The "best fit" group is determined through a series of calculators that work on various criteria. Each calculator returns a value in the range of -2 to +2:
- Very Bad (-2)
- Bad (-1)
- Neutral (0)
- Good (+1)
- Very Good (+2)
These calculators cannot be changed, but you can modify the positive and negative multipliers by changing the default values defined in the DataGovernanceEdition.Service.exe.config file. The following set of multipliers are used by the self-service calculation system to modify the relative weights of the various suitability calculators.
Keep in mind that the multiplier values are only relative to one another. If you doubled all the multipliers, there would be no change in the resulting set of groups returned to the user. If you want your desired criteria to be considered more importance, set the multipliers on those calculators to be higher relative to the rest.
NTFS group membership calculation multipliers
Configuration settings:
<add key="SelfService.AccessInheritanceSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.AccessInheritanceSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks access inheritance: Groups whose rights to the targeted resource are explicit are favorable. Groups that have been delegated access to the targeted resource through inherited permissions are considered less favorable.
- If the permissions have been inherited from some resource higher in the hierarchy, then the requester may be given access to more resources than they've actually requested. (Bad)
- If nothing is gained through inherited access, don't change the suitability. (Neutral)
- If the explicitly held rights are a better match than neutral and there are no inherited rights, then that's good (Good)
<add key="SelfService.AccessSuitabilityProcessor.PositiveMultiplier" value="200"/>
<add key="SelfService.AccessSuitabilityProcessor.NegativeMultiplier" value="500"/>
Checks access rights:
- It is optimal if the access held by the group is exactly what the request requires. (Very good)
- If the group has slightly more access than is required, it may be suggested but considered less favorable. (Good).
- It is detrimental if the group has "dangerous" rights, such as Full Control, Take Ownership, or Change Permissions. (Very bad)
- If the group doesn't have sufficient access to meet the request, it is marked as ineligible for selection. (ineligible).
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks Domain Local group membership:
- If a group contains any Global or Universal groups, then it's likely being used as a resource group. This means that the group should be less desirable for usage as an access provisioning group. (Bad)
- If a group does not contain any Global or Universal groups, then it is most likely used for direct access provisioning and not as a container group. (Very good)
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks group membership rules:
- Global groups that exist in the same domain as the employee are favorable.
- If the group is Universal, the employee must exist in the same forest as the group.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.GroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.GroupTypeSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks group type: Based on Microsoft best practices, groups are favored in the following order:
- If the group is a Global group, it is marked as very good.
- If the group is a Universal group, it is marked as good.
- If the group is a Domain Local group, it is marked as bad.
- Domain built-in groups and non-security groups are never considered suitable selections and are marked as ineligible.
<add key="SelfService.OriginInformationSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.OriginInformationSuitabilityProcessor.NegativeMultiplier" value="100"/>
Check origin domain:
- Groups in the same domain as the requesting employee are considered favorable. (Very good)
- Groups from the resource's forest are considered less favorable. (Good)
- Groups from forests outside of the forest of the requesting employee are considered even less favorable. (Bad)
<add key="SelfService.ResourceDistanceSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.ResourceDistanceSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks distance from resource: The closer the group is to the resource, the better. The further away the groups gets from the ACL, the wore the score.
- Groups directly in the resources access control list are considered favorable.
- A group that is nested one or more steps away from the access control list is considered less favorable.
NOTE: This calculator never marks a group as very bad.
SharePoint group access calculation multipliers
Configuration settings:
<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="300"/>
<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>
Choose a group assigned a permission level that best fits the requested access. Not enough rights makes the group Ineligible. Granting any modification permissions when only Contribute permissions are requested makes the group ineligible.
<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>
Groups that contain permission levels that grant a user not only the requested rights, but also give the ability to delegate permissions to others will be marked as ineligible.
<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that grant farm administrative rights. Farm Admin groups are marked as ineligible, otherwise the group is marked as neutral.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.JoinOptionsSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.JoinOptionsSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks a group's access properties:
- If the group is not a SharePoint group, it is marked as neutral.
- If the auto-accept members flag is set, the group is assumed to be extremely safe and it is marked as very good.
- If a workflow exists for granting access, or current members of the group are able to add others, the group is marked as good.
- If the property that specifies only group members may view the membership is set, the group is assumed to be fairly locked down; therefore, the group is marked as bad.
<add key="SelfService.PermissionsAgreeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.PermissionsAgreeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Many Windows groups that may be viable through Windows Domain Trusts do not always work in granting SharePoint access because of limitations in SharePoint security checking. This calculator checks to see if SharePoint itself considers the group valid for the requested access. If the effective permissions meet the requirements of the requested permissions, that is very good. Otherwise, it is marked as neutral.
Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results.
<add key="SelfService.NestingSuitabilityProcessor.PositiveMultiplier" value="200"/>
<add key="SelfService.NestingSuitabilityProcessor.NegativeMultiplier" value="100"/>
If the target group is an Active Directory group that is also a member of a SharePoint group, it is marked as very good. Otherwise, it is marked as neutral.
Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results.
<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.PositiveMultiplier" value="50"/>
<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks the type of group:
- If the group is a SharePoint group, it is marked as neutral.
- If the group is a security-enabled Active Directory group, it is marked as ineligible.
- If the group is a global Active Directory group, it is marked as very good.
- If the group is a universal Active Directory group, it is marked as good.
- If the group is a built-in domain group, it is marked as ineligible.
-
If the group is a local domain group, it is marked as bad.
Note: The default values when none of these are satisfied mark the group as ineligible.
<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Some organizations prefer to use groups that are SharePoint groups because they enhance SharePoint features and delegation within SharePoint itself, as well as allowing self service. This is a trade-off between SharePoint features vs. Active Directory group power in the enterprise. The use of Active Directory groups vs. SharePoint groups as a best practice is a debated topic.
If a group is a SharePoint group, mark it as very good, otherwise mark it as neutral. To avoid SharePoint groups, flip the positive “weight” to a negative number.
<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that grant Site Collection Administrative rights. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that would cause the user to gain the Act As System right. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that Web Application policies grant Site Collection Administrative rights to. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.NegativeMultiplier" value="100"/>
Some Farms may have policies denying most users from ever getting permissions that are too high.
- Any rights denied outside the requested permissions are considered neutral.
- A policy can make the group ineligible if it denies rights being requested.
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.
<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that get rights granted via a Web Application policy (in any zone). The more rights granted, the worse it is. These policies are usually used to grant service accounts, like the Search Service accounts rights, and are not generally good ways to obtain access to resources.
- If the group has MORE than the following permissions, then it is marked as ineligible:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation, ApplyThemesAndBorders, ApplyStyleSheets
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
- If the group has MORE than the following permissions, then it is marked as very bad:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
- If the group has the EXACTLY the following permissions, then it is marked as bad:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts