(Sometimes working in IT feels like doing investigative work, the kind you’d read about in an Agatha Christie novel. With SharePoint serving as the nerve center of information storage and information access at many companies, it is highly likely that there will come a time when the administrator’s investigative skills will be put to use.)
Late in the afternoon:
– Hello? Hello? Is anybody here?
– Good afternoon, sir. How may I be of assistance?
– Hi. I am George Brown, from Purchasing. I am sorry to disturb you so late in the afternoon. Since you are here at this time, this certainly means you are very busy; I was just wondering if you could help me with a problem I faced. I promise not to take too much of your time.
– No, please, Mr. Brown, do not worry about that. I have just finished for today. It will be my pleasure to help.
– Thank you so much. Say, aren’t you the new administrator they hired in IT? The young lady who is a great grandniece of Miss Marple, the famous investigator?
– Indeed, I am this new administrator, Mr. Brown. News travels fast, I see.
– So, what are your plans for the future, if you do not mind me asking?
– Of course I do not mind. Since I like detective work, I think I will stick with IT.
– Your great grandaunt would have been very proud.
– Well, thank you. You are very kind. But please, have a seat… Here you are… So, please, do tell me what has been troubling you.
– Before I start, I should inform you that I have already reported my problem to John, John Peters, an hour… an hour and a half ago. He is your manager, right?
– That’s right. But Mr. Peters had to leave in a hurry, about an hour ago. His wife is in labor.
– Oh, dear! I do hope all goes well. Well then, I will not take any more of your time. Perhaps I will see John tomorrow and ask him about his wife, too.
– Before you go, would you like me to see if there is anything I can do?
– Certainly. Thank you so much.
– Ok, first let me see if I can find any information about the problem you mentioned. There might be an incident about it in Service Manager… Oh yes. That should be it. Mr. Peters filed it. And there is also an entry in the incident’s action log from Mr. Peters himself. It reads: “Why didn’t they ask Evans?” Do you know who Evans is?
– Evans? I have never heard of this name. Strange note, indeed.
– From what I read in the incident, you were wondering why your department’s employees have been unable to retrieve purchase prices from SharePoint.
– Well, sort of. You see, I was gone all day and when I returned, everyone had gone home for the day. But the purchasing orders that were supposed to be finished by today were incomplete. So, I called John, and I was lucky to find that he was still in.
– But, unfortunately, he, too, had to leave after a while.
– That’s right, as I have just found out from you. I explained to John that when the Purchasing department employees do not find a purchase price for a part, they consult Ann Smith. Ann Smith is the Purchasing manager who can access prices for satellite parts.
– Satellite parts? I thought we were manufacturing coffee-makers.
– Yes, but we use space-age components. Now, Ann has moved into a new office for a few days, but it shouldn’t have been any trouble consulting her; it is the normal workflow process.
– You think that the Purchasing employees did not follow the recommended workflow?
– Honestly, I do not know. All I know is that when I returned after hours today, I found that all purchase orders that included those special parts were incomplete, with the same note in each: “unable to retrieve prices”.
– Ok, let me check Service Manager for any incidents about that.
– Perhaps it would be best if you checked the helpdesk’s email. I have instructed my people to send email there about any problems they encounter.
– You are correct; but those emails are automatically inserted as incidents in Service Manager. Wait a moment, please… As I see, your department has indeed filed such an incident today. They just wrote: “unable to retrieve prices”. This does not explain a lot.
– At least they filed a request about this problem. But why didn’t they follow the standard procedure? If Ann was absent today, I would have known. She could not have been absent. Why didn’t they consult her?
– Any other problems during the last few days? Is this something that occurred only today?
– We had no other problems during these last few days. The move from the file server to SharePoint was painless.
– At least for those not in IT.
– Yes, of course. But come to think of it, today was the only day that we had to include those special parts in our orders. Last time we did this was over a month ago. So today was the first time Purchasing tried to create such orders using SharePoint.
– This is interesting. I wonder if something went wrong.
– As I said, SharePoint has been working flawlessly during these last few days that we started using it. I doubt there is anything wrong with it. It is just that this process that we have is somewhat involved.
– What do you mean?
– Well, there was always a problem with these special prices. It is the company policy that employees in Purchasing should obtain them only on a need to know basis from a central authoritative person. This person is Ann Smith as I already told you.
– I understand.
– Not only that, there has always been the need for C-level executives to review these prices, so they are stored in a spreadsheet. In the past, only Ann had access to this and other material. At some point, it was decided that they should include C-level executives in the permissions for this spreadsheet.
– I know a little about that. I learned about these issues during the migration to SharePoint.
– Perhaps we will have more information tomorrow.
– Before we leave, I would like to check the spreadsheet’s permissions in SharePoint.
– Good idea.
– Wait a moment please… Is this the name of the spreadsheet that holds the special prices?
– Yes. That’s Ann’s spreadsheet. It’s for her eyes only.
– Well, there are no permissions in place that allow Ann to open the spreadsheet.
– I beg your pardon?
– The way things are now, Ann cannot view the spreadsheet.
– Oh! I think you might be getting to the heart of the problem. So, Ann has no permissions? How come?
– I don’t know. I see that the C-level executives group has permissions to this file, but Ann is nowhere to be found in this file’s permission list.
– Was Ann removed accidentally from the permissions list?
– We have a change management process here. Let me look at the logs… No, I see no change in permissions. It appears that Ann was never granted access to this file.
– That’s strange!
– Well, let me check the permissions in the old file server. We have not decommissioned it yet. We wanted to keep it a while longer, just in case we needed to consult it.
– Well, good thinking. It is advantageous that we can look at the configuration that worked for so many years.
– It certainly is. So let me check the old shared file system… Well, here is the spreadsheet in the old file server. Let me check its permissions… Yes, here the permissions are correct. Both Ann and the C-level executives have access.
– So, things are as they are supposed to be in the old file system.
– Exactly. Now the question is what happened to Ann’s permissions.
– What did happen to Ann’s permissions, indeed? I certainly appreciate the difficulty of your work, having to deal with investigative work like that.
– Let me try to combine the information we already have. We know that in the old system, in the file server, the permissions were correct and both Ann and C-level executives had access to the spreadsheet. In SharePoint, only C-level executives have access. Ann’s permissions are mysteriously missing.
– You mentioning the word “mysteriously” gave me goosebumps.
– And there is no change in SharePoint permissions, which can mean only one thing. Ann was never assigned permissions to the spreadsheet in SharePoint.
– I see. So, the most probable assumption would be to think that Ann never tried to access the spreadsheet in the few days that we have been using SharePoint.
– Yes. I think that today she tried for the first time, at the request of Purchasing. But she failed to open it, told that to Purchasing and they filed the incident that I just found.
– So there must have been a glitch when permissions were assigned in SharePoint.
– Seems like it. I wonder though, why did some permissions make it, whereas others did not? Why did some permissions mysteriously disappear?
– Yes, that’s it, right there. Goosebumps.
– No, that’s all right. May I ask a silly question? Is there any difference between the two sets of permissions? If you remember, I told you that the C-level executives were added later on. Does that have anything to do with it?
– I am not sure. But this is something definitely worth checking out… First of all, there is indeed a difference. In the file system, Ann’s permissions were inherited from the folder the spreadsheet was in, whereas the C-level group’s permissions were directly assigned.
– So this is what we should have had in SharePoint as well.
– No, and let me explain why. Permission inheritance in the file system hierarchy works differently than in the SharePoint hierarchy. In the file system an object may at the same time have inherited permissions from above the hierarchy and permissions directly assigned to it.
– So, that was the case with Ann’s spreadsheet in the old system. It had inherited permissions for Ann and directly assigned permissions for the C-level executives.
– Exactly. Now, in SharePoint, an object can have either inherited permissions or directly assigned ones, but not both.
– So this is the case with Ann’s spreadsheet in SharePoint now. It only has directly assigned permissions. The permissions of the C-level executives.
– Correct, again.
– But why did the directly assigned permissions win out over the inherited ones? And isn’t it a problem that we have an either-or restriction between inherited and directly assigned permissions in SharePoint?
– No, this is not a problem. When we want to add unique permissions to a folder or file, we break the permission inheritance. We keep the permissions already assigned, if we wish, and we add the new permissions. Thus, all permissions are converted to directly assigned, or uniquely assigned, in SharePoint parlance.
– Is it possible that there was an error in the procedure you followed when inheritance was broken?
– There are only a few cases like these in our file system hierarchy and we developed a script to handle them. Let me check the script we developed to break inheritance in SharePoint… Oh, dear, now I get it!
– What? Have you found the cause of the problem?
– Yes, indeed I have. Or rather, you did. And let me tell you sir, I am relieved, because the mistake is consistent and can certainly be fixed with a small effort. Phew. This is good news, considering.
– I am glad this did not turn out to be an administrative nightmare. So, what did you find in the script?
– When we broke the inheritance we used the BreakRoleInheritance method with an incorrect parameter. When this method is used to break inheritance for an item, it takes only one argument, which is either true or false. Unfortunately, I see here that this argument was set to false, where instead it should have been set to true.
– What do true and false mean in this context?
– “True” means “break inheritance and also keep existing permissions”. “False” means “break inheritance and do not keep existing permissions”.
– Then it is crystal clear. The problem was this incorrect parameter.
– I could have sworn that this parameter was set to true. I do not know what happened or who changed it. Perhaps we should establish some kind of version control for our scripts.
– It will certainly help you track all changes made to them, even if you are the only one making the changes.
– That’s right. Yes, I think version control is the way to go. The cost of hiring a good psychic may be prohibitive, anyway.
– So, since the cases where inheritance had to be broken were few, the problem did not appear right away.
– Exactly. Now, what we did for those cases was to read our company’s documentation and to break SharePoint inheritance and add the permissions that were stated in the documentation.
– Thus, in SharePoint, the spreadsheet should have directly assigned permissions for Ann and for the C-level executives. So, what is stopping us from adding Ann’s account to these directly assigned permissions?
– Nothing. Indeed that is what I am going to do. But I will do it in a consistent automated way for all the cases where we broke the inheritance. And before I do any corrections, I will discuss them with Mr. Peters.
– Great. Nice thinking.
– I would not have reached a conclusion without your help. Thank you so much.
– I am glad I helped, even if just a little bit. I believe that this is something that all companies should be aware of: the difference in the permissions model between the file system and SharePoint and how it might affect a migration to SharePoint.
– If someone is careful, she certainly can do it without a third party tool and still face no problems. I sincerely regret our oversight, though.
– That’s all right. No one can anticipate everything. As they say: “the devil is in the details”.
– I have always said that an administrator is an unsung lone hero: she remains anonymous while fighting huge battles alone. Try to remember these words tomorrow.
– I will. I was wondering whether I should write an article about this in Windows IT Pro. Perhaps I should name it “The case of the missing SharePoint permissions after a migration”.
– Perhaps you should. But I don’t know if the title is appropriate. For one, such a title may lead one to think that there is a bug in SharePoint, although this was certainly not the case here. And also, this title reminds one of Sherlock Holmes cases. Why don’t you use a title that reminds one more of your great grandaunt?
– All right, I might think of something along these lines.
– One last question remains. We should find who Evans is. I will go to my office, open Outlook and search the Global Address List. This will tell us if such a person works at our company.
– No need to do that, Mr. Brown. I will search Active Directory right now… Well, isn’t that something! I found her. Ann Smith Evans!
– Ann Smith Evans! So it was Ann all along.
– Yes, when you were asking why they did not follow the workflow, you were asking the same question Mr. Peters was asking: “Why didn’t they ask Evans?” Why didn’t they follow the procedure? Why didn’t they ask Ann? Why didn’t they ask Evans? Those questions were exactly the same. And it seems that Purchasing did ask Evans, but she could not respond due to her missing permissions.
– Now I remember. Ann is married. And she is married to a very good friend of John. That’s why John used the surname Evans. It was more familiar to him, because of his friendship.
– So, we found the problem. I will get to work immediately, in order to prepare a report for Mr. Peters stating the problem and my proposed solution.
– I should leave you to it then. Thank you for this wonderful adventure.
– And thank you for your insight and support. I would have been clueless without you. Oh, hold on a moment. My cell phone is ringing. It’s Mr. Peters. Hello? Yes, this is she… Oh, sorry to hear that… Thank you. Good bye.
– Is something the matter? Is John’s wife ok?
– Oh, yes. His wife is in excellent condition. In fact this was her on the phone. They just had a beautiful baby daughter that they wanted so much. Unfortunately, the whole birth incident was more than Mr. Peters could handle and he was in shock, so they have him sedated for now.
– Poor fellow. He seemed to be such a strong man. I cannot explain why that happened.
– Well, he did miss a few Lamaze classes when we were preparing the migration to SharePoint.
– Yes, that should be the reason. You have a brilliant investigative mind indeed!
The next morning:
– Thank you, sweetie. Thank you so much. Everything’s fine now. I was just on the phone with Ann Smith and she told me that she can access her spreadsheet and retrieve the prices. We should be able to finish our pending orders in no time. As for Mr. George Brown, she has never heard of him either.
– But he told me that he is your manager.
– Ann Smith is our manager. She is the head of Purchasing.
– But, Mrs. Harris, surely…
– I can tell you with all certainty that we never had a person with the description you gave me. I have been in Purchasing ever since the company was founded. Ann and I were the first ones here. Perhaps he was someone from another department, although I am certain that no such person works in this company. I wouldn’t worry about it if I were you, though. I just want to make it clear to you that such a person does not exist.
– Yes, that’s it, right there. Goosebumps.
– What was that, sweetie?
– Nothing. Nothing. I was talking to myself.
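
The permission gap at the centre of the story, as an added example that is not part of the original article and is not the migration script it mentions: a simplified Python model of the two inheritance rules, with a pre/post-migration audit that lists every principal who had access on the file server but lost it in SharePoint. The class names, paths and account names are hypothetical, and `break_role_inheritance` only models the true/false behaviour the administrator describes for BreakRoleInheritance.

```python
# Simplified model (added example): tracks principals only, not permission levels.
from dataclasses import dataclass, field

@dataclass
class FsObject:
    """File-server object: inherited and directly assigned entries coexist."""
    inherited: set
    explicit: set
    def effective(self):
        return self.inherited | self.explicit

@dataclass
class SpItem:
    """SharePoint item: inherits from its parent OR has unique assignments, never both."""
    parent_assignments: set
    unique_assignments: set = field(default_factory=set)
    has_unique: bool = False
    def break_role_inheritance(self, copy_role_assignments):
        # True: keep the existing (inherited) assignments as unique ones. False: start empty.
        self.unique_assignments = set(self.parent_assignments) if copy_role_assignments else set()
        self.has_unique = True
    def effective(self):
        return self.unique_assignments if self.has_unique else self.parent_assignments

def migrate(fs_obj, copy_role_assignments):
    """Mimic the migration step: break inheritance only where direct grants exist."""
    item = SpItem(parent_assignments=set(fs_obj.inherited))
    if fs_obj.explicit:
        item.break_role_inheritance(copy_role_assignments)
        item.unique_assignments |= fs_obj.explicit
    return item

def audit(fs_objects, sp_items):
    """Return {path: principals with file-server access that SharePoint no longer grants}."""
    gaps = {p: o.effective() - sp_items[p].effective() for p, o in fs_objects.items()}
    return {p: lost for p, lost in gaps.items() if lost}

# Constructed sample data; paths and account names are hypothetical.
FILE_SERVER = {
    "Purchasing/special-prices.xlsx": FsObject({"ann.smith"}, {"C-Level Executives"}),
    "Purchasing/orders.xlsx": FsObject({"ann.smith", "Purchasing"}, set()),
}

def run(copy_role_assignments):
    migrated = {p: migrate(o, copy_role_assignments) for p, o in FILE_SERVER.items()}
    return audit(FILE_SERVER, migrated)

if __name__ == "__main__":
    print("copy_role_assignments=False:", run(False))
    print("copy_role_assignments=True: ", run(True))
```

Running the same comparison against real exports of file-server ACLs and SharePoint role assignments right after a migration would surface the missing account before the first user hits it.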