Security Requirements

                 

 
Special Edition Using Microsoft SharePoint Portal Server
By Robert Ferguson

Chapter 22. Example Scenario 3: Enterprise-Wide Solution


At a basic level, security is indispensable both for document management tasks and for maintaining search capability integrity at Global. Regarding document management, access to sensitive data must be restricted: some end users will be responsible only for viewing certain documents, while others might take part in creating, modifying, and approving these documents in preparation for a larger audience. In search scenarios, on the other hand, it is critical that all end users view only those search results to which they have explicit access. All of this remains essentially true regardless of the scope (enterprise or other) of a Microsoft SharePoint Portal Server deployment; however, the challenges facing larger organizations, with perhaps multiple corporate-wide and business-unit-specific Search servers and millions of documents, are intimidating indeed.

In a large portal deployment like Global's pilot, where folder hierarchy and category structure may vary greatly between geographies or sites, a single security policy will be inadequate. Users may hold different roles for different folders in the same workspace, for example, not to mention different roles in separate workspaces. Furthermore, the security policies to be implemented after building every workspace (presumably supporting different business units across the enterprise) will need to address quite a few areas:

  • Security must be mapped into each workspace. This can be a daunting task in and of itself for large implementations.

  • If external content is key, then specifying content sources is required. In an enterprise implementation, access to external content is almost always necessary. This access to external content may subsequently drive changes in the company's firewall or DMZ implementations.

  • Users must be assigned to appropriate roles, which can also represent a great amount of planning and work in large implementations.

  • Folder Coordinators must not only be assigned, but must also be specifically "designated." While not a challenge in SBU deployments, larger deployments benefit from more elegant approaches (such as shared resources across multiple folders and workspaces, perhaps depending upon functional role or group).

  • Approval routes must be identified and implemented. Complex approval routes may be generated in large organizations.

  • Best Bets must be identified (and managed!) over time. That is, how many users are given specific authority to update the Properties page for each file so as to identify it as a Best Bet, and how this capability is managed, must be addressed.

At a higher level within the enterprise, each server in the Portal solution must be covered by the overall company-wide security and domain/directory models. If secure transactions over an extranet or the Internet are required, support for SSL should be enabled as well. And as the Portal evolves, consideration must be given to providing additional Coordinators access to manage security profiles and monitor security infractions.

Microsoft provides the general security tools and approaches required to manage the enterprise environment, but the real challenge is in simplifying the security model or security approach whenever possible. One method of doing this is by leveraging roles. Remember, a role identifies a specific set of permissions at a folder level (with a few exceptions) for Coordinators, Authors, and Readers.

To read more about the three SPS roles, see "Workspace Overview," p. 48.

The best way to illustrate potential security simplification is by taking a look at Global Corporation's planned security approach.

Global's initial architecture dictates 16 discrete workspaces, hosted across the three primary data center sites. We assume that five workspaces will be installed at two locations, and six at another. If we create a master Coordinator User ID and use this for each of the three Portal installations, we then only need to concern ourselves with mapping, assigning, and managing this one ID. SharePoint Portal Server automatically assigns this user ID (the one used to create each workspace at the three different sites) to the Coordinator role at the workspace level, as well as on all of its folders.
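
The folder-level role mapping, the search-result restriction, and the master Coordinator ID described above can be checked together in a small model. The Python below is an added example, not code from the book or from SharePoint Portal Server; the user IDs, workspace names, sample data, and the rule that a folder without its own role entry uses its nearest ancestor's are all assumptions made for illustration.

```python
# Added illustration: a simplified model of folder-level roles.
# It is not SharePoint Portal Server code and calls no SPS API.
MASTER = "GLOBAL\\sps-master"   # hypothetical master Coordinator user ID

# Constructed sample data: (workspace, folder) -> {user: role}.
# Assumption: a folder without its own entry uses its nearest ancestor's.
ASSIGNMENTS = {
    ("HR", "/"): {MASTER: "Coordinator", "GLOBAL\\alice": "Reader"},
    ("HR", "/Policies/Drafts"): {MASTER: "Coordinator", "GLOBAL\\alice": "Author"},
    ("Finance", "/"): {MASTER: "Coordinator", "GLOBAL\\bob": "Coordinator"},
    ("Finance", "/Reports"): {MASTER: "Coordinator", "GLOBAL\\bob": "Author"},
}

def folder_roles(workspace, folder):
    """Return the role map that governs a folder, walking up to the root."""
    path = folder.rstrip("/") or "/"
    while True:
        if (workspace, path) in ASSIGNMENTS:
            return ASSIGNMENTS[(workspace, path)]
        if path == "/":
            return {}                      # unknown workspace: no access
        path = path.rsplit("/", 1)[0] or "/"

def effective_role(user, workspace, folder):
    """Role the user holds on this folder, or None (deny by default)."""
    return folder_roles(workspace, folder).get(user)

def trim_results(user, hits):
    """Keep only search hits whose containing folder grants the user a role."""
    visible = []
    for workspace, doc_path in hits:
        folder = doc_path.rsplit("/", 1)[0] or "/"
        if effective_role(user, workspace, folder) is not None:
            visible.append((workspace, doc_path))
    return visible

def master_only_folders(master=MASTER):
    """Folders whose sole Coordinator is still the installation ID."""
    return sorted(
        key for key, roles in ASSIGNMENTS.items()
        if {u for u, r in roles.items() if r == "Coordinator"} == {master}
    )

# Constructed search hits spanning two workspaces.
HITS = [("HR", "/Policies/Drafts/travel.doc"),
        ("Finance", "/Reports/q3.xls"),
        ("HR", "/handbook.doc")]

if __name__ == "__main__":
    print(trim_results("GLOBAL\\alice", HITS))
    print(master_only_folders())
```

The list returned by master_only_folders shows where a Folder Coordinator has not yet been designated, so the installation ID is the only account able to manage that folder.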

Benefits of a Single Installation User ID

The benefits are many. For instance, a single user ID may not only carry out the purposes illustrated above, but may also be leveraged for easily creating indexes and automatically scheduling index updates when warranted. A site-wide or enterprise-wide document check-out or publishing process may also be facilitated more easily in this manner. And the usual process of adding Authors and Readers to each workspace/folder is still unchanged, though now the default workspace contact is quite apparent. As the portal is eventually customized and deployed after the installation, a new and valid workspace contact will be identified. In the meantime, though, all communications directed to each individual workspace (via the email address assigned for the workspace contact) will "roll up" to a Global Coordinator, thereby facilitating consistency and accountability in cross-workspace deployment planning issues.


                 


Special Edition Using Microsoft SharePoint Portal Server
ISBN: 0789725703
Year: 2002
Pages: 286
