Elaine van Bergen Bacchus van Loo @laneyvb [email protected] Regulatory Landscape Considerations How SharePoint permissions work What about Office 365 ? Permissions and Policies Methodology.


Elaine van Bergen
Bacchus van Loo
@laneyvb
[email protected]

Agenda:
• Regulatory Landscape
• Considerations
• How SharePoint permissions work
• What about Office 365?
• Permissions and Policies
• Methodology
Every company on the FTSE 350 list had left employee usernames, email addresses and sensitive internal file location information online.
80%

Transparency / Collaboration versus Data Protection / Management
Diagram: SharePoint 2013 farm topology and network ports. Components shown: User, Load Balancer, Administrator, Web Front, Search Index / Query, Search Administration / Crawl, Content Processing, Analytics Processing, Distributed Cache, Application Server (UPS Service), WorkFlow Farm, SQL Server, DNS, AD, SMTP (mail server), External Content (OLAP), External Content (File Shares). Numbered flows and ports:
(1) Web Access: HTTP/80, HTTPS/443
(2) Central Admin Access: HTTPS/443
(3) Outgoing Email: SMTP 25
(4) AD Authentication: TCP/UDP 445 (Directory Services), TCP/UDP 88 (Kerberos)
(5) Name Resolution: TCP/UDP 53
(6) SQL: TCP 1433, UDP 1434, custom non-default port
(7) AppFabric Caching Service: TCP 22233 – 22236
(8) Search Index Component: TCP 16500 – 16519
(9) SMB – Index Propagation / File Shares crawl: TCP/UDP 445 (over TCP) or TCP/UDP 127, 138, 139 (over NetBIOS)
(10) User List Resolution / Kerberos pwd. change: TCP/UDP 389, TCP/UDP 464
(11) People Search / FIM: TCP 5725
(12) Workflow Manager: HTTP 12291, HTTPS 12290
Zones and authentication:
• Intranet: 1-factor internal auth
• Extranet: 1-factor auth
• Secure external portal: 2-factor auth
Diagram (built up over several slides): the SharePoint permission model. A Role Assignment binds a principal (User or Group) to a Permission Level (F, D, C, R: the default Full Control, Design, Contribute and Read levels) within a Security Scope. The scope is a Site, or a Library with its own Role Assignment once it has unique permissions; the diagram also carries the label W.
Site Permissions / People and Groups
• Assign permissions: permissions selected when creating a group are scoped to the site
• Add user: Site Permissions → Grant Permissions
• Can also grant permissions directly to a group (e.g. an Active Directory group)
• Not recommended to grant permissions directly to users or Active Directory groups

Share a site
• Default: adds the user to the Site Members group
• Show Options: add the user to another group

Access requests (Site Settings → Access Requests and Invitations)
• Email to one address when site access is requested
• Triggered when a user without access attempts to access the site and requests access, or when a site user without Full Control shares the site with a user who does not have access
• Add the user to the appropriate group

Inheritance
• Subsites inherit permissions from parent sites
• Choose Unique Permissions: Site Permissions → Stop Inheriting Permissions

Sharing (Report, Invite, Manage)
• Applies to a Site, List or Library, Folder, Item or Document
• Use the Share interface; when you share, you break inheritance
• Use the Share With interface
• Use the Advanced interface; Advanced interface: Delete Unique Permissions
• Included in the Design permission level

External sharing
• Share sites or documents
• No additional license required
• No user account required in your authentication provider
• Add to access group; choose access level: Edit or View
• Require sign-in or use a guest link; anyone with the link can access the content
• View or Edit only in Office Web Apps; cannot download or open locally
• Revoking permissions to external users
• Disabling and deleting guest links
• Disabling and re-enabling sharing
Diagram: a user given access directly on a Library (W) beneath a Site through sharing.
• There is no visibility that the user belongs or has access
F
D
C
R
Permission Level
Role Assignment
Site
Security Scope
Group
Group
AD User
User
AD Security Group
F
D
C
R
Permission Level
Role Assignment
Site
Security Scope
Group
Advantages / Disadvantages
• "Intranet" sites: AD groups → SP groups to define access
• "Collaboration" sites: add users directly to SP groups
• Ideal world: synchronization of membership
• Side effects of unique permissions (broken inheritance): changes to parent permissions no longer affect child objects; all Web Part content on ASPX pages is no longer indexed
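The two conditions the slides warn about (inheritance broken below a site, and users or AD groups granted directly instead of through a SharePoint group) can be found with the server object model. The script below is an added example, not from the presentation; it assumes the SharePoint 2013 Management Shell on a farm server, and $SiteUrl is a placeholder.

```powershell
# Added example (not from the presentation): audit one site collection for
# objects with unique permissions and for direct user / AD-group grants.
# Assumes the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://intranet.contoso.local/sites/finance"   # placeholder

function Get-DirectGrants($securable, $path) {
    # A role assignment binds a member (user or group) to permission levels
    # (role definitions) within this security scope. Report members that are
    # users or AD groups bound directly rather than through a SharePoint group.
    foreach ($ra in $securable.RoleAssignments) {
        $member = $ra.Member
        if (-not ($member -is [Microsoft.SharePoint.SPUser])) { continue }
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        # "Limited Access" is system-managed, not a grant an admin made; skip it.
        if ($levels -eq "Limited Access") { continue }
        $kind = if ($member.IsDomainGroup) { "AD group granted directly" } else { "User granted directly" }
        [pscustomobject]@{ Object = $path; Finding = $kind; Member = $member.LoginName; Levels = $levels }
    }
}

$findings = @()
$site = Get-SPSite $SiteUrl
foreach ($web in $site.AllWebs) {
    # A subsite with unique permissions no longer follows changes made on the parent.
    if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
        $findings += [pscustomobject]@{ Object = $web.Url; Finding = "Unique permissions (inheritance broken)"; Member = ""; Levels = "" }
    }
    $findings += Get-DirectGrants $web $web.Url
    foreach ($list in $web.Lists) {
        if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }
        $path = "$($web.Url) / $($list.Title)"
        $findings += [pscustomobject]@{ Object = $path; Finding = "Unique permissions (inheritance broken)"; Member = ""; Levels = "" }
        $findings += Get-DirectGrants $list $path
    }
    $web.Dispose()
}
$site.Dispose()
# Item-level unique permissions (created by sharing a single document) are not
# walked here; they would need a per-list item query.
$findings | Sort-Object Object, Finding | Format-Table -AutoSize
```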
Diagram: permissions and policies. Web application Policies (User Policy, Anonymous Access & Policy) apply across the whole Web App, on top of the site-level model in which a Role Assignment binds a User or Group to a Permission Level (F, D, C, R) within a Security Scope.
Audiences are not security.
Diagram: a seven-step methodology cycle (steps numbered 1–7) with the labels Assessment, Analyze, Identify, Assess Risks, Design, Implement, Control, Access, Monitoring, Metadata, Optimization.
Resources:
http://channel9.msdn.com/Events/TechEd/Australia/2013
http://www.microsoftvirtualacademy.com/
http://technet.microsoft.com/en-au/
http://msdn.microsoft.com/en-au/
Keep up to date with all the latest Office 365 information at:
http://ignite.office.com
http://fastTrack.office.com
http://office.microsoft.com