Archive for August, 2009

SharePoint Item Level Security

Wednesday, August 26th, 2009

As the diagram shows below, there are three main elements to SharePoint security, the permissions assigned, the user or group assigned the permissions, and the object secured (site, library, document etc).


The standard SharePoint security model is primarily based on the concept of inheritance. Permission inheritance is the easiest way to setup security for SharePoint. By default, permissions for a library are inherited from the site, and permissions for the documents are inherited from the library. Inheriting permissions is the easiest way to manage security for a group of sites or document libraries. However, permission inheritance assumes that permissions for a particular document should be the same as permissions for all the other documents This is often not the case as some document libraries may contain more sensitive information.

To change the permissions for a particular document the standard inheritance model must be broken. Inheritance for any securable object at a lower level in the hierarchy can be broken by editing the permissions (creating a unique permission assignment) on that securable object. For example, you can edit the permissions for a document, which breaks the inheritance. This copies the groups, users, and permission levels from the parent site to the document itself. The administrator can then either add or remove specific permissions in the list to create a unique set of permissions for the document. This is called item level security. For a demonstration on how this is done, see my Youtube video at

Item level security is extremely powerful as it gives you the ability to filter which documents users can see. The shortcoming of item level security is that you must go into each document one at a time in order to setup permissions for the documents. This process can be extremely time consuming and error prone. Alternative solutions to item level security include creating separate document libraries or separate folders containing documents that are appropriate for certain groups of users. An additional alternative is to use the Titus Labs Metadata Security for SharePoint product which will automatically set up item level permissions based on administrator defined metadata security rules.

Microsoft Windows Server 2008 R2 File Classification Infrastructure (FCI)

Tuesday, August 11th, 2009

Recently Microsoft has announced the File Classification Infrastructure (FCI) that will be part of Windows 2008 R2.  Windows Server 2008 R2 just RTMed a few weeks ago. FCI includes the ability to define classification properties, automatically classify files based on location and content, invoke file management tasks such as file expiration and custom commands based on classification, and produce reports that show the distribution of a classification property on the file server.  The best thing about FCI is that it’s free, as it is included when you purchase Windows Server.

Bringing file classification into the server operating system is definitely an interesting development.  But this is a SharePoint blog, so what does FCI have to do with SharePoint and metadata?  Well, it could potentially be a way to help organizations get more valuable metadata into SharePoint.  But more on that later, first let’s have a closer look at what FCI can do.

FCI is basically a process that can be scheduled on the file system.  It can be used to automatically classify files.  This classification doesn’t usually happen as soon as you save a file, but rather sometime during the day when the process is scheduled.  Microsoft has delivered a number of classification functions with the server such as the ability to apply classification by file folder, or based on the content of the file.  Microsoft has also published the APIs which allow other third parties to extend the classification capabilities, or to provide other file functions such as storage management based on the classifications.  FCI allows organizations to define rules to manage their data more effectively and to decide what should be retained and where should it be stored. This potentially can reduce the cost of storage and mitigates risks for data loss or retention purposes.  For example: the organization might have a policy to expire files that are 10 years old and are not critical to the business. This policy can be translated to use the new file management tasks to expire files across file servers.

Microsoft says that FCI can be used to identify files that:

  • Contain sensitive information and are located on servers with lower security and move the files to servers with higher security.
  • Require different backup schedules and backup the files accordingly.
  • Require different backup solutions based on the sensitivity of the information in the files.

Classification on the file server can be very useful.  But what if a user wants to change a classification that was set by FCI on the server?  For example, based on finding PII in the content, FCI may classify a file as INTERNAL. When a user opens this file in an Office application, they remove the PII and want to re-classify the file. Microsoft does not provide this type of classification on the desktop.  Perhaps this is something that will come in a post Windows 7 operating system?  The desktop classification products offered by TITUS provide this desktop functionality today.

But let’s get back to SharePoint. What value could FCI bring to SharePoint? FCI could be used as a means to populate metadata into Office documents before they are saved into SharePoint.  This could be true for new files, or could be used to add metadata to older files.  Using one of the available classification methods (by folder, by content etc.) a number of files could be classified.  The screenshot below shows an example of a classification rule in FCI.  In this case all documents in the folder will get the same classification.

Classification Rule Definitions

The classification metadata is inserted into the custom properties of the Office document when it is classified.  So this metadata will travel with the document.  The following screenshot shows the metadata of a document called “Test from Alice” in that folder after the rule has been applied. Notice the property name called Classification and its value RESTRICTED.

Test From Alice

When the document(s) is saved to SharePoint all of the metadata is available.  The metadata can be displayed in SharePoint by defining a custom column with the same name as the classification property that was created in FCI. The screenshot shows the document after being uploaded to SharePoint.  Notice a custom column called Classification was added to the SharePoint document library.

When your organization makes the move to Windows Server 2008 R2, have a look at FCI, it’s an easy way to get started in the world of classification.