In the second half of 2010, WikiLeaks has been in the media and top of mind for many people who are responsible for sensitive information. The world is well aware of the numerous data leaks made available on the internet over the past 6 months. These include over 70,000 log entries from the Afghan war, almost 400,000 log entries from the Iraq war, and the planned release of approximately 250,000 U.S. diplomatic cables spanning from 1966 to 2010. I imagine that many SharePoint administrators and corporate security officers are asking themselves, “What kind of sensitive documents are my users uploading to SharePoint, and how much am I at risk of a similar data breach?” Although the WikiLeaks breaches did not involve SharePoint, the concern is still very real and the risks are very similar for sensitive documents in SharePoint.
Archive for 2010
A lot of companies are starting to use SharePoint 2010 Managed Metadata Service to add meaningful metadata to the documents. This metadata can then be used for search, retention, or to help them manage security of their SharePoint documents.
Before SharePoint 2010 was released this was hard to do on an enterprise basis. It was always possible to add site columns or content types to sites, but it was difficult to distribute these across SharePoint farms and sites prior to SharePoint 2010. With the new Managed Metadata Service an organization can easily define an enterprise metadata term store and have that used across all SharePoint farms in the organization.
In addition to adding metadata to SharePoint 2010 documents using an enterprise term store, it is now possible to automatically add permissions to documents as they are being created, based on the terms (metadata) assigned to the document. More on that later; first let’s have a look at how to set up the Managed Metadata Service.
Setting up Managed Metadata Service can be a little complex. It seems like you have to set this up in 3 or 4 different places before you can get it working. It took me a while to get this working. In terms of the different steps you need to go through to turn on Managed Metadata Service and define a term store I found this a useful blog:
Once the Managed Metadata Service and Term Store are configured, we can start to use the terms in our Document Libraries. This can be done in a number of different ways, but the easiest way is to create a new column of type Managed Metadata in your document library. When creating the column select the Managed Metadata type. Then you get prompted with the screen below which allows you to associate a term store with the column.
In this case we’ve added a column called classification. Once we’ve added the column we can prompt the user to select the metadata every time a new document is created or uploaded.
OK, now we have our documents and the associated metadata. Next we want to automatically add security permissions to the documents based on the metadata tag assigned. For example, if a tag of PUBLIC was selected for the document we can allow everyone to have Read access. If a tag of CONFIDENTIAL – LIMITED DISTRIBUTION is assigned we can assign Read permissions to a specific group, perhaps the Management team. This can be done using the Titus Labs Metadata Security for SharePoint product. The most recent release of this product (V2.1) fully supports SharePoint 2010 Managed Metadata Service.
In addition, for very sensitive information some customers have deployed the Microsoft Rights Management addon for SharePoint. This allows DRM permissions to be assigned to documents as users open them or remove them from a SharePoint library. Using Metadata Security for SharePoint, the permissions automatically assigned to documents will be used by Rights Management to assign appropriate DRM permissions.
Have more questions on how to secure SharePoint 2010 documents or items? Let me know and I’ll see if I can help… Charlie
Well, I’m back from vacation. They do pass quickly. I’m caught up on my email, so time to get back to the blog. We’ve recently been doing some work on folder level security so I thought it would be a good topic for this week’s post.
There have been many blogs written on the use of folders vs metadata to organize lists and documents within Microsoft SharePoint. Many SharePoint experts believe folders should not be used. For example, this blog by Chris Poteet “The Folder-Less SharePoint Paradigm” discusses many of the reasons why folders are not usually recommended. In this blog, SharePoint Folders vs Metadata, Eugene Rosenfeld takes a more objective viewpoint pointing out the benefits of both approaches.
One of the sections Eugene uses for his comparison is Security. He notes that security can be applied at the folder level, but cannot be applied based on metadata. This is true in the base SharePoint product from Microsoft. With the addition of the Titus Labs Metadata Security for SharePoint product, we can use metadata to build security permissions. So security would not be a disadvantage for metadata when doing a folder vs metadata analysis.
My intention was not to get into the metadata vs folder debate in this blog. What I wanted to cover is how folder level security works, and how this can be automated via metadata. First of all let’s look at how basic folder level security works:
- Open the list or library that contains the folder for which you want to set security.
- Click the drop-down menu to the right of the folder, and then click Manage Permissions. The displayed Permissions : page displays all users and SharePoint groups with permissions to the folder and their assigned permission levels. In addition the page description describes the inheritance status for the folder. If check boxes do not appear next to the user and group names on the Permissions page, permissions are being inherited from a parent (list or document library).
- If your folder is inheriting permissions, you must first stop inheriting permissions to edit permission levels. To do this, on the Actions menu, click Edit Permissions, and then click OK to confirm.
- Select the check boxes for the users and SharePoint groups on which you want to edit permission levels.
- On the Actions menu, click Edit User Permissions.
- In the Choose Permissions section, select the permission levels you want, clear those you do not want, and then click OK.
- Repeat for as many users and groups as you want.
- In order to add additional users or groups, click the New menu, and select Add Users.
- On the Add Users screen, type in the name of the users or groups you want to add permissions for, and indicate what permission levels you want them to have.
- Click OK to finish.
The above process would need to be repeated for every folder for which you want to manage permissions. Now let’s look at how you could automate the same thing using metadata.
Using the Titus Labs Metadata Security for SharePoint product you can build rules to automatically assign permissions based on metadata. For example, we can build a rule that says “For all documents tagged as Finance, assign full control to all users in the Finance group. Remove permissions for all other users”. Here is a screen shot of what the rule would look like in the Titus Administration tool:
These rules can apply to all files or only files within a folder. In addition, these rules can be applied across multiple folders so that you can automate the assignment of permissions across many folders at once.
The benefits of using metadata to assign permissions are:
1) no need to manually define permissions in a folder
2) defining a single metadata rule can set all folder / file permissions
3) metadata rule can span folders so no need to repeat work for each folder
4) changing the security is as easy as going in and changing the metadata rule. All permissions will be adjusted automatically.
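To make the idea concrete, here is a minimal script that applies the kind of rule described above through the SharePoint server object model. It is an added example, not code from the original post and not how the Titus Labs product is implemented. The site URL, library name, column name and the Management group name are assumptions; it defaults to a dry run that only reports what it would change.

```powershell
# Added example: run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values: replace with your own site, library, column and group names.
$siteUrl     = "http://sharepoint.example.local/sites/docs"   # placeholder URL
$libraryName = "Shared Documents"
$tagColumn   = "Classification"   # single-value Managed Metadata column
$dryRun      = $true              # report only; set to $false to apply changes

# Rule table: term label -> SharePoint group and permission level to grant.
$rules = @{
    "Finance"                             = @{ Group = "Finance";    Level = "Full Control" }
    "CONFIDENTIAL – LIMITED DISTRIBUTION" = @{ Group = "Management"; Level = "Read" }
}

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$libraryName]
    foreach ($item in $list.Items) {
        $value = $item[$tagColumn]                 # TaxonomyFieldValue or $null
        if ($value -eq $null -or -not $value.Label) { continue }
        $rule = $rules[$value.Label]
        if (-not $rule) { continue }               # untagged or unmapped: leave inherited

        # Resolve group and level first, so a typo in the rule table
        # cannot leave a document with no permissions at all.
        $group = $web.SiteGroups[$rule.Group]
        $role  = $web.RoleDefinitions[$rule.Level]
        if (-not $group -or -not $role) { Write-Warning "Bad rule for $($value.Label)"; continue }

        Write-Host ("{0}: '{1}' -> {2} ({3})" -f $item.Url, $value.Label, $rule.Group, $rule.Level)
        if ($dryRun) { continue }

        # Stop inheriting, drop every existing assignment, then grant the rule's group.
        $item.BreakRoleInheritance($false)
        for ($i = $item.RoleAssignments.Count - 1; $i -ge 0; $i--) {
            $item.RoleAssignments.Remove($i)
        }
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($role)
        $item.RoleAssignments.Add($assignment)
    }
}
finally {
    $web.Dispose()
}
```

A one-off script like this only fixes permissions at the moment it runs; documents tagged or retagged afterwards keep whatever permissions they had until it is run again.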
Cheers, have a great week…
Another great presentation to another great group – the Sacramento SharePoint User Group!
I had the pleasure of speaking to this group on May 20 and would like to thank them for allowing us to provide some background on Titus Labs, and on our SharePoint product line – Metadata Security, Document Marking and PDF Control for SharePoint.
The feedback at these events is always mutually beneficial. It allows us as a vendor to educate users on increasing security and protecting information in their SharePoint environments. And, on the flip side, it continues to provide us at Titus Labs with endless ideas on future releases, use cases and ideas for functionality that we can bring to our developers who are always ready and eager to hear customer feedback. What the people want, the people get!
Some key themes came up in the Q&A session after the presentation – SharePoint 2010 support; reporting; and how we license our products.
1) When will we support SharePoint 2010?: As Charlie mentioned in his posting on May 26, we are in the final stages of doing QA testing for our Metadata Security for SharePoint product for SP 2010 and hope to have a beta release in the next few weeks. Many questions were based on curiosity as most companies have not yet, it seems, made the migration over to 2010. They have it on the list of ‘projects’ for this summer, so knowing that we can support the Security functionality for them upon completion of those projects is a must.
2) Reporting: Reporting, Reporting: This is a favourite! We did build out a deeper report in our second release of the Metadata Security for SharePoint product that provides the tracking and ‘quick view’ of what users/groups have access to in what documents in the library. This becomes important for auditing purposes. We can do it now, and it will only get better. We are in the planning stages of our third release of the product and there is even more reporting there to quench the thirst of the SP administrators/executives who can’t get enough!
3) Licensing: We currently license the product by ‘server’ – this makes things straightforward and more cost effective for companies to invest. They know the price, and there are no surprises down the road as they add more and more content to their repositories.
If there is one thing we have learned in all of these presentations and “meet and greets” with customers, it is that no two company environments are exactly the same. Having the flexibility with Titus Labs SharePoint Security suite of products allows organizations to customize the tools to their own specific environments and that is the biggest struggle for companies trying to implement SharePoint Security – they need to maintain control, but have the flexibility to customize it internally. Titus Labs bridges that gap for them with our SharePoint Security enhancements.
I look forward to hearing more from other user groups out there. Perhaps a SharePoint Saturday event will be in the near future for Titus Labs!
– Jennifer Lalumiere