SharePoint 2010 : Securing Information - Securing Site Collections

1. Custom Site Collection Policies

At the site collection layer, you can group different information policies together, which are then made available to list managers for use on content items within their lists. This can be useful if you have a large number of lists, each of which should be configured with the same information policy. You only have to create it once at the site collection level, and then you can apply it multiple times across multiple lists and libraries.

You can create as many site collection policies as you want—just be sure to give them descriptive names that indicate what the policy accomplishes. You can also export these policies from one site collection and import them into multiple site collections manually.

2. Auditing Activities in a Site Collection

Although some people will think that auditing should be included in a discussion on security, others will not, because it is merely a reporting tool that tells you what has happened in the site. Auditing cannot stop anyone from accessing anything to which they have permissions. Nevertheless, it is worth a brief discussion, because you can use auditing to help with compliance reports and to track chain of custody and chain of ownership for a legal dispute.

Auditing is turned on and reported at the site collection layer. The audit settings can be divided into several categories, as shown in Table 1.

After you turn on auditing, especially if you are going to audit everything, be ready to see a long report, because nearly every click can be tracked in one way or another.

3. Security Trimming for Navigation

For sites that have the publishing features turned on, you have the option to turn off the security trimming of the navigation. The effect of this is that links in the navigation will appear even if the user does not have access to the sites where the links point. Security trimming for navigation is turned on by default, but in rare instances, you might want to turn it off, if for some reason it is imperative that your users see links to pages and sites to which they do not have permissions.

You can turn off this feature at the site collection level by clicking the Navigation Settings link, which will take you to the Navigation Settings page (Sitenavigationsettings.aspx).

4. Site Collection Administrators

It’s important to distinguish between site collection administrators and site owners. The latter is a group given Full Control permissions through the local site, whereas the former is a role that has pervasive authority throughout the site collection. Those who have the site collection administrator role assigned to them have complete authority throughout the site collection. Breaking permission inheritance between sites or between a site and a list or library cannot keep out a site collection administrator.

A site collection administrator’s ability to access any content in their site collection is a key reason that you’ll need a number of site collections in which to host your collaboration. If you’ve been told that your organization can do most of their collaboration within a single site collection, don’t believe it. At a minimum, each time you need a unique set of permissions at the site collection administrator layer, you’ll need another site collection. Placing information in a site collection that the site collection’s administrator should not see creates a security issue that can be resolved only by moving the content to another site collection or by removing those who should not see it from the site collection administrator’s role.