Assigning permissions the right way in SharePoint 2010

This week I'm attending a course on SharePoint administration and today we talked about permissions. I was very surprised when trainer did not mention the method I've been using for a while to "force" power users to assign permissions the right way. When I mentioned to him that I have a method he told me that in 13 years working with SharePoint this is the first time he heard about this method so I thought maybe I should blog about it and maybe other people will find it useful.

When assigning permissions in SharePoint arguably best way to doit is via SharePoint groups. The problem arises when you have to delegate the permission so "power" users (not administrators) start managing permissions and start dishing out explicit permissions and do a mix and match on site, library, folder and item level.

My method is really simple:

• You create all SharePoint groups you need in specific site
• You then set the person to manage permission as SharePoint group owner. This gives that user permission to add/remove users from that group and therefore assigning permissions in their site.
• If more than person is managing permissions, create a SharePoint group and add all "power" users to this group, let's call Access Administrators. 
• You can then set SharePoint group Access Administrators to be owner of SharePoint group they use for giving other users to their site
• Note you might need to give or publish a direct link to SharePoint users as typically power users will not have access to Site Action therefore will not be able to navigate to Security Settings to open groups they own. 

Example

Site: Finance

SharePoint Groups: 

Finance Access Administrators (FAA), owner SharePoint Administrator, Contribute 

Finance Visitors, owner FAA, Read

Finance Members, owner FAA, Contribute