Sharepoint auditing - a few thoughts

Fri 19 April 2013

I have a colleague that's been updating a sharepoint permissions matrix lately. It's a good practice (I'd go as far as to say that it's a must) to maintain such a matrix, in a format that is understandable to non-technical folk. It's good for IT departments, who need to periodically check that people have access to the right information. It's good for auditors, who want to show that their clients are exercising due diligence in controlling their resources. And it's good for staff, who need to know which of their peers has access to the company's knowledge, information, and tools.

However, while prepping for her cross-checking work, she'd been lead to believe that there are no tools for collecting all of a user's  permissions on sites and lists. Since I've heard this discourse before, I thought I should debunk this myth and write about a tool that the Sharepoint integrator can add to his or her arsenal, Sushi.

It's a great little utility, which you can obtain and customize to your heart's content here if you know how to write code:

Basically, you download the binary (no need to even build the project from source! I understand that this is sometimes daunting to people) and, in a few clicks, you can get a report on what groups your users are a part of and what specific permissions were granted to the user. You can also list which sites or lists in a site collection do not inherit permissions, which helps you identify what you need to specifically audit.

The catch: if you're looking for a tool that does all your work for you, prepare to be disappointed. This does all the footwork for you, makes it such that you don't have to repeatedly go through every site and list in your instance and hit "list permissions" and "site permissions". It's up to you to provide a matrix that is comprehensible and readable by your non-technical audience.

Previously, I'd been messing with scripts to extract the data right from the source: the SQL database. I started massaging them into a few SSRS reports, but ran out of time and motivation. I still have the script around, somewhere. Frankly though, with a tool like Sushi out there, I'd be inclined to think that one is better off hacking a bit of code to allow admins to select multiple users and export the results as a XML file, JSON file, or even to an SQL database. Once that's done, the raw information can be easily formatted with a tool like Qlikview.