
Elevate your enterprise content with Microsoft SharePoint

Enterprise content management systems must be cost-effective, collaborative, intuitive and easy to use. These systems must also support more advanced features such as security, third-party data integration, external sharing control, and automation.

Microsoft SharePoint offers all these capabilities in one place:

  • Content lifecycle management
  • Inbuilt editing capabilities: lists, libraries, web parts
  • Consistent web look and feel
  • Fast publishing and multiple sharing options
  • Localization support 

Secure and encrypt content or sensitive data

Sensitive content includes trade secrets, PII, classified documents and much more. SharePoint integrates with many Microsoft ecosystems that let you encrypt content before it is used.

Tags and AIP

If you have a Microsoft 365 enterprise subscription, you can use Azure Information Protection (or AIP) to tag content. You can filter the tagged content and: 

  • Encrypt it while working on your files locally 
  • Set up an expiration date for specific files you share
  • Monitor the shared files 

Functions and DLP

Data Types and Data Risk are functions which enable you to label your content, its metadata, and its location. You can filter such data and apply policies that protect personally identifiable information (in compliance with GDPR) or trade secrets. Use the Data Loss Prevention tool provided by Microsoft to block access in accordance with company policies.

AIP and DLP

AIP is an enabler for the Data Loss Prevention (DLP) module, where you can track whether your employees label sensitive data in accordance with your security and governance policies.

Organization keys

For even more advanced security, you can use your very own, organization-level encryption keys and manage them with your Microsoft 365 Azure Key Vault service. 

Expose and share content sensibly


Enterprise content is sensitive. Therefore, it must be curated and managed sensibly.

When you expose your enterprise content via a site, you must decide who can create and who can see your content. Down the road, if you choose to expose this content externally, you must ensure that you give your external users access to what they are meant to see. Revealing too much may lead to legal or financial repercussions.

To implement sound governance principles and policies, you must understand: 

  • How external sharing must be handled     
  • How linking and sharing interact with one another      
  • How permissions and groups help you refine your sharing behavior 

External sharing via a site collection

When users share files or sites, a link for the file or site is automatically generated by the system. Users can copy the link and send it to their intended external audience.

So, how can we ensure that sharing links with external users is a secure process?

SharePoint administrators must make several adjustments to make external sharing bulletproof:

  1. Create a site collection for all the sites you want to share with an external audience. This helps you control access in a centralized manner, rather than controlling access per site.     
  2. Choose the overall sharing method and specify your choice further:
  • Share links with external users that already exist in the organization’s directory (Azure Active Directory)

This is secure, but not flexible enough. Users who are not part of the directory would be left out. 

  • Share links with external users who accept sharing invitations and sign in to authenticate

This is the most secure and most flexible way of sharing because it does not leave out new external users and it requires authentication. Moreover, this option enables you to further limit external sharing to specific domains. With this option, new users who receive an invitation sign in to their Microsoft account or enter a verification code. If they use a Microsoft account, they are added to your Azure Active Directory automatically. If they use a verification code, they will have to use a code each time they access the file and they will not be added to the directory.

  • Share links with all external users via anonymous access links

This is the least safe option, because it gives anyone with the link the ability to view and edit the shared files. Moreover, you cannot predict how these files are further used and reshared. There are a few options for controlling resharing: you can set a link expiration date, and you can limit link permissions so that external users can only view files or folders, rather than being able to edit them. 

Irrespective of the method you choose (from the three detailed above), note that your external users can now share and reshare the content they were given access to, and even share other content from the site.

Yet, these external users did not create this content and they do not own it.

How can you troubleshoot this?

There is an option which disallows such guests (external users) from sharing items they do not own. Select this option, and external users can no longer share documents they did not create.
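The sharing choices described above can be applied and audited with the SharePoint Online Management Shell. This is an added example, not part of the original article; the tenant name `contoso`, the site collection `/sites/partners` and the domain `partner.example` are placeholders.

```powershell
# Added example. Placeholders (assumptions, not from the article):
# tenant "contoso", site collection "/sites/partners", domain "partner.example".
# Requires the Microsoft.Online.SharePoint.PowerShell module and admin rights.
$adminUrl = 'https://contoso-admin.sharepoint.com'
$siteUrl  = 'https://contoso.sharepoint.com/sites/partners'

Connect-SPOService -Url $adminUrl

# Tenant-wide ceiling: external users must accept an invitation and
# authenticate (the second option above). Anonymous links are off.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Guests can no longer share items they do not own.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# The dedicated external site collection: authenticated guests only,
# limited to an explicit list of partner domains.
# A site cannot be more permissive than the tenant-wide setting.
Set-SPOSite -Identity $siteUrl `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList 'partner.example'

# If anonymous links have to stay enabled, constrain them instead:
# expiring, view-only links for files and folders.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#     -RequireAnonymousLinksExpireInDays 14 `
#     -FileAnonymousLinkType View `
#     -FolderAnonymousLinkType View

# Audit: site collections that still allow anonymous access links.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, SharingDomainRestrictionMode
```

For directory-only sharing (the first option), the corresponding value is `ExistingExternalUserSharingOnly`.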

External sharing without a site collection

While using site collections works best to control how your external audience interacts with your sites, sometimes you may want to share only a folder or a couple of files from a site.

Maybe you did not create a site collection from the start.

Maybe you have just a couple of sites.

What can you do? 

1. Understand parent inheritance.

When you create a site, its parts and objects are subject to parent inheritance, which means that site-level permissions propagate to all children. 

2. Understand unique permissions.

What happens when you want to expose a subsite/a folder/a file only to some external users?

When you share a folder/file, a unique permission is automatically created for that folder/file. Handling a large number of unique permissions is error-prone and nerve-racking.

How can I manage unique permissions more easily?

The easy way out is to organize your folders/files in a list, a library, or a site. You can always delete a unique permission and restore parent inheritance, but you must remember which object you created a unique permission for.

What does each unique permission mean?

  • Unique permissions on a file library = The entire site content can be accessed except the file library. 
  • Unique permissions on a file = The entire site can be accessed except the specific files. This option should be used if there are only 1 or 2 files that require unique access from the rest of the site. 

Refinement via groups

When you build up a site, you can add users (invite them) directly on the site. Next, you give them roles and permissions. If you want to show some of your users a piece of content while restricting it from others, you start breaking parent inheritance by creating unique permissions. As mentioned earlier, this can quickly lead to chaos and mismanagement.

Is there a safety net?

Yes, there is. Instead of inviting users directly on a site, invite them in a group. Groups are safe ways of ensuring that the content you want to get across actually reaches the intended audience EVEN IF you break parent inheritance (that is, even if you have unique permissions over some file/folder). Groups give their members access to all the levels of the site structure. If you add members to a group and that group is associated with a site/an object, members will have access to that site/object, even if you break the permission.

Refinement via permissions

SharePoint provides default roles and permissions which can get you in trouble if you do not familiarize yourself with them.

Here are a couple of things to watch out for: 

  • Do not change the default permissions.

Create custom permissions and apply them.

  • Restrict the Edit permission.

Site members are given the Edit permission by default. An Edit permission gives members the right to edit and to delete a page, a web part or an entire site. If this is too risky, as members may unintentionally bring your entire site down, create a custom permission (e.g. SpecialEdit) which disallows page or site deletion.  

  • Decide between the Edit and the Contribute permission.

The Edit permission allows users to edit and delete all web parts from a site. The Contribute permission allows users to add/edit/delete only files. Therefore, if you want your users to work with site files rather than web parts, choose Contribute over Edit.

Edit and deploy content smartly


Content integration

SharePoint can tap into your Office content and can offer you inline editing.

What happens if your content or tabular data is on an external data source?

SharePoint enables you to connect to various data sources or repositories via the Business Data List Connectors: ODBC, OLEDB, XML/CSV/Excel files, SQL DB, Oracle DB, MySQL DB, IBM, Notes, Active Directory, SAP and many more. If your data/content is stored in an external repository, you can transfer it in SharePoint and integrate it in search, workflows, notifications or metadata.

Reuse and publishing

SharePoint comes with several out-of-the-box resources and defaults that make web editing straightforward and efficient. You can reuse these components within one site or across sites, which saves time and ensures consistency.

1. Web parts, lists and libraries control what you publish.

Before you create a site, it is always good to plan. Perhaps you realize there are items which you want to reuse across your sites. If this is the case, create a site collection first and store all your reusable items at this level. All the elements stored here propagate as resources to any of the sites you include in your site collection.

Store the reusable elements in your site collection and use the given defaults in the following folders: 

    • Reusable Content = a list where you can store HTML content or text content 
    • Site Collection Documents and Site Collection Images = libraries where you store documents and images
    • Web Parts = a repository enabling you to insert video, forms, dynamic content, rich text on your site pages (e.g. Content Query, Summary Links, Table of Contents) 

2. Master pages and page layouts control the look and feel of what you publish.  

Master pages control generic elements such as navigation, search, and language preferences.  Master pages are shared across all page layouts, so all your layouts will be consistent. When you come down to your page layouts, populate them with the controls and web parts of your choice, and reuse the ones already stored. 

3. Content can be exported for localization purposes.

Before you can publish your site into several languages, you must export it as one or more page packages that get localized by a provider of your choice. SharePoint automates this process in several clicks. For a given page, enable translation via Language Settings, access Targeted Release, and then hit Translation. This sequence creates a copy of the page in the target languages of your choice. Send your copies as a localization package. 

4. Publishing can be scheduled.  

Use either Quick Deploy for ad-hoc publishing or the Schedule option to set a future publishing date and/or a retire date for your published content. 

5. Use version control for your content.

The version control mechanism enables you to quickly decide whether an update is ready to get published or not. Moreover, with version control, if you accidentally publish something incorrect or unfinished, you can always roll back your changes.

When you edit a page, use the prominent Check In/Check Out buttons to adjust your content and keep it salient. 

Automation

If you use Microsoft Flow, you can create approval workflows for your SharePoint sites. Approval workflows ensure no stakeholder is left out from the decision-making cycle.

How does it work?

You create an approval workflow and start it. Once you submit new content, it will need to be approved before it is published. 

Some caution is advised: 

  • Approval workflows expire after 30 days, so make sure approval can run its full cycle within this time limit. 
  • Make sure you keep a record of your existing approval workflows. Flow enables you to create as many approval workflows as you want for a site or a page. However, Flow does not tell you whether there are conflicting approval workflows operating at the same time.

Benefits

Using Microsoft SharePoint leads to better agility, reliable control, quick deploy and publishing, all in one place. Microsoft SharePoint offers you a good balance of content plasticity and data control by elevating your enterprise content in terms of: security and encryption, external exposure and sharing, and smart management of content operations.