Best practices for Microsoft SharePoint permissions


1) Encryption of Data in Transit

Data is an irreplaceable asset, and encryption serves as the strongest and the last line of defense in a multi-layered data security strategy.
There are multiple data encryption methods, algorithms and protocols that Microsoft uses across all its products and services, both to provide a secure path for data to travel through the infrastructure and to help protect the confidentiality of data that is stored within the infrastructure.

Data is encrypted while it is in transit, both as it moves from the user to the data center and from a server to the data center, using 2048-bit keys.
There are two scenarios for data in transit:

First Scenario: Client communication with the server.
SSL/TLS connections are used for all SharePoint Online communications across the internet. All SSL connections for SharePoint Online are established using 2048-bit keys.
Second Scenario: Data movement between different data centers.
The primary reason for moving data from one data center to another is geo-replication, which enables disaster recovery.
For example, MS Access transaction logs and blob storage deltas travel along this path. Although the data is transmitted over a private network, it is additionally protected with best-in-class encryption.

2) Encryption of Data at Rest

Microsoft uses some of the strongest and most secure encryption protocols in the IT industry, which act as a barrier against unauthorized access to your data. When data is at rest in the database, two types of encryption are used: disk encryption and file encryption.
Disk-level encryption: BitLocker is used to secure data by user ID and password.
File-level encryption: every file is secured with the Advanced Encryption Standard (AES) using 256-bit keys, which is Federal Information Processing Standard (FIPS) 140-2 compliant.

3) Virus Detection in Microsoft SharePoint Online

In Microsoft SharePoint Online, anti-malware protection is an in-built feature that is provided automatically for files saved or uploaded to document libraries. This protection is provided by the Microsoft anti-malware engine, and the anti-malware service runs on all Microsoft SharePoint Online Content Front Ends (CFEs). Files are scanned for viruses before they are uploaded. If a file is found to be infected, a default property is set so that users can't download it from the browser, and the file is not synced by the OneDrive sync client either.

4) Control Access Based On Network Location

Microsoft has introduced a conditional access capability. One of its major features is the ability to restrict access based on network location, which can be configured from the SharePoint Online Admin center. The policy helps meet regulatory requirements and prevents data loss and leakage from untrusted networks. IT administrators can limit or block access from specific networks in the SharePoint Admin panel. When it is properly configured, any user who attempts to access SharePoint or OneDrive for Business from an outside network is blocked.
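The article describes configuring this policy in the Admin center; the same setting is exposed to scripts through the SharePoint Online Management Shell. The following is an added example, not code from the article, showing how an administrator would apply a network-location restriction with `Set-SPOTenant` (its `IPAddressEnforcement` and `IPAddressAllowList` parameters), recording the previous state first and refusing to enable enforcement if the administrator's own address is not in the allow list. The admin URL, the IP ranges and `$myIp` are placeholders, and `Test-IPInCidr` is a helper written here for the example.

```powershell
# Added example (not from the article): restrict SharePoint Online and OneDrive access
# to trusted network ranges with the SharePoint Online Management Shell.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Constructed values: the corporate egress ranges that should keep access (documentation
# ranges used as placeholders) and the address the administrator is working from.
$trustedRanges = @("203.0.113.0/24", "198.51.100.0/24")
$myIp          = "203.0.113.10"

# Helper for the lockout check: is an IPv4 address inside a CIDR range?
function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)      # big-endian -> host order
    $ipInt  = [uint64][BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [uint64][BitConverter]::ToUInt32($netBytes, 0)
    $mask   = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Record the current policy so the change can be rolled back if needed.
$before = Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
Write-Host "Policy before change:" ($before | Out-String)

# Guard against locking out the administrator: the allow list must cover $myIp.
$covered = $trustedRanges | Where-Object { Test-IPInCidr -Ip $myIp -Cidr $_ }
if (-not $covered) {
    throw "Refusing to enable enforcement: $myIp is not inside any trusted range (lockout risk)."
}

# Apply the restriction: only the listed ranges may reach SharePoint/OneDrive.
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList ($trustedRanges -join ",")

# Confirm what the tenant now reports.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
```

To roll back, run `Set-SPOTenant -IPAddressEnforcement $false`. The lockout guard exists because the policy applies to administrators too: an allow list that omits the network you administer from blocks your own next sign-in.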

5) Custom Script based Restriction

If you want to restrict your users from customizing SharePoint site collections, this feature helps you achieve that goal.
Depending on the needs of the organization, users can be allowed to customize SharePoint sites and pages by inserting script.
However, users who insert script should be aware of the security implications of custom script.
When users are allowed to run custom script, you can no longer enforce governance, scope the capabilities of the inserted code, block specific parts of the code, or block all custom code that has been deployed. Script is allowed by default on sites that admins create. Script is not allowed on OneDrive, on sites that users create themselves (such as Office 365 Group or Modern sites), or on the root site for your organization.

6) Manage External Sharing for SharePoint

External sharing is a widely used key feature for collaborating with non-licensed external users. However, external sharing also increases the possibility of information exposure and data loss: users can unknowingly share files with anonymous users, and data becomes vulnerable if proper security is not applied. For large organizations that keep confidential business information on SharePoint Online, we suggest disabling external sharing links for the complete tenant/farm.
Ensure that only authenticated users can access the content that is shared with them.
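Sections 5 and 6 both describe settings that the SharePoint Online Management Shell can apply and audit: the custom script restriction (the `DenyAddAndCustomizePages` setting on `Set-SPOSite`) and the tenant sharing level (`SharingCapability` on `Set-SPOTenant`). The block below is an added example, not code from the article, that disables external sharing for the whole tenant as the section recommends, denies custom script on every site collection, and then reports any site that still deviates. The admin URL is a placeholder.

```powershell
# Added example (not from the article): harden custom script and external sharing
# tenant-wide, then list the site collections that still deviate from the baseline.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Section 6: disable external sharing for the complete tenant. Site-level sharing can
# never exceed the tenant level, so this caps every site at once.
Set-SPOTenant -SharingCapability Disabled

# Section 5: deny custom script on each site collection. Get-SPOSite -Limit All returns a
# reduced property set, so each site is re-read by URL to get DenyAddAndCustomizePages.
$report = foreach ($site in Get-SPOSite -Limit All) {
    $full = Get-SPOSite -Identity $site.Url
    if ($full.DenyAddAndCustomizePages -ne 'Enabled') {
        Set-SPOSite -Identity $site.Url -DenyAddAndCustomizePages $true
        $full = Get-SPOSite -Identity $site.Url          # re-read to confirm the change
    }
    [pscustomobject]@{
        Url          = $full.Url
        Sharing      = $full.SharingCapability
        ScriptDenied = $full.DenyAddAndCustomizePages   # 'Enabled' means script is blocked
    }
}

# Anything left here needs a human decision: a site still allowing script or sharing.
$report |
    Where-Object { $_.Sharing -ne 'Disabled' -or $_.ScriptDenied -ne 'Enabled' } |
    Format-Table -AutoSize
```

If a blanket `Disabled` is too restrictive, `SharingCapability` also accepts `ExistingExternalUserSharingOnly` (guests already in the directory only) and `ExternalUserSharingOnly` (authenticated guests, no anonymous links), which still satisfy the section's closing requirement that only authenticated users reach shared content. Re-running the block after the change is a cheap way to detect sites whose settings drifted.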

7) Access, Permission, and Sharing

There are three types of users in Microsoft SharePoint Online, namely administrators, power users, and end users. Administrators are the service admins or tenant/farm admins who define the policies and manage the service and site creation requests. Power users are those who use the key features of SharePoint services, such as managers, leads, and organizers. They are the ones who mostly interact with tenant/farm administrators, and they manage SharePoint sites as Site Owners or Site Administrators. End users are the actual contributors in SharePoint, who use the file system and almost all of the features for their productivity.

• Full Control – Contains all available SharePoint permissions. This is also called the Tenant/Farm Admin permission. By default, this permission level is assigned to the Owners group. It can't be deleted or edited.
• Design – Create lists and document libraries, edit pages, and apply themes, borders, and style sheets on the site. No SharePoint group is automatically assigned this permission level.
• Edit – Add, edit, and delete lists; view, add, update, and delete list items and documents. By default, this permission level is assigned to the Members group.
• Contribute – View, add, update, and delete list items and documents.
• Read – View pages and items in existing lists and document libraries and download documents.
• Approve – Edit and approve pages, list items, and documents. By default, the Approvers group has this permission.
• Manage Hierarchy – Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group.
• Restricted Read – View pages and documents, but not historical versions or user permissions.
• View Only – View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files, .pdf files, and .png files, can still be downloaded.

You can create new permission levels and also edit existing permission levels.

8) All Permission Levels in SharePoint

Microsoft SharePoint Online also allows you to create SharePoint groups. These groups are associated with permission levels in order to grant access to users.
To simplify management, you only need to add users to these SharePoint groups so that a user can access multiple locations through a single group. For example, if you want to give the group "Sales" access to folders 1 to 10 and the group "Production" access to folders 11 to 20, you only need to add each group to its folders once. When a new user becomes a member of either group, that user automatically gets access to the respective folders.

SharePoint Online also provides the ability to use Active Directory-based security groups, which can be added to SharePoint sites.

Permission and sharing settings are easy to manage for all users. To manage site-level permissions and other settings in SharePoint, a user needs at least Owner permission or admin rights on that site.
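Sections 7 and 8 recommend granting access through groups tied to permission levels rather than to individuals. A practical check is to list who actually holds Full Control on a site and which users received access directly rather than through a group. The following is an added example, not code from the article, using `Get-SPOSiteGroup` and `Get-SPOUser` from the SharePoint Online Management Shell; the admin and site URLs are placeholders and `Get-SitePermissionReview` is a function written for this example.

```powershell
# Added example (not from the article): review Full Control holders and directly
# assigned users on one site collection.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"      # placeholder admin URL
$siteUrl = "https://contoso.sharepoint.com/sites/finance"           # placeholder site URL

function Get-SitePermissionReview {
    param([string]$Url)

    # 1. Every group whose permission levels include Full Control, with its members.
    #    Roles is the list of permission levels bound to the group; Users its member logins.
    Get-SPOSiteGroup -Site $Url |
        Where-Object { $_.Roles -contains 'Full Control' } |
        ForEach-Object {
            $group = $_
            foreach ($member in $group.Users) {
                [pscustomobject]@{ Finding = 'Full Control via group'; Group = $group.Title; Principal = $member }
            }
        }

    # 2. Site collection administrators hold Full Control regardless of any group.
    $users = Get-SPOUser -Site $Url -Limit All
    $users | Where-Object { $_.IsSiteAdmin } | ForEach-Object {
        [pscustomobject]@{ Finding = 'Site collection admin'; Group = '(none)'; Principal = $_.LoginName }
    }

    # 3. Individual users (not groups) that belong to no SharePoint group on this site:
    #    their access was granted directly and bypasses the group model from section 8.
    $users | Where-Object { -not $_.IsGroup -and -not $_.IsSiteAdmin -and $_.Groups.Count -eq 0 } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'Direct assignment (review)'; Group = '(none)'; Principal = $_.LoginName }
        }
}

Get-SitePermissionReview -Url $siteUrl | Sort-Object Finding, Principal | Format-Table -AutoSize
```

The third finding is the one worth acting on most often: a user who is on the site but in no group usually got item- or folder-level access through a share link, which is exactly the kind of grant that the group approach in section 8 is meant to replace. Running the function across `Get-SPOSite -Limit All` turns it into a tenant-wide review.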
 
