SharePoint is the platform Microsoft offers to large companies for sharing content: documents, presentations, spreadsheets, notes, images, etc.
While SharePoint has many advantages over a raw file system for content management, access to that content is still governed by permissions.

SharePoint has its own types of rights (read only, limited access, read, contribute, etc.), and which ones apply can vary depending on the type of object (lists, sites, etc.).
For a complete list of all SharePoint rights and their meanings, see this Microsoft resource.

SharePoint administrators can be just as confused about effective access as file system administrators. In both cases the question comes down to determining the true rights a given user has on a specific resource, which is hard to do without tooling. Varonis DatAdvantage for SharePoint helps organizations understand SharePoint rights.

Common data issues with SharePoint

Direct assignment of users to ACLs
Many SharePoint sites and directories grant access to users directly. Assigning users directly complicates ACL management: because these users do not belong to a group, it becomes difficult to keep track of each user's ACLs when they need to be updated. In practice, such entries go unnoticed and are never recertified.

Absence of access recertification
Most SharePoint groups are managed by business users rather than IT, and those users often lack the time to keep ACLs up to date. This becomes a problem when an employee changes teams or leaves the company.

Too many users with full control
Due to the nature of SharePoint groups, the Owners group has full control over the site or directory it is assigned to. Typically, SharePoint groups are managed by regular company employees. While IT has the ability to recertify, most of these employees are unaware of the process and never recertify their data.

Too much outdated data
Outdated data is a problem that affects many SharePoint systems. Obsolete data, meaning data that is no longer used or no longer serves the purpose it was created for, unnecessarily consumes resources that the rest of the site needs. Keep in mind that stale data may contain personally identifiable and other sensitive information and therefore increases the risk to the business in the event of an attack or incident.

Varonis Best Practices for SharePoint

Identify sensitive data that is actively accessed
Assign rights and access based on data content, especially where the data requires more granular protection, such as sites/directories containing sensitive data.

Create data-specific security groups for these sites and directories, and avoid direct permissions.

For example, a service company may hold sensitive information about its customers that should be accessible only to certain people. Once the company has identified the sites/directories that contain this data, it should grant rights only to people who belong to a dedicated group, rather than assigning access to the folder to groups with a department-wide scope.

Varonis DatAdvantage for SharePoint locates sensitive personally identifiable information.

Classify and monitor sensitive data
Classification and identification of sensitive data are the key to proper governance. By knowing where sensitive data resides, SharePoint administrators can lock it down through access management and by defining relevant rights structures. Deleting outdated sensitive data is an easy operation that significantly reduces risk while having little or no impact on the user community.

Archive and delete obsolete data
To limit the risk of sensitive data exposure and get quick results, administrators can review their outdated data. Archive it by moving it to a location where rights are assigned to a limited administrative group, which effectively denies access to all other users. At the end of the retention period the company sets for obsolete data, that data must be deleted.

Identify and use data owners during the authorization and recertification process
Identify the owners of sensitive and protected data, and involve them in the rights assignment and recertification procedures.

Manage and maintain an owner-to-data mapping to ensure proper execution of authorization and recertification processes. The data owner's goals should be aligned with those of the site owner or site collection administrator on the SharePoint side.

Access governance

Develop a clear process for access requests and recertification after ownership of a SharePoint resource is assigned to a business user. An authorization workflow can ensure that users follow the correct procedure for requesting access by allowing the company employees who own the data to approve or deny requests. For auditing purposes, keep a log of all accepted/denied requests.

A recertification workflow is essential for SharePoint groups since they are typically not managed by IT and continue to contain users who no longer need access. Without an authorization and recertification workflow, ACLs can get messy again.

It is important to disable native SharePoint access requests for sites that don't use external sharing. This funnels access requests through the chosen request tool, which offers more capabilities for handling them.

Define access rights standards

The same procedure described in the "Identify sensitive data that is actively accessed" section can be applied across all managed sites and directories: create data-specific security groups for these sites and directories, and avoid direct permissions.

Many customers use different permission types for their SharePoint sites and directories. By implementing a least-privilege model, the customer can be sure of granting access only to users who need it, and with an appropriate level of access. In most cases, a basic set of three SharePoint rights should provide the required access: Owners (Full), Members (Contribute), and Visitors (Read). Because SharePoint offers a permission level that grants full control of sites, extra care should be taken in choosing who belongs to this Owners group.
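As an added illustration of the checks behind the "Common data issues" section and the three-tier standard above (example code written for this article, not Varonis or Microsoft tooling), the script below audits a permissions export for direct user assignments, Full Control outside the Owners group, and standard-named groups carrying the wrong level. The flat CSV layout and the sample rows are constructed assumptions; a real export would be produced by the organization's own reporting tool.

```python
import csv
import io

# Constructed sample in the shape of a flat permissions export, one row per
# role assignment: site, principal, principal type, permission level.
SAMPLE_REPORT = """site,principal,principal_type,permission_level
/sites/finance,Finance Owners,SharePointGroup,Full Control
/sites/finance,Finance Members,SharePointGroup,Contribute
/sites/finance,Finance Visitors,SharePointGroup,Read
/sites/finance,jdoe@example.com,User,Full Control
/sites/hr,HR Owners,SharePointGroup,Full Control
/sites/hr,HR Members,SharePointGroup,Full Control
/sites/hr,All Employees,SecurityGroup,Contribute
/sites/hr,asmith@example.com,User,Read
"""

# The three-tier standard from the text: Owners=Full, Members=Contribute, Visitors=Read.
STANDARD_LEVELS = {"Owners": "Full Control", "Members": "Contribute", "Visitors": "Read"}


def parse_report(text: str) -> list[dict[str, str]]:
    """Read the export into one dict per role assignment."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (site, principal, issue) for each ACL problem the article describes."""
    findings = []
    for r in rows:
        site, who, level = r["site"], r["principal"], r["permission_level"]
        # A user placed on the ACL directly is never covered by group recertification.
        if r["principal_type"] == "User":
            findings.append((site, who, "direct user assignment"))
        # Full Control should reach a site only through its Owners group.
        if level == "Full Control" and not who.endswith("Owners"):
            findings.append((site, who, "full control outside Owners group"))
        # A group named for a standard tier must carry that tier's level.
        for tier, expected in STANDARD_LEVELS.items():
            if who.endswith(tier) and level != expected:
                findings.append((site, who, f"{tier} group has {level}, expected {expected}"))
    return findings


def full_control_by_site(rows: list[dict[str, str]]) -> dict[str, int]:
    """Count principals holding Full Control per site ('too many users with full control')."""
    counts: dict[str, int] = {}
    for r in rows:
        if r["permission_level"] == "Full Control":
            counts[r["site"]] = counts.get(r["site"], 0) + 1
    return counts
```

Each finding maps to a recertification action: move the user into a group, strip Full Control from the non-Owners principal, or reset the group to its standard level.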