Anyone who uses SharePoint knows that security is one of its greatest strengths but also one of its greatest weaknesses. Its strength lies in its ability to interface with Active Directory and allow almost all SharePoint objects (sites, libraries, lists, items, documents, folders, etc.) to have unique permissions. Its weakness lies in the way SharePoint displays those permissions to you.
Here’s a screenshot that illustrates the problem:
The Human Resources site has unique permissions and has three SharePoint groups. However, the Site Permissions administration screen gives you no information about which objects in the site these three groups have access to or who is included in the groups. Also, users Joe and Minnie are listed as having “Limited Access” permissions. This means that each of these users has some kind of permission to at least one object below the site level, but SharePoint gives you no idea what this permission is. The only way to figure out what permissions are assigned to which objects in OOTB SharePoint is to check each and every one individually! This awful situation has not gone unnoticed and many companies make security administration products for SharePoint. Two of the most popular are DeliverPoint :Permissions and Quest Site Administrator.
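The object-by-object check described above can be scripted against the SharePoint server object model. The following is an added example, not part of the original review or of either product; the site URL and output file name are placeholders, and it assumes PowerShell 2.0 or later running on a SharePoint server.

```powershell
# Added example. Assumes it runs on a SharePoint server where the server
# object model (Microsoft.SharePoint.dll) is installed.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-RoleRows($securable, [string]$kind, [string]$path) {
    # Objects that inherit carry no assignments of their own; skip them.
    if (-not $securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $securable.RoleAssignments) {
        # "Limited Access" (English display name) only marks a grant made
        # deeper in the site, so drop it and keep the real permission levels.
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                    Where-Object { $_ -ne "Limited Access" })
        if ($levels.Count -eq 0) { continue }
        # Expand SharePoint groups so the report shows who is inside them.
        $members = ""
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            $members = @($ra.Member.Users | ForEach-Object { $_.LoginName }) -join "; "
        }
        New-Object PSObject -Property @{
            Kind = $kind; Path = $path; Principal = $ra.Member.Name
            Levels = ($levels -join ", "); GroupMembers = $members
        }
    }
}

function Get-SitePermissionReport([string]$siteUrl) {
    $site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
    try {
        $web = $site.OpenWeb()
        try {
            Get-RoleRows $web "Site" $web.Url
            foreach ($list in $web.Lists) {
                Get-RoleRows $list "List" $list.RootFolder.ServerRelativeUrl
                foreach ($folder in $list.Folders) { Get-RoleRows $folder "Folder" $folder.Url }
                foreach ($item in $list.Items) { Get-RoleRows $item "Item" $item.Url }
            }
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

# Hypothetical URL and file name; replace with the site to audit.
Get-SitePermissionReport "http://sharepoint.example.local/sites/hr" |
    Select-Object Kind, Path, Principal, Levels, GroupMembers |
    Export-Csv "hr-permissions.csv" -NoTypeInformation
```

Each row is one explicit grant on an object that has broken inheritance, which is the detail the Site Permissions screen hides behind “Limited Access”. Enumerating every item is slow on large lists, so run it off-hours.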
DeliverPoint :Permissions Review
(Rating: 3 out of 5)
DeliverPoint, a fairly simple solution, adds two options to the “Site Settings” dropdown—“DeliverPoint 2007”, which gives you a treeview of your sites and “Discover Site Permissions” which shows you the users permissioned on a selected object. The “DeliverPoint 2007” option gives you a treeview of your SharePoint sites with handy icons that allow you to see if a site inherits permissions or uses unique permissions and indicates with a slash if the site contains child objects with unique permissions:
However, to see permissions you have to launch the “Discover Site Permissions” app. It shows the site permissions by user on the selected object, so as opposed to the OOTB SharePoint view above, you see the user detail of the SharePoint groups and you don’t see the annoying “Limited Access” users.
The problem is that DeliverPoint is showing you permissions pretty much the same way that SharePoint does, object by object. To see the permissions that caused SharePoint to show the “Limited Access” users, you still have to search through all the objects one by one.
Where DeliverPoint does shine, however, is in its unique permissions view, which is available from the “Account Centric” view of the “DeliverPoint 2007” app. This view shows one user’s rights, “Reader” in the example below, for the entire web application and is perhaps the main reason to invest in DeliverPoint:
DeliverPoint also allows you to copy, transfer or delete a user’s permissions. To find out the details of how DeliverPoint works, you can watch their excellent training video online at http://www.lightningtools.com/deliverpoint/sharepoint-permission-management.aspx.
Quest Site Administrator's "Security Explorer" Review
(Rating: 4 out of 5)
Quest Site Administrator provides security administration via the “Security Explorer”, which is part of a larger application, “Site Administrator”, one of a suite of five products Quest provides for SharePoint. Site Administrator includes four tools: a site browser, a report manager (the reports are not very useful unfortunately), a policy manager (very few people use this), plus the Security Explorer. It utilizes SQL Server Reporting Services for reports. The site browser shows you a tree view of your sites in the left panel, displaying the SharePoint page of the site object you have selected in the right pane instead of just help information as DeliverPoint does:
Right-clicking on any object in the treeview provides a submenu of various tasks. For instance, right-clicking on a document library gives you several options, one of which is "Customize". Choosing "Customize" brings the document library's settings page into the right pane of the management console, from where you can make changes. Being able to access and act upon all of your SharePoint sites and objects from one console like this is a real timesaver.
Security Explorer, which you launch separately, also has a treeview in the left panel, allowing you to zip through the hierarchy of your SharePoint sites and quickly see which objects inherit permissions and which do not, and what permissions users and groups are assigned. For instance, in the screenshot below you see that the “Bus Unit A” folder does not inherit permissions from the document library level, since the “Allow inheritable permissions …” checkbox is unchecked. Right below this checkbox the unique permissions for the folder are shown.
Like DeliverPoint, Quest Security Explorer allows you to add, modify, delete, and transfer rights. However, it gives you more bells and whistles, like advanced lookups. For instance, the “Grant” dialog box gives you a handy list of all the site users in the left column and clicking on one of the users automatically populates the “Group/User” textbox on the right. Slick!
You can expand the “SharePoint Groups”, “Domain Groups” and “Domain Users” dropdowns to see the contents of these groups as well. Clicking “Add” as you select each user and/or group you want to grant rights to is much, much faster than performing the same task in native SharePoint.
Finally, the extremely flexible “Search” tab allows you to find permissions in many different ways—by permission level, inherited or explicit, or by user/group, filtered by site, item or list. This feature offers a great deal more functionality than the DeliverPoint “Unique Permissions” report. And the left column in the Search dialog box allows you to scope the search to any SharePoint site:
The Bottom Line
Quest Site Administrator gives you a lot more functionality, but is a bigger product designed for medium-sized to large SharePoint installations. DeliverPoint is a quick and dirty application that doesn’t do a lot, but is easy to use and more accessible since it positions itself on the “Site Actions” menu. Security Explorer, because it offers so much more functionality, has more of a learning curve.
Another thing to keep in mind is that DeliverPoint is a small company and Quest is a really large company. Given that Quest just added the Security Explorer to their “Site Administrator” product free of charge, and offers several other SharePoint products such as a very robust Recovery Manager, it’s clear that Quest is making a big commitment to SharePoint. And I must say that their recent hiring of Joel Oleson, one of the most well-known SharePoint experts, really impressed me.
In any case, if you are planning to spend money on a security add-on for SharePoint, downloading the evaluation copies of both of these products and playing with them a bit is the only way to find out which one is right for your environment.