasks and decisions in your SharePoint Governance model.
- Consider the use of third-party tools to aid with the implementation of enterprise-wide policies and controls.

