Does anyone know if a site admin can programmatically set permissions on documents in a SharePoint Library so that site collection administrators would have to take ownership before accessing the file? I’m one of the Site Collection administrators, and a user wants to store InfoPath forms containing sensitive information in our site, and I’m looking for a way to assure them it would not be accessed, even by system administrators.
5 Answers
I've come across this question before in relation to non-SP content, and I believe it's more of a customer relations management question than a technical question. What it boils down to is that if users can't trust their admins they're already screwed anyway, and this kind of thing is the least of their problems.
OK, I can understand the user perspective here; something like pay rates, performance reviews and/or HR reports can be fairly dicey to deal with at the best of times, and it can seem attractive to an admin to lock themselves out from an ass-coverage point of view. But at the end of the day, there are plenty of situations where doing so can actually be for the worst.
Specific examples would include - how do you now back up and restore the data? Who looks after assigning permissions to new users? Who looks after troubleshooting issues with the library? What's going to happen in 5 years' time when the data needs to be migrated to a new server? What happens if an admin just changes a user's password and accesses the data that way? What's to stop an admin from just giving themselves (or a dummy user account) the required access rights? These (and more) are all questions that need to be asked and answered before you can even start to think about going down this route.
I'm sorry this is not an answer, but the reality is that with any system somebody has to be the admin, and being the admin means having both privilege and responsibility, and it also means that the users have to not only trust, but believe in their bones that they can trust the admin, and that the admin has to respect and show they deserve that level of trust.
At my job, I went through another, more extensive background check to become the Site Collection Admin. Then I signed additional paperwork that I would not use my powers to view content I should not see. – MrChrister Oct 16 '09 at 21:10
By the way, for a technical answer, I would be more in favour of enabling access logging on the sensitive data and arranging for the logs to be made available to the relevant manager on a daily, weekly, or whatever is required basis (or even let the relevant manager view the logs directly as and when they wish, so as to remove any possibility for suspicion of someone else tampering with them).
Encryption is the only way to secure data from someone with physical access. However, as mh says, if you cannot trust your admins, you have far bigger problems.
We all trust each other here, yet some people still want to latch the bathroom stall door. Go figure. – cyfred Oct 16 '09 at 17:07
And that latch is the equivalent of removing read/write access to the file. You can count on that being secure, but then, it's easy to break through a toilet door. Your analogy actually works, as it's easy to bypass, so is a token measure, as is changing the permissions. – Dentrasi Oct 16 '09 at 17:59
The only answer I can come up with is to create a new site collection for the sites that require the security. Your new problem is who will be the admin for those sites, which at best is something that is granted and taken away as needed, and at worst is done by someone unqualified for the position.
Besides site collection admins, how do you keep the farm admins out? Then you are back to the answers already provided about the level of trust you must put in your admins.
Basically I agree with most responses in seeing this as representing a rather odd scenario. If the admin isn't trusted then why is a document in this area? However, it can in fact be done through code. If you create a document library using code, break inheritance of permissions and set the permissions manually, only those manual permissions will apply and even a subsequent granting of full control of the site won't change that. The sole exception to this will be the original creator of the site (whether using the web pages or the person in whose id the code was run) who will retain full access.
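
An added example, not part of any answer in this thread: a PowerShell sketch using the SharePoint server object model that breaks permission inheritance on a library as the last answer describes, and also turns on the access logging suggested in an earlier answer so that views and later permission edits are recorded. The site URL, library name and account are constructed placeholders, and the script assumes it runs on a farm server where `Microsoft.SharePoint.dll` is installed.

```powershell
# Added example. All three values below are constructed placeholders.
$siteUrl     = "http://sharepoint.example.local/sites/hr"
$libraryName = "Sensitive Forms"
$ownerLogin  = "EXAMPLE\forms.owner"

# Load the server object model (assumes a SharePoint farm server).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web = $site.OpenWeb()
    try {
        $list = $web.Lists[$libraryName]

        # Stop inheriting from the site. $false = do not copy the parent's
        # role assignments, so the library starts with an empty permission set.
        if (-not $list.HasUniqueRoleAssignments) {
            $list.BreakRoleInheritance($false)
        }

        # Grant a single named owner the built-in Contribute role.
        $user       = $web.EnsureUser($ownerLogin)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
        $list.RoleAssignments.Add($assignment)

        # Record who views, changes or deletes items, and any change to the
        # library's permissions, in the site collection audit log.
        $list.Audit.AuditFlags =
            [Microsoft.SharePoint.SPAuditMaskType]"View, Update, Delete, SecurityChange"
        $list.Audit.Update()

        # Print the resulting permission set for review.
        foreach ($ra in $list.RoleAssignments) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            "{0} : {1}" -f $ra.Member.Name, $roles
        }
    }
    finally { $web.Dispose() }
}
finally { $site.Dispose() }
```

The `SecurityChange` flag is the one that matters for the trust question raised in the thread: it logs any later edit to the library's permissions, which the data owner's manager can review.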