Wednesday, June 29, 2011

To AD or not to AD, that is the Question.


It has always been a point of contention between system admins and
SharePoint admins: Active Directory groups versus SharePoint group permissions.

Should you use AD groups in SharePoint instead of the native SharePoint
groups? Many have rushed into implementing a solution without really
taking a look at the actual needs of the enterprise.

I found a very simple rule of thumb, a "mind state", that can quickly settle
how to choose and properly set permissions, depending on your IT environment.

1. If you have consultants working on the server, you don't want them snooping
around in your AD until they are full employees. Managing membership in AD means
giving them write rights in the directory itself; letting them add and manage users
in SharePoint groups instead keeps that access confined to SharePoint. In this case,
allowing them to add and manage users in SharePoint is the proper course.

2. We all know you can set permissions at the file (item) level, but do you really want
to enter that world of chaos? Do you really want to manage all content with per-file permissions?
It is time consuming, hard to audit, and there is simply no need. In a large
SharePoint environment, letting users manage permissions at the file level is not the recommended
course. As a matter of fact, most companies simply do not allow it. So how do you manage
files and all other SharePoint items?

You use both: Active Directory groups and custom SharePoint groups. I say custom because in reality,
and in most cases, only three groups are actually needed, and you can name them almost the
same as the naming convention used in AD. Example:

3. Create three SharePoint groups for a portal: XYZ CONTENT MANAGERS, XYZ CONTRIBUTORS, XYZ READERS.
Content managers have Full Control of their portal, contributors (Contribute) can add and edit items, readers (Read) can only view.

In AD, create a main SharePoint group under which all sub groups will be nested. It should look like this:

SHAREPOINT GROUPS --(top level)
            SP XYZ -- ( Portal Group Name )
                        SP XYZ CONTENT MANAGERS
                        SP XYZ CONTRIBUTORS
                        SP XYZ READERS

In SharePoint, simply add the AD group into its designated SharePoint group. In AD, add users to their respective
AD group to grant the proper access; SharePoint group membership is then never edited by hand. If in SharePoint you have a
document library that only contributors should have access to, in the settings for that list, stop inheriting permissions
from the parent site and add only the group that should have access.
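The whole procedure above (AD group tree, the three SharePoint groups bound to their permission levels, the AD groups dropped into them, and a library that stops inheriting), scripted end to end. This is an added example, not code from the original post: it uses the ActiveDirectory RSAT module and the SharePoint 2010 Management Shell. The domain name, OU path, portal URL and library name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module (RSAT),
# SharePoint 2010 Management Shell, and the placeholder names below.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain  = "CONTOSO"                                  # assumed NetBIOS domain name
$ouPath  = "OU=SharePoint Groups,DC=contoso,DC=com"   # assumed OU that holds the groups
$portal  = "XYZ"
$webUrl  = "http://portal.contoso.com/sites/xyz"      # assumed portal URL
$library = "Contributor Documents"                    # assumed library only contributors may see

# ---- Active Directory side ----------------------------------------------------
# SHAREPOINT GROUPS -> SP XYZ -> SP XYZ {CONTENT MANAGERS, CONTRIBUTORS, READERS}
# The two upper groups are organizational only; never grant them anything in SharePoint.
$top = "SHAREPOINT GROUPS"
if (-not (Get-ADGroup -Filter "Name -eq '$top'")) {
    New-ADGroup -Name $top -GroupScope Global -GroupCategory Security -Path $ouPath
}
$portalGroup = "SP $portal"
if (-not (Get-ADGroup -Filter "Name -eq '$portalGroup'")) {
    New-ADGroup -Name $portalGroup -GroupScope Global -GroupCategory Security -Path $ouPath
    Add-ADGroupMember -Identity $top -Members $portalGroup
}

# Role suffix -> SharePoint permission level. Three roles is all a portal needs.
$roles = [ordered]@{
    "CONTENT MANAGERS" = "Full Control"
    "CONTRIBUTORS"     = "Contribute"
    "READERS"          = "Read"
}

foreach ($role in $roles.Keys) {
    $adName = "SP $portal $role"
    if (-not (Get-ADGroup -Filter "Name -eq '$adName'")) {
        New-ADGroup -Name $adName -GroupScope Global -GroupCategory Security -Path $ouPath
        Add-ADGroupMember -Identity $portalGroup -Members $adName
    }
}

# ---- SharePoint side ----------------------------------------------------------
$web = Get-SPWeb $webUrl
try {
    foreach ($role in $roles.Keys) {
        $spGroupName = "$portal $role"
        $adName      = "SP $portal $role"
        $level       = $roles[$role]

        # Create the SharePoint group if missing and bind exactly one permission level to it.
        $spGroup = $web.SiteGroups[$spGroupName]
        if ($spGroup -eq $null) {
            $web.SiteGroups.Add($spGroupName, $web.Site.Owner, $null, "$portal $role")
            $spGroup    = $web.SiteGroups[$spGroupName]
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($spGroup)
            $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$level])
            $web.RoleAssignments.Add($assignment)
            $web.Update()
        }

        # The only member of the SharePoint group is the matching AD group.
        # People are added and removed in AD, never here.
        New-SPUser -UserAlias "$domain\$adName" -Web $web -Group $spGroupName | Out-Null
    }

    # Library that only contributors (and the content managers) should reach:
    # stop inheriting from the site, do not copy the parent's assignments,
    # then grant just the groups that need access.
    $list = $web.Lists[$library]
    if (-not $list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($false)   # $false: start without the parent's assignments
    }
    foreach ($role in @("CONTENT MANAGERS", "CONTRIBUTORS")) {
        $grp = $web.SiteGroups["$portal $role"]
        $ra  = New-Object Microsoft.SharePoint.SPRoleAssignment($grp)
        $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$roles[$role]])
        $list.RoleAssignments.Add($ra)
    }
    $list.Update()
}
finally {
    $web.Dispose()
}
```

Two things to keep in mind when running something like this. First, AD group nesting is transitive, so a member of SP XYZ READERS is also a member of SP XYZ and of SHAREPOINT GROUPS; those two container groups must never be granted a permission level anywhere in SharePoint, or every reader silently inherits it. Second, the library is the one place where inheritance is broken, and only whole groups are added there; if someone later adds an individual user to that list, you are back to file-level management, so a periodic check that every SharePoint group contains a single AD group and nothing else is worth the five minutes.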

If you keep this "process" you will have a very organized SharePoint permission structure. More to come on Active Directory and SharePoint.

Fasty.