IT vs Business: SharePoint Permissions Strategy

Recently, I have ensured again that the main challenge for SharePoint professional in an organisation is the business processes setting up. There is no problem to organise corporate information and to build information architecture. There is no problem to provide shared workplaces for the business teams. Even there is no problem to automate existing processes. The problem is to set up correct business process when there is nothing existing.

Let's take some common process of permissions management. IT guys would like to control everything and would like to manage each particular operation with sensitive data. And this approach may be useful, but not for collaboration. In SharePoint, all content is the collaborative asset. So, the main business value of that system is sharing and team work with the documents. The mandatory condition here is a read-write access to document for each team member. The real life systems, unfortunately, rarely meet this simple condition.

Commonly, I encountered a situation when all SharePoint permissions are managed by IT Service Desk. This does mean that SharePoint system administrator is receiving 50 tickets each day with sentences like “I need access to sales report for March of 2011”, “Why am I unable to read the corporate financial statement” or “Could you please remove that party photo where I am dancing on a table”. And our system administrator has no idea where this files are located. So, he or she has two options: find file and grant the access or ask a team leader whether the person should have the access. In the first scenario, it is obvious that corporate security is not working – each employee can have access if they are asking for it. In the second scenario, the ticket returns back to business representative for approval.

We have more requests, more bureaucracy, more time, more routine work for IT, less value for the business, less satisfaction with IT department, less satisfaction with SharePoint. And the only reason for that is the total control for IT guys and misunderstanding of the base principles of collaborative environment.

To avoid such problems, we need to build the business process based on another strategy. IT guys just should admit that they do not own the corporate data. And they do not manage it. IT is just providing a hosting environment; a service for the business.

So, the suggested approach is to have a business owner for each business team site. The business owner or team leader will have the full permissions on a team web site. Full means full – creation of the custom lists, sub sites and pages without any restrictions. This business representative is the only person who knows exactly how the team information is sensitive. That person can make a decision and delegate an access to team members depending on his/her own understanding. If somebody needs access to team information, then he or she can directly contact the team leader and get the permissions. If something goes wrong, the team leader can still call the IT service desk and ask for help.

This permission management strategy improves the corporate security for sensitive data, reduces the number of requests to IT and makes environment more open and collaborative. To support that strategy, it is good to have an article on a portal which describes the process and a list of the business owners for each part of the corporate portal. Access to shared corporate pages like a news or branding information can be managed automatically based on organisation units membership.

For example, if we have hired an HR professional and have created an Active Directory account for the person, then the account will be included in HR organisation unit which has access to shared upper level sites on the portal. This process does not require a lot of efforts and should be done only on creation of the account. 

The described approach is successfully used for some of our customers. If you have some thoughts, feel free to share it in the comments. Thank you for reading!

CodeProject