Restrict system admin access to files?

  • Question

  • Hello.  I am the local site owner/admin of my facility's 2007 SharePoint site.  New to all this so please bear with me.

    I want to create a document library wherein some of the files are only viewable to specific users.  We don't want the system admins to be able to see into these files.  Seeing that the file exists is OK, but they should not be able to open it.

    Our site is just one departmental site amongst the hundreds being created within our organization.  Our facility was a recent acquisition by our new parent company, but we have a fair amount of strictly confidential partner-related information that legally no one in the new parent company is allowed to see, period.

    In the individual file permission settings, I have removed all access except for 2 defined user groups (keyed off of our site's Active Directory listings).  Correct me if I am wrong, but this should restrict view of this file from all of the other collaborating site developers from other facilities.  My management's question is whether or not this specifically restricts system admin access to this file as well.  I've read conflicting answers on this site and others.

    I understand that if we cannot trust the system admins, we're basically screwed.  But in this case we're talking multi-million dollar lawsuits from our ex-partners should anyone other than our direct, authorized staff view these files.  And yet my management team wants this information up in the SharePoint site because that's the tool they want to utilize to manage the data.

    Is there a solution to our problem or do I tell management that we should store our files elsewhere?

    Wednesday, May 18, 2011 5:13 PM

All replies

  • Like a file share where you are using ACLs, the Domain Admins can change the permissions, or in Exchange an Exchange admin can read your email. In SharePoint the farm administrator or site collection owners will always be able to get access to libraries. The only way to totally restrict access is to use IRM, but someone always has to be the administrator of the IRM system.

    Developers should not have any special access to PRD or UAT and only be admins on DEV. If the solution has been developed correctly why do they need admin access on PRD? In most client companies I do not have access to touch UAT and I am a regular user on PRD.


    -Ivan

    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Wednesday, May 18, 2011 5:30 PM
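The distinction Ivan draws (store-enforced permissions, which a store administrator can rewrite, versus IRM, which encrypts the document with a key the store never holds) can be made concrete with a small model. The following is an added example and is not code from this thread, from SharePoint or from AD RMS: the `DocumentStore` class, the `farm_admin`/`alice` users, the document names and the HMAC-SHA256 keystream cipher are all constructed stand-ins, chosen so the script runs with the Python standard library alone. It shows that the admin can always obtain the bytes of an ACL-protected item, that the admin can still see an IRM-style item exists but cannot read its plaintext, and that the holder of the key is then the one party who can read everything, which is the "someone always has to be the administrator of the IRM system" caveat.

```python
import hashlib
import hmac
import os


class DocumentStore:
    """Constructed stand-in for a document library with per-item ACLs.

    The store enforces its own ACLs, but a store administrator (farm admin,
    site collection owner) can rewrite any ACL, so an ACL never keeps the
    administrator away from the stored bytes.
    """

    def __init__(self, admins):
        self.admins = set(admins)
        self.docs = {}  # name -> {"blob": bytes, "acl": set of user names}

    def put(self, name, blob, acl):
        self.docs[name] = {"blob": bytes(blob), "acl": set(acl)}

    def list_names(self):
        # Anyone with access to the library can see that an item exists.
        return sorted(self.docs)

    def read(self, user, name):
        doc = self.docs[name]
        if user in self.admins:
            # The admin path: rewrite the ACL, then read. This models the
            # point above that the farm admin can always get into a library.
            doc["acl"].add(user)
        if user not in doc["acl"]:
            raise PermissionError(f"{user} is not on the ACL of {name}")
        return doc["blob"]


# Illustrative IRM-style protection: an HMAC-SHA256 keystream with an
# encrypt-then-MAC tag. This is a constructed stand-in for the real RMS
# encryption, kept dependency-free; the point is only that the key lives
# outside the store.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered document")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protection_comparison():
    """Run both scenarios and report what each party can actually read."""
    secret = b"confidential partner terms"
    store = DocumentStore(admins={"farm_admin"})
    results = {}

    # 1. ACL only: the admin is not on the ACL, yet still reads the content.
    store.put("partner_contract.docx", secret, acl={"alice"})
    results["admin_reads_acl_only_doc"] = (
        store.read("farm_admin", "partner_contract.docx") == secret
    )

    # 2. IRM-style: the key is held by the local owner, never by the store.
    owner_key = os.urandom(32)
    store.put("partner_contract_irm.docx", encrypt(owner_key, secret), acl={"alice"})
    blob = store.read("farm_admin", "partner_contract_irm.docx")  # admin gets bytes
    results["admin_sees_irm_doc_name"] = "partner_contract_irm.docx" in store.list_names()
    results["admin_reads_irm_plaintext"] = blob == secret
    results["authorized_user_reads_irm_doc"] = (
        decrypt(owner_key, store.read("alice", "partner_contract_irm.docx")) == secret
    )
    try:
        decrypt(os.urandom(32), blob)  # admin guessing a key gets nothing usable
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    for check, outcome in protection_comparison().items():
        print(f"{check}: {outcome}")
```

The residual trust problem does not disappear; it moves. In the model the `owner_key` holder can read every protected document, so whoever administers the key service (the IRM administrator in the thread's terms) occupies the position the farm admin occupied before. Whether that is acceptable depends on who runs that service, which is exactly the organizational question the original poster raises next.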
  • Thanks for the reply.  No devs involved, everything is on prd, or will be once these sites go live.  The data files in question are simply classified documents that no one but those authorized users in our facility are allowed to see.
    Ideally they want me, the local site admin, to manage IRM and disallow the hierarchically bigger admins from having access to these files.
    Hierarchically there are the site owners who have admin-lite access to the sites I am tasked with developing.  Above them is me, the admin and owner of the local site collection.  Above me, and not of our facility, is the departmental admin who is in charge of a collection of a collection of sites like mine, and above that person is yet another group of basically /root/ admins.
    My management team wants to lock everyone above my station out from having any access to particular files that live in more-or-less open libraries.
    Thanks for your time, hope this is a little clearer.

    Wednesday, May 18, 2011 10:00 PM