SharePoint Document Security: Assigning SharePoint Permissions
In SharePoint you can assign permissions (SharePoint document access control) to secure sensitive documents at the folder level and the document level.
Folder permissions ensure that any document placed inside a ‘secure’ folder will automatically be protected with the permissions assigned to that folder.
However, this strategy relies on users putting documents in the correct folders and not copying them to other folders when collaborating with different users. If folder structures become too complex and users become unsure which files go where, they will abandon SharePoint and copy documents to their desktop or other devices, or use folders they can work with that will most likely not be protected. Once sensitive documents are placed in folders that do not have the appropriate permissions, the SharePoint environment and the documents are no longer secure.
So SharePoint folder security relies on a simple folder structure where users want to obey the rules – it only works as long as everyone always puts the files back in the right folder.
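The failure mode described above can be checked for. The following is an added example, not code from this page or from SharePoint: it takes a constructed inventory of documents with classification labels, resolves each folder's effective permissions by walking up to the nearest folder that has its own permissions (SharePoint folders inherit from their parent unless inheritance is broken), and reports documents whose folder exposes them to groups their label does not allow. All paths, group names and labels are hypothetical.

```python
from pathlib import PurePosixPath

# Folders with their own (unique) permissions; all others inherit from the parent.
FOLDER_ACLS = {
    "/sites/corp": {"Everyone"},
    "/sites/corp/Finance": {"Finance-Team"},
    "/sites/corp/Finance/Board": {"Board-Members"},
}
# Widest audience each classification label may be exposed to (assumed policy).
ALLOWED = {
    "Confidential": {"Finance-Team", "Board-Members"},
    "Restricted": {"Board-Members"},
}
# Constructed inventory: (document path, classification label or None).
INVENTORY = [
    ("/sites/corp/Finance/Board/minutes.docx", "Restricted"),
    ("/sites/corp/Finance/Q3/forecast.xlsx", "Confidential"),   # inherits Finance
    ("/sites/corp/Finance/Q3/board-pack.pptx", "Restricted"),   # copied out of Board
    ("/sites/corp/Shared/forecast-copy.xlsx", "Confidential"),  # copied to open folder
    ("/sites/corp/Shared/lunch-menu.docx", None),
]

def effective_groups(folder, acls):
    """Walk up the tree to the nearest folder that has its own permissions."""
    node = PurePosixPath(folder)
    while True:
        if str(node) in acls:
            return acls[str(node)]
        if node == node.parent:       # reached the root: no ACL known, fail closed
            return {"UNKNOWN"}
        node = node.parent

def misplaced(inventory, acls, allowed):
    """Return (path, label, excess groups) for documents over-exposed by their folder."""
    findings = []
    for path, label in inventory:
        if label is None:             # unclassified: nothing to compare against
            continue
        groups = effective_groups(str(PurePosixPath(path).parent), acls)
        excess = groups - allowed.get(label, set())
        if excess:
            findings.append((path, label, sorted(excess)))
    return findings

if __name__ == "__main__":
    for path, label, excess in misplaced(INVENTORY, FOLDER_ACLS, ALLOWED):
        print(f"{label:12} {path}  exposed to: {', '.join(excess)}")
```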
Unlike folder-level permissions, document-level permissions travel with documents regardless of where they are stored in a SharePoint environment.
Administrators can set up SharePoint so documents are automatically classified based on the presence of sensitive information. Administrators can also create permissions that prevent documents from being printed, edited, or saved outside of the SharePoint environment. If that sounds too good to be true, then it is… Achieving document-level security in SharePoint requires administrators to define security policies against specific metadata, and SharePoint has limited metadata functionality. In addition, administrators can’t prevent people from accidentally or maliciously editing document metadata in ways that remove security (although this may seem academic, as users can find ways around documents being tagged to begin with).
So the bottom line is that SharePoint was not built with security in mind. Security was added later as an afterthought and is as effective as a fig leaf for securing your assets.