For 2 years, I lead the design of several premium security and compliance features for SharePoint that are used by more than 200 million users worldwide. Some of these features were document library labels, information barrier and sensitivity label insights. One of the main projects that I worked on during this time has been Data Access Governance. I worked with the team to build the feature ground up from 0-1, pushed for key improvements, laid the north star vision and also worked towards integrating copilot features. 

BACKGROUND

Product design, UX design

TEAM

Solo designer, 1 PM, 1 Content designer, 1 UX researcher, 15+ engg

TIMELINE

Jun '20 - Dec '22

B A C K G R O U N D

SharePoint is your company’s intranet. Organizations have up to tens of thousands of SharePoint sites that are used to share news, files, data and resources by around 200 million users worldwide (as of 2020). 

While organizations use SharePoint heavily for collaboration, admins need to ensure that appropriate security settings are applied at various levels. Even as admins can apply security settings, they have 0 visibility on how these settings are protecting their sites, whether they are sufficiently protected and identify those sites that may be at risk. 

While admins can apply security settings they have 0 visibility on how it is protecting their sites. Data Access Governance aims to be the one-stop place for admins to monitor the security and compliance health of their sites in SharePoint.

To understand user requirements we did a comphrehensive user study that helped us carve the scope of the product. This is what we learnt — 

I worked on DAG for 3 years from it's very inception, during this time, the feature went through several changes. I have attempted to capture this product journey through different chapters and enlisted my contributions along the way. 

Our first goal to unblock users was to give them something to get started with as part of our MVP. However, combining different data sources within a legacy old products to show even simple insights was hard, very hard.

Our golden vision was to show a comprehensive dahboard upfront followed by an ability to drill down to detailed reports. We soon realized that showing even a few rows of data had high COGs cost, visualizations or high level insights were out of the question. After many negotiations and creative thinking between engineering, PM and design, this is how we solved for the issue —

T H E    G O L D E N   V I S I O N

T R I M M E D   D O W N    M V P  

C O N T R I B U T I O N S

After we shipped the first MVP, we now wanted to scale DAG as a platform. Below is a glimpse of the strategy we formed as part of it. We defined that DAG as a platform should help users discover content at risk, mitigate immediate dangers and mitigate them from occuring in the future. Within this, DAG could either scale breadth wise, by adding more security reports for instance, or scale in depth by enriching the report itself, by showing more data within reports, adding suggestions etc.

DAG as a platform

S O M E   U P D A T E S   T O   D A G

1. Addition of new reports - Extending onto the role of DAG as a platform, new reports were added to it offering more security and compliance oversight. 

2. Auto-run reports - Based on the MVP feedback, we learnt that users want to use DAG reports for monthly or quaterly audits. Considering this we porposed scheduling monthly auto run of the reports instead of having to manually run them and wait for 3-4 hours every time. This gave some relief to users while also not hurting COGs. 

3. Report improvments - We also strived to enrich current reports. We added filters to drill through the report, add some new columns as per user asks and also added a action to allow admins to restrict site access to quickly mitigate any risky site. 

C O N T R I B U T I O N S

We always knew that governance is a shared responsibility. While SharePoint admins look at the health of the overall tenant, they do not have enough visibility and knowledge of individual sites and are unable to make judgements on it. They want to delegate that accountability to site admins. After clear repeated customer asks, we finally built Site access reviews that let them do just that.

S I T E   A C C E S S   R E V I E W S   W I T H    A   L I T T LE   H E L P   F R O M   C O P I L O T

This was also the point where Copilot was launched and we were exploring the role of copilot in security and compliance space. We identified many use cases, one of them stood out strongly in the site access review journey. Below is an E2E flow of the same.

C O N T R I B U T I O N S

After a good 3 years, engineering team built new data lakes for DAG. This meant that all the data would reside in an all new database rather than being scored from different sources and combined in real time. As a result, we are now able to show complete data, richer insights and all without the notorious delays. So we summoned our past vision along with our learnings through the years and come up with a new direction for DAG —

R E L E A S E   &   R E C E P T I O N 

Post the feature release, we tracked large org usage and report generation as a metric to measure feature adoption. Apart from this, we also conducted multiple user studies and surveys to gauge user perception around the feature.