Tuesday, September 27, 2022

AvePoint’s Survival Guide for SharePoint: 3 Policies all SharePoint Administrators Should be Enforcing

Fixing a broken SharePoint environment might not seem easy, but the processes we discussed in our Survival Guide for Assessing SharePoint and Survival Guide for Fixing SharePoint enable you to locate and better understand problem areas. They provide an opportunity to become proactive, make a plan, and prepare to enforce a set of policies and guidelines commonly referred to as governance. More often than not, as an administrator, it is up to you to make sure governance is enforced and validated so that you don’t find yourself continually fixing the same problems you just solved.

As explored in our new Survival Guide for Enforcing SharePoint Policies, enforcement is all about maintaining control of the environment. There are three specific areas SharePoint administrators need to consider for their enforcement strategy to enable business users to achieve more with SharePoint:

  1. Configurations and settings
  2. Permissions and security
  3. Content and data

1. Configurations and Settings

As we begin to tackle the topic of enforcement, it is important to understand the distinction between policies and guidelines. Policies are the critical rules that must be followed to maintain a functional and compliant environment, and automation can be used to enforce them. For example, if duplicate content was a major issue during your cleanup, limiting library versioning settings may be a policy for you.

Guidelines are important but not critical. We are going to want to enforce what we can, train on what we can’t automate, and regularly validate conformance. For example, if naming conventions for sites, lists, and documents were an issue during cleanup, you may want to provide best practices and regularly audit these settings.

So how much control do you need to keep and how much can you give away? Like most answers in SharePoint: it depends. Let the policies and guidelines guide you on the specifics.

Natively in SharePoint, users with permissions above “read” are going to be affected by your guidelines, and those above “contribute” run the most risk of violating policies. It is important to know who the individuals are with those permission levels. The Security Search feature in DocAve Administrator can easily give you a report of all these privileged users by the sites and libraries in which they work. This is not possible with SharePoint alone.

Security Search in DocAve Administrator provides a report of all privileged users across specific sites and lists.

Taking this idea a step further, permission levels are not always effective when controlling access to configurations and settings. Heavily restricting permission levels across the board is like turning off the internet to block a few sites. With the Policy Enforcer feature in DocAve Administrator, you can target the specific settings you want to control, and leave the user free to enjoy all the other rich capabilities SharePoint has to offer.

A real customer example is a large bank that has policy around two site features: Legal Hold and Newsfeed. With a simple Policy Enforcer profile, the customer can target team sites and ensure that the Legal Hold feature remains activated and the Newsfeed feature remains deactivated without heavily restricting the permissions users have to their sites.

2. Permissions and Security

The principle of least access comes naturally to SharePoint administrators. I know an administrator who has a sign in their office they point to anytime someone asks for full control. It reads, “With great power, comes great responsibility.”

End users don’t want their colleagues to be bothered by Access Request screens that nobody ends up approving. Nor do they want to download a copy of a document because the original cannot be edited. They are working too fast for that, and bypassing SharePoint by using email attachments is always an option. If an option such as “Owners Group” makes sense to them (“they do own the documents after all”), or a phrase like “Full Control” (“what on earth is the difference between Edit and Contribute?”), or assigning access to “Everybody” (“great, I will never have to do any of this again”), then they will use it.

It is time to go back to what was learned during cleanup. Did the DocAve Security Search reveal a troubling number of Full Control users, or “NT AUTHORITY\Authenticated Users”, or even one “NT AUTHORITY\Authenticated Users” with Full Control?

DocAve Policy Enforcer helps enforce least access in SharePoint. For permissions, many of our customers elect to use Policy Enforcer’s feature to automatically fix violations as it finds them. For example, if you want to lock the Owners Group to trained users, changes to the group can be automatically reverted while you and the user get an email detailing what happened. This can become an excellent teachable moment for the end user.

After automatically fixing permissions violations, DocAve Administrator provides an email informing SharePoint administrators.

The customer mentioned above uses Policy Enforcer to solve a business problem critical to their business as a bank: ensuring an ethical wall exists between their analysts and consultants. In this case, Policy Enforcer profiles are used to validate whitelists and blacklists of users appropriate for specific information in SharePoint. The customer also uses Policy Enforcer to automatically fix any anomaly it finds while notifying the compliance department.

3. Content and Data

Several customers have shared stories of working hard to get search working well in SharePoint only to be asked to turn it off because it led users to sensitive content they weren’t supposed to see. Search is the only way SharePoint knows what is inside of the documents it is hosting, and while the platform itself may not be smart enough to know the implications of that, a user can easily search for “salary”, “financial report”, or “confidential.”

So how can a SharePoint administrator avoid the uncomfortable conversation with their CEO when private information ends up in the wrong hands? They must adopt the role of steward as well as administrator when it comes to data governance policies. Enforcing proper permissions is half of the story, but it does not help if a potentially sensitive document is added to a non-restricted area of SharePoint. They need more visibility into what is actually in those libraries and if it should cause concern.

The ideal solution is regular scans (not an index) of content to identify patterns and terms that suggest sensitive content. When found, sensitive content can then be validated with the permissions policy. If the permissions are found to be inappropriate, the audit logs for the content can be examined for suspicious activity. Actions will be available to protect the content and fix violations.

AvePoint Compliance Guardian automates this entire process or, if required, guides the human review of violations through workflow. For each incident, you get a risk profile with complete permissions and audit history. This completes the enforcement profile by providing control and guidance to users for not only what they do in SharePoint, but what they store in the system as well.
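The scan, validate, and review sequence described above can be sketched in a few lines. This is an added example, not AvePoint or SharePoint code: the documents, permissions report, audit events, `CONTOSO` accounts, and the list of "too broad" principals are all constructed assumptions standing in for exports from a real farm.

```python
import re

# Terms the article names as ones a user might search for.
SENSITIVE = [re.compile(p, re.I) for p in
             (r"\bsalary\b", r"\bfinancial report\b", r"\bconfidential\b")]
# Principals considered too broad to hold any access to sensitive content (policy assumption).
BROAD = {"nt authority\\authenticated users", "everyone"}

# Constructed sample data standing in for a content export, a permissions
# report and an audit log; none of it comes from a real farm.
DOCUMENTS = [
    {"url": "/sites/hr/Shared Documents/bands.docx", "text": "2015 salary bands - CONFIDENTIAL"},
    {"url": "/sites/team/Docs/lunch.docx", "text": "Lunch menu for Friday"},
    {"url": "/sites/finance/Reports/q3.docx", "text": "Q3 financial report draft"},
]
PERMISSIONS = {  # library -> {principal: permission level}
    "/sites/hr/Shared Documents": {"NT AUTHORITY\\Authenticated Users": "Read", "HR Owners": "Full Control"},
    "/sites/team/Docs": {"Everyone": "Contribute"},
    "/sites/finance/Reports": {"Finance Members": "Contribute"},
}
AUDIT = [
    {"url": "/sites/hr/Shared Documents/bands.docx", "user": "CONTOSO\\jdoe", "event": "View"},
    {"url": "/sites/hr/Shared Documents/bands.docx", "user": "CONTOSO\\asmith", "event": "Download"},
    {"url": "/sites/finance/Reports/q3.docx", "user": "CONTOSO\\fin1", "event": "Edit"},
]

def matched_terms(text):
    """Step 1: scan the content itself for sensitive terms."""
    return sorted({m.group(0).lower() for rx in SENSITIVE for m in rx.finditer(text)})

def broad_principals(url):
    """Step 2: validate the containing library against the permissions policy."""
    library = url.rsplit("/", 1)[0]
    if library not in PERMISSIONS:
        return ["(no permissions report)"]  # fail closed: unknown counts as exposed
    return sorted(p for p in PERMISSIONS[library] if p.lower() in BROAD)

def find_incidents(documents=DOCUMENTS, audit=AUDIT):
    incidents = []
    for doc in documents:
        terms = matched_terms(doc["text"])
        exposed_to = broad_principals(doc["url"]) if terms else []
        if not exposed_to:
            continue  # not sensitive, or sensitive but permissions conform
        # Step 3: pull the audit trail for the exposed document for human review.
        activity = [(e["user"], e["event"]) for e in audit if e["url"] == doc["url"]]
        incidents.append({"url": doc["url"], "terms": terms,
                          "exposed_to": exposed_to, "activity": activity})
    return incidents
```

Only the HR document is reported: the finance report matches a term but sits in a restricted library, and the lunch menu sits in an open library but matches nothing.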

AvePoint Compliance Guardian provides a complete risk profile for content that includes permissions and audit history.


While implementing new technology is important, the value administrators bring to the company is empowering colleagues to do their jobs as efficiently as possible. Business moves quickly and we know things will get messy. Setting and automating enforcement controls gives us the chance to prepare for the unexpected.

With the proper enforcement, we are taking a step towards being proactive with SharePoint rather than simply putting out fires. We can at least be alerted to potential problems and at best use technology to automatically remediate them. At the same time, enforcement allows the business user maximum agility with the correct guidance to be a responsible corporate citizen.

Want more advice on how to enforce policies in your SharePoint environment? Access our free Survival Guide for Enforcing SharePoint Policies today!

Edmund White
I joined AvePoint in February 2013 having an extensive background in SharePoint Administration and IT Services as the vendor/consultant. I live in Williamsburg Brooklyn and am into rock climbing, photography and creative writing.


  1. Thanks Edmund, your comment on SharePoint administrators adopting the role of stewards as well as administrator is so true. And of course the great assistance AvePoint Compliance Guardian provides in that regard.

  2. Thanks for the comment Derek. Time after time I have seen good administrators get bogged down in these issues so I get excited when there are ways to help. An ounce of prevention is worth a pound of cure.

