Sitecore Security - Common Errors

Security guidelines can be quite challenging, given that there are often unique scenarios where they may not fully apply. However, based on my experience, the following recommendation is undoubtedly advisable to follow:

Assigning access rights to roles rather than users

You can assign access rights to both users and roles. However, if you make your users members of roles and assign the access rights to the roles instead of the user, you simplify maintenance. In this way, you can assign and revoke access rights to multiple users by assigning or removing memberships to roles instead of having to do this for each individual user account.

...

By only assigning access rights to roles, you also make it easier to control a user's individual access rights when you have to. For example, if you want to ensure that a user has access to a particular item for a limited period, you do not have to study all the roles that the user belongs to, you just grant the relevant access rights to the user’s security account.

You can identify these cases using the following script (to be executed within the context of your site). It will reveal any cases where permissions have been assigned directly to individual users, rather than through roles, avoiding wasting a lot of time checking the items one by one:

 Get-ChildItem -recurse | `
  Where-Object { $_.__Security -match "au\|" } |  `
  Show-ListView -Property `
    @{Name="Item that assigns rights to users"; Expression={$_.ItemPath}}, `
    @{Name="Security setting"; Expression={$_.__Security}}