Earlier this week, I met with a group of people in our company who are gearing up to build a very important site on SharePoint. This is one of those times when I can’t share a lot of specific details, but I can talk about general elements, concerns, goals and problems. Well, hopefully we won’t have any problems. This site will have two major sets of requirements: some dealing with the need to be transparent and some associated with the need to enforce broad aspects of governance. Two examples include: the need to have official documents, but not draft material be visible, and the desire to control what people do with sensitive documents.
Managing the visibility of drafts is easy in SharePoint, but it’s one of those pesky things where the end-user really has to understand how to make SharePoint work. Versioning is one of the most powerful features in SharePoint’s arsenal of document management tools, but in my experience, it is often viewed merely as a backup and recovery tool. Versioning gives document creators the ability to retain distinct drafts of documents, decide which version of a document is currently available for public consumption and control who can see the versions that are currently being written. The most we can do as administrators is to talk with the project manager up front and help him or her configure the library settings to match the level of control they want to establish – we can’t do the work for them. This is when information management is like driver training. You can talk about it forever, but sooner or later, you have to hand over the keys, put the person behind the wheel and hope they remember everything there is to know.
Before you even get to the point of establishing the versioning settings, you have to address a different aspect of governance; “who should have access to the library?” SharePoint includes robust and extremely granular permission capabilities, but to avoid having to drive as if you’re on a Formula-1 course, you really want to avoid regular use of some of them. For instance, document level permissions should only be used on an exception basis. If I need to see a document in a library where I do not have access, temporary access to that document can be granted. On the other hand, I would never use document level permissions to accommodate people who only have access to some of the documents in a library. That situation calls for two libraries, or at least a restricted folder. The reason is simple; people will forget what has to be done. If I grant you temporary access to a single document, I will either remember to revoke the permission later or little harm will be done when I forget. If you only have access to certain documents in a library, I may easily forget to block access as new documents are added, and that mistake could be harmful.
Regarding the second challenge, restricting the actions people can perform, I think might be dealing with one of those situations where even if SharePoint could do the job or be made to do the job, it might not be a good idea. I talked about the conflict between security and usability in my presentation at the AIIM Conference, as did many of the presenters in the sessions I attended. The idea that we can absolutely control behavior is a fleeting notion these days. Instead, I like the idea of making sure people understand the issues and then helping them to make good choices. For example, we discussed using conditional formatting to highlight documents that we don’t want people emailing off-site. I know there are add-ons for SharePoint that say they can prevent attaching a document to an email, but I also know that if someone is bound and determined to send a document, I’m hard pressed to really prevent them from doing just that. Similarly, they may not want people making copies of the documents in certain libraries. We can audit activity against that content, but I’m not sure I want to try to prevent the action. I think we can live with a model of “education, facilitation and monitoring – repeat as necessary” as opposed to lock it down and throw away the key. Transparency, from both the consumer and curator point of view seems like a better fit with something that is supposed to be a collaborative environment.