Managing SharePoint permissions via Active Directory

Tags: active-directory, group-policy, permissions, sharepoint, sharepoint-2007

My company has thousands of employees organized thoroughly via Active Directory. I have confidence in the accuracy of the Department and Title information displayed in the user profiles.

I'm helping to put up a brand new SharePoint 2007 site, and I contacted IT about managing the site's permissions through AD Groups. The goal is to have the site automatically assign read/write/contribute/whatever permissions based on the information in AD.

For example, we could create an AD Group called "Managers" that would contain anyone with the "Manager" title in their AD user profile. I would have SharePoint tap into this AD Group to mass assign permissions if I knew all managers would need a certain level of access (read/write/contribute/whatever). Then if a manager joins the company or leaves it, the group is automatically updated (provided AD gets updated, of course).

My IT rep called back and said it couldn't be done. This seems like a pretty straightforward business requirement, and one of the huge benefits of having Active Directory, but maybe I'm mistaken.

Could anyone shed some light on this?

A) Is it possible to use dynamically-updated AD Groups when assigning permissions via SharePoint? (Does anyone know of a guide I could show my doubtful IT rep?)

B) Is there a "best practice" way to go about this? I've read some debate on whether SharePoint Groups or AD Groups are the way to go. My main concern is dynamic updating.

C) If this isn't available out of the box, can someone recommend third-party software that will provide the functionality I'm looking for?

A big thanks to anyone who can help me out!!

Best Answer

If you have a "Manager" AD Group set as a certain permission in SharePoint, then that permission level will populate for all the users that are in that group. Any managers that are added to the AD Group will propagate to the associated permissions, effective almost immediately. The problem there lies in that you would like to separate permissions based on data from AD other than that of the group itself.

AD Groups are the best way to go. They can be easily updated, easy to track in AD, and SharePoint doesn't have to track all the users. Just assign the AD group to the permission level of the site collection, site, list, folder, or document.
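The two halves of the question, an AD group whose membership follows the Title attribute and a SharePoint 2007 site that grants that group a permission level, are shown together below as an added example; it is not code from the question or the answer. On-premises AD security groups do not maintain query-based membership on their own, so the "dynamic" part is a reconcile script meant to run on a schedule, and the SharePoint part uses the WSS 3.0 object model (Microsoft.SharePoint.dll) since SharePoint 2007 has no PowerShell cmdlets of its own. The group name, OU, domain, site URL, permission level, and the presence of the RSAT ActiveDirectory module on the machine running the script are all assumptions.

```powershell
# Added example, not from the original page. Assumptions: an existing AD security
# group "Managers", user accounts under OU=Staff, NetBIOS domain CORP, a SharePoint
# 2007 site at http://intranet.corp.example, and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groupName   = 'Managers'                     # assumed AD security group (must already exist)
$searchBase  = 'OU=Staff,DC=corp,DC=example'  # assumed OU that holds employee accounts
$titleFilter = 'Manager'                      # Title attribute value that should grant membership

# 1. Desired membership, derived from the user data the question says is reliable.
#    Scoped to one OU and to enabled accounts so disabled or service accounts never qualify.
$desired = Get-ADUser -Filter { Title -eq $titleFilter -and Enabled -eq $true } -SearchBase $searchBase |
           Select-Object -ExpandProperty SamAccountName

# 2. Current membership (users only; nested groups are left alone).
$current = Get-ADGroupMember -Identity $groupName |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty SamAccountName

# 3. Reconcile: add new managers, drop anyone whose title changed or who left.
#    Running this on a schedule is what makes the group behave "dynamically".
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $desired -notcontains $_ })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }
Write-Host "$groupName : added $($toAdd.Count), removed $($toRemove.Count)"

# 4. One-time setup: bind the AD group to a permission level on the SharePoint 2007 site.
#    Uses the WSS 3.0 object model; run this part on a farm server as a site collection admin.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$site = New-Object Microsoft.SharePoint.SPSite('http://intranet.corp.example')  # assumed site URL
$web  = $site.OpenWeb()
try {
    # A sub-site that inherits permissions cannot take its own role assignments,
    # so break inheritance first (copying the parent's assignments) if needed.
    if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }

    $principal  = $web.EnsureUser("CORP\$groupName")    # the AD group as a SharePoint principal
    $roleDef    = $web.RoleDefinitions['Contribute']    # permission level to grant (assumed)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $assignment.RoleDefinitionBindings.Add($roleDef)
    $web.RoleAssignments.Add($assignment)
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Two practical notes on this design. Run steps 1 to 3 under a dedicated account that has been delegated only "write members" on that one group, not a domain admin, because a bug in the filter would otherwise be able to rewrite membership anywhere. And membership changes reach SharePoint when a user's security token is next rebuilt, which is governed by the farm's token timeout (set with stsadm -o setproperty -pn token-timeout), so a removed manager may keep access for up to that interval rather than losing it on the next request.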
