
Item level security without sysadmins being able to access it

  Asked By: Coty    Date: Jun 24    Category: Sharepoint    Views: 2216

We are dealing with the situation that the head of the company wants to put
files on SharePoint, only accessible to the company owners. They don't want
the SharePoint team to be able to view these important documents. The
situation now is that we made a site collection with sites designed as they
wanted, and afterwards we made them site collection owners. They don't want
anyone from the ICT department to view these documents...

The above situation is far from desirable. The head of the company wonders
if people are still able to view these documents. Until this question is
answered they are not going to put any files on SharePoint. (They think ICT
can't access the C:\ drive or their inbox, I guess.) My question is: is there a way
to put security on a list which makes it impossible even for SharePoint
administrators to open or even see the documents that are in it? I think the
answer is no... but still there should be some way to solve this. We want to
satisfy the company owners and make them use and like SharePoint as their
workspace. A way to do it could also be using encryption or passwords at
file level before uploading...

I was thinking of RMS. Or maybe tell the company owners that they can see
who last viewed it and then go to the person in question to ask why he
viewed the file. Some speculations; I was hoping to get your points of view
on this matter.

Any tips or hints are welcome!



4 Answers Found

Answer #1    Answered By: Irvin Foley     Answered On: Jun 24

In WSS v2 (SPS 2003) this was indeed a problem. But since v2 SP1, IT
staff (ICT) do not have access to content unless they grant themselves
access (an auditable event) or are granted access by the content owner.

So, briefly, if the ICT members are not listed, individually or through an
AD group, as a Site Collection Administrator, in any SharePoint Groups, or in
any role assignments (Advanced Permissions link in Site Settings), AND there
isn't any Web Application policy granting them access, then they don't have
access. They cannot even "see the documents that are in it".

Setting unique permissions on the Web, List/Library, Folder, or even the
Item (WLFI) does not improve/enhance the previous statement; it just
makes it possible to have different sets of people with access to the
given WLFI.

While ICT members do not have access by default, those that have access
to Central Administration (Farm Administrators) could at any time grant
themselves access using either a Web Application Policy (auditable!), by
making themselves a Site Collection Administrator (auditable, I think),
or by adding themselves to an AD Group that has access (auditable, I
don't know). But as you point out, those same administrators could grant
themselves access to absolutely any networked storage location, including
the local C: drive that the "Head of the company" uses.

BillG himself had this concern (I've been told) and was the catalyst for
the current security structure (ops has no access to content without
audit). You can imagine that he didn't want the documents that he put in
the Document Library in his private My Site to be visible in any way to
the snot-nosed college intern helping in network operations. To my
knowledge, BillG is satisfied with the current implementation, as am I.
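
The four places Answer #1 lists (Web Application policy, Site Collection Administrators, SharePoint groups, and role assignments on webs, lists and items) can be checked for a given account in one pass. The script below is an added example, not code from the thread or from any of the products mentioned; it assumes SharePoint 2010 or later (the Microsoft.SharePoint.PowerShell snap-in), that it is run on a farm server by someone who already has farm-admin rights, and placeholder values for the site URL and the account being audited.

```powershell
# Added example (not part of the original thread): report every path through which
# one account can reach content in a site collection, following the four places
# Answer #1 lists. Assumptions: SharePoint 2010 or later, run on a farm server by a
# farm administrator; $SiteUrl and $Account are placeholders.
param(
    [string]$SiteUrl = "http://intranet.example/sites/owners",   # assumption
    [string]$Account = "CONTOSO\ict.admin"                       # assumption
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Classic (DOMAIN\user) and claims (i:0#.w|DOMAIN\user) logins for the same
# account must compare equal, so strip any claims prefix and lower-case.
function ConvertTo-PlainLogin([string]$login) {
    return (($login -split '\|')[-1]).ToLowerInvariant()
}

$target   = ConvertTo-PlainLogin $Account
$findings = New-Object System.Collections.Generic.List[string]

# Expand an AD group (recursively) only when the ActiveDirectory module is
# installed; otherwise return $null so the caller flags the group for review.
function Test-AdGroupMember([string]$groupLogin) {
    if (-not (Get-Module -ListAvailable ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    $groupSam  = ($groupLogin -split '\\')[-1]
    $targetSam = ($target -split '\\')[-1]
    try {
        $members = Get-ADGroupMember -Identity $groupSam -Recursive -ErrorAction Stop
        return [bool]($members | Where-Object { $_.SamAccountName -eq $targetSam })
    } catch { return $null }
}

# Record a principal found in an ACL: a direct hit, a hit through an AD group,
# or an AD group that could not be expanded and needs manual review.
function Add-PrincipalFinding($principal, [string]$where) {
    if ((ConvertTo-PlainLogin $principal.LoginName) -eq $target) {
        $findings.Add("DIRECT   : $where")
    } elseif ($principal.IsDomainGroup) {
        $inGroup = Test-AdGroupMember $principal.LoginName
        if ($inGroup -eq $true) {
            $findings.Add("VIA GROUP: $where through AD group $($principal.LoginName)")
        } elseif ($null -eq $inGroup) {
            $findings.Add("REVIEW   : AD group $($principal.LoginName) at $where; expand it manually")
        }
    }
}

# Walk the role assignments of a web, list or item; SharePoint groups are
# expanded to their members because the group, not the user, holds the role.
function Add-RoleAssignmentFindings($securable, [string]$where) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            foreach ($u in $member.Users) {
                Add-PrincipalFinding $u "$where via SharePoint group '$($member.Name)' ($roles)"
            }
        } else {
            Add-PrincipalFinding $member "$where ($roles)"
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    # 1. Web application policy (Central Administration). Every entry is listed,
    #    because a policy on a group the account belongs to is just as effective.
    foreach ($policy in $site.WebApplication.Policies) {
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        $where = "web application policy ($roles)"
        if ((ConvertTo-PlainLogin $policy.UserName) -eq $target) {
            $findings.Add("DIRECT   : $where")
        } else {
            $findings.Add("REVIEW   : $($policy.UserName) has $where")
        }
    }

    # 2. Site collection administrators (includes the primary/secondary owners).
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        Add-PrincipalFinding $admin "site collection administrator"
    }

    # 3./4. Role assignments on every web, list and item with unique permissions.
    #       The item walk is linear in the number of items; fine for a small
    #       owners-only site collection, slow on large libraries.
    foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) { Add-RoleAssignmentFindings $web "web $($web.Url)" }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Add-RoleAssignmentFindings $list "list '$($list.Title)' in $($web.Url)"
                }
                foreach ($item in $list.Items) {
                    if ($item.HasUniqueRoleAssignments) {
                        Add-RoleAssignmentFindings $item "item '$($item.Name)' in list '$($list.Title)'"
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

if ($findings.Count -eq 0) {
    "No path found for $Account into $SiteUrl"
} else {
    $findings | Sort-Object -Unique
}
```

The script is a point-in-time check, not an audit trail: it shows who can reach the content now, but not who granted it or when. Running it on a schedule and comparing the output with the previous run is one way to get the "e-mail when someone is added" that Answer #2 asks for, with the caveat Answer #1 already makes: a Farm Administrator can always grant themselves access, so the value is in making that grant visible, not in preventing it.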

Answer #2    Answered By: Deonte Stein     Answered On: Jun 24

Thank you very much, this is very clear and sounds logical. Since the head
of the company isn't good when it comes to IT, there should be an easy way to
keep it auditable for them. By that I mean who has permissions within AD, who
has granted themselves access to content or a Web App policy. But this is
another topic, I think. Something nice would be that the head of the company
would get an e-mail when a member is added to the group.

I will mention this solution and see what feedback we will get. Again thanks
for your help. I appreciate it.

Answer #3    Answered By: Stephon Valentine     Answered On: Jun 24

In the next version of DeliverPoint we plan to include the ability for
developers to run custom code when security events like Add User, Delete
User, Modify User Permissions, etc. are fired by the user interface.