Are Activity Streams Security Trimmed?
During my session at The Experts Conference (#TEC2010) in Los Angeles earlier this week, I was asked a question that I could not answer in full confidence: are activity streams in SharePoint 2010 security trimmed?
It was a great question. As we debated the answer, someone tweeted the question out to the SharePoint community, but unfortunately the answer did not come back right away. Following my session, I caught up with both Joel Oleson and Bill Baer in the hall and asked them the question. Joel thought that yes, they were security trimmed, but Bill answered no, they were not.
Turns out they were both right.
The topic came up again tonight as Joel, Erica Toelle, Owen Allen and I sat in the Nectar Lounge in Seattle’s Fremont neighborhood, the site of the upcoming SharePoint 2010 Community Launch party here in Seattle (#SPCLSEA) on May 12th. We discussed the Tweets flying around on the topic, and Susan Hanley’s article which mentions it.
So here is some clarification on the topic (your feedback and further refining of my answer is always welcome):
Activity streams are a feature of My Sites, not Team Sites (a gap in the product, we all agreed, and an opportunity for an enterprising web part developer). As such, they only capture tag, status, and document activities within the My Sites space, which are already security trimmed – you can control who has access to content on your site. And, of course, only authorized users can access the My Sites – which is why Joel answered the way he did: activity streams don’t show activities within Team Sites, the primary area requiring security trimming.
Tagging and user-generated keywords, on the other hand, appear in your activity stream no matter where you place them. If you tag an item or add a keyword within a Team Site, the tag or keyword does indeed show up in your activity stream. However, when another user clicks on that tag (as in the example above), they will not see any secure content. That’s where the security trimming kicks in. People can see your tag, but only the content they are supposed to see. As you can see in the image below, when clicking on the tag, you will not return any content you do not have permission to view. In this example of our TEC2010 tag, which is only associated with a single document, the result comes back empty.
Additionally, you can hide your tag by selecting the ‘private’ radio button within the My Tags window.
But to Bill’s point, there is no specific security trimming around activity streams – the security is around the Team Site content, which is enforced within the My Sites and activity streams. So technically, Bill was right, too. (There’s also a good chance that Bill misunderstood my question, as he is one of only a dozen SharePoint Masters, is wicked smart, and pretty much knows everything there is to know about SharePoint.)
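To make the behavior described above concrete, here is a small Python model of it. This is an added illustration, not SharePoint code or any of its APIs: a document’s reader set stands in for the item permissions, a tag is public or private (the ‘private’ radio button in My Tags), the activity stream shows the names of public tags to every viewer, and only the tag’s search results are trimmed to items the viewer can read. The sample documents, users and tags are constructed for the example; an extra audit helper lists the public tag names a viewer can see on content they cannot open, which is the piece worth reviewing before anyone tags confidential material.

```python
"""Toy model of SharePoint 2010-style trimming of social tags.

Added illustration, not SharePoint code: `readers` stands in for the item
permissions, the stream exposes public tag *names* to everyone, and only the
tag's result set is trimmed to items the viewer may read.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    url: str
    readers: frozenset  # users allowed to read the item (stand-in for the ACL)


@dataclass(frozen=True)
class Tag:
    name: str
    owner: str
    target: Document
    private: bool = False  # the 'private' radio button in My Tags


def stream_tags(tags, viewer):
    """Tag names shown to `viewer` in the tag owner's activity stream.

    Public tags appear whether or not `viewer` may read the tagged item;
    private tags appear only to their owner.
    """
    return sorted({t.name for t in tags if not t.private or t.owner == viewer})


def tag_results(tags, tag_name, viewer):
    """Trimmed result set returned when `viewer` clicks `tag_name`."""
    return sorted(
        t.target.url
        for t in tags
        if t.name == tag_name
        and (not t.private or t.owner == viewer)
        and viewer in t.target.readers
    )


def exposed_tag_names(tags, viewer):
    """Audit helper: public tag names `viewer` sees whose tagged item they
    cannot read. The content is trimmed, but these names still leak."""
    return sorted(
        {t.name for t in tags if not t.private and viewer not in t.target.readers}
    )


# Constructed sample data (not real sites, users or documents)
SLIDES = Document("/teams/tec/TEC2010-slides.pptx", frozenset({"mark", "joel"}))
PLAN = Document("/teams/hr/reorg-plan.docx", frozenset({"mark"}))

TAGS = [
    Tag("TEC2010", "mark", SLIDES),
    Tag("Project-Falcon", "mark", PLAN, private=True),  # hidden from everyone but mark
    Tag("reorg", "mark", PLAN),  # public name on content only mark can read
]

if __name__ == "__main__":
    for viewer in ("mark", "joel", "erica"):
        print(
            viewer,
            "stream:", stream_tags(TAGS, viewer),
            "TEC2010 results:", tag_results(TAGS, "TEC2010", viewer),
            "names exposed on unreadable items:", exposed_tag_names(TAGS, viewer),
        )
```

Running it shows the split the post describes: a viewer with no rights to the slides still sees the TEC2010 tag in the stream but gets an empty result set when clicking it, the private tag never appears for anyone but its owner, and the public ‘reorg’ tag name is visible to viewers who cannot open the plan it sits on.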
Leaving the get-together tonight, we all agreed that there is still some testing to do, but for all intents and purposes, we agreed that yes, activity streams are security trimmed.
Don’t you think the answer is “sort of?” If the tag shows up to everyone even though you placed it on secure content, doesn’t that mean that users need to be trained to not use confidential terms (project code words, etc.) in their tags? The fact that only the associated content is really secure means that users need to understand that unless you secure the tag itself, social tags are just that – social. While you can control who sees your activity feed in general, you may also want to secure the tag itself (which you can do) if you are using it on highly confidential content. In that context, the “social” tag becomes a private bookmark – which is a concept that may require explanation to new users. It’s actually pretty cool that you can tag privately and publicly, but what I think this means is that you can’t tag “semi-privately.” I think this means that tags are either just for me or something I share with everyone – even if the content itself is totally secure.