SharePoint is a powerful collaboration tool that generally experiences rapid adoption and organic growth. Within a few years of usage thousands of sites can be in use containing several terabytes of data and combine that with minimal out of the box site lifecycle management, manual processes, constant organizational change, compliance and data security require and lean staff to manage, organizations have quite the handful to manage. This blog will take you through some lessons I’ve learned working with organizations on the topic. Case and Point , this survey by Cryptzone says it all – security holes due to its security model.
With SharePoint you can provision site collections, sites within the collection and add or remove lists and libraries from the site as you see fit. When provisioning, permissions, site provisioning options such as site templates that can be provisioned and basic provisioning settings govern how sites are created, configured, operated and dispositioned. For the average person, this is a complex topic and series of tasks and as a result will lead to confusion, services requests and degraded information architecture and non-compliance with data and security policy.
How do you solve the problem? Adopt a self service approach to provisioning and upkeep of SharePoint. For example, make the provisioning of site collections and sites, owner updates, security updates and simple self service requests. This can be accomplished with software designed to provide provisioning and upkeep questionnaires and service requests.
Before automating the provisioning, the logic behind the provisioning must be determined so that service requests can be automated. There are some questions that must be answered to make sure the site users obtain the functionality required, compliance obligations are met and security policy is adhered to.
The questions are as follows:
- What’s services does SharePoint provide?
- What functionality is required?
- How long is the service required?
- Who are the owners of the site?
- Are the compliance requirements?
- Are their specific security requirements?
- How will managed paths and URLs be managed?
When designing your provision solution, there are a few key areas to focus on. As you determine requirements work closely with the business to integrate their needs and when designing and building your solution, work closely with the team that manages provisioning.
The main areas to focus on are as follows:
- Services offered – what services are offered (team sites, project sites, BI, mobility).These services would be made available in a self service catalogue of sorts.
- Lifespan – how long the services (sites) will be in use. For example, for a short term project of say 6 months or a community site that could be in use for 5 or more years.
- Ownership – who the primary and secondary owners are of the site. This is important from a site management perspective, two people reconcile for maintaining the site and being the primary contacts for the site.
- Compliance – the site might require specific features to be activated such as archival, logging or records mgmt. application integration to name a few. This would ensure sites would meet audit requirements incase of audits. Sites that contain records must be managed by site admins and users with records mgmt. awareness training so they know to move records to the organizations records mgmt. application for long term storage and lifecycle management using disposition schedules.
- Security – includes policy enforcement on site security permissions such as not allowing certain users access to sites (Regulated) or adding authenticated user group to open a site. Additionally, policy regarding how groups are used and permissions applied.
- Upkeep – site ownership must be kept up to date and permissions as well to make sure data is protected over the lifespan of the site collection and its sites. For example, automated service requests would be created to verify site ownership is up to date. If ownership updates are required the provisioning solution would manage the workflow and communications to accomplish the task. This would be the same for permissions maintenance as well.
The following are some common gotchas (risks) from a provisioning perspective:
- Site ownership not maintained – primary and secondary ownership must be managed aggressively ongoing.
- Site quotas not applied – usage quotas must be applied from the start and kept to within the design guidelines of your environment. Using a range of 2GB to start and 4GB as limit is a good rule on average.
- Sites not dispositioned – sites are not deleted due to mature records mgmt. policy and controls. eDiscovery, operational jobs (indexing, backup, scans etc.), storage and administration costs escalate as a result.
- Data policy not mature – if your data security and compliance department can’t provide firm guidelines that are intelligible your at risk. What i mean by intelligible is that you can read once or twice and know how to execute and don’t feel paralyzed.
- Records mgmt integration – if you have compliance requirements then integrate SharePoint with your records mgmt system and educate site and admins and users with formal training programs.
- Use third-party add-ons recklessly – remember the fabulous 40? these created a support nightmare during 2010 upgrades. Assess long term viability of vender, offering and operational impacts.
- Keep branding simple – well executed branding can add a nice visual to sites but poorly executed branding can slow a site and create usability issues. keep to OOB settings and much as possible and avoid custom code to reduce technology risk. Educate branding team regarding product limitations to avoid nightmares.
The following configuration options must be addressed to retain control of sites:
- Provisioning tool – the tool must be configured to guide the user through the process of completing a services request for a site. Additionally the tool must enforce the data and security policy for compliance purposes.
- External and internal sites – keep your external and internal sites on separate farms and follow your organizations data security policy (consider Office 365 for external sites and use Third-party tools for managing provisioning). Clearly demarcated systems are easier to manage and therefore lower risk.
- Organization your site collections based on data value – by doing so you will enable the ability to focus resources based on data importance and risk. for example, provision sites based on risk, backup sites more effectively and report on them more fictively as well. Also consider organizing data using a work model (but not org chart) since how people work together. Being able to identify and categorize data within applications will help focus your lifecycle management activities.
- Site collection provisioning – The provisioning of site collections must be governed to ensure site collection owners are assigned and managed ongoing, permitted site templates are permitted and site collection settings are enforced. Consider a third party tool to help manage site provisioning life cycle).
- Sub sites – based on your information architecture, decide whether to allow subsets or to use site collections only. But make sure you can enforce your data policy for subsites based on the parent site. For example, if the parent site contains important/compliance related data, don’t provision subsites that that contain transitory data.
- Site provisioning – Self-Service Site Creation allows users to create and manage their own top-level websites automatically. When you turn on Self-Service Site Creation for a web application, users can create their own top-level websites under a specific path (by default, the /sites path). Self-Service Site Creation can be configured to create sites, instead of site collections, automatically. When turned on, this capability advertises itself with a new site link added to the Sites page of users’ personal sites. Because Self-Service Site Creation creates new top-level websites on an existing web application, any new sites automatically conform to the web application’s default quota settings, unused website notification settings, and other administrative policies. You can configure Self-Service Site Creation in a variety of ways to meet your needs. For example, if you have a web application dedicated to My Sites, you can enable Self-Service Site Creation but select to hide the new site link so that no one can use it to create new sites or site collections. You can also create a custom form that users utilize to create a site or site collection.
- Site deletion – establish policy and controls for using automated deletion and notification on sites that qualify such as short term project sites. If need be archive site contents but avoid using SharePoint formats due to the proprietary nature. Specifically, if you archive sites in 2007 format you will require a 2007 farm to recovery in case of litigation – huge expense. Instead export contents and user information to an archive solution.
Third party Tools
For some organizations, third-party tools help to manage provisioning of sites in a more granular manner than SharePoint in general. Also, third-party tools offer more controls such as:
- Granular provisioning – site creation on premise or on Office 365.
- eDiscovery – find data required for litigation purposes.
- Archival – site archival to meet compliance requirements.
- Reporting – on site ownership, usage and data.
- Policy enforcement – ongoing enforcement of compliance related site settings.
If your building a new environment, focus on an Information Architecture that classifies data according to data security policy, compliance requirements and how the organization works together. Use that model to build out farms, office 365, applications, site collections and sites.
Establish a provisioning solution that makes the provisioning and upkeep of SharePoint a simple service request. Such as provisioning site collections and sites, owner updates, security updates and other common requests.
If you have an existing environment, invest in tools that will inventory your datato provide with some insight regarding where data resides, its importance and ownership. Once you have the report you can then decide how the data should be handled – reorganized so management is sustainable or kept in place.
In either case this is a major undertaking and generally not well understood value wise unless your in a records management, audit, security or data compliance role. Be prepared to educate your colleagues regarding these topics and leverage individuals that do understand the topic. Also, if you have been audited, gain access to the audit report as leverage for your business case.