Security is a real issue when we are discussing SharePoint Management. You know that. No wonder one of the most common mistakes enterprises make when dealing with SharePoint is giving end users more access privileges to documents than they should have.
Planning permissions is a crucial part of every document management system, not only because enterprise content is confidential but also because inconsistent security plans can put hard-to-overcome obstacles in the way of the company's document generation process.
You should plan them carefully, especially in environments with lots of documents or items, or when content needs to be moved around constantly. With a growing number of documents and libraries, you can easily lose track of permissions, run into performance issues and compromise security.
Not only may you need to secure the same document differently for distinct users, but you may also have to change its set of access permissions during its lifecycle. And this is what makes this scenario so challenging. I will go through both cases now:
Setting SharePoint Permissions according to Users
You will notice that SharePoint did a great job of providing options to customize permissions in many different aspects, making the process of building a document management system unique to every enterprise.
The first aspect is that SharePoint allows permissions to be set not only for individual users but also for groups of them (SharePoint Groups). Permissions granted to a group are valid for all the users included in it. The rule here is: use groups to assign permissions, leaving user-based permissions only for really specific cases.
Where to set permissions in SharePoint
The second point is that permissions can be set according to where the users should have access: from broad access, with a permission at the root Site Collection level, to more precise ones at the Site, List/Library, Folder and Item levels. With the help of some 3rd party tools, you can even set Column level permissions.
SharePoint Permission Levels
The last point I want to mention, when granting access based on user profile, is the SharePoint Permission Levels. They are predefined sets of permissions that can be assigned to individual users, or SharePoint groups, based on the user's functional requirements. SharePoint 2013 permission levels are defined at the Site Collection level, are inherited from the parent object by default, and can grant Full Control, Design, Edit, Read, or Limited Access capabilities. (source)
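The following is an added example, not code from this article or from SharePoint itself: a simplified Python model of the scope hierarchy and default inheritance described above, used to find which object actually governs an item and to flag the two things that make permissions hard to track, unique permissions below the root and grants made to individual users instead of groups. The class, the function names and the sample hierarchy are all made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Grant = Tuple[str, str, str]  # (principal, "group" or "user", permission level)

@dataclass
class Securable:
    name: str
    scope: str                              # Site Collection, Site, List/Library, Folder, Item
    parent: Optional["Securable"] = None
    grants: Optional[List[Grant]] = None    # None = inherits from parent (the default)

def effective(obj: Securable) -> Tuple[Securable, List[Grant]]:
    """Return the object whose grants actually apply to obj, and those grants."""
    while obj.grants is None:
        if obj.parent is None:
            raise ValueError(f"{obj.name}: root object has no grants")
        obj = obj.parent
    return obj, obj.grants

def audit(objects: List[Securable]) -> List[Tuple[str, str]]:
    """Flag broken inheritance below the root and grants made to individual users."""
    findings = []
    for obj in objects:
        if obj.grants is None:
            continue  # inheriting objects add nothing of their own to review
        if obj.parent is not None:
            findings.append((obj.name, f"unique permissions at {obj.scope} level"))
        for principal, kind, level in obj.grants:
            if kind == "user":
                findings.append((obj.name, f"direct user grant: {principal} = {level}"))
    return findings

# Constructed sample hierarchy (all names are made up for illustration).
root = Securable("Finance", "Site Collection", grants=[
    ("Finance Owners", "group", "Full Control"),
    ("Finance Members", "group", "Edit"),
    ("Finance Visitors", "group", "Read")])
site = Securable("Legal", "Site", root)
library = Securable("Contracts", "List/Library", site)
folder = Securable("Board", "Folder", library, grants=[
    ("Finance Owners", "group", "Full Control"),
    ("alice", "user", "Edit")])
item = Securable("minutes.docx", "Item", folder)
loose = Securable("template.docx", "Item", library)
ALL = [root, site, library, folder, item, loose]

if __name__ == "__main__":
    for name, issue in audit(ALL):
        print(f"{name}: {issue}")
    print("minutes.docx is governed by:", effective(item)[0].name)
```

In this sample the Board folder no longer follows the Site Collection groups, so Finance Members and Finance Visitors lose access to minutes.docx while one named user gains Edit, which is exactly the kind of drift a periodic review should surface.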