SharePoint Knowledge Base

Dec 15
SharePoint Security Best Practices

What are the best practices for managing SharePoint permissions? This post addresses that question. We suggest keeping it as simple as possible!

  • Never use individual-level security. There is always a way around it!
  • Try to manage security at the site level and not the list level. You can show content from subsite lists in parent lists in many ways.
  • Create test users and use another browser to log in and see what the test user can see.
  • Audit your security.
  • On a subsite, consider listing the security groups that have access to the site right on the home page, under the Contact Info area that shows who owns the page (which is another best practice).


AD Security

Using AD groups is suggested, but there will be exceptions. As a best practice, users are usually not added to SharePoint groups directly; instead they are added to an AD security group, which is then added to the SharePoint groups.


SharePoint Security Guidelines

  • Do not add users individually to a web site; use SharePoint groups instead
    • SharePoint can handle about 2000 security principals per web site
  • If you add 1000 users or Windows security groups to a SharePoint group, it still counts as one principal
  • If you add 1000 users individually to a SharePoint site, they count as 1000 principals
  • Nested Windows security groups are problematic either because (1) they contain contact items or (2) they are nested too deeply
    • Assigning permissions on sites through security groups is definitely a good practice. Nesting security groups more than a couple of levels deep can be problematic, especially when a contact or distribution list (DL) is in the mix or when a global group is used improperly. The following groups are problematic:
    • Distribution lists with contacts in them
    • Security groups with contacts in them
    • Global security groups used in a separate "resource" domain (this often happens in cross-domain/cross-forest migrations)
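
One way to audit a site collection against the guidelines above, added here as an example and not taken from the original post. It assumes an on-premises farm and the SharePoint Management Shell; the site URL is a placeholder, the 80% warning threshold is an assumption, and only web-level role assignments are counted (not lists with unique permissions).

```powershell
# Added example: counts security principals per web using the counting rule above
# (a SharePoint group is one principal; each directly added user is one principal).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "https://sharepoint.example.com/sites/team"  # placeholder URL
$principalLimit = 2000   # "about 2000" per web site, as stated in the guidelines

$site = Get-SPSite $siteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # Webs that inherit permissions share the parent's principals; skip them.
            if (-not $web.HasUniqueRoleAssignments) { continue }

            $spGroups = @(); $adGroups = @(); $directUsers = @()
            foreach ($ra in $web.RoleAssignments) {
                $member = $ra.Member
                if ($member -is [Microsoft.SharePoint.SPGroup]) {
                    $spGroups += $member.Name            # one principal, whatever its size
                } elseif ($member.IsDomainGroup) {
                    $adGroups += $member.LoginName       # AD group granted directly on the web
                } else {
                    $directUsers += $member.LoginName    # individual user: one principal each
                }
            }
            $total = $spGroups.Count + $adGroups.Count + $directUsers.Count
            [pscustomobject]@{
                Web          = $web.Url
                Principals   = $total
                SPGroups     = $spGroups.Count
                ADGroups     = $adGroups.Count
                DirectUsers  = $directUsers.Count
                NearLimit    = ($total -ge 0.8 * $principalLimit)  # assumed threshold
                DirectLogins = $directUsers -join "; "
            }
        } finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }
} finally {
    $site.Dispose()
}

# Webs with the most individually added users come first.
$report | Sort-Object DirectUsers -Descending | Format-Table -AutoSize
```

Any row with a non-zero `DirectUsers` value is a web where users were granted access individually rather than through a group.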

