SharePoint Redirect Web Parts - Sometimes a Sledgehammer is Better than a Scalpel

Let’s do a quick test of your knowledge of the WSS 3.0 security model.  Please consider the following scenarios:

Scenario #1

Human Resources is migrating all personnel data to SharePoint.   A new list of “Employees” has been created, including columns such as Salary, Performance Rating, and Stock Options Granted.  By policy, only Directors within Human Resources and a specified list of administrative personnel may view this list.   The HR site is not the top level of the site collection.  By default, all members of the Human Resources department have “Contributor” rights to the HR site.  Item level security has been applied to the list.  Only named members of a Cross Site Group called HR Managers may view or edit the “Employees” list.

Question:  Could employees other than those specified in the Cross Site Group view or edit this data?

Scenario #2

Research & Development maintains a document library in their team site.  This document library contains Word documents that describe new technologies in development.  It is critical that these documents are not circulated outside of the company.  The R&D site is not a top level site collection.  By default, all members of the Research & Development department have “Design” rights to the site.  By default, employees who are not part of R&D have only “Read” access to the R&D site.  Object level permissions have been assigned to the document library, providing access only to members of a SharePoint Group called “R&D Authors”.

Question:  Are there circumstances in which an employee who is not a member of the Research & Development department could gain access to the protected document library?

 

Do you know the answer to these questions?   Are you willing to bet your job that you’re 100% correct?  How would you test for these scenarios?   What happens as new employees come and go and changes are made to your SharePoint deployment?

The seasoned administrators in the audience saw through these questions immediately, quickly realizing there wasn’t enough information provided to give any kind of real answer.  The scenarios simply illustrate that, given SharePoint’s robust security capabilities, things can get complicated quickly.  With permissions being inherited, superseded and overwritten, it is possible, if not likely, that corner cases will arise in which sensitive data is exposed, despite our best attempts to protect it.
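A toy model of Scenario #1, added here as an illustration (not Bamboo's code and not the SharePoint object model), shows two of the missing facts that decide the answer: what remains in the list's copied permissions after inheritance is broken, and who is a site collection administrator. The user names, the `HR Members` group and the `CORP\HR-All` domain group are constructed sample data.

```python
from dataclasses import dataclass, field

AD_GROUP = r"CORP\HR-All"  # constructed, like every other name in this added example

@dataclass
class Securable:                        # a site, list or item
    parent: "Securable | None" = None
    unique: bool = False                # True once inheritance is broken
    assignments: dict = field(default_factory=dict)  # principal -> permission level

    def acl(self):
        """Assignments in force: own if unique, otherwise the nearest ancestor's."""
        if self.unique or self.parent is None:
            return self.assignments
        return self.parent.acl()

    def break_inheritance(self):
        """Stop inheriting; the parent's assignments are copied as the starting point."""
        self.assignments = dict(self.acl())
        self.unique = True

def principals_of(user, groups):
    """The user plus every group that contains them, following nested groups."""
    found, size = {user}, 0
    while len(found) != size:
        size = len(found)
        found |= {g for g, members in groups.items() if members & found}
    return found

def who_can_read(obj, users, groups, site_collection_admins):
    """Map each reader of obj to the reason (every level in the sample includes view)."""
    readers = {}
    for user in users:
        granted = sorted(p for p in principals_of(user, groups) if p in obj.acl())
        if user in site_collection_admins:   # not bound by object-level permissions
            readers[user] = "site collection administrator"
        elif granted:
            readers[user] = f"{granted[0]} ({obj.acl()[granted[0]]})"
    return readers

def scenario_one(remove_copied_assignment):
    groups = {"HR Managers": {"alice"}, "HR Members": {AD_GROUP}, AD_GROUP: {"alice", "bob"}}
    hr_site = Securable(unique=True, assignments={"HR Members": "Contribute"})
    employees = Securable(parent=hr_site)
    employees.break_inheritance()
    employees.assignments["HR Managers"] = "Contribute"
    if remove_copied_assignment:
        del employees.assignments["HR Members"]
    return who_can_read(employees, ["alice", "bob", "carol", "dave"], groups, {"carol"})
```

With `scenario_one(False)`, bob still reads the list through the copied `HR Members` assignment and its nested domain group; with `scenario_one(True)`, only alice and the site collection administrator carol remain.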

One solution to such a scenario is “the nuclear option”.  You can apply a brute-force, too-simple-to-screw-up technology.   Allow me to introduce Bamboo’s version of Fat Man and Little Boy, User Redirect Web Part and Group Redirect Web Part.

Both Web Parts do exactly what you would guess based on their names.  Drop either Web Part on a page, specify either the user name or identify a group (SharePoint or Active Directory) and input the URL of the page that these users should see instead.

Is this a SharePoint Best Practice?  Is this an elegant way to architect security in your SharePoint farm?  Surely not.  However, is this a surefire way to quickly keep people from seeing content they shouldn’t?  You bet.  With either of these SharePoint redirect Web Parts in your Web Part gallery, it will literally take you 30 seconds or less to unilaterally exclude individuals or groups from part of your SharePoint site. 

With very little imagination, I’m sure you can think of many situations in which these simple Web Parts could be a handy addition to your SharePoint toolbox.  However, I would be remiss if I forgot to mention how great they are for practical jokes!  Start “Rickrolling” individuals in your company by redirecting them from SharePoint to the amusing site of your choice.  For your convenience, we’ve pulled together a list of sites guaranteed to confuse and amuse: Top 10 Corporate Redirects.

We’ll leave you with a screen shot of the tool pane for User Redirect and Group Redirect Web Parts. 

User Redirect Web Part Tool Pane

 

Yes, you're reading those settings correctly.  The next time Bamboo's SharePoint Blank author John Anderson visits our department site, he'll be redirected to a Rick Astley video on YouTube ;)

Group Redirect Web Part Tool Pane

Download a Free 15-Day Trial of User Redirect Web Part

Download a Free 15-Day Trial of Group Redirect Web Part

 For more on Group Redirect Web Part, check out this previous post by Nate Sullivan, Group Redirect 2.0 Directs Traffic Better Than Ever


Posted Apr 21 2009, 03:26 PM by Steve Gaitten

Comments

John Anderson wrote re: SharePoint Redirect Web Parts - Sometimes a Sledgehammer is Better than a Scalpel
on Tue, Apr 21 2009 4:24 PM

Nice one.  What you couldn't possibly have known, however, is that since I happen to love "Never Gonna Give You Up," I appreciated the musical interlude.

Wait, did I just admit that publicly?

About Steve Gaitten

My name is Steve Gaitten, I am Director of Online Operations at Bamboo. My primary mission is to make Bamboo Nation the most useful SharePoint community site on the web.  I am also focused on ensuring a world class shopping experience for customers who visit the Bamboo Solutions Online Store.  Prior to Bamboo, I spent over a decade at America Online.  At AOL my most recent roles included Director of Product Management in the Messaging & Social Media division as well as Managing Editor of AOL Money & Finance.  I am a patented inventor, a bad golfer, an enthusiastic horticulturalist and a dog lover. 
