Solved

SharePoint Security Design

Posted on 2015-01-19
5
8 Views
Last Modified: 2016-11-23
This question centers around securing files in a document library. I am designing an external SharePoint web site for users to log into.  All users and groups are part of a single Windows domain. I will be sharing files with users based on which security group they belong to. I need to ensure that files that are meant to be seen by one group are not viewable/searchable by anyone else not in that group.  My first thought is to setup a separate site collection for each group (all using the same Web Application) containing a unique library for that group.  However I could also just have one site collection that has a library for each group.  I could also just have one library that uses folder level security based on group membership or I could  assign permissions directly to the files. It is critical that one group does not see the other groups files or be able to search on them.  It should look like the user is logging into a personalized site that only contains their files.

What is the best security practice for setting up this SharePoint site. I know there are factors other than security to consider (and I would like to hear about those as well) but my focus right now is mainly on data security.
0
Comment
Question by:jledbetter
5 Comments
 
LVL 44

Accepted Solution

by:
Rainer Jeschor earned 250 total points
ID: 40558339
Hi,
imho it depends a little bit on your plans for further / additional usage of your SharePoint site. If it is just some kind of document storage without personalized / group dependent content (e.g. on the start page), you might go the route with dedicated document libraries.

For a more sophisticated way like customized start pages, I would suggest to create dedicated site collections (in separate content databases) - where you can simply configure each site collection setting independently from the other (e.g. recycle bin, retentions ...).

In general you should avoid setting permissions on the lowest levels like files or folders - but this is mostly due to an increased user administration / management effort/work load.

Just my 2ct
Rainer
0
 
LVL 14

Assisted Solution

by:SneekCo
SneekCo earned 250 total points
ID: 40559048
It is critical that one group does not see the other groups files or be able to search on them.  It should look like the user is logging into a personalized site that only contains their files.

Having that above statement in your questions, Rainer is spot on. Use at least separate site collections. If really really secure then possibly separate web applications, if you can stay under the new 2013 recommendations on the number of web apps (10 - 20 web apps is the new max.) The advantage of web apps would be the addition of web app level user policy. Otherwise the individual site collection model would work fine for you. Rainer is also spot on for everything else, so he should get all the credit on this one.

Hope that helps...
0
 
LVL 1

Author Comment

by:jledbetter
ID: 40559981
Thank you both for your feedback!  I don't envision ever having more than 50 people log into the site. I would like to have personalized text when the user logs in however I found that some companies such as Bamboo Solutions make a web part that displays content based on the user or group (Hello web part) so that I don't need to build customized content on each site collection. This is really all of the customization that I need. Therefore it would be nice if I didn't have to build a separate site collection for every group from an administrative stand point but not if it compromises security.

If I would never have more than 100 top level folders, then what is the harm in assigning permissions for the groups at the top level folder for simplicity?  I wouldn't need to adjust any down-level permissions.  I also don't see the size of the library growing beyond 25 to 50gb.  Is there a security flaw in this design?
0
 
LVL 17

Expert Comment

by:GreatGerm
ID: 41898812
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

SharePoint Designer 2010 has tools and commands to do everything that can be done with web parts in the browser, and then some – except uploading a web part straight into a page that is edited in SPD. So, can it be done? Scenario For a recent pr…
We had a requirement to extract data from a SharePoint 2010 Customer List into a CSV file and then place the CSV file into a directory on the network so that the file could be consumed by an AS400 system. I will share in Part 1 how to Extract the Da…
This video discusses moving either the default database or any database to a new volume.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now