Who Should Have Access to What? Governance, Permissions, and Accountability in SharePoint
A Lagos manufacturing company’s financial controller discovered mid-level operations staff accessing quarterly financial projections. The CFO was furious. IT pointed to SharePoint permissions. The Operations Head said his team needed visibility to plan properly. No one could explain when access was granted, who approved it, or whether it should be revoked.
This wasn’t about SharePoint settings. It was about SharePoint access control and organizational accountability.
Who decides who sees what? What happens when access expectations clash with data protection requirements? How do you say no to a director who believes seniority equals access rights?
Most organizations treat access control like a configuration task. Set groups. Set inheritance. Move on. Then they discover the real challenge isn’t SharePoint. It’s authority: who has the power to make access decisions and who takes responsibility when those decisions go wrong.
This article examines SharePoint access control as a governance and accountability issue. You’ll see why it fails in Nigerian organizations, how to audit your current state honestly, and what defensible governance actually requires.
We’re focusing on Pillar 2 (Access Control) and Pillar 4 (Roles & Responsibilities) from the broader document management governance framework. If you haven’t read about information architecture yet, start there. You can’t secure what you can’t organize.
This isn’t a guide to SharePoint permission settings. It’s a guide to making access decisions defensible.
Why SharePoint Access Control Fails: Common Patterns
Permission Creep
Someone needs temporary project access. It’s granted. The project ends. Access stays. Six months later, they’re still accessing documents they shouldn’t see.
Multiply this across 50 staff over three years. Nobody tracks it. Nobody reviews it. Permissions accumulate like sediment.
Seniority-Based Access Expectations
“I’m the Head of Department. I should see everything in my division.”
This sounds reasonable until you realize the division handles HR disciplinary files, and access should be role-based, not rank-based. In Nigerian business culture, denying senior staff access can feel disrespectful. But NDPA compliance doesn’t care about organizational hierarchy.
Trust-Based Access
“He’s been with us for 10 years; he’s trustworthy.”
Trust doesn’t equal business need. When that trusted person leaves for a competitor, trust turns into risk.
The “Just in Case” Principle
Granting access in case someone might need it creates exposure without accountability. You can’t demonstrate compliance when your justification is “maybe someone will need this someday.”
Ad Hoc WhatsApp Requests
Theory: Access requests go through formal approval.
Reality: Someone WhatsApps IT asking for access. IT grants it to avoid being the bottleneck. No documentation. No justification. No accountability.
The Nigerian Context That Amplifies These Patterns
Cultural hierarchy expectations mean seniority often translates directly to information access. A director requests access during an executive meeting and expects immediate compliance, despite documented approval processes.
Relationship-driven access creates challenges in family businesses and relationship-heavy industries. “We’re like family here” works until someone leaves, is terminated, or there’s a commercial dispute.
External sharing complexity stems from the regular sharing of documents with auditors, lawyers, consultants, and regulatory bodies. Each external share creates a risk you now need to defend, but client deadlines often override security protocols.
Limited IT oversight means access decisions get made by busy people who don’t understand risk implications. “Just add him to the group abeg” becomes the default, with no consideration for what that group actually has access to.
What Failure Actually Costs
The costs fall into three categories:
Internal damage: Confidential salary data accessed by unauthorized staff creates morale crises and privacy violations.
Competitive risk: Strategic plans leaked to competitors through careless external sharing damage your market position.
Regulatory and audit risk: Uncontrolled access to personal data could trigger NDPC scrutiny. Audit failures happen because you can’t demonstrate who had access to what and why.
These failures share a common root: nobody owns the decision to grant access.
The Diagnostic Framework: Auditing Your Access Governance
The Two-Minute Accountability Test
Can you answer these questions right now?
- Who currently has access to your financial forecasts?
- Who approved that access and when?
- What was the business justification?
- Who reviews this access and how often?
- What happens to access when someone changes roles?
If you hesitated on any question, you have an access governance problem.
Business justification means: what job outcome requires this access, why the current role needs it, and what risk you accept by granting it. Without documented justification, access decisions become arbitrary.
The Three-Layer Access Audit
Layer 1: Technical Permissions (What SharePoint Shows)
Run permission reports for sensitive libraries covering HR, Finance, Legal, and Strategic Planning. Document who has Read, Edit, and Full Control. Identify permission inheritance breaks. Map external sharing links. Identify orphaned access from people who left or changed roles.
Common findings include dozens with Full Control who shouldn’t have it, external sharing links that never expire, department heads with access because they asked, and former employees still in permission groups.
Layer 2: Business Justification (Why Access Exists)
For each person with access to sensitive content: What’s their role? Why do they need this access? Who approved it? Is it temporary or permanent? When was it reviewed?
Common findings reveal access granted based on seniority rather than business need, no documented justification, temporary access that became permanent, and “we’ve always done it this way” as the only explanation.
Layer 3: Organizational Accountability (Who Decides)
Who grants access to financial documents? Who approves external sharing? Who reviews access quarterly? What happens with exception requests? Who owns content security in each department?
Common findings include IT making business decisions about access, no one able to name who’s accountable for governance, approval processes constantly bypassed, and exceptions becoming the rule.
The Scoring Matrix
Green (Good Governance): All three layers have clear answers. Access aligns with documented business needs. Regular reviews actually happen rather than just being talked about. Clear accountability for access decisions. Action: Maintain, monitor, and review on schedule.
Yellow (Significant Gaps): Technical permissions are mostly documented. Business justification is spotty or assumed. Accountability is unclear or inconsistent. Action: Fix within 90 days, starting with restricted content.
Red (Critical Failure): Can’t reliably document who has access. No business justification for most permissions. No one is accountable for access governance. Access granted to whoever asked the loudest. Action: Freeze new access changes, audit the most sensitive libraries first.
Real-World Test: The Regulatory Request
Scenario: NDPC enforcement officer requests documentation of who has access to customer personal data and the legal basis for that access.
Can you produce this with confidence in 24 hours? If not, you have defensibility problems during an investigation.
The Governance Question: Who Should Decide Access?
Access Is a Business Decision, Not an IT Decision
IT can configure SharePoint permissions. IT cannot decide who should see financial forecasts, HR disciplinary files, or strategic acquisition plans. That’s business judgment requiring business context.
The Responsibility Framework
Content Owners (usually department heads) operate at the business decision layer. They decide who needs access, define sensitivity levels, approve requests, review access quarterly, and take responsibility when access is misused.
The Information Security and Compliance function serves as the risk advisory layer. They set policy, advise on risk, monitor violations, escalate issues, and provide regulatory guidance.
IT and System Administrators handle technical implementation. They configure permissions, generate reports for content owners, handle provisioning, and cannot override business decisions.
Executive Sponsors form the authority layer. They lend organizational authority, resolve disputes, support enforcement, and fund governance infrastructure. Without executive backing, the first denied access request to a director is where most governance efforts break.
What This Looks Like in Practice
Scenario: Sales Director requests access to all HR files.
Wrong approach: IT grants it because he’s a director.
Right approach: IT refers to the HR Director (content owner). HR evaluates business need. Legitimate need, like commission review? HR grants limited access to specific files. No business need? HR declines with executive support. Decision gets documented.
The Cultural Challenge in Nigerian Organizations
In many Nigerian businesses, saying no to a director feels culturally inappropriate.
This requires executive buy-in on governance principles before implementing access controls. If leadership hasn’t agreed that access follows business need rather than rank, your framework will collapse at the first challenge.
What “Need to Access” Actually Means
Does this person’s role require this information to do their job? Is this access temporary or permanent? What’s the risk if this information is misused? What’s our justification if challenged? Can we provide limited access instead of full access?
Visibility is not the same as access. You can share summaries without opening entire folders. This addresses “we need visibility” requests without creating unnecessary exposure.
The Executive Access Problem
Managing Directors and CEOs often expect access to everything. Sometimes appropriate (Board materials, strategic planning). Often not (HR disciplinary files, attorney-client privileged documents).
You need an executive agreement on access principles before designing permission structures. If leadership hasn’t agreed that access should be role-based rather than rank-based, technical implementation becomes a political battle you’ll lose.
Practical SharePoint Access Control: What Works in Nigerian Organizations
Starting Point: Risk Classification
Not all information carries the same risk. Classification drives access decisions.
Common categories include:
- Public: marketing materials and published reports that anyone can access.
- Internal: general business documents accessible to any staff member.
- Confidential: department-specific competitive data requiring role-based access.
- Restricted: HR records, financial data, and legal files requiring explicit authorization.
- Highly Restricted: Board materials, M&A documents, and regulatory filings limited to named individuals.
Each level has different access requirements, approval processes, external sharing rules, and review frequency.
Role-Based Access Control (RBAC) Principles
RBAC is a core SharePoint access control principle: access tied to job function, not individual identity.
When someone joins Finance, they get Finance Analyst access. When they leave or change roles, access is automatically adjusted. No special requests, no permission creep.
This requires clearly defined roles, documented access entitlements, exception processes, and regular reviews to catch drift.
RBAC works well in structured organizations with stable role definitions. It’s harder where roles are fluid and people wear multiple hats.
The Hybrid Approach That Works
Most Nigerian SMEs succeed with: role-based access for core functions (Finance, HR, Legal), function-based access for operations, individual approvals for highly restricted content, and quarterly reviews.
External Sharing Governance
Every SharePoint external sharing link is a governance decision.
Your policy must address who can create sharing links, what approval is required, whether external users can edit or only view, when links expire, how you track what’s shared, and what content can never be shared externally.
You’re sharing with external auditors, consultants, lawyers, bank relationship managers, and regulatory bodies. Each has a different risk profile.
Example approach: External auditors get time-limited, view-only access to specific libraries. Legal counsel uses a secure document exchange. Consultants get project-specific access with defined end dates. Regulatory bodies use secure submission portals, not general SharePoint sharing.
The Approval Workflow Reality
Theory says access requests go through documented workflows. Reality shows workflows get bypassed when they create too much friction.
Workflows work when executives enforce them, approvals happen within 24-48 hours, clear escalation exists for urgent needs, and IT doesn’t have the discretion to override business decisions.
Access Review Cadence
Required reviews happen immediately when someone leaves or changes roles. Highly restricted content requires quarterly reviews. Confidential content needs semi-annual reviews. Internal content requires annual reviews.
Content owners review, not IT. IT provides the reports, but the business signs off on the decision. Signing off means taking ownership of the decision if it’s questioned later. They certify current business needs. Misaligned access gets corrected, not just documented.
Documenting SharePoint Access Control Decisions
Defensible access governance requires documentation. Not technical logs. Governance artifacts.
When you grant access, especially to sensitive content, document five things:
- What content is being accessed?
- Who is requesting access?
- Why do they need it? (specific job outcome)
- Who approved it and when?
- When is this access reviewed, or does it expire?
This isn’t bureaucracy. It’s accountability. When someone challenges an access decision (auditor, regulator, executive), you have documented justification. When someone leaves and their access needs review, you know what decisions were made and why.
In mature environments, this becomes an access register. In smaller teams, a simple shared log works. The format matters less than the habit.
Most organizations skip this step. Then they can’t answer basic questions during audits or security reviews. The Access Decision Record makes governance real.
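As an added example (not from the article or from PlanetWeb), the following Python check runs over an access register built from the five fields above and applies the review cadence from the Access Review Cadence section: it flags records with no justification or approver, expired temporary access, leavers who still hold access, and reviews that are overdue for their classification. The record layout, the field and function names, the sample entries, and the quarterly interval applied to Restricted content (the article states no cadence for it) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Review interval per classification, following the article's cadence (quarterly,
# semi-annual, annual). "Restricted" has no stated cadence; quarterly is assumed.
REVIEW_DAYS = {"Highly Restricted": 91, "Restricted": 91,
               "Confidential": 182, "Internal": 365}

@dataclass
class AccessRecord:
    """One Access Decision Record: the five questions the article lists."""
    content: str                       # what content is being accessed
    requester: str                     # who is requesting access
    justification: str                 # why: the specific job outcome
    approver: str                      # who approved it ...
    approved_on: date                  # ... and when
    classification: str                # drives the review interval
    expires_on: Optional[date] = None  # temporary access carries an end date
    last_reviewed: Optional[date] = None

Finding = Tuple[str, str, str]  # (requester, content, what is wrong)

def audit_register(records: List[AccessRecord], leavers: Set[str],
                   today: date) -> List[Finding]:
    """Flag every record that would fail the two-minute accountability test."""
    findings: List[Finding] = []
    for r in records:
        tag = (r.requester, r.content)
        if not r.justification.strip():
            findings.append((*tag, "no business justification"))
        if not r.approver.strip():
            findings.append((*tag, "no documented approver"))
        if r.expires_on is not None and r.expires_on < today:
            findings.append((*tag, "temporary access expired"))
        if r.requester in leavers:  # leaving or changing role: review now
            findings.append((*tag, "leaver or role change: revoke or re-approve"))
        interval = REVIEW_DAYS.get(r.classification)
        if interval is None:
            findings.append((*tag, "unclassified content: no review cadence"))
            continue
        # Scheduled review runs from the last review, else from approval.
        due = (r.last_reviewed or r.approved_on) + timedelta(days=interval)
        if due < today:
            findings.append((*tag, f"review overdue since {due}"))
    return findings

# Constructed sample register; names, paths and dates are made up.
AS_OF = date(2024, 7, 1)
SAMPLE_LEAVERS = {"former.employee"}
SAMPLE_REGISTER = [
    AccessRecord("Finance/Quarterly Projections", "ops.lead", "Capacity planning",
                 "cfo", date(2024, 1, 15), "Restricted", last_reviewed=date(2024, 4, 10)),
    AccessRecord("HR/Disciplinary Files", "sales.director", "", "",
                 date(2023, 9, 1), "Highly Restricted"),
    AccessRecord("Finance/Audit Pack 2023", "external.auditor", "FY2023 audit",
                 "cfo", date(2024, 2, 1), "Restricted", expires_on=date(2024, 3, 31)),
    AccessRecord("Marketing/Brochures", "former.employee", "Campaign drafting",
                 "marketing.head", date(2024, 5, 1), "Internal"),
]

def run_sample() -> List[Finding]:
    """Audit the constructed register as of AS_OF."""
    return audit_register(SAMPLE_REGISTER, SAMPLE_LEAVERS, AS_OF)
```

Only the ops.lead entry passes cleanly; the other three produce the findings a content owner would have to act on at the next quarterly review.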
Minimum Viable Governance for Nigerian SMEs
If you’re starting from chaos, don’t try to fix everything at once. Start here:
Pick your three most sensitive libraries (typically HR, Finance, Legal). Assign clear content owners to each. Freeze external sharing by default (require approval for any external access). Start quarterly access reviews for these three areas only.
Get this working first. Build organizational muscle. Then expand to other content areas. Perfect governance that nobody follows is worth less than simple governance that actually happens.
Common Mistakes That Undermine Access Governance
These implementation mistakes directly mirror the failure patterns from earlier. Recognizing the connection helps you avoid repeating them.
Treating Access as an IT Problem (mirrors all patterns)
IT makes all access decisions based on technical factors. This fails because IT can’t know the business justification for access. Either everything is locked down, and users revolt, or everything is open, and there’s no security. This is why every failure pattern exists.
No Regular Reviews (creates Permission Creep)
Access granted but never revisited means permission creep is inevitable. Within 18 months, access becomes meaningless chaos. This is the Permission Creep pattern playing out systematically.
Policy Without Enforcement (enables Seniority-Based Access)
Beautiful access-control policies that exist only on paper fail when executives bypass them with impunity. Policies become suggestions. Everyone ignores governance. This is exactly how Seniority-Based Access Expectations override governance frameworks.
Permission Groups Without Governance (enables WhatsApp Requests)
Creating SharePoint groups like Finance_Read and HR_Edit without defining who manages membership makes them dumping grounds. Anyone can add anyone. This directly enables the Ad Hoc WhatsApp Requests pattern because there’s no accountability for group membership.
Over-Engineering Early (creates new failure modes)
Trying to implement perfect RBAC from day one with 50 defined roles creates complexity that prevents adoption. Users work around it. You get expensive failure and return to email attachments. This creates all the failure patterns at once because governance becomes too difficult to follow.
The pattern they share: All treat access control as a technical project rather than an organizational accountability challenge.
Connection to Broader Governance Framework
SharePoint access control doesn’t exist in isolation. It’s Pillar 2 of comprehensive document management governance.
Access control requires information architecture (Pillar 1). You can’t secure what you can’t organize. If your structure is chaotic, access control becomes guess-based. When files are scattered across dozens of sites with no clear ownership, assigning proper permissions is impossible.
Access control enables lifecycle management (Pillar 3). Retention policies require knowing who’s responsible for content decisions. If access is unclear, retention becomes arbitrary.
Access control demands clear roles (Pillar 4). Without defined content owners who make access decisions, IT becomes the de facto decision-maker. That’s the wrong layer for business judgment.
Access control supports compliance (Pillar 5). NDPA requires demonstrating who has access to personal data and why. Audit readiness depends on defensible access governance.
Fix access control in isolation, and you’ll hit limits. But ignore access control while building other governance capabilities, and you’re building on sand.
When to Involve Professional Help
Complexity Indicators
You probably need expertise if you have conflicting departmental access needs, operate in regulated industries, manage complex external sharing, recently merged organizations, or face regulatory scrutiny.
Capacity Constraints
Professional help makes sense when IT is stretched thin, no one has security governance experience, you need implementation within specific timeframes, or DIY isn’t working.
Risk Profile
The business case is clear when you handle highly sensitive data, breach costs would be high, you need defensible governance for stakeholders, or leadership recognizes this is too important to get wrong.
What Professional Implementation Delivers
Partners with Nigerian SharePoint governance experience bring compliance-aligned frameworks, technical implementation that works with your structure, change management for cultural adoption, documentation that satisfies auditors, training for owners and users, and post-implementation support.
You’re buying governance expertise and implementation experience from organizations that have successfully done so in Nigerian contexts.
The Decision
Can you design and implement access governance yourself? Possibly, with the right expertise, capacity, and executive support.
Should you? Depends on your complexity, risk profile, and opportunity cost. Run the diagnostic audit from the Diagnostic Framework section above. Assess your current state honestly. Then decide whether to fix this internally or engage expertise.
Conclusion
SharePoint access control fails when organizations treat it like configuration rather than governance.
Who decides who sees what? What happens when access expectations clash with data protection? How do you maintain governance as you grow?
These are business questions requiring business judgment. Technology implements those decisions.
Nigerian organizations face unique challenges: balancing cultural hierarchy with compliance requirements, managing external sharing in relationship-driven environments, and building governance with limited resources. And the pressure keeps mounting. NDPA compliance expectations are growing. Audit scrutiny is tightening.
What’s not debatable: You need clear accountability for access decisions. You need documented governance, not ad hoc WhatsApp requests. You need executive buy-in, or your framework will collapse.
Do something. Chaotic access permissions are a risk you can’t ignore.
Ready to establish defensible SharePoint access control? Contact PlanetWeb to discuss how we can help you build accountability into your access control framework.