IT or Business? Who should manage SharePoint site security?

One of the decisions you have to make once you create an Intranet portal in SharePoint is who will manage SharePoint site security. I have recently published a similar post on pros and cons of AD groups vs. SharePoint groups. However, that was more of a technical decision. Today, I want to concentrate more on the governance aspect of the same topic. Would you let IT control the access or let Business users own the security aspect and be able to add users to their sites themselves?

Who should manage SharePoint site security?

In order to help us make the right decision, let me explain the 2 most common security models for SharePoint Intranets:

1. Role-based model
2. Site-based model

Let’s get to know both little better and then take a look at pros and cons for each.

Role-based model

Role-based security model is based on the notion that you have access to the sites that are driven by your role within the organization. In simple terms that would mean that you will be part of certain security groups in Active Directory or SharePoint that would make you belong to a certain department, subset of users, etc. Below are the examples of such security groups:

• Accounting Members
• Finance Members
• HR Members
• IT Members
• Executives

In SharePoint that means that you would use a combination of those predefined groups on every SharePoint site and assign corresponding permissions (based on objective of the site). For example, on Finance site, Finance Members would get Contribute access, Executive members could get Read Only, while IT members would get Full Control.

Because these groups are unique and centralized, they are controlled by a small group of users, usually an IT department

Site-based model

In contrast, Site-based security model relies solely on the objective of the site. In other words, this group relies on the 3 default SharePoint security groups created for each site:

• [Site name] Members
• [Site name] Owners
• [Site name] Visitors

Depending on the permissions users need to have, each user is added to one of those default groups, thus getting corresponding access. Each group is unique to the site, thus making it easier to add/remove users, without impacting other sites in the Intranet Portal.

The access and group membership in this case is typically controlled by the Site Owner (usually Business), and not IT.

Pros and Cons of each model

Now that we are  clear on what each model is, let’s  evaluate pros and cons of each approach:

Role-based model

Pros

• Allows for standardization of the security groups, naming convention

Cons

• Requires that a single group of people (usually IT) maintain it for everyone
• Can become tedious and cumbersome process to maintain, especially for matrix type organizations and sites (where there is mix of users from different departments)
• Can potentially hurt SharePoint User Adoption due to strict IT oversight and control
• If you use Active Directory (AD) Groups – you are almost certainly locking yourself into Role-based model (unless you are nesting them inside of default SharePoint Groups, which means you are using more of Site-based model).

Site-based model

Pros

• Improves User Adoption
• Empowers Site Owners, by giving them greater control of their assets

Cons

• Decentralized approach to security groups leads to too many redundant groups
• Most groups end up being used only once (since they are unique to the SharePoint site)

Recommendation

Role-based model is great for function-specific “static” sites, like Department sites, where roster of users is more or less fixed and is rarely altered.

Site-based model is great for matrix type organization and sites. An example of such sites would be Project Team Sites, where roster of users is comprised of employees from various groups and where it constantly changes from project to project.

As with many other things in life, there is no right or wrong answer here. Just like the argument about Active Directory vs. SharePoint groups, the decision depends on your company structure, culture and other factors. If you really like both models, I recommend blended approach. Let IT manage a central pool of groups for department/operations or security-sensitive sites (i..e Executive sites). However, when it comes down to team sites, let business/site owners manage those. This will ensure a healthy equilibrium and will keep both groups happy.

I personally prefer site-based security model. While I am somewhat of a control freak, it is inevitable to let it go and let business users manage their own sites. The industry is marching towards that approach already. If you think about it, user’s own OneDrive account gives all the power of sharing and security to the owner of the account, with little oversight from IT. Office 365 Groups, have very primitive security settings, allowing everyone to join and have access to content in an instance. Of course, you should not just let Business manage the sites and security without proper site owner training and governance framework in place.

Whatever you do, I do not recommend that you implement a strictly Role-based model (where IT will manage each and every site and security group). Such authoritative approach is never a winner and is a sure way to kill SharePoint User Adoption.