MANAGE SHAREPOINT PERMISSIONS IN SHAREPOINT ONLINE SITES
In SharePoint, site owners and site collection administrators are responsible for managing SharePoint permissions for their sites and the content within the lists and libraries such as folders or documents. There are a lot of considerations to be made when managing permissions, and it is vital to ensure that users only have access to authorized content.
For the purpose of this blog post, we’ll explore how, as a Site Owner, you can manage SharePoint permissions using the out-of-the-box reporting and sharing options.
How you manage SharePoint permissions depends on how the SharePoint site was created: as part of a Microsoft 365 Group, or as a subsite within a classic Site Collection.
In modern group-connected team sites, the organizational users who get access are members of a Microsoft 365 Group; that group is in turn a member of a SharePoint Group, and the SharePoint Group is assigned a Permission Level, which is itself made up of multiple individual permissions.
Consider a newly created Modern Team Site. Creating the site also creates a Microsoft 365 Group, named after the site and checked for uniqueness at the point of creation. If the new site is called ‘Sales’, the Microsoft 365 Group is named ‘Sales’ and an email address is created for it (e.g. email@example.com). The Microsoft 365 Group has owners and members. The SharePoint site also gets three SharePoint Groups named after the site: Sales Owners, Sales Members, and Sales Visitors. The Microsoft 365 Group’s members are placed in the Sales Members SharePoint Group and its owners in the Sales Owners SharePoint Group, so every member of the Sales Microsoft 365 Group is automatically a member of the Sales Members SharePoint Group. Each SharePoint Group is assigned a Permission Level: Sitename Owners gets Full Control, Sitename Members gets Edit, and Sitename Visitors gets Read.
It is, however, possible to bypass these groups when assigning permissions to users. The easiest way to give someone permissions to a site is to make them a member of the Microsoft 365 Group, but doing so also gives them access to the other group resources such as Planner, the group Calendar and Files. If you want to grant access to the SharePoint site only, you can put the user directly into a SharePoint Group such as the Sitename Members group. Or (and this is not good practice) you can grant the user a permission level such as Contribute directly on the site. We do not recommend the latter because direct grants are scattered and hard to find: when the user leaves the organization or changes roles, someone has to locate and remove every one of them. The diagram below illustrates how permissions can be assigned in a SharePoint Site.
If you are using a classic subsite, you won’t have the added complexity of a Microsoft 365 Group, and modern Communication Sites do not use Microsoft 365 Groups either. In those sites, organizational users can be granted permissions directly, through a SharePoint Group, through an Active Directory Security Group that is itself granted permissions and that the user is a member of, or through an Active Directory Security Group that is made a member of one of the SharePoint Groups.
If this already seems complex, keep in mind that the above describes the site only. Everything within the site, including lists, libraries, folders and files, inherits permissions from the site by default. However, permission inheritance can be broken on lists and libraries as well as on folders and files, and every broken inheritance is one more place you have to keep under control.
Below, we will describe how to report and manage permissions within a SharePoint Site by using the out-of-the-box SharePoint permission reports.
Granting Direct Access vs Sharing Permissions
It’s also important to understand that so far we have discussed granting permissions. When granting permissions, you can grant them to users in your organization in many ways, but ultimately the user can receive any permission level, including:
- Full Control
- Design
- Edit
- Contribute
- Read
- View Only
If you are ‘Sharing’, you can share with organizational users and external users, but you can only grant the equivalent of Read (‘Can view’) or Edit (‘Can edit’).
Microsoft 365 Groups
Whether Microsoft 365 groups can be used to assign permissions depends on the type of site. Group-connected team sites can be managed through their Microsoft 365 group; communication sites and classic subsites are not connected to a Microsoft 365 group, so, as Microsoft recommends, their permissions are managed through the SharePoint groups.
A SharePoint team site is part of a Microsoft 365 group, so when you add users to the Microsoft 365 group you give them owner or member permissions as required. Microsoft 365 group owners become site owners of the SharePoint site (they are also site collection administrators, so treat group ownership as a privileged role), and Microsoft 365 group members become site members.
Active Directory Security Groups
Active Directory Security Groups are a common option for managing SharePoint permissions, as the users and groups synchronised from Active Directory to Azure AD (Microsoft Entra ID) are all available in SharePoint Online. The Site Owner or Site Collection Administrator can add an Active Directory group to a SharePoint site and give it an appropriate permission level, and every user in the group then has that permission level in the site. A peculiarity of Active Directory groups is that you cannot view their membership from within SharePoint: a site owner sees the group name but not who is in it. A related point is that some organizations’ compliance requirements mandate SharePoint groups instead of Active Directory groups, not least because membership then remains visible from the site.
SharePoint Groups
SharePoint Groups are security groups at the SharePoint site level that control how users access content within the site. There are three main SharePoint groups in a site: Owners, Members, and Visitors. Owners have Full Control over the entire site, Members can add, edit and delete content, and Visitors have read-only access to site contents.
For site owners, the easiest way to manage SharePoint permissions is to add users to the appropriate one of these groups.
It is also possible to create your own SharePoint Group, and this is encouraged when using custom permission levels. Creating your own SharePoint Group is a good way to delegate responsibility for managing SharePoint permissions on your site to other users. For example, I could create a new SharePoint Group called ‘Regional Sales Members’. Another user could become the owner of the Regional Sales Members group, allowing them to manage its membership. The Regional Sales Members group could then be assigned a permission level such as Contribute. This allows permissions to be managed without giving non-technical users Full Control of the SharePoint site.
While the Owners, Members and Visitors groups generally have Full Control, Edit and Read permissions respectively, there are other granular permission levels to consider. The out-of-the-box permission levels to take note of when managing SharePoint permissions are:
- Full Control: all permissions on the site
- Design: view, add, update, delete, approve and customise content, including pages and lists
- Edit: add, edit and delete lists; view, add, update and delete list items and documents
- Contribute: view, add, update and delete list items and documents
- Read: view pages and list items and download documents
- View Only: view pages, list items and documents; documents that have a server-side file handler are viewed in the browser, not downloaded
- Limited Access: see below
It is possible to add a custom permission level. Good practice is to copy an existing permission level such as ‘Contribute’ and remove individual permissions from the copy, for example creating ‘Contribute_NoDelete’ with the Delete Items and Delete Versions permissions removed. It is bad practice to alter the permissions of the built-in permission levels themselves, because every site and group that uses them would change silently.
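The delegated group described under SharePoint Groups and the ‘Contribute_NoDelete’ level described here fit together, so here is one added example (not code from the original post or from DeliverPoint) that creates the custom permission level by cloning Contribute, verifies the delete permissions are gone, creates a ‘Regional Sales Members’ group owned by a delegate, and binds the level to the group. The site URL, the delegate and member accounts, and the Entra app id that newer PnP.PowerShell versions require for `-Interactive` sign-in are placeholders, not values from the post.

```powershell
# Added example, not code from the original post or from DeliverPoint.
# Creates the 'Contribute_NoDelete' permission level by cloning Contribute,
# then a delegated 'Regional Sales Members' group that uses it.
# Assumptions (placeholders, not from the post): PnP.PowerShell is installed,
# the site URL, the delegate and member accounts, and the Entra app id.
$siteUrl   = "https://contoso.sharepoint.com/sites/Sales"
$delegate  = "regional.lead@contoso.com"   # will own the group, not the site
$member    = "sales.rep@contoso.com"
$levelName = "Contribute_NoDelete"
$groupName = "Regional Sales Members"

Connect-PnPOnline -Url $siteUrl -Interactive -ClientId "<your-app-id>"

# 1. Custom permission level: clone 'Contribute' and strip the two delete
#    permissions. The built-in levels themselves are never edited.
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $levelName)) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
        -Exclude DeleteListItems, DeleteVersions `
        -Description "Contribute without Delete Items or Delete Versions"
}

# 2. Verify the clone really lost those permissions before handing it out.
$level = Get-PnPRoleDefinition -Identity $levelName
foreach ($kind in "DeleteListItems", "DeleteVersions") {
    if ($level.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]$kind)) {
        throw "$levelName still carries $kind; refusing to continue"
    }
}

# 3. Delegated SharePoint group. Its owner manages membership from the
#    group's People and Groups page without holding Full Control on the site.
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName -Owner $delegate `
        -Description "Regional sales staff; membership managed by $delegate" | Out-Null
}

# 4. Bind the custom level to the group at site level, then populate it.
#    Permissions hang off the group, never off the individual user.
Set-PnPGroup -Identity $groupName -AddRole $levelName
Add-PnPGroupMember -Group $groupName -LoginName $member

# 5. Show the result: who is in the group and what the group holds on the site.
Get-PnPGroupMember -Group $groupName | Select-Object Title, Email, LoginName
Get-PnPGroupPermissions -Identity $groupName | Select-Object Name, Description
```

The verification step in 2 is the part worth keeping: a cloned level that silently kept a permission is exactly the kind of mistake the Check Permissions page will not surface, because it reports the level’s name, not its contents.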
Each Permission Level is made up of individual permissions, grouped on the permission level’s page into List Permissions, Site Permissions, and Personal Permissions. These can be seen below:
The Limited Access permission level is unique: SharePoint assigns it automatically, and you cannot assign it yourself. A user receives it when they are granted permissions directly to an object (a list, library, folder or item) whose permission inheritance has been broken.
If a user is granted permissions to a list or library within a site but has not expressly been given permission to the site itself, SharePoint grants them Limited Access on the site (and on any parent folders) automatically. Limited Access lets the user navigate to the object they were granted; it does not by itself let them read anything else in the site. When Limited Access shows up in a permissions report, treat it as a pointer that unique permissions exist somewhere beneath that level.
To report on SharePoint Site permissions using SharePoint natively, you can start by clicking the cog in the top right hand corner of your SharePoint Site, and choosing ‘Site permissions’.
From the Site Permissions panel, you can see the members of the sitename Owners, sitename Members, and sitename Visitors groups. What you won’t see is the membership of any Active Directory Security Groups, or any users that have been granted direct permissions. To see the users with direct permissions, click the link to the Advanced Permissions Settings page at the bottom of the Site Permissions panel. Even on the Advanced Permissions Settings page, you will not see the members of the Active Directory Security Groups.
From the Site Permissions panel, you can also add members. Clicking ‘Add members’ gives you the option to add users to the Microsoft 365 Group or to share the site only, as described in the opening paragraphs of this post.
From within the Advanced Permissions Settings page, you will find the option to ‘Check Permissions’. Check Permissions will show all of the permissions granted to a specific user.
Note, however, that if the permissions came through an Active Directory Security Group nested in a SharePoint Group, Check Permissions reports that they were granted through the SharePoint Group and does not show the Active Directory group in between. Additionally, if you have hundreds or thousands of users, you need to check each user individually.
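The gap described above, the Active Directory group membership that neither the Site permissions panel nor Check Permissions can show, is closed by the following added example (not code from the original post or from DeliverPoint). It walks the site’s role assignments, expands each SharePoint group, resolves security groups and Microsoft 365 groups through Microsoft Graph, and records the chain each permission travelled through so direct grants stand out. The site URL and app id are placeholders, and the app registration is assumed to have Graph GroupMember.Read.All consent, which Get-PnPAzureADGroupMember needs.

```powershell
# Added example, not code from the original post or from DeliverPoint.
# Produces the site-level report that the Site permissions panel and Check
# Permissions page cannot: direct user grants, SharePoint group members, and
# the members of Entra ID (Azure AD) security groups, resolved through Graph.
# Assumptions (placeholders): PnP.PowerShell, the site URL, and an Entra app
# id whose registration has Graph GroupMember.Read.All consent.
$siteUrl = "https://contoso.sharepoint.com/sites/Sales"
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId "<your-app-id>"

$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

# Expands one principal into report rows. 'Via' records the chain the
# permission travelled through, so a direct grant shows Via = 'site'.
function Expand-Principal($principal, $roles, $via) {
    switch ([string]$principal.PrincipalType) {
        'User' {
            [pscustomobject]@{ Account = $principal.LoginName; Roles = $roles; Via = $via }
        }
        'SecurityGroup' {
            # 'Everyone except external users' is a tenant-wide claim
            # (c:0-.f|rolemanager|...), not an Entra group: report it, don't expand it.
            if ($principal.LoginName -like 'c:0-.f|rolemanager|*') {
                [pscustomobject]@{ Account = "[claim] $($principal.Title)"; Roles = $roles; Via = $via }
            }
            elseif ($principal.LoginName -match $guidPattern) {
                # Security groups and Microsoft 365 groups carry the Entra object id
                # in their SharePoint login name; resolve it via Graph. Only direct
                # members come back; nested Entra groups are not walked here.
                try {
                    foreach ($u in Get-PnPAzureADGroupMember -Identity $Matches[0]) {
                        [pscustomobject]@{ Account = $u.UserPrincipalName; Roles = $roles
                                           Via = "$via > $($principal.Title)" }
                    }
                }
                catch {
                    [pscustomobject]@{ Account = "[unresolved] $($principal.Title)"; Roles = $roles; Via = $via }
                }
            }
        }
        'SharePointGroup' {
            foreach ($m in Get-PnPGroupMember -Group $principal.Title) {
                Expand-Principal $m $roles "$via > $($principal.Title)"
            }
        }
    }
}

$web  = Get-PnPWeb -Includes RoleAssignments
$rows = foreach ($ra in $web.RoleAssignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    $roles  = (Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings).Name -join ', '
    if ($roles -eq 'Limited Access') { continue }   # auto-granted by SharePoint, not by an owner
    Expand-Principal $member $roles 'site'
}

$rows | Sort-Object Account | Format-Table -AutoSize
# The direct grants are the ones a leaver or role-change process has to chase.
$rows | Where-Object Via -eq 'site' | Export-Csv .\Sales-direct-grants.csv -NoTypeInformation
```

Run this against the site once and the ‘Via’ column answers the question Check Permissions cannot: a row such as `site > Sales Members > Regional Sales Staff` tells you the user is there because of an Active Directory group nested in a SharePoint group, and the rows with `Via = site` are the direct grants the post advises against.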
Permission Inheritance with Lists, Libraries, Folders and Files
SharePoint permissions are by default inherited at Subsite, List, Library, File and Folder level. However, sometimes you may need to grant permissions to a specific list or library, folder or sub folder, or even a file or list item. To achieve this, you must break the permission inheritance and grant the additional permission. Of course, you may also want to reduce the users who have permissions to a list, library, folder, sub folder or file which would also require breaking the permission inheritance and then removing users permissions. Permission inheritance is illustrated in the diagram below:
Sharing a List, File or Folder with a user who doesn’t already have permissions to the object in question will also result in unique (broken) permission inheritance.
Too many lists, files and folders with unique permissions are not only difficult to manage; they also slow the site down, because every view has to be security trimmed against each unique scope, and SharePoint Online caps a single list or library at 50,000 unique permission scopes. Broken inheritance can often be avoided by planning your content structure. For example, rather than breaking inheritance on 100 individual files that a customer needs access to, place all 100 files in one folder and share the folder: that is one object with unique permissions instead of 100. It will not always be possible, but how best to structure the content should at least be considered.
Reporting on List, File, and Folder Permissions
Reporting on list item, file and folder permissions can be extremely time consuming, which is one more reason to avoid broken permission inheritance where possible: natively, permissions are reported and managed on one file or folder at a time. If a list or library contains hundreds or thousands of files or folders, staying on top of their permissions becomes a full-time job without a third-party permissions management tool such as DeliverPoint.
To check a single file or folder natively, select it in the library and choose ‘Manage access’ from its context menu or the details pane. Once you have opened ‘Manage Access’, you can see who already has access to the file or folder, and you can ‘Share’ it, either with a ‘Sharing Link’ or by granting Direct Access.
Sharing Files or Folders
When sharing a folder or file, you can decide who to share it with and if the person can edit or view it only.
[Screenshots in the original post: ‘Sharing a File or Folder’ and ‘Selecting the Sharing Type’.]
Reporting on the Files and Folders that have been shared, is the same process as reporting on file and folder permissions using the Manage Access link.
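Both of the one-object-at-a-time problems above, finding everything with broken inheritance and finding everything that has been shared, can be answered in one pass with the following added example (not code from the original post or from DeliverPoint). It walks every visible list and item in the site, reports each object with unique permissions, and counts the sharing links on it. The site URL and app id are placeholders. Sharing links are recognised by the naming convention of the SharePoint groups that SharePoint creates for them (`SharingLinks.<guid>.<type>.<guid>`); that is observed behaviour, not a documented API contract, so treat the count as an indicator.

```powershell
# Added example, not code from the original post or from DeliverPoint.
# One pass over a site's lists and items to find every object with broken
# (unique) permission inheritance and to count sharing links on each, instead
# of opening Manage Access one file at a time.
# Assumptions (placeholders): PnP.PowerShell, the site URL and app id.
# Sharing links are recognised by the group-name convention
# "SharingLinks.<guid>.<type>.<guid>" (observed behaviour, not an API).
$siteUrl = "https://contoso.sharepoint.com/sites/Sales"
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId "<your-app-id>"

function Get-UniquePermissionReport {
    foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
        if (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments) {
            [pscustomobject]@{ Path = $list.Title; Kind = 'List/Library'; SharingLinks = 0 }
        }
        # -PageSize keeps each request under the 5,000-item list view threshold,
        # so this works on large libraries too. It is still one call per item for
        # the inheritance check, which is why this is a report, not a dashboard.
        foreach ($item in Get-PnPListItem -List $list -PageSize 500 -Fields FileRef, FSObjType) {
            if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
            $links = 0
            foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
                $member = Get-PnPProperty -ClientObject $ra -Property Member
                if ($member.LoginName -like 'SharingLinks.*') { $links++ }
            }
            [pscustomobject]@{
                Path         = $item['FileRef']
                Kind         = if ([int]$item['FSObjType'] -eq 1) { 'Folder' } else { 'File/Item' }
                SharingLinks = $links
            }
        }
    }
}

$report = Get-UniquePermissionReport
$report | Format-Table -AutoSize
$report | Export-Csv .\Sales-unique-permissions.csv -NoTypeInformation

# Summary. SharePoint Online stops creating new unique scopes once a single
# list reaches 50,000 of them; a count heading that way is a structural
# problem (restructure into shared folders), not a reporting one.
$linkTotal = ($report | Measure-Object -Property SharingLinks -Sum).Sum
"$($report.Count) objects with unique permissions; $linkTotal sharing links"
```

Subsites are not walked here; run the same function after `Connect-PnPOnline` against each subsite URL (or enumerate them with `Get-PnPSubWeb -Recurse`) if the site collection has any.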
There are many advantages to using DeliverPoint to report and manage permissions in SharePoint sites:
- SharePoint Site Reports include the members of Active Directory groups, giving you a clear picture of everyone who has permissions on your SharePoint site.
- Advanced Discover Permissions Reports can be used to report on everything within the site that has unique (broken) permission inheritance allowing for huge time saving when compared to checking permissions on a file or folder at a time.
- Sharing Links reports can be run at Site Level to display everything within the sites lists and libraries that contain a sharing link.
- Multiple Files and Folders can be selected and reported on for Sharing Links or Direct Access reports.
- Permissions can be copied, transferred or deleted for users as they change roles, join, or leave your department or organization.
- Permissions Summary Reporting will include a high level view of the permissions in your site including the number of unique objects, external users, sharing links, and direct permissions.
You can download DeliverPoint, go through installation and product guides and install in your SharePoint and Teams environments. For sales enquiries, contact firstname.lastname@example.org, and for product support, contact email@example.com.