As the diagram below shows, there are three main elements to SharePoint security: the permissions assigned, the user or group assigned the permissions, and the object secured (site, library, document, etc.).
The standard SharePoint security model is based primarily on the concept of inheritance. Permission inheritance is the easiest way to set up security for SharePoint. By default, permissions for a library are inherited from the site, and permissions for documents are inherited from the library. Inheriting permissions is the easiest way to manage security for a group of sites or document libraries. However, permission inheritance assumes that the permissions for a particular document should be the same as the permissions for all the other documents. This is often not the case, as some document libraries may contain more sensitive information.
To change the permissions for a particular document, the standard inheritance model must be broken. Inheritance for any securable object at a lower level in the hierarchy can be broken by editing the permissions (creating a unique permission assignment) on that securable object. For example, you can edit the permissions for a document, which breaks the inheritance. This copies the groups, users, and permission levels from the parent site to the document itself. The administrator can then add or remove specific permissions in the list to create a unique set of permissions for the document. This is called item-level security. For a demonstration of how this is done, see my YouTube video at http://www.youtube.com/watch?v=rL-nq7_vxDk.
Item-level security is extremely powerful, as it gives you the ability to filter which documents users can see. The shortcoming of item-level security is that you must go into each document one at a time in order to set up permissions for the documents. This process can be extremely time consuming and error prone. Alternative solutions to item-level security include creating separate document libraries or separate folders containing documents that are appropriate for certain groups of users. An additional alternative is to use the Titus Labs Metadata Security for SharePoint product, which automatically sets up item-level permissions based on administrator-defined metadata security rules.
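The two steps described above, breaking inheritance on a single document and then trimming the copied permissions, can be scripted instead of clicked through, and the same object model lets an administrator report which documents in a library carry unique permissions so that the error-prone manual process can at least be reviewed. The following is an added example written for this page; it is not code from the original post or from Titus Labs. It assumes an on-premises SharePoint Server farm, the SharePoint Management Shell, and the server object model (Get-SPWeb, SPListItem.BreakRoleInheritance, SPRoleAssignment). The site URL, library title, file name and group names are placeholders to be replaced.

```powershell
# Added example, not part of the original post. Runs in the SharePoint Management Shell
# on a farm server (SharePoint Server object model). All names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-UniqueDocumentPermissions {
    param(
        [Parameter(Mandatory=$true)] [string] $WebUrl,        # e.g. http://intranet/sites/finance (placeholder)
        [Parameter(Mandatory=$true)] [string] $LibraryTitle,  # e.g. "Documents" (placeholder)
        [Parameter(Mandatory=$true)] [string] $FileName,      # e.g. "Budget.xlsx" (placeholder)
        [Parameter(Mandatory=$true)] [string] $RemoveGroup,   # broad group that should lose access
        [Parameter(Mandatory=$true)] [string] $GrantGroup,    # narrower group that keeps access
        [string] $PermissionLevel = "Read"                    # permission level name as shown in the site
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$LibraryTitle]
        $item = $list.Items | Where-Object { $_.Name -eq $FileName } | Select-Object -First 1
        if (-not $item) { throw "File '$FileName' was not found in library '$LibraryTitle'." }

        # Breaking inheritance with $true copies the parent's users, groups and
        # permission levels onto the document, exactly as the UI does.
        if (-not $item.HasUniqueRoleAssignments) {
            $item.BreakRoleInheritance($true)
        }

        # Remove the broad group's role assignment from the copied list.
        $broad = $web.SiteGroups | Where-Object { $_.Name -eq $RemoveGroup }
        if ($broad) { $item.RoleAssignments.Remove($broad) }

        # Grant the narrower group only the requested permission level.
        $narrow = $web.SiteGroups | Where-Object { $_.Name -eq $GrantGroup }
        if (-not $narrow) { throw "Group '$GrantGroup' was not found on the site." }
        $roleDef = $web.RoleDefinitions[$PermissionLevel]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($narrow)
        $assignment.RoleDefinitionBindings.Add($roleDef)
        $item.RoleAssignments.Add($assignment)
    }
    finally {
        $web.Dispose()
    }
}

function Get-UniquePermissionReport {
    # Lists every document in the library that no longer inherits, with the
    # principals and permission levels assigned to it, so unique permissions
    # can be reviewed rather than trusted to have been set correctly by hand.
    param(
        [Parameter(Mandatory=$true)] [string] $WebUrl,
        [Parameter(Mandatory=$true)] [string] $LibraryTitle
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$LibraryTitle]
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) {
                foreach ($ra in $item.RoleAssignments) {
                    New-Object PSObject -Property @{
                        Document  = $item.Name
                        Principal = $ra.Member.Name
                        Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                    }
                }
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

# Usage (placeholder values):
# Set-UniqueDocumentPermissions -WebUrl "http://intranet/sites/finance" -LibraryTitle "Documents" `
#     -FileName "Budget.xlsx" -RemoveGroup "Finance Visitors" -GrantGroup "Finance Managers"
# Get-UniquePermissionReport -WebUrl "http://intranet/sites/finance" -LibraryTitle "Documents" | Format-Table
```

Passing $true to BreakRoleInheritance is what makes the behaviour match the post: the document starts with a copy of the parent's assignments, and the script then removes and adds entries rather than building the list from scratch. The report function is the part worth running regularly, because item-level permissions that were set one document at a time drift silently once the library's contents change.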