The influence of Activating SharePoint Server Publishing Infrastructure on Security Trimmed Navigation

Security and navigation are something we need to be really careful with. It’s frustrating to see navigation items you don’t have access to, and it’s even more annoying not to see a navigation item even though you have access to the library or to one of the items in it. According to the TechNet article http://technet.microsoft.com/en-us/library/dn169567.aspx, giving a user access to an item in a SharePoint library results in the assignment of Limited Access at the parent levels; the purpose of this

“is to allow enough access to the object hierarchically above the uniquely permissioned item so that the Object Model (OM), master pages, and navigation can display when the user attempts to navigate to the item. Without the Limited Access permissions at the parent scopes, the user wouldn’t be able to successfully browse to or open the item that has unique permissions.”

This results in:

[Figure: illustrates the object hierarchy for a document library, in which all objects but one inherit their scope from their parents.]

or

[Figure: illustrates how the hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes.]

Let me translate this into a real-case scenario:

We have a document library Finance that only the CFO and his team have access to. In the current navigation (left-side menu) only the CFO and his team see the document library Finance. Every other employee does not see it, since they don’t have access to the library or to any document in it.

One document, Expenses.xlsx, must be editable by every user, since they have to add their expenses to that spreadsheet. So the CFO gives Everyone Contribute rights on it. As mentioned in the TechNet article, Everyone then receives Limited Access rights on the library. In SharePoint 2013 Limited Access rights are not shown in the permissions overview, to avoid the confusion we had in SharePoint 2010. So far so good: everyone can see the library Finance.

Since we want to use some publishing features like master pages, page layouts, … we need to activate SharePoint Server Publishing Infrastructure. At that exact moment the library Finance disappears from the current navigation for everyone except the CFO and his team. The document Expenses.xlsx is then only reachable through a direct link or via the web part/app part Finance.
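The following is an added example, not SharePoint code and not from the original post. It models the Finance scenario above: a permission scope tree in which a unique grant on one document gives the principal Limited Access on the parent scopes, and two navigation-trimming policies. The policy names, class names and the rule “show the node only when the principal holds a read-capable role there” are assumptions made to reproduce the observed behaviour (the post does not document the actual trimming logic); the audit helper lists the scopes where a principal holds only Limited Access, which is what you would want to know before enabling the feature.

```python
"""Model of SharePoint-style permission scopes and security-trimmed navigation.

Added example; not SharePoint's implementation. It reproduces the behaviour the
post describes: granting a user a role on one item gives that user Limited Access
on the parent scopes, and a navigation provider decides whether a library is shown
based on what the user holds at the library's own scope.
"""
from __future__ import annotations
from dataclasses import dataclass

LIMITED_ACCESS = "Limited Access"
READ = "Read"
CONTRIBUTE = "Contribute"
FULL_CONTROL = "Full Control"

# Roles that let a principal actually open/read the object itself.
# Limited Access is deliberately NOT here: it only allows traversal to a child.
READ_CAPABLE = {READ, CONTRIBUTE, FULL_CONTROL}


@dataclass
class Securable:
    """A site, library or item. roles is None while the object inherits its parent's scope."""
    name: str
    parent: Securable | None = None
    roles: dict[str, set[str]] | None = None  # principal -> roles at this scope

    def effective_roles(self) -> dict[str, set[str]]:
        node = self
        while node.roles is None:        # walk up to the nearest unique scope
            node = node.parent
        return node.roles

    def break_inheritance(self) -> None:
        if self.roles is None:
            self.roles = {p: set(r) for p, r in self.effective_roles().items()}

    def grant(self, principal: str, role: str) -> None:
        """Unique grant on this object; ancestors with their own scope get Limited Access."""
        self.break_inheritance()
        self.roles.setdefault(principal, set()).add(role)
        node = self.parent
        while node is not None:
            if node.roles is not None and principal not in node.roles:
                node.roles[principal] = {LIMITED_ACCESS}
            node = node.parent


def visible_in_navigation(node: Securable, principal: str, publishing: bool) -> bool:
    """Hypothetical trimming policies (assumption, modelled on the observed behaviour):
    publishing=False -> shown if the principal holds any role at the scope, Limited Access included;
    publishing=True  -> shown only if the principal holds a read-capable role at the scope."""
    roles = node.effective_roles().get(principal, set())
    if not roles:
        return False
    return bool(roles & READ_CAPABLE) if publishing else True


def limited_access_only(nodes: list[Securable], principal: str) -> list[str]:
    """Audit: scopes where the principal has Limited Access and nothing else."""
    return [n.name for n in nodes
            if n.roles is not None and n.roles.get(principal) == {LIMITED_ACCESS}]


def finance_scenario() -> dict[str, bool | list[str]]:
    # Constructed sample hierarchy: site -> library Finance -> Expenses.xlsx
    site = Securable("Team Site", None,
                     {"CFO": {FULL_CONTROL}, "FinanceTeam": {CONTRIBUTE}, "Everyone": {READ}})
    finance = Securable("Finance", site, {"CFO": {FULL_CONTROL}, "FinanceTeam": {CONTRIBUTE}})
    expenses = Securable("Expenses.xlsx", finance)   # inherits from Finance at first

    before_grant = visible_in_navigation(finance, "Everyone", publishing=False)
    expenses.grant("Everyone", CONTRIBUTE)           # CFO gives Everyone Contribute on the file
    after_grant = visible_in_navigation(finance, "Everyone", publishing=False)
    after_publishing = visible_in_navigation(finance, "Everyone", publishing=True)
    cfo_after_publishing = visible_in_navigation(finance, "CFO", publishing=True)
    # The document itself stays editable: only the navigation entry disappears.
    can_edit_file = CONTRIBUTE in expenses.effective_roles().get("Everyone", set())
    return {
        "before_grant": before_grant,                    # False: no access at all
        "after_grant": after_grant,                      # True: Limited Access shows the library
        "after_publishing": after_publishing,            # False: library vanishes for Everyone
        "cfo_after_publishing": cfo_after_publishing,    # True
        "can_edit_file": can_edit_file,                  # True
        "at_risk_scopes": limited_access_only([site, finance, expenses], "Everyone"),
    }


if __name__ == "__main__":
    for k, v in finance_scenario().items():
        print(f"{k}: {v}")
```

Run the audit helper against the real hierarchy (or its equivalent from your own tooling) before activating the feature: every scope it lists is a navigation entry that will vanish for that principal, while direct links to the uniquely permissioned items keep working.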

Deactivating the feature doesn’t roll back the damage, so be very careful. Since it occurs in SharePoint on-premises and Online, I doubt that it’s a bug; rather, it’s a change/feature/opportunity in the platform. In my humble opinion a bad one. I’m still hoping it’s a bug. I’m also hoping pigs can fly and hell freezes over, …

I’ve made a screencast of a similar process, which you can find on YouTube: http://youtu.be/6WCqqbOE53k

What is an HSM in Office 365’s Azure RMS?

Security is a big focus for Microsoft, especially with Office 365; their enterprise-class data centers are some of the most secure in the world. Above and beyond data center security, Microsoft has implemented technologies that allow organizations to further secure their data, even from Microsoft themselves. One way this is done is with Rights Management Services, or RMS. The mile-high explanation of RMS is that it “provides the ability to safeguard sensitive information created using Office applications and services such as email or other memos or correspondence that requires confidential treatment. Rights are assigned to content when it is published and the content is distributed in an encrypted form that provides persistent protection wherever the content travels. Rights that can be assigned include the ability to allow or deny viewing, printing, copying of messages or documents as needed using template-based assignment.” (http://technet.microsoft.com/en-us/library/jj585024.aspx)

“Well, that’s great – but if Microsoft is securing their own data, how does that prevent their own engineers from decrypting the data themselves,” you ask, long-windedly. That is done by deploying a Thales Hardware Security Module, of course referred to as an HSM. According to Thales, “Thales nShield HSMs create tight controls around the management and use of the keys used by Microsoft Rights Management Services (RMS)” and “Thales nShield HSMs ensure that your key is always under your control and never visible to Microsoft. The capability neutralizes the perception that sensitive data maintained in the cloud is vulnerable because the cloud can only be a shared service with a shared security infrastructure.” Thales provides a third-party security mechanism to protect the RMS keys, leaving even Microsoft in a position where they need to go through that mechanism in order to decrypt the information – an action that can be logged, with logs that are visible to the tenant owner.

[Image: HSM-1]

“Okay,” my skeptical reader thinks, “but if the Thales HSM is held in the data center, Microsoft can just access it to get the key. Logged or not, they still have access to my data.” Microsoft and Thales are on top of that one, too, by giving organizations the option of Bring Your Own Key or… you guessed it, BYOK. Per Thales, “Organizations subscribing to Windows Azure RMS in the cloud can choose to generate and maintain custody of their own key independent of Microsoft”. This means you have the option to revoke your key, rendering RMS-encrypted data unreadable. Future capabilities even include the option to “lend” your key to Microsoft for short periods of time, meaning that revocation would not need to be proactive; rather, permission would need to be persistent to keep functionality, maximizing the security of the data.

[Image: HSM-BYOK]

So, as you can see, organizations can secure their data with Azure RMS from even Microsoft themselves. This functionality comes “out of the box” with Azure RMS, with no added hardware or licensing purchases required.
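The following is an added example, not Azure RMS or Thales code and not from the original post. It models the design the two passages above describe: a tenant root key that lives inside an HSM object and is never exposed, a cloud service that holds only wrapped per-document content keys and must call the HSM to unwrap them, an audit log of every unwrap that the tenant owner can read, and BYOK-style revocation that makes the protected data unreadable. The class names, the HMAC-SHA256 keystream used as a stand-in cipher, and the blob layout are all assumptions for illustration only; real RMS uses standard AES and RSA constructions.

```python
"""Envelope-encryption model of HSM key custody, audit logging and BYOK revocation.

Added example; not the RMS or nShield implementation. The 'HSM' is a Python object
whose root key is never returned to callers: it only wraps and unwraps content keys.
"""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo stream cipher: HMAC-SHA256 in counter mode XORed over data.
    Symmetric (same call encrypts and decrypts). A stand-in for AES, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyRevokedError(Exception):
    """Raised when the tenant has revoked its root key."""


class TenantHsm:
    """Holds the tenant root key. Exposes only wrap/unwrap, never the key bytes."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self._root = secrets.token_bytes(32)   # generated inside the HSM; custody stays with the owner
        self._revoked = False
        self.audit_log: list[tuple[str, str]] = []  # (operation, caller), readable by the owner

    def _check(self) -> None:
        if self._revoked:
            raise KeyRevokedError(f"root key of {self.owner} revoked")

    def wrap(self, content_key: bytes, caller: str) -> bytes:
        """Encrypt-then-MAC a content key under the root key; returns nonce||ct||tag."""
        self._check()
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(self._root, nonce, content_key)
        tag = hmac.new(self._root, nonce + ct, hashlib.sha256).digest()
        self.audit_log.append(("wrap", caller))
        return nonce + ct + tag

    def unwrap(self, blob: bytes, caller: str) -> bytes:
        """Every unwrap, whoever asks for it, is logged before the key is released."""
        self._check()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._root, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check")
        self.audit_log.append(("unwrap", caller))
        return keystream_xor(self._root, nonce, ct)

    def revoke(self) -> None:
        """BYOK: the owner withdraws the key; zeroise so nothing can be recovered later."""
        self._revoked = True
        self._root = b"\x00" * 32


class RmsService:
    """The cloud side: stores ciphertext plus wrapped content keys, never plaintext keys."""

    def __init__(self, hsm: TenantHsm) -> None:
        self.hsm = hsm
        self.store: dict[str, tuple[bytes, bytes, bytes]] = {}

    def protect(self, doc_id: str, plaintext: bytes, caller: str) -> None:
        content_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self.store[doc_id] = (nonce, keystream_xor(content_key, nonce, plaintext),
                              self.hsm.wrap(content_key, caller))

    def open(self, doc_id: str, caller: str) -> bytes:
        nonce, ct, wrapped = self.store[doc_id]
        content_key = self.hsm.unwrap(wrapped, caller)   # logged against the caller
        return keystream_xor(content_key, nonce, ct)


def demo() -> dict[str, bool]:
    hsm = TenantHsm("contoso")                           # constructed sample tenant
    rms = RmsService(hsm)
    rms.protect("memo", b"confidential memo", "alice@contoso")
    readable = rms.open("memo", "alice@contoso") == b"confidential memo"
    rms.open("memo", "cloud-operator")                   # any operator access hits the HSM too
    operator_logged = ("unwrap", "cloud-operator") in hsm.audit_log
    hsm.revoke()
    try:
        rms.open("memo", "alice@contoso")
        revoked_blocks = False
    except KeyRevokedError:
        revoked_blocks = True
    return {"readable": readable, "operator_logged": operator_logged,
            "revoked_blocks": revoked_blocks}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the post makes: the service never holds a usable key on its own, so any decryption, including one requested by the provider's own staff, leaves an entry in a log the tenant controls, and once the tenant revokes the root key the stored ciphertext is just bytes.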

The images used are from the Thales cloud security solution brief, which can be found/downloaded here: http://www.thales-esecurity.com/msrms/cloud