SUSHI Feature - Security Reports

SUSHI gives you the ability to display all the sites and lists a user has access to across an entire site collection. This is a fantstically useful feature. SUSHI also offers several other valuable security auditing reports which will help you get a clearer picture of what security rights a user has and how security is set up accross your SharePoint site collection.

full size screenshot

Report Notes:

  • Show Permissions Inheritance for Site Collection
Report Notes: This report shows all the SharePoint Sites and Lists that do not inherit permissions from their parent. Sites are displayed in blue, Lists are displayed in green. The server relative URL is used, so for example "/" is the root site. If a site is displayed in Gray it is simply a place holder, that site inherits permissions, but at least one of its child Lists does not. This report does not include hidden lists.
  • List Group Membership for user
Report Notes: This report shows the SharePoint groups that a user is a member of. It also indicates if a user is a site collection admin. It also displays the Active Directory groups that a user is in. It also shows if a web application policy has been set to grant rights to the user. (Web application policies can be viewed through central admin.) Note that to be able to see Active Directory groups, your login must have at least view rights to the Active Directory database. SUSHI uses a Directory Services LDAP query to determine AD membership.
  • All Permissions for a user
Report Notes: This report shows the permissions a user has for all Sites and Lists beneath the selected site. Sites are displayed in blue, and Lists in green. The user name or the SharePoint group is displayed in black, with the permissions in square brackets. Active Directory groups are displayed in navy blue.
To use this report, simply select the user from the dropdown and click "Find All Permissions". This report does not include hidden lists. By default the report will display only sites and lists that do not inherit permissions from their parent.

Overview of SharePoint Security

A user can gain access to SharePoint in one of four ways:
  • Given access directly through site settings-> permissions.
  • Sharepoint group membership.
  • Active Directory group membership.
  • Web application policy. This policy is controlled through central administration and is usually only used for the crawler account. (see screenshot below)

Last edited Apr 5, 2008 at 3:23 PM by josephflu, version 19


vgera Feb 16, 2012 at 6:19 PM 
I want to find the permissions for all users in a report. can I use this for that purpose??
or this tool just helps u find the permissions for one user at a time.

smoraneng Apr 22, 2010 at 4:48 PM 
It would be sweet if you could have it generate the security reports recursively. So, rather than having to manually choose each user from the security report and generate them, have it just go through all the users and generate the report for everyone.

stbernards Mar 1, 2010 at 1:24 PM 
I am also having problems retrieving AD group membership info. I am running Sushi on a Windows 2008 server running MOSS 2007 & I am logged in to the server as Domain Administrator & I have even tried "run as" adminstrator when I start Sushi. I have full AD access & still can't retrieve the information. Any ideas?

Stucifer Nov 23, 2009 at 1:38 PM 
Can I use this tool to create a list of all sub-sites, lists, etc. below a given site?

josephflu Mar 7, 2009 at 4:39 AM 
naiban, no you are not doing anything wrong. You need to have elevated AD priviledges in order to be able to retrieve Active Directory group membership information. Sorry about that.

naiban Feb 17, 2009 at 2:09 PM 
Great tool, this looks like it will be very handy. I am having trouble retrieving AD group membership info, am I doing something wrong?
Looking up Active Directory groups for user... Unable to find active directory groups for user: A referral was returned from the server.

0 Active Directory groups found.

Also when I get users I do not see users that have site access strictly because they are members of an AD group

Tenchuu Jan 23, 2009 at 10:17 AM 

it'd be great if you could implement an option for running reports on all sites of a site collection.
This way one mustn't select every site explicitly.

josephflu Apr 4, 2008 at 3:09 AM 
ok, excellent idea. Thanks.

bronskrat Mar 31, 2008 at 8:04 PM 
This is a great feature but it would be nice if there were a textbox entry besides the dropdown. This would allow for the search of users that are no longer in AD but still exist in sites within SharePoint. A "Purge this User" feature would also be nice but possibly dangerous ;-).