I was lucky enough in my illustrious SharePoint career to have managed the SharePoint Helpline [sarcasm intended].  I can confidently say that more than two-thirds of our problem tickets are permissions-related.  You don’t have to manage the Customer Relations Management team to take my word for it.  Being a basic SharePoint Administrator will get you close enough to feel the annoyance that permeates from SharePoint site permissions.

Gather around, younglings.  Though I won’t solve your permission problems, I will share with you how I navigate these murky waters.

Let’s Talk About It

That’s it.  That’s what I did – talked about it.  Discussion after discussion, most of the time with a whiteboard, was what we had to do in order to hash out a manageable security model.  The security model, of course, had to be compatible with all the business cases.  Sometimes the business owner, site owner and content owner were all the same person, and sometimes they were all different.

Users, SharePoint Groups and Global Security Groups in Active Directory add to how convoluted it quickly becomes.  In the end, our security model solution is a simple one (even though getting there was NOT).  Here is the policy:

No one should be creating groups.  The only groups to be created should be the SharePoint default groups that get created during a Site Provision.
Those groups are (ABCD = team name/site name):
  • ABCD team owners (Full Control Access)
    • Users in this group:  a handful of users are in this group
  • ABCD team members (Contribute Access)
    • Users in this group:  the team’s AD Group
  • ABCD team visitors (Read-only Access)
    • Users in this group:  company_all AD Group or empty if the team wishes to ‘hide’ the site.
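One way to check a site against this policy, as an added example that is not part of the original post: the function below audits an exported group inventory and reports every deviation. The export format, the sample principals, the owner limit of 5 and the rule that owners must be individual users are assumptions made for illustration.

```python
POLICY = {"owners": "Full Control", "members": "Contribute", "visitors": "Read"}
MAX_OWNERS = 5                # assumption: the post only says "a handful"
COMPANY_WIDE = "company_all"  # AD group named in the post

def audit_site(team, groups):
    """Return policy violations for one site.

    groups maps group name -> {"level": str, "members": [(kind, name), ...]},
    with kind "user" or "adgroup" (hypothetical export format).
    """
    findings = []
    expected = {f"{team} team {role}": role for role in POLICY}
    for name in groups:
        if name not in expected:
            findings.append(f"{name}: not a default group")
    for name, role in expected.items():
        group = groups.get(name)
        if group is None:
            findings.append(f"{name}: default group missing")
            continue
        if group["level"] != POLICY[role]:
            findings.append(f"{name}: level {group['level']!r}, expected {POLICY[role]!r}")
        users = [n for kind, n in group["members"] if kind == "user"]
        ad = [n for kind, n in group["members"] if kind == "adgroup"]
        if role == "owners":
            if ad:  # assumption: owners are individual users only
                findings.append(f"{name}: AD groups as owners: {ad}")
            if len(users) > MAX_OWNERS:
                findings.append(f"{name}: {len(users)} owners, limit {MAX_OWNERS}")
        elif role == "members":
            if users:
                findings.append(f"{name}: direct users: {users}")
            if len(ad) != 1 or COMPANY_WIDE in ad:
                findings.append(f"{name}: expected only the team AD group, got {ad}")
        elif users or ad not in ([], [COMPANY_WIDE]):
            findings.append(f"{name}: expected empty or {COMPANY_WIDE} only")
    return findings

# Constructed sample export for a site named ABCD (not real data).
SAMPLE = {
    "ABCD team owners": {"level": "Full Control",
                         "members": [("user", "alice"), ("user", "bob")]},
    "ABCD team members": {"level": "Contribute",
                          "members": [("adgroup", "abcd_team"), ("user", "carol")]},
    "ABCD team visitors": {"level": "Contribute",
                           "members": [("adgroup", COMPANY_WIDE)]},
    "ABCD project leads": {"level": "Design", "members": [("user", "dave")]},
}
```

On the sample, the audit flags the extra "ABCD project leads" group, the user added directly to the members group, and the visitors group that was raised to Contribute.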

We developed a diagram and communicated it to all the respective content owners:

I hope everyone finds this useful.  Happy planning.