In a previous post (Part 1), we identified three common SharePoint security concerns and how to address them using externalized authorization and attribute based access control. In this post we will review how we can use NextLabs Entitlement Manager for SharePoint to easily create a policy to address the example use case:

“As an example, a corporate security policy may state that only users located at offices in the United States can access documents in SharePoint with a classification of top secret. To accomplish this in SharePoint today would be a very manual process. You would have to create an Active Directory group for United States users, and then locate each document and ensure that only this group of users has access with a requirement that this level of security is maintained when any permissions are changed.

With externalized authorization and attribute based access control, this would be as simple as defining a policy that states only users with a country attribute of United States can access documents in SharePoint classified as top secret.”

The following screenshots show a file uploaded to a SharePoint document library and tagged with a top secret classification. The file has been shared with Everyone, which is a security issue.

Instead of manually changing permissions for each document, we can easily create a NextLabs policy to automatically control access to the file based on our requirement that only users in the US can access top secret documents.

NextLabs policies are natural language policies which are easy to write and understand. Policies are written in 3 steps:

  1. Specify whether the policy is an allow or a deny policy (here: Deny)
  2. Specify the users the policy applies to (here: users who are not US users)
  3. Specify the resource the policy applies to (here: SharePoint Top Secret documents)

When defining the SharePoint resource, we specify any object properties that we want the policy to apply to. In this case we are looking at any SharePoint URL and any document where a classification column is set to top secret.

When defining the users that the policy should apply to, we specify any user attributes that we want the policy to apply to. In this case we are looking for any user where their country attribute is United States. We can also look for security groups and specific user names.
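As an added illustration (not NextLabs' policy language or enforcement engine), the following Python model shows the attribute-based decision the three steps above produce: a deny policy whose user condition is "country attribute is not United States" and whose resource condition is "classification column is top secret", evaluated with deny-overrides over constructed user and document attributes. The attribute names, the sample users and documents, and the fallback to SharePoint's own permissions when no deny policy applies are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]

@dataclass
class Policy:
    """One rule in the post's three-step shape: effect, user condition, resource condition."""
    name: str
    effect: str                              # "deny" or "allow"
    applies_to_user: Callable[[Attrs], bool]
    applies_to_resource: Callable[[Attrs], bool]

def is_top_secret(doc: Attrs) -> bool:
    # Resource condition: any SharePoint URL whose classification column is Top Secret.
    return doc.get("classification", "").strip().lower() == "top secret"

def not_us_user(user: Attrs) -> bool:
    # Subject condition: country attribute is not United States. A user with no
    # country attribute at all is also treated as non-US, so the rule fails closed.
    return user.get("country") != "United States"

POLICIES: List[Policy] = [
    Policy("Deny non-US users access to Top Secret documents",
           "deny", not_us_user, is_top_secret),
]

def evaluate(user: Attrs, doc: Attrs, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Deny-overrides: the first applicable deny policy wins and its name is the reason
    (what the access-denied message would show). If no deny applies, return 'allow',
    meaning SharePoint's own permissions decide (an assumption about the fallback)."""
    for p in policies:
        if p.effect == "deny" and p.applies_to_user(user) and p.applies_to_resource(doc):
            return "deny", p.name
    return "allow", "no externalized deny policy applied; SharePoint permissions govern"

# Constructed sample attributes, not real directory or library data.
ALICE = {"name": "alice", "country": "United States"}
BOB = {"name": "bob", "country": "Germany"}
SVC = {"name": "svc-account"}                # no country attribute at all
TOP_SECRET_DOC = {"url": "https://sp.example.test/sites/finance/Q3.docx",
                  "classification": "Top Secret", "shared_with": "Everyone"}
PUBLIC_DOC = {"url": "https://sp.example.test/sites/hr/handbook.pdf",
              "classification": "Public", "shared_with": "Everyone"}

if __name__ == "__main__":
    for u in (ALICE, BOB, SVC):
        for d in (TOP_SECRET_DOC, PUBLIC_DOC):
            print(u["name"], d["classification"], "->", evaluate(u, d))
```

Note that the document's "shared_with: Everyone" never enters the decision: the externalized policy denies on attributes regardless of how SharePoint permissions were set, which is exactly why the manual permission clean-up is no longer needed.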

The following user in Active Directory has a country attribute of United States. When the user tries to access the top secret document in SharePoint, they are automatically denied access based on the NextLabs policy. The SharePoint access denied message specifies why the user is denied access.

In this example, a NextLabs policy easily addressed a SharePoint security requirement that would otherwise have required manual effort both to resolve and to prevent from recurring. Any change to security requirements can be enforced through policies instead of complex audits and permission management.

Read Part 3 here.