10 View Permissions Inheritance
Access via > Site Settings -> Site Permissions -> Show these items
11 Three Levels of Admin Rights
In descending order of power:
Primary/Secondary Site Collection Administrators
  - Can only be changed by Farm Administrators
  - Highest level of admin rights for a site collection
  - Receive system s for site collection
  - Has admin rights to everything in site collection
Site Collection Administrators
  - Can be added/removed by other Site Collection Admins
  - Receive system s for site collection
  - Cannot remove Primary/Secondary SCAs
  - Has admin rights to everything in site collection
Users with Full Control Rights
  - Cannot add/remove SCAs
  - Can control permissions of other users
  - Do not receive system s for site collection
  - Can delete objects they have full control on
  - This includes the entire site collection if they have rights at the root!
12 Enable Auditing
Access via > Site Settings -> Configure Audit Settings
13 Best Practices
  - Keep permissions Safe for Work, no naked IDs
  - Use the default groups whenever possible
  - Create new groups for specific security needs
  - Create new groups at the root of your site collection with read permission, then elevate
  - Document in the group’s description what it provides access to
  - Place more public information at the upper levels of your site
  - Place more secure information at the lower levels of your site
  - Limit the number of users with admin rights
  - If needed, enable auditing
14 Fixing Permissions
Role Based or Hierarchy Based
  - Plan a new group wherever a specific, discrete permission requirement exists
  - Make the group names as descriptive as possible, and/or write out a detailed, plain English narrative of the group’s purpose in the Description field
  - Create all groups at the root of your site collection with Read permissions
  - Elevate these permissions as needed within the site
  - Place users into groups as required
15 Fixing Permissions
  - Communicate out to your users the date & time you will be switching over to a new permissions management scheme
  - Ensure your users know they should contact you directly if they lose access to anything
  - On the date and time agreed upon, remove all individually assigned user permissions on your site
  - All that should be left are groups on your permissions screens
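
Before the switch-over it helps to know exactly which individually assigned users the cleanup will affect. The script below is an added example, not part of the original slides: a report-only audit that lists every permission entry that is not a SharePoint group, on each site and list with unique permissions. It assumes an on-premises SharePoint Server farm with the SharePoint PowerShell snap-in; the site collection URL is a placeholder.

```powershell
# Added example: report-only audit, makes no permission changes.
# Assumptions: on-premises SharePoint Server, run in the SharePoint Management
# Shell by an account that can read the whole site collection.
param([string]$SiteUrl = "https://sharepoint.example.com/sites/placeholder")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DirectUserAssignment {
    param($Securable, [string]$Scope, [string]$Location)
    # Objects that inherit permissions are covered by their parent; skip them.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        # SharePoint groups are the desired end state; report everything else.
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { continue }
        [pscustomobject]@{
            Scope            = $Scope
            Location         = $Location
            Principal        = $ra.Member.LoginName
            # AD security groups also appear as SPUser entries; flag them separately.
            IsDomainGroup    = $ra.Member.IsDomainGroup
            PermissionLevels = ($ra.RoleDefinitionBindings |
                                ForEach-Object { $_.Name }) -join "; "
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            Get-DirectUserAssignment $web "Site" $web.Url
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                Get-DirectUserAssignment $list "List" ("{0} :: {1}" -f $web.Url, $list.Title)
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

# Entries with Full Control at the root site deserve the closest review.
$report | Sort-Object Location, Principal | Format-Table -AutoSize
```

Folder and item-level permissions are not covered by this script. Entries whose only permission level is "Limited Access" are created by SharePoint itself when a user is granted access to something deeper in the site.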