| The essential goals of workspace security are to restrict access to sensitive information, define and enforce document approval and publishing processes, and ensure that search results only reveal information about documents that the user should be made aware of and allowed to access. The planning process begins by surveying your documents and the various content sources you wish to include in your index. It is also important to identify the users who will need access to documents, any process controls that may be required, and the intended mechanisms for providing access to your documents using SharePoint Portal Server and Web folders or a dashboard site. Security and document management go hand-in-hand, so include this as part of your overall user survey if possible. The following information from your survey most directly pertains to setting up security within the workspace: Who will manage the workspace node on a day-to-day basis? Who, if anyone , will manage subfolders within the workspace? How will folders be configured to provide logical organization to documents and enable the use of selected SharePoint Portal Server features? What sort of document control processes, if any, need to be enforced, and who should administer them? What, if any, documents contain sensitive information and should only be visible or accessible by select users or groups of users? Will all documents be published for unrestricted access? What security considerations need to be made for external content sources?  For more information on the user survey see Chapter 10, "Managing Folders and Documents." Once your folder structure and document management processes have been identified, the process of applying the appropriate security controls is pretty straightforward. In general, any folder that contains information requiring selective access control or enhanced folder features such as version control, approval routing, or check-in/ check-out will require specific security configuration. If a folder does not contain documents requiring restricted access or document management features, its security configuration will likely be very simple. In addition, content sources outside the workspace that contain documents requiring any access control restrictions will also require special consideration when configuring SharePoint Portal Server to crawl the sources.  | To ensure that your documents are secure, see "Identify Documents Accessible by Unintended Users" in the "Troubleshooting" section at the end of the chapter. | As a general rule, it's a good idea to configure basic access permissions through the use of domain or local groups and assign more specific access permissions through individual user accounts. This method reduces the administrative complexity of managing security, and simplifies troubleshooting in the event a user is found to have inappropriate access rights. Within the workspace, the use of groups to assign roles is encouraged. The Reader role ”the most basic level within SharePoint Portal Server ”is often best assigned to a group of users as a single group assignment. Author or Coordinator roles, which both have the ability to make changes to contents of the workspace, should be assigned to small groups or individual user accounts, depending on the number of users applicable for each role. The granularity of assigning roles is somewhat subjective . A small organization's workspace will likely be used by a limited number of users and will typically require comparatively little administrative intervention once configured and deployed. A large organization may employ SharePoint Portal Server to service a large number of employees or groups, and may have a correspondingly complicated set of security requirements as a result. In either scenario, industry best practice has shown that managing security through the use of groups diminishes the likelihood of misconfiguration and greatly reduces the administrative demands of the environment. This is particularly relevant when sweeping changes are required to reflect the reassignment of security permissions or to make large-scale changes to the security configuration of the workspace, since configuring or changing a role assignment to a group requires the same administrative effort as that required for a single user.  | 
