Suppose I have a doc lib and I want the files in my library to be seen only by me.
No access to farm admin
No access by web services
Any ideas?
Good questions, Lucas [and a good discussion],
User Leaves Company: In that particular product, documents are not owned by users; they are owned by organizational groups (e.g. “Sales Team”). So no document is tied to a single user. Hence documents never get ‘orphaned’. You can see via the GUI if there are no users in a group.
E-Discovery: In that case the person conducting the E-Discovery for a subpoena would speak with the relevant business area, explain their need to know and have their user account placed into the relevant groups by the group owner. They can then perform the e-Discovery.
Auditing: I typically call audit a passive capability. It lets you know what someone did but they can still do damage. (e.g. Bradley Manning did what he did, it’s just they found out afterwards). Compartmentalizing information is an active defense in that it prevents people without a bona-fide need to know accessing information. The other factor with auditing is that audit information should be exported in real time to a server that the SharePoint admin has no access to [so you can’t go and edit the audit log] – but that’s another conversation in itself 🙂
In an ideal world we’d be able to trust admins, but unfortunately people like Ed Snowden [Someone with a Top Secret + Polygraph clearance!] have ruined it for all of us in IT. Plus if you tell your CEO you can see all his documents [many aren’t aware] you’ll probably find he’s none too impressed. It’s not spoken about too openly but I’m aware of an example where a mining company paid millions of dollars on exploration and had the intellectual property stolen from their collaboration platform and passed on to an overseas competitor. With these things happening, information security governance frameworks are starting to include “Prevent anyone having total access where possible” as a default.
What I can say from personal experience is this methodology has been applied to a deployment with upwards of 40,000 quite successfully.
Interesting perspective from you guys.
I concur with Lucas, if you can’t trust your farm administrator, then why are they your farm administrator? I do also want to reiterate, the farm admin has no explicit access to any site collection, except as a site collection admin or as a user of the site collection; that said, there is nothing preventing him from gaining access. I am not sure what kind of farms a third of the world has, but when I used to perform the role, there wasn’t a lot of free time for snooping and I really had no reason to.
There are technical scenarios that necessarily rely on having an administrative user with access to all content. I can potentially see cutting off a Site Collection owner, but if you throw the Farm Admin on the pile, there are going to be problems. What happens when the owner(s) of this highly classified document leaves the company, or when you want to migrate to a new platform, or when you want to implement fine-grained backups? How about E-discovery and audits? If an organization is worried that their system admins can’t keep their fingers out of the cookie jar, they should probably fire their untrustworthy sys admins, time-limit access to privileged accounts and turn up auditing before they go behind the scenes and start breaking inheritance of admin-level permissions.
How so, Lucas? If a system administrator needs to see content they can do so with a normal user account. With over 1/3rd of system administrators admitting in a SharePoint survey to ‘taking a peek’ at documents they aren’t supposed to, the ‘Insider Threat’ is a real risk that organizations are trying to mitigate.
This sounds like how migration and administration nightmares are born.