Assume. Hmm...... That's been overdone, so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept.

That's me though.  I'm not your user.

On 10/27/06, Harvey Kamangwitz <[EMAIL PROTECTED] > wrote:
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was "not only no, but hell no!" to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.
 
And it seems to me that one would implicitly assume that if one were setting access to a resource like SharePoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?
 
- Harvey
 
On 10/21/06, Al Mulnick <[EMAIL PROTECTED] > wrote:
My first reaction is, "NOOOOOOOOOOO" don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources.

Saying that, DGs are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization.

From my perspective, the worst thing ever done by Microsoft was to allow DGs to be security groups. Made it easier to transition PFs, sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled distribution group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases.

I don't know SharePoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above.

TokenBloat is not the only concern you have here, Harvey.


On 10/20/06, Harvey Kamangwitz <[EMAIL PROTECTED] > wrote:
Hi all,
 
I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.
 
We have a request from the SharePoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to SharePoint.
 
Setting permissions on SharePoint sites has always been kind of a pain, partly because of SharePoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic SharePoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access.
 
Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :) In the current version of SharePoint, you can work around this by going to the GAL and manually adding individual users to site access.
 
Apparently the next version of SharePoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.
 
Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400!
 
So...we have to do what we can to mitigate the impact for the large-token people. Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.
 
Thanks,
Harvey
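The token-size question at the end of Harvey's original mail can be put in numbers with Microsoft's published estimate from KB327825 (TokenSize = 1200 + 40d + 8s) and the pre-Windows Server 2012 default MaxTokenSize of 12000 bytes. The Python below is an added example, not part of the thread; the two users' group lists, and the split of their DLs into universal groups in the account domain versus another domain of the forest, are constructed assumptions.

```python
# Added example (not from the thread): estimate a user's access-token size with the
# KB327825 formula TokenSize = 1200 + 40*d + 8*s and compare it with the default
# MaxTokenSize of 12000 bytes (pre-Windows Server 2012; raised to 48000 later).
# Only security-enabled groups put a SID in the token, which is why security-enabling
# a distribution list changes the token while the plain DL did not.
from collections import namedtuple

# scope is "DomainLocal", "Global" or "Universal"; in_account_domain matters for Universal only
Group = namedtuple("Group", "name scope security_enabled in_account_domain")

TICKET_OVERHEAD = 1200
DEFAULT_MAX_TOKEN_SIZE = 12000


def token_size(groups, sid_history_entries=0):
    """d = domain-local groups + universal groups outside the account domain + SID history
    entries (40 bytes each); s = global groups + universal groups in the account domain
    (8 bytes each)."""
    d = sid_history_entries
    s = 0
    for g in groups:
        if not g.security_enabled:
            continue  # distribution-only groups contribute nothing to the token
        if g.scope == "DomainLocal" or (g.scope == "Universal" and not g.in_account_domain):
            d += 1
        else:
            s += 1
    return TICKET_OVERHEAD + 40 * d + 8 * s


def security_enable_all(groups):
    """Model the SharePoint team's request: every group becomes security-enabled."""
    return [g._replace(security_enabled=True) for g in groups]


def impact(groups, max_size=DEFAULT_MAX_TOKEN_SIZE):
    """Return (size before, size after enabling all DLs, whether 'after' exceeds max_size)."""
    before = token_size(groups)
    after = token_size(security_enable_all(groups))
    return before, after, after > max_size


def make_groups(n_global, n_local, n_dl_here, n_dl_remote):
    """Constructed membership: security globals, security domain-locals, then DLs modelled
    as universal groups in this domain (n_dl_here) and in another domain (n_dl_remote)."""
    groups = [Group(f"sec-g{i}", "Global", True, True) for i in range(n_global)]
    groups += [Group(f"sec-l{i}", "DomainLocal", True, True) for i in range(n_local)]
    groups += [Group(f"dl-h{i}", "Universal", False, True) for i in range(n_dl_here)]
    groups += [Group(f"dl-r{i}", "Universal", False, False) for i in range(n_dl_remote)]
    return groups


# Constructed users: a median user (~45 security groups, a few DLs) and the 400-group worst case.
JOE = make_groups(40, 5, 4, 2)
HEAVY = make_groups(100, 30, 40, 230)

if __name__ == "__main__":
    for name, groups in (("joe", JOE), ("heavy", HEAVY)):
        before, after, over = impact(groups)
        print(f"{name}: {before} -> {after} bytes, exceeds default MaxTokenSize: {over}")
```

Cross-domain universal groups cost 40 bytes each rather than 8, so a user whose DLs live mostly in another domain of the forest is the one to watch, and SID history entries add 40 bytes apiece on top.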


