By now it shouldn't be a secret that SharePoint can be a very powerful and useful tool for your organization or business. Its features are highly touted, and I'm definitely a big fan of them. Sometimes we're not aware of how powerful SharePoint can be until it's too late. So its important to remember that with great power comes great responsibility (if you're at all a fan of Spiderman you'll recognize that quote).
From time to time I'll be writing some posts with the prefix "With Great Power:" in the title. These posts will cover issues or functionality that you, as a responsible user, should try to keep in mind when using SharePoint. If you don't, it may come back to haunt you at a later date.
With that intro out of the way, let's talk about the great power of SharePoint's search engine. If you ever used a version of SharePoint prior to WSS v3 and MOSS 2007, you know that search is vastly improved in the current release. But even with WSS v2 and SPS 2003 you should be careful with search. Why? Because using a search engine to crawl and index your content and documents you are going to make those items very, very accessible to anyone with the permissions to view them.
The gotcha that I've seen all too often is around that permissions issue. It never fails. You configure MOSS to index a file share (you can't do that in WSS, I'll cover this later), and people are really happy because now they're able to easily find all kinds of documents without having to navigate away from the SharePoint site. And then someone finds a document that contains information that they're not supposed to be able to see, such as how much the management team makes. Probably isn't a good thing, right?
The thing to keep in mind is that this problem is not caused by SharePoint. It is caused by the permissions on the location where the document resides. If the document is in a folder that is publicly viewable, it will be publicly viewable in SharePoint's search results. The same goes for documents stored in a SharePoint document library. Prior to SharePoint crawling and indexing it, the payroll document was hidden from public view because it was not easily accessible unless you knew where to find it (Admins jokingly refer to this as "security through obscurity", because it means there is no security at all). The good news is that SharePoint search results will only show a user documents that they have access to. So if you lock a document down properly, you don't have to worry about it showing up to someone in their search results when they shouldn't be able to read it.
One of SharePoint's Great Powers is its ability to easily make documents throughout your organization immediately available to end users. Your Great Responsibility as the owner of a document or content area is to keep track of who should be able to view your documents and ensuring that only those people have access to them. Otherwise, you are at risk at telling people more than you really want.
ferringer