Written by Sheila ffolliott and Ken Glover. Moved from our old blog.
When setting up security in a SharePoint site, we recommend adding people to security groups rather than adding them to the site as individuals. This way, security settings can be applied to the entire group. If the security settings change, it is easier to update the group than to update each person one at a time. As people come and go, they can be added to or removed from the security group.
SharePoint allows the site administrator to create security groups within SharePoint and add individuals to these groups. However, Active Directory groups can be added instead of individuals or in addition to a list of individuals.
Active Directory groups are extensively used on campus to group people with similar roles. The AD groups are then used to grant the people in the group access to specific services. For example, there are AD groups for:
All registered students
All students in each college/department
All staff in a college/department
Staff who are allowed to access Unifi
and lots of other groups
We recommend that SharePoint site administrators use AD groups for access to their sites, especially for large groups that change frequently. The AD groups are already maintained by the people in charge of each group, so SharePoint site administrators do not have to worry about keeping the group up to date.
The University of Saskatchewan has automated tools for managing AD groups that can also be used. Groups of people can be identified from information in the About-Us (HR) system or the SiRIUS (student) system. In cases where it is not possible to identify people automatically, a web front end provides for group management in an auditable fashion, and the person maintaining the group does not have to be a site administrator in SharePoint. You can view the documentation on group membership management if you want to get a better idea of how it works, or ask for a demo.
If you would like to discuss the use of AD groups for SharePoint security, please contact Ken Glover (phone 5294 or e-mail firstname.lastname@example.org). He will be able to advise you on existing AD groups or on setting up new managed groups.