Advantages
1. Extremely easy to setup. When you create a new document library, you are off to the races. No special security configuration is needed. This is strength in small distributed SharePoint implementations where the group shares everything and security is not a big concern. In this type of environment simplicity and speed are the most important factors.
2. It is always possible to break the inheritance and assign specific permissions for an object. So, in addition to being very easy to setup, it is also flexible enough that you can tailor permissions for certain objects which require special security.
3. Any change to a permission in the parent site is automatically applied to any child sites. This means I only need to make a security change in one place and that change will be automatically applied to all the child sites.
4. Does not require special administrator training on security. You don’t need a security expert to setup SharePoint. Your standard SharePoint administrator can handle all the security tasks.
5. Inheritance can cascade down several levels. If you have a folder created in a document library, which is part of a site, the permissions can flow down to the folder and all of the documents in the folder automatically.
Disadvantages
1. Because it is so easy to setup, many SharePoint administrators don’t even think about security permissions. This can lead to situations where certain sensitive information saved to SharePoint can be inadvertently compromised.
2. Permission inheritance assumes that permissions for a particular document library should be the same as permissions for all the other document libraries. This is often not the case as some document libraries may contain more sensitive information.
3. This model is hard to administer if you want to change permissions. If you don’t want to inherit the permissions there is no way to stop the inheritance. You still need to break the inheritance from the parent object and then go in and manually remove all the permissions that are not appropriate. This can be a very time consuming task. The only situation where you can say that you don’t want to inherit permissions is for a sub-site. It would be nice if you could do this with other objects like document libraries and lists.
4. There is a lack of tools for administrators if an organization does not want to use inheritance. Setting up unique permissions for libraries and documents is difficult and time consuming. Maintaining these unique permissions is even more difficult. How does an administrator know which libraries or documents have unique permissions? There are no reports which provide this information. As a result it is very hard to track and maintain objects which have unique permissions which may need to be changed at some point.
To learn more about standard security for SharePoint document libraries and inheritance check out my SharePoint Security video on YouTube.
Charlie
Some comments about the disadvantages:
2. The permissions for a library or list are assumed to be the same as the parent site, not other libraries.
3. You can enable/disable permission inheritance at any level (Site, list/library and list/library items).
4. It's pretty easy to create a SSRS report to access SharePoint web services and provide this information.
Brad
Posted by: Brad | 10/08/2009 at 01:01 PM
Hi,
"How does an administrator know which libraries or documents have unique permissions"
On a site or library, go in the permissions panel. On the yellow top bar just click on "Show me uniquely secured content" and that's it ;)
Posted by: Alexander | 10/06/2010 at 08:26 AM
Alexander,
I don't see this in SharePoint 2007. Is this SP 2010 only?
Posted by: Charlie | 11/12/2010 at 11:12 AM