Suppose I have a doc lib and I want the files in my library to be seen only by me.
No access to farm admin
No access by web services
Any ideas?
Good questions Lucas [and a good discussion],
User Leaves Company: In that particular product, documents are not owned by users; they are owned by organizational groups (e.g. “Sales Team”), so no document is tied to a single user. Hence documents never get ‘orphaned’. You can see via the GUI if there are no users in a group.
E-Discovery: In that case the person conducting the E-Discovery for a subpoena would speak with the relevant business area, explain their need to know and have their user account placed into the relevant groups by the group owner. They can then perform the e-Discovery.
Auditing: I typically call audit a passive capability. It lets you know what someone did, but they can still do damage (e.g. Bradley Manning did what he did; it’s just that they found out afterwards). Compartmentalizing information is an active defense in that it prevents people without a bona fide need to know from accessing information. The other factor with auditing is that audit information should be exported in real time to a server that the SharePoint admin has no access to [so you can’t go and edit the audit log] – but that’s another conversation in itself 🙂
In an ideal world we’d be able to trust admins, but unfortunately people like Ed Snowden [someone with a Top Secret + Polygraph clearance!] have ruined it for all of us in IT. Plus, if you tell your CEO you can see all his documents [many aren’t aware], you’ll probably find he’s none too impressed. It’s not spoken about too openly, but I’m aware of an example where a mining company paid millions of dollars on exploration and had the intellectual property stolen from their collaboration platform and passed on to an overseas competitor. With these things happening, information security governance frameworks are starting to include “Prevent anyone having total access where possible” as a default.
What I can say from personal experience is this methodology has been applied to a deployment with upwards of 40,000 quite successfully.
Interesting perspective from you guys.