A Sense of Insecurity

Scott Jamison posted a blog follow-up to a session I recently presented at SPTechCon in Boston. I explained how you can drop a document into a document library, at which point the content organizer takes over and moves the document to a new location in that library, in that site, or even in another site collection.

During the session, someone asked if the person uploading the document needs to have permission to place that document in the new location. I said ‘I don’t think so, but I’m not sure’. In Scott’s post, he verifies that ‘no’ is the right answer, but that raised a new question from Greg Clark: the ability to work around the security model is undesirable, no?

I can see some useful benefits of the content organizer being able to move a document into a location that one normally doesn’t have write access to, but it does cause some unsettling thoughts:

What if the destination doesn’t have versioning turned on? You could overwrite an important document and ‘invisibly’ change it to say whatever you want. Also, you could be putting unverified information into a location that normally has fairly strong governance about what gets exposed at that location.

You can mitigate the issue of stealth upload by requiring approval before a document becomes visible to a wider audience. However, the one saving grace of this ‘hole’ is that the name of the uploading user is recorded in ‘Modified by’. So, while this could happen due to some user accidentally or unwittingly breaking the rules, it will not be anonymous: everyone will know who-done-it.
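The two library settings discussed above (versioning and content approval) can be checked across a site collection. This is an added example, not part of the original post: it assumes an on-premises farm and the SharePoint Management Shell, `$SiteUrl` is a placeholder, and it reports on every visible document library rather than only content organizer destinations.

```powershell
# Added example: lists document libraries that lack version history and/or an approval gate.
# Assumption: run on a farm server by an account that can read the site collection.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteUrl   # placeholder, e.g. the site collection that holds the routing targets
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Only visible document libraries can be routing destinations of interest
                if ($list.Hidden -or $list.BaseTemplate -ne 'DocumentLibrary') { continue }

                $gaps = @()
                if (-not $list.EnableVersioning) { $gaps += 'NoVersionHistory' }
                if (-not $list.EnableModeration) { $gaps += 'NoApprovalGate' }
                if ($gaps.Count -eq 0) { continue }

                New-Object PSObject -Property @{
                    Web     = $web.Url
                    Library = $list.Title
                    Path    = $list.RootFolder.ServerRelativeUrl
                    Gaps    = ($gaps -join ',')
                }
            }
        }
        finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed explicitly
        }
    }
}
finally {
    $site.Dispose()
}

# Libraries missing both settings sort first (longest Gaps string)
$report |
    Sort-Object @{ Expression = { $_.Gaps.Length }; Descending = $true }, Path |
    Format-Table Web, Library, Path, Gaps -AutoSize
```

Libraries that show both gaps are the ones where routed content would appear immediately and without a prior version to fall back on.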

There may be other ways to deal with this, and I’d be happy to hear ideas from anyone who has more details.

About Ruven Gotz

Ruven Gotz is a Director with Avanade, Microsoft’s Global Partner. As a Microsoft SharePoint MVP with over 20 years of IT industry experience, Ruven has spent the past nine years delivering award-winning SharePoint solutions for a wide range of clients. Working as a Business Analyst and Information Architect, Ruven is able to apply his eclectic education and varied experience in Psychology, Computer Science, Economics, Software Development and Training to get to the heart of complex problems. Ruven is a great communicator who is able to discuss technology concepts in language that is relevant to his audience, whether they are from IT or business. He has become a leader in the use of visual tools to help his clients and team members achieve shared understanding of problems and goals and shared commitment towards implementing a successful solution. Ruven recently authored “Practical SharePoint 2010 Information Architecture” (Apress). Ruven lives in Toronto, Canada. On Tuesday nights in the summer, you’ll find him racing his 24’ sailboat ‘In the Groove’. (NOTE: Ideas and opinions on this blog are my own: I am not representing my employer.)

3 Responses to A Sense of Insecurity

  3. James Lee says:

    “What if the destination doesn’t have versioning turned on. You could overwrite an important document and ‘invisibly’ change it to say whatever you want.”

    This won’t happen since in the Organizer settings you have to choose to use versioning or append unique numbers when dealing with duplicate submission.
