A lot in SharePoint is built on its security model, but that model is basic at best.
For items to be visible or hidden depending on who the user is, which is the essence of security, an administrator has a lot to administer:
- Create groups and populate them (from external systems such as AD, or one user at a time).
- In the item's location (site, list), assign rights to the groups. Sometimes rights are assigned to the item itself (not recommended).
More administration is needed whenever new users join the organization (in SharePoint or outside it), so that they end up in the right existing groups.
Most organizations use the profile service provided by SharePoint, where we can have properties that represent the attributes a user has in the organization. The only way to use these attributes is to create audiences to be used in web parts, and even audiences are created by comparing property values to static values.
So for instance, if you wanted an audience per location and the organization has 1000 locations, you would need to create 1000 audiences and add a new one whenever the organization adds a location. Not very practical.
What if we also had dynamic security rules that match profile properties?
Let’s dream a new SharePoint security feature.
- Say we can define a rule at the level of a group, so that we can assign rights to the rule rather than to the group.
- The rule is constructed as a logical function that compares a property value of the user to a column value of the item.
- The comparison should be flexible (equals, not equals, in (…), contains (), begins with, etc.).
- If the rule evaluates to true, the assigned rights apply.
- The end result is basically SharePoint performing a CAML query tailor-made to the current user.
As developers, we do similar things when we customize SharePoint for our organization, but our reach is limited to what we create ourselves.
Take the location example from before. If we have a content type with a location column (even a multi-value one), we can now filter a web part to show the user only items whose location column contains the user's location. But we can't prevent an item from showing up in an unrelated search by a user whose location differs from the item's.
If we had rule-based security on the list, or even on the content type (yet another security idea), we would not have to worry about search showing users what they should not see, and we would not have to create groups for each location.
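To make the rule idea concrete, here is a small model of how such rule-based (attribute-based) grants would evaluate, covering both the rule construction wished for above (profile property, flexible operator, item column, rights assigned to the rule) and the multi-value location column with security-trimmed search from the last paragraph. This is added example code, not anything SharePoint provides and not the author's code; the `Rule`/`RuleGrant` types, the operator names and the sample users and items are all constructed for illustration. One design point worth noting: a rule whose profile property or item column is missing evaluates to false, so the engine fails closed rather than exposing items to users with incomplete profiles.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Operators from the wish list, applied between one user profile value and an
# item column that may be multi-valued (normalised to a list of strings).
OPERATORS: dict[str, Callable[[str, list[str]], bool]] = {
    "equals":      lambda u, col: col == [u],                         # single-valued, exact
    "not_equals":  lambda u, col: u not in col,                       # user value absent from column
    "in":          lambda u, col: u in col,                           # membership in multi-value column
    "contains":    lambda u, col: any(u in v for v in col),           # substring match
    "begins_with": lambda u, col: any(v.startswith(u) for v in col),  # prefix match
}


def _column_values(value: Any) -> list[str]:
    """Normalise a scalar or multi-value column to a list of strings."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set, frozenset)):
        return [str(v) for v in value]
    return [str(value)]


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: compare a profile property against an item column."""
    user_property: str   # e.g. "Location" from the profile service
    operator: str        # key in OPERATORS
    item_column: str     # e.g. the "Location" column of the content type


@dataclass(frozen=True)
class RuleGrant:
    """Rights assigned to a rule instead of to a group."""
    rule: Rule
    rights: frozenset[str]   # e.g. frozenset({"Read"})


def rule_matches(rule: Rule, profile: dict[str, Any], item: dict[str, Any]) -> bool:
    """True only if both sides carry a value and the operator accepts them.

    A missing profile property or item column fails closed (no match), so a
    user without a Location never sees location-scoped items, even under
    "not_equals".
    """
    try:
        op = OPERATORS[rule.operator]
    except KeyError:
        raise ValueError(f"unknown operator {rule.operator!r}") from None
    user_value = profile.get(rule.user_property)
    column = _column_values(item.get(rule.item_column))
    if user_value is None or not column:
        return False
    return op(str(user_value), column)


def effective_rights(grants: list[RuleGrant], profile: dict[str, Any],
                     item: dict[str, Any]) -> frozenset[str]:
    """Union of the rights of every grant whose rule evaluates to true."""
    rights: set[str] = set()
    for grant in grants:
        if rule_matches(grant.rule, profile, item):
            rights |= grant.rights
    return frozenset(rights)


def trim(grants: list[RuleGrant], profile: dict[str, Any],
         items: list[dict[str, Any]], right: str = "Read") -> list[str]:
    """Security-trim a result set (list view or search hits) for one user."""
    return [item["Title"] for item in items
            if right in effective_rights(grants, profile, item)]


# Constructed sample data: two rule grants, four items, three user profiles.
GRANTS = [
    RuleGrant(Rule("Location", "in", "Location"), frozenset({"Read"})),
    RuleGrant(Rule("Department", "equals", "Owner"), frozenset({"Read", "Edit"})),
]
ITEMS = [
    {"Title": "Paris office memo",  "Location": ["Paris", "Lyon"], "Owner": "Facilities"},
    {"Title": "Berlin hiring plan", "Location": "Berlin",          "Owner": "HR"},
    {"Title": "Finance forecast",   "Location": ["Paris"],         "Owner": "Finance"},
    {"Title": "Global policy",      "Location": None,              "Owner": "Legal"},
]
ALICE = {"Location": "Paris", "Department": "Finance"}
BOB = {"Location": "Berlin", "Department": "HR"}
CAROL = {"Department": "Legal"}   # no Location property set in the profile

if __name__ == "__main__":
    for name, profile in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, "can read:", trim(GRANTS, profile, ITEMS))
        print(name, "can edit:", trim(GRANTS, profile, ITEMS, right="Edit"))
```

Because `trim` runs the same rules a list view would, applying it to search hits gives exactly the behaviour the post asks for: an item scoped to Paris never appears in a Berlin user's results, and nobody had to create a group per location.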
Microsoft! Please give us rule-based security in the next version of SharePoint!