Archive for July, 2010

SharePoint Folder Level Security vs Metadata Based

Thursday, July 29th, 2010

Well, I’m back from vacation. They do pass quickly. I’m caught up on my email, so time to get back to the blog. We’ve recently been doing some work on folder level security so I thought it would be a good topic for this week’s post.

Many blog posts have been written on the use of folders vs metadata to organize lists and documents within Microsoft SharePoint. Many SharePoint experts believe folders should not be used. For example, Chris Poteet's post “The Folder-Less SharePoint Paradigm” discusses many of the reasons why folders are not usually recommended. In “SharePoint Folders vs Metadata”, Eugene Rosenfeld takes a more objective viewpoint, pointing out the benefits of both approaches.

One of the sections Eugene uses for his comparison is Security. He notes that security can be applied at the folder level, but cannot be applied based on metadata. This is true in the base SharePoint product from Microsoft. With the addition of the Titus Labs Metadata Security for SharePoint product, we can use metadata to build security permissions. So security would not be a disadvantage for metadata when doing a folder vs metadata analysis.

My intention was not to get into the metadata vs folder debate in this blog. What I wanted to cover is how folder level security works, and how this can be automated via metadata. First of all let’s look at how basic folder level security works:

  1. Open the list or library that contains the folder for which you want to set security.
  2. Click the drop-down menu to the right of the folder, and then click Manage Permissions. The Permissions page that opens lists all users and SharePoint groups with permissions to the folder and their assigned permission levels. In addition, the page description states the inheritance status for the folder. If check boxes do not appear next to the user and group names on the Permissions page, permissions are being inherited from a parent (list or document library).
  3. If your folder is inheriting permissions, you must first stop inheriting permissions to edit permission levels. To do this, on the Actions menu, click Edit Permissions, and then click OK to confirm.
  4. Select the check boxes for the users and SharePoint groups on which you want to edit permission levels.
  5. On the Actions menu, click Edit User Permissions.
  6. In the Choose Permissions section, select the permission levels you want, clear those you do not want, and then click OK.
  7. Repeat for as many users and groups as you want.
  8. To add additional users or groups, click the New menu, and select Add Users.
  9. On the Add Users screen, type in the names of the users or groups you want to add permissions for, and indicate what permission levels you want them to have.
  10. Click OK to finish.

The above process would need to be repeated for every folder for which you want to manage permissions. Now let’s look at how you could automate the same thing using metadata.

Using the Titus Labs Metadata Security for SharePoint product you can build rules to automatically assign permissions based on metadata. For example, we can build a rule that says “For all documents tagged as Finance, assign full control to all users in the Finance group. Remove permissions for all other users”. Here is a screen shot of what the rule would look like in the Titus Administration tool:

[Screenshot: Metadata security rule for automating file / folder permissions]

These rules can apply to all files or only files within a folder. In addition, these rules can be applied across multiple folders so that you can automate the assignment of permissions across many folders at once.
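The manual steps above (stop inheriting, clear the existing entries, grant a group a permission level), scripted with the SharePoint server object model and applied to every folder and document whose metadata matches, in the spirit of the Finance rule quoted above. This is an added example, not part of the original post and not how the Titus Labs product is implemented; the site URL, library title, "Department" column and "Finance" group are assumptions.

```powershell
# Added example. Run on a SharePoint server by an account with Full Control on the site.
# Assumed names: site URL, "Shared Documents" library, "Department" column, "Finance" group.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Set-ExclusiveAccess {
    param($Web, $Item, [string]$GroupName, [string]$PermissionLevel)

    # Resolve the group and permission level first, so a typo fails
    # before any existing permission is touched.
    $group = $Web.SiteGroups[$GroupName]
    $role  = $Web.RoleDefinitions[$PermissionLevel]

    # Manual step 3: stop inheriting from the parent list or library.
    # $false = do not copy the parent's assignments onto the item.
    if (-not $Item.HasUniqueRoleAssignments) {
        $Item.BreakRoleInheritance($false)
    }

    # "Remove permissions for all other users": drop whatever is still assigned.
    for ($i = $Item.RoleAssignments.Count - 1; $i -ge 0; $i--) {
        $Item.RoleAssignments.Remove($i)
    }

    # Manual steps 8 and 9: add the group with the chosen permission level.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($role)
    $Item.RoleAssignments.Add($assignment)
}

$site = New-Object Microsoft.SharePoint.SPSite("http://sharepoint.example.local/sites/docs")
$web  = $site.OpenWeb()
try {
    $list = $web.Lists["Shared Documents"]

    # Snapshot folders and documents tagged Finance before changing anything.
    $targets = @($list.Folders) + @($list.Items) |
        Where-Object { $_["Department"] -eq "Finance" }

    foreach ($item in $targets) {
        Set-ExclusiveAccess -Web $web -Item $item -GroupName "Finance" -PermissionLevel "Full Control"
        Write-Output ("{0}: unique permissions set" -f $item.Url)
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

This is a one-time pass: an item tagged Finance after the run keeps its inherited permissions, and an item whose tag is later changed keeps the Finance-only permissions until the script is run again with updated logic.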

The benefits of using metadata to assign permissions are:

1) no need to manually define permissions in a folder

2) defining a single metadata rule can set all folder / file permissions

3) metadata rule can span folders so no need to repeat work for each folder

4) changing the security is as easy as going in and changing the metadata rule. All permissions will be adjusted automatically.

Cheers, have a great week…