
Security Groups in SharePoint

Mar 25, 2020

SharePoint security in general can be somewhat tough to manage. A few years back it was a bit simpler, since there were only SharePoint groups with limited capabilities. Now there are also Office 365 groups, which are much more difficult to control and have far more versatility and functions, making the whole process even harder to manage.

What are SharePoint Groups?

A SharePoint group is essentially a number of users with similar fields of work or a similar access level. When it comes to permission management, it is much easier to work with permissions assigned to groups of people than to individuals: it’s easier to control and trace users’ activities.

SharePoint groups can be considered a relatively old addition to SharePoint. Since the beginning, any site that’s ever been created in SharePoint has had security groups created alongside it, each with a set of permissions.

From a technical standpoint, a security group is a SharePoint object that has a set of users and a set of unique settings. Those settings might be anything, like owner permissions, administrator permissions and so on.

How are they created?

Typically SharePoint groups are created when a new site is created, and the number of those groups may depend on the selected website template. However, there are typical groups that are created most of the time, such as:

  • Site members;
  • Site owners;
  • Site visitors, etc.

SharePoint security groups can be created manually via a site collection menu, but this is rarely done. Nesting one SharePoint group inside a different group is impossible. That includes nesting within O365 groups, as well as other interactions with Office 365 products like Planner or Exchange. At the same time, you can still nest existing AD DS (Active Directory Domain Services) groups inside a SharePoint group.

What are AD DS Groups?

Speaking of AD DS, there are two common group types that are used for organizational purposes:

  • Distribution group – a group that’s used to distribute e-mail, with no additional security. This group type isn’t listed in DACLs (discretionary access control lists), which are used to set permissions for resources or objects.
  • Security group – a group that can be listed in DACLs and can still be used for e-mail.

Even though AD DS security groups can be used for management purposes, they still don’t provide full coverage of everything that is happening with users. There are a lot of little things that don’t work as well as they should. For example, if you add a security group to a SharePoint group for an existing site, the site won’t appear in the My sites menu. Each individual user would have to contribute in some way before he or she appears in the User information lists. Furthermore, the more complex your security structure is, the greater the chance that it breaks some SharePoint sites completely.

Best Practices for SharePoint Groups

One of the best practices when working with SharePoint groups is to always have each user assigned to one of the SharePoint security groups, which makes management that much easier and gives administrators more granular control.

There are several things you should consider when choosing how to control your user base – through SharePoint groups or with the help of Active Directory groups:

  • A SharePoint group is somewhat less reusable than an AD group;
  • An AD group is easier to maintain than a SharePoint group;
  • SharePoint groups take somewhat more administrative effort than AD groups.

Unfortunately, it’s quite common for users to suddenly lose track of their groups and what each of them was originally needed for. That’s why you should always remember not to overcomplicate your group structure and never give permissions to single users. Those two points are the most important with regard to SharePoint group management.
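The rules above can be checked against an export of a site's permissions: no permissions granted to single users, every user reachable through a SharePoint group (directly or via a nested AD security group), and no SharePoint group nested inside another. This is an added example, not code from the original post; the export layout, group names and accounts are constructed assumptions.

```python
"""Audit a site's permission export against the group rules described in the article.
All structures, names and accounts below are constructed for illustration."""

# Constructed export: which principal holds which permission level on the site.
ROLE_ASSIGNMENTS = [
    {"principal": "Site Owners", "type": "SharePointGroup", "role": "Full Control"},
    {"principal": "Site Members", "type": "SharePointGroup", "role": "Edit"},
    {"principal": "Site Visitors", "type": "SharePointGroup", "role": "Read"},
    {"principal": "dana@example.com", "type": "User", "role": "Edit"},  # direct grant
]
# Constructed membership: SharePoint group -> members (users or AD security groups).
SP_GROUPS = {
    "Site Owners": ["alice@example.com"],
    "Site Members": ["EXAMPLE\\Finance", "bob@example.com"],
    "Site Visitors": ["Site Members"],  # invalid: SharePoint groups cannot nest
}
# Constructed AD security groups -> users.
AD_GROUPS = {"EXAMPLE\\Finance": ["carol@example.com", "bob@example.com"]}
ALL_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
             "dana@example.com", "erin@example.com"]

def direct_user_grants(assignments):
    """Permissions given to single users instead of groups."""
    return [(a["principal"], a["role"]) for a in assignments if a["type"] == "User"]

def nested_sp_groups(sp_groups):
    """SharePoint groups listed as members of another SharePoint group."""
    return [(g, m) for g, members in sp_groups.items() for m in members if m in sp_groups]

def users_covered_by_groups(sp_groups, ad_groups):
    """Users reachable through a SharePoint group, directly or via a nested AD group."""
    covered = set()
    for members in sp_groups.values():
        for m in members:
            if m in sp_groups:
                continue  # not a valid nesting, so it confers nothing
            covered.update(ad_groups.get(m, [m]))  # expand AD group, else a plain user
    return covered

def audit(assignments, sp_groups, ad_groups, all_users):
    """Collect all three findings for one site."""
    covered = users_covered_by_groups(sp_groups, ad_groups)
    return {
        "direct_user_grants": direct_user_grants(assignments),
        "nested_sharepoint_groups": nested_sp_groups(sp_groups),
        "users_without_group": sorted(set(all_users) - covered),
    }

if __name__ == "__main__":
    for finding, items in audit(ROLE_ASSIGNMENTS, SP_GROUPS, AD_GROUPS, ALL_USERS).items():
        print(finding, items)
```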

Even though O365 groups might have more versatility, SharePoint groups can also be useful in some specific cases. Let’s discuss these below:

Members of SharePoint security groups:

  • Can:
    • Interact with SharePoint content in any way, including changing, editing, reading, etc.
  • Can’t:
    • Have access to Exchange
    • Have access to Microsoft Teams
    • Have access to Planner

The groups are great tools for establishing security in your SharePoint infrastructure. Don’t forget to use them efficiently for permission level management and your SharePoint will be protected from internal and external threats.
