Breaking Is Not Hard To Do

Do you know what the following questions all have in common?

  • “I see a completely different homepage menu/libraries/folders than my other team members”
  • “I can no longer check out or edit a document”
  • “I know he has access to the list, but he can not access the link I send him”
  • “I have given her full control, but she still can not see that library”
  • “I can no longer access the site or library that I am supposed to manage”

Yes, you guessed it – these questions are all permissions-related.

It sounds really neat and useful to be able to limit access to sites, libraries and folders in SharePoint. It is easy to add groups and individuals and set it up just the way you think is best.
Many people, however, do not realize the full consequences of breaking permissions (= giving subsites, lists, libraries and folders different permissions than the site). As a result, I provide a lot of support on permissions-related issues.

I have found it hard to help users understand how it works in words, so I have created a series of pictures for clarification. You know I am not a designer, so if you have better visuals, please share!

1. Default site permissions.
First, let us show what the permissions in a “normal” site look like.
The fat dark blue line is a site. The blue blocks are libraries and lists. Or apps, as SharePoint 2013 calls them. 🙂
The purple circles are user groups. There is an Owners group (O) with Full Control, there is a Members group (M) that can read, add, edit and delete, and a Visitors group (V) that can read.

This is the default permission setup of a site – the site and all lists and libraries have exactly the same permissions.

All lists and libraries have the same permissions throughout the site.
When we add an individual or another group to the site, (the circle with the person icon), this person/group will also have access throughout the site.

A new group or individual will automatically have access to all content.

2. Site containing a library with different permissions.
Let us assume there is one library that contains confidential information, and we do not want Visitors to see that. You go to “Library Settings” and “Permissions for the library”, you edit permissions and remove the Visitors group. You add a note to the description of the library that this has different permissions. Visitors will not see the library anymore.
The permissions have now been broken, hence a dotted line around the library.

Broken permissions – one library has different permissions.
One library has different permissions, and Visitors no longer see or have access to the library.

Next, you want to add new people to the site. The best way is to add them to one of the groups – they will have the correct access. But if you add a new group or an individual to the site, they will not see the library. That is because the permissions have been broken, meaning that the site and this library no longer align and you need to maintain both entities. So, you have to give this person/group access twice…that is double the work!
But…Owners often forget that they have broken permissions. So they give someone access to the site, but that someone can not see the library. They then give that someone Full Control to the site, but they still can not see the library.
I hope the picture below shows you why.

Adding an individual to a site with broken permissions.
When you add an individual or group to the site, they do not automatically get access to all content. Permissions have been broken.

Now you know why I recommend adding a message in the description field of the library – that helps the Site Owner remember! And of course you see the benefits of adding new people to an existing group instead of as individuals.
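The situation in the pictures, as an added example that is not part of the original post and is not SharePoint code: a small Python model of a site and its libraries that reports, for every library with broken permissions, which site grants are missing there. The library name "Contracts", the user "new.colleague" and the level labels are constructed for the example.

```python
# Added illustration (not SharePoint code): a small model of permission inheritance.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Site:
    grants: dict = field(default_factory=dict)  # principal -> permission level


@dataclass
class Library:
    name: str
    site: Site
    unique: Optional[dict] = None  # None means "inherits from the site"

    def break_inheritance(self):
        # Breaking inheritance starts from a copy of the site's current grants;
        # from then on the site and the library are maintained separately.
        self.unique = dict(self.site.grants)

    def access(self, principal):
        grants = self.site.grants if self.unique is None else self.unique
        return grants.get(principal)  # None = cannot see the library


def inheritance_gaps(site, libraries):
    """Per library with broken permissions: site grants missing or different there."""
    report = {}
    for lib in libraries:
        if lib.unique is None:
            continue
        report[lib.name] = {
            who: (level, lib.unique.get(who))
            for who, level in site.grants.items()
            if lib.unique.get(who) != level
        }
    return report


def demo():
    # Constructed scenario following the post: O/M/V groups, one confidential library.
    site = Site({"Owners": "Full Control", "Members": "Edit", "Visitors": "Read"})
    documents = Library("Documents", site)
    contracts = Library("Contracts", site)
    contracts.break_inheritance()
    del contracts.unique["Visitors"]               # Visitors removed from the library
    site.grants["new.colleague"] = "Full Control"  # added to the site only
    return site, [documents, contracts]


if __name__ == "__main__":
    site, libraries = demo()
    for name, gaps in inheritance_gaps(site, libraries).items():
        for who, (on_site, on_library) in gaps.items():
            print(f"{name}: {who} has {on_site} on the site, {on_library} on the library")
```

The report lists the intended gap (Visitors) next to the forgotten one (the new colleague with Full Control on the site), which is the comparison a Site Owner needs when someone "still can not see that library".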

So yes, breaking permissions is easy to do. Maintaining and supporting, however, is a lot of work!

Next time I will show you a few other scenarios.

Title inspired by “Breaking up is hard to do” by Neil Sedaka.

Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net

Playing “Hide and Seek” in SharePoint

* Reviewed and updated in February 2015 *

After my earlier rant about people who want to secure their content for no good reason, I thought I would give some suggestions for alternative ways to hide content when it makes sense.

First let me stress that I recognize that some content is sensitive and really needs to be secured. But there is also a lot of content which is not confidential, but which you still may want to hide, to avoid information overload in general. Specific reasons may be:

  • The content is only relevant to a certain audience
  • You do not want people to influence each other
  • You want to allow people to focus on their own content, e.g. in projects or tasks lists

Besides giving permissions, there are two other ways to hide content that I know of, but I will be happy to learn new ways!

1. Targeting.

In SharePoint it is relatively easy to target web parts to an audience. In any web part menu, click open “Advanced” and add the audience, SharePoint group or person(s) to the Target Audience box on the bottom. Only they will see the web part.
We have used this especially to target links on the Homepage – in the main navigation, every employee had a link to the Employee Information of his/her country.
I have also used targeted web parts in Monthly Reporting in a Team Site.

2. Configuration.

a. Item-level permissions.
For surveys and lists, you can let people read only the items that have been created by themselves. (Advanced settings). This is nice if you do not want people to influence each other, but not very useful when you want to show the collected information to your audience. I usually apply it only in survey-type occasions.

Item-level permissions in the advanced settings

b. Created by = [Me].
When not using the item-level permissions, I like to use this filter for the default public view. That way people see their own items first and are not influenced by others, and they can not easily edit other people’s content. You can have additional public views showing all contributors’ items, or the process owner can create personal views and use web parts to display content from all contributors.

c. Impossible filters that show an empty default view.
We have used “Created < 01-01-2000” as the only public view to create an empty looking document library, accessible to all employees. The documents were distributed to other (secured) sites via Content Query web parts. Of course, the owners of the documents created personal views to see all documents. The advantage for the content owners was that the owners of the secured sites could manage access for their site.

d. Hidden columns.
In older versions (e.g. SP2007) you can create views without the Edit button, and without the “Name” column instead of “Name (linked to item/linked to document with edit menu)”. This way, your readers will be unable to click on any items to see the complete item. Of course this is useless for Document Libraries, unless you only want to show that the documents are there.
Perhaps this can also be done in Office 365, but since I am the only one in my environment, I have too many permissions to test this.

e. Closing/hiding the web parts in the list or library.
You can close or hide the system web part of the list or library to avoid anyone seeing the content, including the site owner. I would recommend this only for very specific occasions, since it is very annoying to have to make the webpart visible every time you want to do something. Besides, every visitor will immediately see there is something wrong with this page.

f. Sending people to a non-default page after submitting data.
I often send people to a Thank You page after completing a survey or other data collection, by customizing the link. It is a nice gesture, it confirms that submission has been successful and it allows you to give more information about next steps. It also hides other people’s responses from view.
I have also sent people from a topsite to a request form in a subsite, and after completion sent them back to the original page in the topsite. They did not have to see other people’s requests, and this way they could continue to do what they were doing in the topsite. Well, you will get the idea; you can use this with all pages within your environment.

How to do it? Your links will normally have this format:
http://IntranetName/TeamSiteName/Lists/ListName/NewForm.aspx?Source=http://IntranetName/TeamSiteName/Lists/ListName/ViewName.aspx
The part before “NewForm.aspx?” is the “data entry” part of the list; the part from “Source=” onwards is the location where people will go after clicking “OK” or “Finish”. You can replace the part after “Source=” with a link of your own choice. Please note this only works when you send a link in an email, use a Links list, or create a button. If you click “New Item” from the list, the link will always use the system format.

Simple Thank You-page
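The link format described above, as an added example that is not part of the original post: a Python helper that builds a NewForm.aspx link with a URL-encoded Source and only accepts a return page on the same intranet host as the form, plus the reverse split into its two parts. The Thank You page path is constructed; the other URLs are the placeholders used in the post.

```python
# Added illustration: building and reading a "NewForm.aspx?Source=..." link.
from urllib.parse import parse_qs, quote, urlsplit


def build_form_link(new_form_url, return_url):
    """Return the data entry link that sends people to return_url afterwards."""
    form, target = urlsplit(new_form_url), urlsplit(return_url)
    if not form.path.lower().endswith("/newform.aspx"):
        raise ValueError("expected the NewForm.aspx link of a list")
    # Keep the return page inside your own environment: same host as the form.
    if target.scheme not in ("http", "https") or target.netloc.lower() != form.netloc.lower():
        raise ValueError("return page must be on the same intranet host as the form")
    # Encode the return address so its own ":" "/" "?" "&" cannot be read
    # as part of the form link.
    return f"{form.scheme}://{form.netloc}{form.path}?Source={quote(return_url, safe='')}"


def split_form_link(link):
    """Split a link into (data entry part, page shown after OK/Finish)."""
    parts = urlsplit(link)
    source = parse_qs(parts.query).get("Source", [None])[0]
    return f"{parts.scheme}://{parts.netloc}{parts.path}", source


# Placeholders from the post, plus a constructed Thank You page.
FORM = "http://IntranetName/TeamSiteName/Lists/ListName/NewForm.aspx"
THANKS = "http://IntranetName/TeamSiteName/SitePages/ThankYou.aspx"

if __name__ == "__main__":
    link = build_form_link(FORM, THANKS)
    print(link)
    print(split_form_link(link))
```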

g. Removing the link from the title of a web part.
The title of a list/library web part on a page is clickable and leads you to the complete list or library. If you do not want that, go to the web part menu, open the “Advanced” section and replace the link under “Title URL” with “#”. Jasper Oosterveld also shares the screenshots.
People will still be able to go to the list/library via Site Contents, though.

Warning:

  • Targeted or hidden content will normally still turn up in Search. People can also see it when they have the link to the information, or know how SharePoint works. This is not confidential information, so it is not a problem, but it helps to be aware of it. Do not be afraid that people will go and look for this info – they do not know it is there and they probably do not care if they knew.
  • Many people do not understand the difference between targeting (visible yes/no) and setting permissions (access yes/no), especially that you target a web part, but set permissions on a library or list. Be prepared for questions.
  • If you are the site owner, but you are not in the targeted audience, you will not see the content, so it will be difficult to maintain the web part. This is especially the case with Content Editor and Summary Links web parts, because they are not represented in the “back-end” of your site, i.e. the page showing all site content. This may occur when you are managing global content distributed over various “country” web parts.
  • If you target something and you are in the audience, you may forget that the content is not visible for everyone. Mention it in the web part title as a reminder.
  • Remember to discuss any targeting and personal views when handing over responsibilities for a site!

What other ways have you used to hide content without changing permissions?

Image courtesy of Willem Siers at FreeDigitalPhotos.net; Post title inspired by Howard Jones’s “Hide and Seek”.

Frankly my dear…they’re just not that into your content.

“Oh yes, our employee benefits information should definitely be secured”, the country HR manager said. “We do not want everybody to see that information”.

It took me some time to convince him that this was really not a good idea. I had to come up with various arguments:

  • Why would employee benefits be confidential content at all? Of course, people from other countries could see it and perhaps be jealous. But everyone knows there can be local differences in benefits, due to local laws and customs.
  • The information was published in a not very visible place and only employees in that country would have a link to it on their Homepage. Everyone else could find it in Search, or navigate to it if they knew where it was, but that would take a conscious effort which not everyone has the patience for.
  • The information was meant for about 700 people, how confidential is that?
  • Maintaining security for 700 people would mean a lot of work. (Generally a good argument against securing content, by the way :-))

In the end I won him over by telling him that he already had a perfect natural security system: he was the HR manager from Sweden and the majority of his content was in Swedish…;-)

This is just one example of people thinking their content needs to be secured. I have worked with many who were under the delusion that without restricting access, their site would bend under the weight of visitors and servers would crash by the flood of people eager to get a glimpse of that fabulous intranet content or application.

Wake up to the harsh truth, content owners! We still have to drive people TO your content, rather than chase them away FROM it. More organizations are struggling with usage that is too low (“I can not find it”, “I did not know it was there”) than with usage that is too high. What is “too high” anyway? And what actually happens when “too many people” see your content? Perhaps the site becomes slow or you get an error message when too many people try to access it at the same time, but it is not as if your site will break.

We are not satisfied with most intranet search tools because they can not find what we are looking for. Why do we then think that everyone will be able to immediately find our content, and will jump on it when they have found it? I have yet to hear of one example of “too popular” content. (And please let me know when you have an example.)

Because this is how things go with content:

  • If people do not know it’s there, they will not visit
  • If they know it is there but they cannot find it, they will not visit
  • If they know it is there, they can find it but are not interested, they will not visit

Of course I know that some information needs to be secured, but everything that is not business-critical should be open as far as I am concerned. It will be difficult enough to attract the right visitors to your content, so it is better to spend your time improving your content, usability and findability than on maintaining security groups.

Because frankly my dear, most employees don’t give a damn about your content…

Title and footer inspired by the movies “Gone with the Wind” and “He’s just not that into you”.

How confidential is an intranet design?

When I was developing snack products, I was never allowed to talk about my work with people outside my company. Others might copy our ideas! I always felt this was a real pity, because I was convinced that other product developers would have exactly the same problems that I had and we may have shared solutions. Of course I am not talking about sharing secret recipes, but about topics like: how do you do consumer tests, how do you set priorities, how do you work with marketeers who want new products NOW while you, as a developer, want GOOD QUALITY products?

Now we all had to re-invent the wheel ourselves. (Which I hate with a vengeance!)

But now that I find myself in the wonderful world of intranets, life is suddenly very different! Intranet managers continually share knowledge and experiences with acquaintances and strangers, at home and abroad, online and offline, because we share a profession.
Is that because many intranet managers have a background in Knowledge Management? Because we have learned how inspiring, comforting, or just easy it is to listen to the experiences of someone else? Do we all have the same “evangelist gene” that causes us all to passionately change our organizations for the better? Or are we all just lazy, er…I mean efficient, and do we all hate to re-invent wheels :-)?

Or is it perhaps because we realize that this profession does not have many secrets? Our secrets are in the content. Our secrets are NOT in our design, our platform, our governance or information architecture. What an organization does with its intranet is always based on the strategy and culture of that organization. (Well, at least I hope it is!) So copying another’s design, navigation or position of the web parts on the page is useless, because it will never fit with your organization.
But you can always learn from other intranets of course – if only that you have made the right choice for yours!

Of course I have also had my doubts about the amount of information I could share in my presentations. I have given lectures and removed the screenshots from my presentation for the handout. But later I have just hidden any sensitive information from my screenshots and just left them in. (Screen capture tools like Snagit allow you to “erase” confidential information easily.)
A picture really says more than 1000 words! And whether your company news is in the center or left, with a summary or not, is interesting, but it is certainly not mission-critical information.

What then is your confidential content? In general: sales and customer data, financial data, employee personal data, and information about projects in such areas as innovation, lawsuits, contracts and acquisitions. This is generally information that an intranet manager will not have access to, anyway. We may facilitate the collaboration, but we do not own the content.

So…let screenshots do the talking and let’s share more screenshots of our intranets!

Image courtesy of thanunkorn at FreeDigitalPhotos.net