UPDATE 01/28/08: This codeplex project addresses this issue: http://www.codeplex.com/AccessChecker. I have not used it, but it looks promising if this is an issue you need to address in your environment.
UPDATE 11/13/08: Joel Oleson wrote up a very good post on the larger security management issue here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d%2D183c%2D4fc2%2D8320%2Dba5369008acb&ID=113. It links to a number of other useful resources.
Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to list about changes made to the list?"
There is no out of the box solution for this. If you think about it for a moment, it’s not hard to understand why.
SharePoint security is very flexible. There are at least four major categories of users:
- Anonymous users.
- SharePoint Users and Groups.
- Active Directory users.
- Forms Based Authentication (FBA) users.
The flexibility means that from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present it in a useful fashion. That’s a hard problem to solve generically.
How are organizations dealing with this? I’d love to hear from you in comments or email.