Views Instead of Permissions?

Recently, a former Site Collection Administrator tried to convince me to use views instead of permissions. Why would anyone want to do this? Their thinking was to allow for easy document placement on different pages (one site collection) using views and filters. There are times when using views or audience targeting to solve what an audience can see is effective, just remember this is not always the case. Adding site pages can add an additional layer of security by requiring permissions to view the page first, and then the content on the page. Can we discuss the 2 kinds of users who can still find the content not meant to be seen? The first group of users are the ones who aren’t familiar with SharePoint or who aren’t “tech savvy” and just click around and find content by mistake. The second group of users are the more advanced users who will look at URL structures and navigate curiously through them.

Using views, a person can limit what information is seen by the naked eye. Those list items or documents are not secure by any means, just hidden from plain sight. Let’s never forget the basics of SharePoint. One of the main advantages of using different document libraries or lists are the fact that each one can be locked down with unique permissions. Segregating the data can make it more secure but also makes it challenging to present it to the intended audience in the exact way that is envisioned.

In SharePoint, there are always multiple ways to accomplish the same goal. Don’t skimp on security in place of functionality. Security is about risk & risk mitigation. In dealing with government networks and corporations, the stakes of security is extremely high. Content ranges from trade secrets to classified information. Even small and medium sized business have internal documents that only warrant certain eyes.

Security must always be a priority when designing SharePoint sites and content. Views can hide content from certain users, but security through obscurity can only be used when the content isn’t sensitive. First secure the content appropriately, and then figure out how to deliver it to those who need access.