SharePoint Groups – They Exist With Good Reason
When you become accustomed to best practices, it is easy to start thinking that the knowledge you have obtained is general common knowledge. This is especially true when walking into a large company in IT where you would expect these best practices would have been adopted. Much to my surprise, this often is not the case. Over a year ago we worked with a company where they did not utilize SharePoint groups to manage permissions. Rather, there were thousands of users listed individually with broken inheritance across the site. Not only does that become horrendous to manage, but since SharePoint sites by default will inherit permissions from their master sites, trying to lock down permissions on any sublevels becomes a time-consuming and tedious task. Permissions weren’t meant to be used this way – with thousands of individuals listed, in order to reduce permissions we had to select small groups at a time (i.e. all users with the last names A and B) and then remove their permissions. Something that should take seconds to manage suddenly becomes an hour-long ordeal – and that is only if SharePoint doesn’t time out on you! It seems like a quicker solution at the time, but in the long run, adding an individual will end up being much more difficult to manage.
An area where SharePoint doesn’t help encourage the proper behavior is when you turn on access requests. Inevitably, a user requests access to a site or library, the site admin approves via the email link, and by default, the individual gets added to the site as an individual user rather than added to a group. Do not follow this practice! Instead, when you receive a request, review the location they are attempting to obtain access to (which itself can be tricky), and then add them to the proper group. Also, always ensure that you are only putting the user into the group with the permission level necessary for them to perform their tasks. Permissions are easily abused on SharePoint, so this is critical. Finally, if you have the ability to use AD groups to add user groups to SharePoint groups, this is preferable, as all permission management will be done via AD, and you won’t have to worry about turning on/off permissions through SharePoint at all!
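
One way to find the individually granted permissions described above so they can be moved into groups. This is an added example, not part of the original post: it assumes the PnP.PowerShell module for the live collector, the function names `Get-WebRoleAssignment` and `Find-DirectUserGrant` are hypothetical, and the sample rows are constructed.

```powershell
function Get-WebRoleAssignment {
    # Live collector: run after Connect-PnPOnline against the site to audit.
    # Covers the web itself; lists and libraries with broken inheritance
    # carry their own RoleAssignments and need the same loop.
    $web = Get-PnPWeb -Includes RoleAssignments
    foreach ($ra in $web.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Scope         = $web.Url
            PrincipalType = [string]$ra.Member.PrincipalType
            Principal     = $ra.Member.LoginName
            Roles         = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        }
    }
}

function Find-DirectUserGrant {
    # Emits one row per individual user holding a real permission level.
    param([Parameter(Mandatory, ValueFromPipeline)] $Assignment)
    process {
        # "Limited Access" is assigned by SharePoint itself, so ignore it.
        $roles = @($Assignment.Roles | Where-Object { $_ -ne 'Limited Access' })
        if ($Assignment.PrincipalType -eq 'User' -and $roles.Count -gt 0) {
            [pscustomobject]@{
                Scope     = $Assignment.Scope
                Principal = $Assignment.Principal
                Roles     = $roles -join ', '
            }
        }
    }
}

# Constructed sample rows in the collector's output shape (not real accounts).
$site = 'https://contoso.example/sites/hr'
$sample = @(
    [pscustomobject]@{ Scope = $site; PrincipalType = 'SharePointGroup'; Principal = 'HR Members';      Roles = @('Contribute') }
    [pscustomobject]@{ Scope = $site; PrincipalType = 'SecurityGroup';   Principal = 'CONTOSO\HR-Readers'; Roles = @('Read') }
    [pscustomobject]@{ Scope = $site; PrincipalType = 'User';            Principal = 'alice@contoso.example'; Roles = @('Full Control') }
    [pscustomobject]@{ Scope = $site; PrincipalType = 'User';            Principal = 'bob@contoso.example';   Roles = @('Limited Access') }
)

# Offline run on the sample; only the individually granted account is reported.
$sample | Find-DirectUserGrant | Format-Table -AutoSize

# Live run (after connecting): Get-WebRoleAssignment | Find-DirectUserGrant
```

Each row reported is a candidate for removal once the user has been added to the SharePoint or AD group that carries the permission level they need.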