Wednesday, February 6, 2013

Using Office 365 security groups with SharePoint Online

It is best practice to create security groups and assign rights in SharePoint to those groups. Once the security groups have been correctly configured, there is no need to return and fiddle with SharePoint securities when, for example, new users are added. All that needs to be done is to add the new user to the appropriate security group. Once added, they automatically receive the appropriate rights in SharePoint simply because they are part of a security group that already has SharePoint rights assigned. Thus, you only ever need to add the security groups to SharePoint once. You should never assign rights to individual users; all rights should be assigned via security groups.

To do this with Office 365 you’ll need to log in to the administration portal.


Then select Security Groups from the menu on the left-hand side under the Management heading. This will display any existing security groups.


To create a new security group select the New link.

You’ll then be asked to provide a name and description for the security group. My advice, when it comes to SharePoint-specific security groups, is to always start their names in the same way. That way they will appear together in a list. Here I have chosen to create the security group SP-Accounts-RO.


Once you have created the group you need to add users to the group. You can return later and edit this if you need to. To add users simply place a check in the box to the left of their name and press the Add link.

 


When complete you should see the security group listed. Remember what name you used.


Now visit your SharePoint site and select Site Actions, then Site Settings, from the top left.


Now select Site Permissions in the top left under the Users and Permissions heading.


By default SharePoint securities inherit. This means areas have the same rights as the area directly above them in the hierarchy. To create unique rights you’ll need to select the Stop Inheriting Permission button. Press OK to proceed past the warning confirmation dialog you receive.


You should now see that you can select existing groups and users and remove them if desired.

To add the security group just created press the Grant Permissions button.


In the dialog that appears enter the security group name into the Select Users area at the top (here SP-Accounts-RO).

In the Grant Permissions area you can elect to give this user or group direct permission or make them part of an existing SharePoint group. In this case we’ll elect to make the newly created security group part of the existing SharePoint group, Team Site Visitors, which has Read permissions to the site. Remember, adding something to a pre-existing group gives that user or group access to everything the group has access to on the site. Thus, by adding the newly created security group to the SharePoint Team Site Visitors group, every user in the security group will effectively have read permissions to every part of the site, not just the one being edited here. If you don’t want that, then only give the user or group direct permissions (i.e. the second option above).


Once complete you should now see the name of the newly created security group appear in SharePoint. In this case, since we made it a member of the Team Site Visitors group in SharePoint, that is where it appears.

SharePoint security is easy if you map it out beforehand and implement it using this best practice. In my opinion, no user should be granted direct access to a SharePoint site; they should be part of a security group, and that security group should be assigned rights in SharePoint. Configuring things this way is going to reduce confusion and make it less likely you’ll assign the wrong rights, which is easy to do as securities become more complex.
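One way to check a site against this rule, as an added example that is not part of the original post: the script flags individual users who were assigned rights directly or through a SharePoint group, and expands each security group to the users who end up with its rights. The data layout, the account names, the `Finance-Editors` group, the `Team Site Members` entry and the `SP-` prefix check are constructed assumptions; only `SP-Accounts-RO` and `Team Site Visitors` come from the walkthrough.

```python
"""Audit a site's permission assignments against the 'security groups only' rule."""

# Constructed sample data (assumed export format, not from a real tenant).
SECURITY_GROUPS = {  # Office 365 security group -> member accounts
    "SP-Accounts-RO": ["alice@example.com", "bob@example.com"],
    "Finance-Editors": ["erin@example.com"],
}
SHAREPOINT_GROUPS = {  # SharePoint group -> permission level and members
    "Team Site Visitors": {"level": "Read", "members": ["SP-Accounts-RO"]},
    "Team Site Members": {"level": "Contribute", "members": ["carol@example.com"]},
}
DIRECT_GRANTS = [  # (principal, permission level) granted directly on the site
    ("Finance-Editors", "Contribute"),
    ("dave@example.com", "Read"),
]
PREFIX = "SP-"  # assumed naming convention, taken from the post's SP-Accounts-RO


def assignments(sp_groups, direct_grants):
    """Yield (principal, level, route) for every assignment on the site."""
    for name, group in sp_groups.items():
        for principal in group["members"]:
            yield principal, group["level"], "SharePoint group " + name
    for principal, level in direct_grants:
        yield principal, level, "direct grant"


def audit(sec_groups, sp_groups, direct_grants, prefix=PREFIX):
    """Return (findings, effective); effective maps each user to a set of levels."""
    findings, effective = [], {}
    for principal, level, route in assignments(sp_groups, direct_grants):
        if principal in sec_groups:
            if not principal.startswith(prefix):
                findings.append(f"{principal}: group name lacks '{prefix}' prefix ({route})")
            users = sec_groups[principal]
        else:
            # Anything that is not a known security group is treated as a user.
            findings.append(f"{principal}: individual user assigned via {route}")
            users = [principal]
        for user in users:
            effective.setdefault(user, set()).add(level)
    return findings, effective


if __name__ == "__main__":
    found, access = audit(SECURITY_GROUPS, SHAREPOINT_GROUPS, DIRECT_GRANTS)
    print("\n".join(found))
    for user in sorted(access):
        print(user, sorted(access[user]))
```
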

Remember, distribution groups are typically used so lots of users can receive e-mail sent to a single e-mail address. The primary purpose of a security group is to assign permissions to a large group of users instead of assigning permissions to individual users one at a time. If you're a Microsoft Online e-mail organization, use security groups if you need to assign users permissions to resources in other hosted online services such as Microsoft SharePoint Online.