Microsoft has long used the same “object oriented” approach to security within its various “object namespaces”. SharePoint is no different. And Microsoft does have some SharePoint Security Best Practices you may want to consider.
Ah… what is an “object namespace” you ask?
The Microsoft platform of integrated applications has layers. Each layer is an “object namespace”. For example, starting at the following diagram illustrates the concept.
Each layer is like a database. In fact, my long held view has been that the Microsoft platform of integrated applications is nothing but a whole bunch of interrelated databases, each with its own set of objects. Let’s take a simple one like the File System. The File System has three main “objects”
Each of the above namespace objects has its own Access Control List (ACL) containing individual Access Control Entries (ACE) that determine who can do what with and to an object, like a Volume, Folder, or File.
The second thing to understand is how a Microsoft Operating System processes an application like SharePoint’s request for given a user access to an object within its own object namespace. Granting or denying access to an object is a two part process:
What do you think happens when the object’s Access Control List is full of hundreds or thousands of Access Control Entries? It slows the validation and verification process down. And the larger the Access Control List the longer that process takes.
So how does this relate to the SharePoint object namespace when we are considering SharePoint Security Best Practices?
Remember that every SharePoint namespace object, including Site Collections, Sites, Libraries, Lists, Documents, and Items, each have their own individual Access Control List. If you start using Unique Permissions (non inherited Access Control Entries) on these objects over time the Access Control List gets very large with many entries because no one ever removes the old ones. Gradually over time it takes longer and longer and longer to access these objects because of the two phase process for object access validation and verification.
The SharePoint Security Best Practice, not just with SharePoint but with all Microsoft Object Namespaces, is to keep the Access Control List as small as possible so that the access validation and verification process is as fast as possible. In Article 2 I will demonstrate how to achieve this Microsoft recommended best practice in a SharePoint environment.