It has been a while since I've played with Active Directory and SharePoint permissions. I wanted to get some clarity on this topic please. If our company has AD security groups such as: Accounting, Sales, and MIS, what then are the best options for managing permissions in SharePoint?
If I were to do an import of users into SharePoint, the sync process would grab the individual users from their AD security groups, but not, however, grab the actual AD security group name, right? So I would then need to create a series of SharePoint groups and then manually move these users into the SharePoint groups, still correct? Please correct me if this is flawed. The SharePoint groups are based off functional business process flow and not the rigid org chart. Here is an example of the nested SharePoint grouping I am thinking of:
- Accounting (group)
  - Accounting Managers (child group)
  - Accounting Supervisor (child group)
  - Accounting User (child group)
  - Finance (child group)
    - Finance Managers (childOfChild group)
    - Finance Supervisor (childOfChild group)
    - Finance User (childOfChild group)
  - AP (child group)
    - AP Managers (childOfChild group)
    - AP Supervisor (childOfChild group)
    - AP User (childOfChild group)
So now all the user's rights on the network are managed by Active Directory, but all the permissions are managed inside of SharePoint. If a user is terminated, then they would be automatically removed from the sync, but if they are promoted, then a manual process to move the individual user from one SharePoint group to another would need to be performed.
Is this considered a practical method of working with AD groups and SharePoint groups? Or is my thinking flawed?
Thanks,
Alex