FREE Secure Score Assessment for Cyber Security Awareness Month
Book now
layer 1 layer 2 layer 3 layer 4 layer 5 abstract shapes

SharePoint Permissions: Why Businesses Should Tighten Security

Posted 11th May 2023

SharePoint Online permissions evolve and change over time – left unchecked this can lead to security breaches or access to confidential information.  In this article we explore the benefits of SharePoint, the need to focus on permissions and some best practice advice.

Why organisations use SharePoint Online

Before we look at the issue of SharePoint Online permissions, it’s worth affirming the decision to use it. SharePoint Online is an incredibly powerful and versatile option for organisations and businesses, with countless benefits and opportunities for customisation. Businesses that use it often cite its multifunctionality as a key benefit, and in the digital age it is coming into its own on several fronts. Among the key benefits are:
• Document management
• Collaboration tools
• Application integration support
• Advanced security features
• Mobile capabilities
• Subscription pricing model

When it’s configured properly, and with the right tools in place, SharePoint Online is a fantastic, and incredibly secure, as-a-Service software.
So what’s the issue with permissions?

The evolution of SharePoint

As more businesses and organisations digitise their operations, either with cloud-first strategies or hybrid deployments, the issue of data access and permissions needs a shift in thinking too. Many businesses have gotten used to doing things a certain way with SharePoint, accepting the closed-circuit nature of on-premises SharePoint Servers that have traditionally allowed IT teams to easily and completely isolate the system from the outside world. As these organisations move to SharePoint Online, the infrastructure becomes a cloud-based one and it can be easy for certain permissions to get overlooked. The very nature of the architecture, however, demands that this is the time to give permissions much more thought, not less.

A new architecture needs a new mindset

As a cloud service, SharePoint Online requires users to be authenticated before they can access anything, let alone confidential data. Ostensibly, this should make the data much more secure – and in fact when it’s done right, it does just that. But if the internal permissions aren’t set correctly, or they haven’t been set at all, it can result in confidential data being ‘open’ to anyone with initial access to the environment. If somebody can log in to SharePoint and there are no further permissions set for the data being held, stored or shared within it, that user could end up with access to the most confidential data the organisation holds.

Default groups with default permissions

Unlike legacy SharePoint Server setups, where the hierarchical structure of sites and sub-sites allows permissions to be set for various levels, the SharePoint Online Information Architecture (IA) is flat. Every site that’s created lives at the same level, with its own set of SharePoint groups and default permissions, and access needs to be managed differently.

The ‘default’ aspect of this is where potential problems can arise. Microsoft has built groups and permission levels into SharePoint Online for communication sites, and into the Microsoft 365 environment for team sites, and assures users that these defaults will ‘cover most common scenarios’. But for organisations that hold, store and share masses of confidential data, access will need to be managed on a more fine-grained basis.
For subscription Microsoft 365, for example, one default group gives permission to ‘everyone except external users,’ and contains any and every user that gets added to the directory. Even in the most open organisations, it’s arguably rare that this degree of access is necessary.

What permission levels can be set?

Permissions allow SharePoint users to perform certain actions, such as to access items, edit items in a list, or create a site. But individual permissions can’t be assigned to individual users – these have to be grouped together into a permission level, which is subsequently assigned to a group that includes the users you want to assign permission to.

The default permission levels for each group are Full Control, Edit and Read, but other options include:
• Design
• Contribute
• View Only
• Create new subsites
• Limited Access

Limit permission to preserve data

As with most cloud-based solutions, the best policy is to deny first, review later, and the same holds true for permissions in the SharePoint Online environment. Whenever and wherever permissions are involved, there are certain best-practice principles that should be applied as standard, including:
1. Keeping it as least permissive as possible
2. Securing the largest objects possible
3. Avoiding granular permissions wherever possible
4. Avoiding breaking permissions if at all possible
5. Building for security, not by organisational units

As a general rule of thumb, it’s almost always better for someone to not have access to something they need and grant it later, than for someone to have access to something they shouldn’t and have to revoke it at a later date. People will always come and tell you if they can’t access the data they need, but very few will come and tell you if they’ve got access to something they shouldn’t have – not least of all because they might not even know about it.

Professional support for SharePoint permissions

SharePoint Online is a hugely powerful application that brings a mass of benefits to businesses and organisations. In the age of hybrid work, it enables a modern workplace and a more collaborative, communicative and productive workforce. Businesses can tailor the environment to be exactly what they need it to be. But its versatility also makes securing data a daunting prospect.

BCN is an experienced SharePoint development services provider, and our expert technicians know their way around a custom environment – as well as what needs to be done to best protect it. Our SharePoint Permissions Audit is designed to help you see – and then manage – who has access to what data, with specialist help on-hand to implement any recommendations, as well as the option of enlisting ongoing support for your users.

Find out more about our audit services here, or book a call with one of our team today.