One of the biggest benefits of web applications is the ease with which one can share documents for other people to collaborate on or view. Unfortunately, this same ability is the source of a number of fears about online software privacy and security. An essential component of managing the online security of your small business is a clear and simple policy regarding the sharing of online documents. Unix-style file permissions, which have been used since the early days of shared computing, can provide some guidance for a sharing policy.
Why you should have a sharing policy
Although real security breaches in which someone "hacks" into your online account or the server are technically possible, many online privacy issues stem from sharing a document with people you didn't mean to, or from someone else re-sharing a document when they weren't supposed to. These latter issues are best addressed by a simple and clear policy regarding the sharing of files within your company. A good sharing policy will help people understand what is fair game when sharing a document, and will ensure that those who view a shared document understand the limitations on re-sharing it.
Unix-style user/group/other permissions
Long before anyone was worried about sharing files in "the cloud," the concept of file permissions in shared computing environments was a relevant one. Probably the most prominent way of dealing with them was the user-group-world system still used in most Unix-like systems (such as Linux and Mac OS X). The basic idea behind Unix file permissions is that every user (such as yourself) is a member of one and only one group of users (such as your company). To share a file, you can either share it with everyone in your group, or everyone on your system (often the world), but those are your only choices.
Any modern online application is likely to have more flexible sharing options than the Unix-style options, but it may be worth limiting the number of options that your company uses in order to keep the sharing policy simple. There are a number of ways to define a sharing policy for a small business, even within the Unix-inspired system. If you come up with your own scheme, it's worth thinking about how the "group" and "other" scopes should be defined, but two options are worth mentioning:
- user/company/world - This setup means that every member of your company is in a single group. When sharing a document, a user can either share it with everyone else in the company, or they can share it with everyone in the world (equivalent to publishing the document online).
- user/department/company - This setup means that everyone in your company will be assigned to a single "department" (which may or may not be related to the existing organization in the company). The "other" group in this case is limited to other members of the company, and there is no explicit way to share outside of the company.
The Unix permissions system unquestionably has some restrictions, but if the majority of your document sharing can be handled by one of the above schemes, or a related one, it can be beneficial to have such a simple policy. Doing so limits the number of options one needs to consider when sharing a file, avoids the generation of multiple access lists on a per-file basis, and ensures that everyone understands the scope of a shared file (because they will know whether they are in the same group as the sharer).
There are obviously some cases where the above schemes can be too restrictive. An easy augmentation is to also permit pairs of users to share a document with each other. Pairs are easy to define when needed, and are unlikely to cause additional confusion. An additional case where one might run into problems is when sharing with a collaborator or client outside of the company. For such cases, it's probably worth defining a sharing policy with the other party to make sure that everyone is on the same page.
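The user/department/company scheme and the pair augmentation described above can be checked mechanically against an export of who each document is shared with. The following is an added example, not part of the original post; the directory, the `Share` record and the sample export are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed directory: every user sits in exactly one department ("group").
DEPARTMENT = {"alice": "sales", "bob": "sales", "erin": "sales",
              "carol": "ops", "dave": "ops"}

@dataclass(frozen=True)
class Share:
    doc: str
    owner: str
    recipients: frozenset  # account names as listed in a sharing export

def classify(share):
    """Return the policy scope a share fits, or a 'violation: ...' string."""
    if share.owner not in DEPARTMENT:
        return "violation: unknown owner"
    others = set(share.recipients) - {share.owner}
    outsiders = others - set(DEPARTMENT)
    if outsiders:  # this scheme has no way to share outside the company
        return "violation: outside company (" + ", ".join(sorted(outsiders)) + ")"
    if not others:
        return "user"
    company = set(DEPARTMENT) - {share.owner}
    dept = {u for u in company if DEPARTMENT[u] == DEPARTMENT[share.owner]}
    if others == dept:
        return "department"
    if others == company:
        return "company"
    if len(others) == 1:  # the pair augmentation
        return "pair"
    return "violation: ad hoc access list"

def audit(shares):
    """List (doc, verdict) for every share that falls outside the policy."""
    verdicts = ((s.doc, classify(s)) for s in shares)
    return [(doc, v) for doc, v in verdicts if v.startswith("violation")]

# Constructed sample export.
SAMPLE = [
    Share("q3-forecast", "alice", frozenset({"bob", "erin"})),
    Share("handbook", "carol", frozenset({"alice", "bob", "erin", "dave"})),
    Share("handover-notes", "dave", frozenset({"alice"})),
    Share("price-list", "bob", frozenset({"erin", "carol"})),
    Share("contract-draft", "erin", frozenset({"client@example.com"})),
]

if __name__ == "__main__":
    for doc, verdict in audit(SAMPLE):
        print(doc, "->", verdict)
```

Only the last two records are reported: one is a per-file access list that matches no scope, and the other reaches an account outside the company.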
Overall, a user/group/other scheme may not be flexible enough for the sharing within your company, but I'd guess that in many cases, additional flexibility adds complexity without much benefit. As with many things, the simplest effective policy is probably the right choice. Regardless of the specifics, however, it's definitely worth developing and communicating a coherent sharing policy within your small business.