Do you hate SharePoint? Part 3 of 4

If the answer is yes, could your hatred be caused by your local implementation? In this blog series we look at four common problems with SharePoint implementations and how you can address them.

We continue our series by Neil McIsaac, SharePoint MCT, for putting this together. Happy reading! If you missed it you can still read Part 1 and Part 2 of the series

SharePoint is an interesting platform and as it grows as a product and with its already incredible adoption, it is an important cornerstone for many organizations. But ask the people that work with it, and you will find a divided love it or hate it passion for the product.

Why hate it?

It’s my experience (which dates back to the site server/dashboard days), that many customers have difficulty handling the product and I mean this a number of ways. Here’s the issue:

SharePoint will amplify your problems.

So why do we hate it? I would hate anything that made my problems larger. But did SharePoint create the problem? That would be like blaming the carpenters hammer for building a crooked house. The problems are our own doing in the majority of cases. In my experience, the most common problem SharePoint seems to amplify are the following;

1. Information Management
2. Project Management
3. Information Security
4. Business Intelligence

This week we look at Information Security.

3. Information Security

SharePoint has a confusing security architecture. A friend of mine continually jokes that you can do anything in SharePoint, as long as you know the 6 strategically placed security settings you need to set to allow users to interact with your content. I like to keep things simple. I always start addressing security by asking these 3 basic questions;

What are the requirements?

This question is pretty straight forward and we do it relatively well. Who gets access, and who doesn’t.

How do we know we meet the security requirements?

This is one area where SharePoint poses some difficulty, since it lacks any worthwhile reporting tools and has enough security layers that are hidden in the UI that it feels like finding an answer to this question is akin to finding the meaning of life itself. Paired with the products inability to properly handle security inheritance and the lack of a proper method to deny permissions and you are on a never ending hunt for individualized permissions. Yuck. Unfortunately the best security reporting tools are third party. Your team needs to sit down and address how your organization will address security reporting and auditing.

When is the last time we checked?

Security audits are often checked at implementation, but rarely checked afterwards. Permission elevation happens for various reasons such as troubleshooting, making it necessary to schedule our audits. If running an audit is painful because we haven’t properly addressed the above question, then scheduling it will hurt that much more. Again, get a good security tool.

Information Security Tips

Here are a few tips on implementing security in SharePoint to help make things a little more manageable.

Libraries/Lists are for security

I am not a fan of the Shared Documents Library which comes as a default. If you have ever heard me talk on the subject, you know I get a bit worked up about it. I am a fan of lists/libraries in SharePoint and I completely understand Microsoft’s position in adding it. It was a necessary evil. The problem that I have with it is what most people put in it. It goes against pretty much every information management principal that we have. Many organizations use this library and why not? It says "Shared" and I want to share my stuff, so why not? The reasons are many, but at a simple level, you will end up with a folder structure that mimics your old file shares, and make it work by placing individual permissions on folders and files to compensate for your lack of proper architecture. If you think of lists and libraries as containers, which if you were paying attention in the previous blog post when I ranted about the importance of structure, you can shape these containers to better store its information. You can change the shape (think ‘content types’), and you can change the behaviour (think ‘workflows’ and ‘views’) to better aid the end user in the task they have at hand (think ‘Use Cases’). Coming back to permissions, if we have a container with similar information in it, we can control permissions to all of its content by controlling permissions to the container. In other words, permissions in SharePoint are best handled at the list and library level and not at the folder or file/item level. Which brings me to a solid point: If you are not sure how many libraries you should have, look at the common permissions to your content. If a group of people need read access to one type of content but not to another type of content, then the content should be in the same list/library and we can control permissions to the content by setting the permissions once on the list or library. So how many lists or libraries should you have? The answer is in how many groups of content with the same permissions you have. This is not always the answer, but it is a good starting point.

Use SharePoint groups as functional roles

SharePoint groups are best used to reflect functionality rather than entity. Since we typically use Active Directory groups, adding the AD groups to our SharePoint groups to reflect the same group would be redundant. For example, having a Sales group in AD, which we mimic and create a Sales group in SharePoint usually offers little benefit. Having a group in SharePoint that reflects their ability is preferred. For example, I can create a group in SharePoint called Sales Lead Generators that can better reflect what anyone in that group can ‘do’ rather than who they are. Not only does it simplify security administration, it makes audit reporting a lot easier to read and verify.

Use Information Rights Management

Information Rights Management has been around for some time now. Surprisingly, most organizations that want to secure documents rely on securing the folder or physical media where the file is stored. The problem is that this security simply doesn’t follow the document where ever it goes. IRM on the other hand, does! You just have to ask someone if their documents are just as secure after an employee that has proper permissions to the file copies it to a thumb drive, or inadvertently emails it to the wrong person. SharePoint and IRM integrate very well. You can check out more about IRM here.

Next week, part 4 business intelligence…

YOU could be an MCT sooner than you think!

About ten years ago, I was awarded my Microsoft Certified Trainer (MCT) certification, I can honestly say I have never looked back. I really love being an MCT and being part of the MCT community. MCTs are geeks with personality. If you are passionate technology and like sharing your knowledge, consider becoming an MCT! There is something incredibly motivating and empowering about being able to help people master a concept or a technology. At the MCT Summit in October there is a fantastic promotion to help you earn your MCT, details are at the end of this post, but first I’d like to help you understand what it means to be an MCT.

Many consultants have an MCT certification. Training is a different skill, but can make a fun break from 6 month contracts writing code or doing OS upgrades. Some consultants discover they like training so much they do it full time.  The skills you develop earning your MCT certification and through the MCT program will also improve your credibility and your skills as a consultant. If you really love the classroom, you can become a full time contract trainer, or some training centers have full time instructors on staff, so you can have the stability of a full time job with the constant change and fun of teaching different courses to different students. It can be a lot of fun, make no mistake it can also be a lot of work, but it is a lot of fun. Imagine earning a living where your job description is to learn and stay on top of the latest technology and then share it with others!

Teaching a course can seem intimidating at first, you worry that there will be students in the class who know more about some aspects of the product than you do. Guess what, that will happen. But every student is in class to learn what you know and I can assure you that every student in that room can learn something from you! When you walk in front of that class, you are already seen as the expert, share what you know effectively, admit to what you don’t know, when you get questions you cannot answer be honest, research the question and get back to them with an answer. The students will leave happy and talking about what a great instructor you are.

Sometimes you introduce a feature that is completely new to a student, when the student finally “gets it”, when they understand how this feature will help them, how they can apply it at work, seeing the light go on in their eyes is addictive . You can see the excitement as they imagine looking like heroes when they walk back to the office Monday morning and show everyone this feature. You are really helping them with their day to day jobs, with their projects, with their careers!

There are other small aspects I enjoyed about training. Getting evaluations every Friday from my students. When you get a performance evaluation at work it always focuses on what you have to improve. To get any praise you have to go way above and beyond expectations. Students will praise you for simply meeting their expectations. It’s true! If you take a course and you leave feeling like you learned a lot, you will leave happy and you will say so on the resume. There is nothing quite like reading “The instructor is awesome” to start off your weekend right. I’ll let you in on another little secret about training, the students don’t generally want to listen to you lecture at 4:30 on Friday, so you often (not always, but often) get to go home a bit early on Fridays

Of course eventually you will have one of “those” weeks. A week where technical problems are causing you pain, or a particular student is being difficult, or (yes it happens) you discover you should have spent more time preparing for the class and the students know it. Like any other job it has its highs and lows. But at least when you are teaching a course, the lows end when the course ends on Friday .

Working as an MCT also can open up other opportunities, I’ve had the opportunity to write courseware, get involved in certification exam development, work at Microsoft conferences, author or review books, meet an incredible network of other MCTs from all other the world who I would happily meet for a drink (and frequently do) when our travels find us in the same town. The MCT community is another great benefit of earning the certification. MCTs tend to be intelligent, outgoing, supportive, and friendly, and in general excellent company.

So that’s my story, there are MCTs all over Canada, in fact we are now making it easier for Canadian MCTs to connect through the MCT Canada Rock Stars on Born To Learn (you do need to be an MCT to access this forum, if you aren’t signed in, clicking the link will take you to the sign in page, click the link again after signing in to visit our forum). Have I sparked your interest? Then read on to find out about a great opportunity to get jump start your MCT certification and at a discount!

The 2011 North America MCT Summit offers a unique opportunity to anyone who’s ever thought about becoming an MCT. A 1.5 day bootcamp style Train the Trainer event will be offered the Tuesday before and the Wednesday during the MCT Summit. This event will satisfy the requirement for proving instructional presentation skills for the MCT credential.

Due to the nature of the event, there will be some prep work that will be required beforehand. The prep work will be sent out to all TTT attendees beforehand. There will also be homework on the Tuesday to ensure success.

You can expect a very busy 1.5 days. During the event, you’ll work on your instructional skills to improve your effectiveness as a trainer. As a trainer you never stop working to improve, and the course will also help you work on a personal action plan for continuing your development.

Hopefully this event will be the starting point of a career as an MCT.

Beside the style of the event, this is unique in the timing and cost as well.

The timing is right before the MCT Summit, and entry to the event includes your fee for the MCT Summit. The MCT Summit is a conference for MCTs by MCTs. It’s an amazing chance to network with colleagues, who often become friends, and improve both technical and presentational skills.

On top of that, the fee for the TTT will also include the fee for the remainder of the MCT enrollment period, which ends in April of 2012 and normally costs $400 USD.

So if you are considering becoming an MCT, this is a great opportunity. I’ll be at the MCT summit, presenting, and talking to MCTs.  If you have any questions about MCT certification, the Summit, or life as an MCT, drop me a line (sibach@microsoft.com).

Hope to see you in San Francisco!

This post is also available on Canadian Developer Connection