Thanks guys, this has all been terribly reassuring.

 

Has anyone else got something to add which might further depress me? ;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Chris Grist
Sent: Wednesday, 2 July 2008 6:15 PM
To: listserver@ozMOSS.com
Subject: RE: [OzMOSS] SharePoint Groups and Permission Levels

 

What I have done is have

 

Owners - full control, which inside it has a sharepoint admins group,
and a sharepoint owners group(i.e. reps across company who are
sharepoint leaders).

 

Then a group for each unit, i.e. finance, hr, business dev etc.

 

These more specific groups have full control to their units set of sites
by breaking inheritance where they need.

 

I had lots of planning to set it up just right and what im annoyed about
is that say I have the following structure:

 

Home

-          Site1

o   Site2

 

Say I give groups Owners, Members permission over the whole thing. Then
at site2 for "shared documents" an individual group/user is given full
control over that. When viewing the permissions for "Home" they will
appear as "limited access". I could be doing something wrong but all im
saying is that it does seem to end up in quite a bit of a mess J

 

 

Chris Grist
Network Support Officer
education.au Limited

 

Level 1, 182 Fullarton Road
DULWICH SA 5065

 

p +61 8 83343291
f  +61 8 83343211

 

e [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
w www.educationau.edu.au <http://www.educationau.edu.au/> 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Witherdin, Nigel
Sent: Wednesday, 2 July 2008 5:06 PM
To: listserver@ozMOSS.com
Subject: RE: [OzMOSS] SharePoint Groups and Permission Levels

 

We have followed the supposed "best practice" of creating AD groups for
each site (Owner, Approver, Contributor and Visitor) and adding these to
the equivalent MOSS groups.

 

I agree that if you have a large site collection it means that you are
going to end up with hundreds of AD groups, but for us it makes sense
because:

- Our site owners are still coming to grips with the added
responsibility of managing their site (design, content approval, etc.),
having them worry about security would not be acceptable

- use of AD groups means the centralized Starter and Leaver processes
take care assigning/removing peoples access to the portal

 

cheers.

 

Nigel Witherdin

Senior Support Analyst

Eversheds

 

Direct Dial: +44 (0) 84 549 754 17

Mobile: +44 (0) 7738 553256

 

www.eversheds.com <http://www.eversheds.com/> 

 

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul Culmsee
Sent: 02 July 2008 07:11
To: listserver@ozMOSS.com
Subject: RE: [OzMOSS] SharePoint Groups and Permission Levels

I used scriptlogic's other security-explorer products for a large AD
redesign a couple of years ago and had a bug they could not repro which
rendered the product unusable in my case. While the product would have
been ideal if it had worked for me, as a potential client their end-user
support I found disappointing in my case. 

But that may be a once-off incident.

Anyway, the first thing in large AD deployments is that 'best practice'
isn't always best at large scales. The theory will tell you to create AD
groups and add them to SharePoint groups, but if you are putting in
SharePoint to decentralise the administration and delegation of content
admin, then this is not going to help you.  So as a former AD
specialist, I actually have no fundamental objections to adding user
accounts directly into SharePoint groups - particularly team portals
where there is a designated 'site administrator' that has enough rights
to manage access. This is purely a philosophical decision (as is many
SharePoint decisions)

However, if you are of the philosophy that the IT "thought police"
should stay in control of access, then it makes sense to manage it via
Active Directory.

Additionally, one AD redesign I did also had adopted the 'best practice'
of "local groups", with "global groups" as members of the local groups.
However because of a complex filesystem, there were 350 AD groups for
each project file structure (read, write, delete for subfolders with
global and local groups.)  Result? over 35000 groups in AD across all
projects - scary. So many groups had issues with Kerberos authentication
among other things.

So I guess the first thing is to determine the type of site you are
delivering and the philosophy around management of sites and delegation
or centralisation of that management.

Is this any help?

Paul

www.cleverworkarounds.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul Noone
Sent: Wednesday, 2 July 2008 10:51 AM
To: listserver@ozMOSS.com
Subject: [OzMOSS] SharePoint Groups and Permission Levels

Hi guys,

I've recently been tasked with providing a list of groups and
permissions for a new MOSS site collection with a significant Active
Directory.

Does anyone have a no-nonsense approach to this?

I've been looking for a table of SharePoint Groups and their applied
Permission Levels but can't seem to find any detailed or practical
information on this obviously important first step.

I did come across what seems like a fantastic management tool once
things are up and running though. Would be interested to know if anyone
has experience with this.

http://www.scriptlogic.com/products/security-explorer/sharepoint/

Kind regards,

Paul

________________________________

________________________________________________________________________
____
This e-mail is intended for the use of the addressed recipient(s) only
and may contain confidential and privileged information. If you have
received this message in error, please delete the message and any
attachments and copies immediately; and notify the sender by return
e-mail.

Any views expressed in this message or any attachments are those of the
individual sender and do not necessarily represent the corporate opinion
of the Catholic Education Office (CEO), Sydney.

The CEO Privacy Policy is located at http://www.ceo.syd.catholic.edu.au
________________________________________________________________________
____ 

-------------------------------------------------------------------
OzMOSS.com - to unsubscribe from this list, send a message back to the
list with 'unsubscribe' as the subject.
Powered by mailenable.com 

-------------------------------------------------------------------
OzMOSS.com - to unsubscribe from this list, send a message back to the
list with 'unsubscribe' as the subject.
Powered by mailenable.com 

********* This email is sent for and on behalf of Eversheds LLP
*********

This email is sent for and on behalf of Eversheds LLP which is a limited
liability partnership, registered in England and Wales, registered
number OC304065. Registered office One Wood Street, London, EC2V 7WS.
Registered VAT number GB820704559.  A list of the members' names and
their professional qualifications is available for inspection at the
above office. Regulated by the Solicitors Regulation Authority (see
www.sra.org.uk <http://www.sra.org.uk/> ). 

Confidentiality: This email and its attachments are intended for the
above named only and may be confidential. If they have come to you in
error you must take no action based on them, nor must you copy or show
them to anyone; please reply to this email and highlight the error.

************* [ www.eversheds.com <http://www.eversheds.com/>  ]
************* 

-------------------------------------------------------------------
OzMOSS.com - to unsubscribe from this list, send a message back to the
list with 'unsubscribe' as the subject.
Powered by mailenable.com 

 

________________________________

IMPORTANT: This e-mail, including any attachments, may contain private
or confidential information. If you think you may not be the intended
recipient, or if you have received this e-mail in error, please contact
the sender immediately and delete all copies of this e-mail. If you are
not the intended recipient, you must not reproduce any part of this
e-mail or disclose its contents to any other party. This email
represents the views of the individual sender, which do not necessarily
reflect those of education.au limited except where the sender expressly
states otherwise. It is your responsibility to scan this email and any
files transmitted with it for viruses or any other defects. education.au
limited will not be liable for any loss, damage or consequence caused
directly or indirectly by this email.

-------------------------------------------------------------------
OzMOSS.com - to unsubscribe from this list, send a message back to the
list with 'unsubscribe' as the subject.
Powered by mailenable.com 



____________________________________________________________________________
This e-mail is intended for the use of the addressed recipient(s) only and may 
contain confidential and privileged information. If you have received this 
message in error, please delete the message and any attachments and copies 
immediately; and notify the sender by return e-mail.

Any views expressed in this message or any attachments are those of the 
individual sender and do not necessarily represent the corporate opinion of the 
Catholic Education Office (CEO), Sydney.

The CEO Privacy Policy is located at http://www.ceo.syd.catholic.edu.au
____________________________________________________________________________



------------------------------------------------------------------- OzMOSS.com 
- to unsubscribe from this list, send a message back to the list with 
'unsubscribe' as the subject.

Powered by mailenable.com

Reply via email to