DeliverPoint – Contextual Permissions Reporting and Management

-In this video, we learn how to discover permissions, view sharing links, use the permission summary report, and manage permissions within SharePoint sites contextually.

Discover Site Permissions

The Discover Site Permissions Report will show a list of users who have permissions to the site. The report will not include other objects within the site such as Lists, Libraries, Folders & Items. However, a complete permission report to include everything within the site is available (See Advanced Permission Reports).

The Discover Permissions report displays the users in order of the permissions that they receive. E.g. Full Control, Edit, and Read. However, you can change the Sort order on any column by clicking the downward arrow next to each column.

The User Name column displays the end user including guest users. The guest user name will be in italics. You can also hover over the users avatar to see the people card which will in turn display the account information for the user. The far right column (Permissions Via) shows how the permission was assigned. You can expand each row from the permissioned via column to see how the permission was assigned to the user. Note that this will include Direct Permissions, SharePoint Groups, Microsoft 365 Groups, and Active Directory Security Groups. It is possible that a user may have duplicate permissions since they may have been assigned permissions with multiple methods. E.g. via a SharePoint Group, and via an Active Directory Security Group.

The Permission Report can be exported using Actions -> Export Report.

Discover List Permissions

The Discover Permissions report can also be run against a SharePoint list  or Library from the command bar. When the Discover Permissions report is run at this scope, it will again show the users with permissions to the list/library, the permission level, and how the permissions were assigned.

In the far left column, you will see the name of the list or library. If the name is faded, it is an indication that the list or library inherits permissions from its parent e.g. The Site. If it is in full colour, then the list or library has Unique Permissions (Broken Permission Inheritance).

Discover Item & Folder Permissions

Within a SharePoint list or library, you can select multiple items and then click the elipses to access the discover permissions report.

The report will run with the scope of all selected items. Notice in the below screenshot that the ‘Management Accounts’ folder is faded, whereas the ‘Financial Planning’ folder is in full colour. This indicates that Financial Planning contains unique permissions.

Sharing Links Reporting within Sites, Lists, and Items

The Sharing links report can be run at Site Scope, List or Library Scope, and also Item(s) scope by selecting multiple items. The report will show all lists or items within the scope that have Sharing Links. You can see who shared the link, when the link was shared, the type of sharing link, the permission granted, and the members who have access to the link. You can then select a Sharing link to remove it if required. Note that removing a Sharing Link, will remove that link for all users who have access to it.

Permissions Summary

The Permissions Summary report can be accessed at SharePoint Site level using the DeliverPoint menu in the top right-hand corner of your SharePoint Site.

Note: If you don’t see the DeliverPoint menu, it is likely that you do not have Full Control permissions to the current site.

The Permissions Summary report is an ideal report to get an overall understanding of the permissions within the SharePoint Site. From the Permissions Summary report, you can drill into some of the other reports such as Sharing Links, and Discover Permissions.

Once you click the Permissions Summary menu item, you will have the opportunity to refine the settings of the report before it runs. The options that you can select include:

  • Show Unique Objects Count – Includes the number of ‘Objects’ (Subsites, Lists, and Items with broken permission inheritance)
  • Show Top Scopes With Most Unique Objects – The scope is a container of other objects. E.g. A Site is a container of lists, and a list is a container of items. This option will display the scope (container) with the most contained objects with broken permission inheritance.
  • Show Sharing Links Count – The number of Sharing links within the Site.
  • Show Top Scopes With Most Sharing Links – The scope is a container of other objects. E.g. A Site is a container of lists, and a list is a container of items. This option will include within the report, the scope with the most amount of Sharing Links.
  • Show Objects With Empty Role Assignments – This option includes objects such as Subsites, lists, and items that do not have any permissions configured. This could be the case if the last remaining person, or group with permissions was removed.
  • Show Top Scopes With Most Unused Sites/Files – This option shows the top scopes such as a Site or a List that contains the most objects that have not been accessed/visited.

Once you have clicked Generate, the report will run as shown below:

The arrow icon next to each reported item will open the associated report. Below is a list of reports that will open for each summary item:

  • Total Unique Sites – The link will display the Sites with unique permissions
  • Total Unique Lists – The link will display the Lists with unique permissions
  • Total Unique Items – The link will display the items with unique permissions.
  • Total Sharing Links – Will display the sharing links for each list or item with sharing links.

The below example, shows the Sharing Link opened as a new tab from clicking the icon next to the Total Sharing Links.

Exporting Permission Reports

Each of the permission reports within DeliverPoint can be exported as a CSV file, and opened within Microsoft Excel. Exporting the permission reports is useful if you would like an offline copy for further analysis, or to share as a audit report with other permission auditors.

You may export the report by clicking Actions -> Export Report from within any of the DeliverPoint reports.

Contextual Permissions Management

DeliverPoint provides multiple actions that you can use to manage permissions within a SharePoint Site or across multiple sites, and across multiple lists, folders, and items. Everyday occurrences such as new people joining your team, users leaving the organization, users requiring temporary escalated permissions, or users covering each others roles, can be frustrating to manage using native SharePoint. With DeliverPoint, you can perform actions such as Copy Permissions, Transfer Permissions, Delete Permissions, Grant Permissions, and Revoke Permissions. Each of these actions are described briefly below:

  • Copy Permissions – Copy the permissions of one user to another within the scope of a SharePoint Site, List, or Item. The Source user retains their permissions, but the target user gains the permissions that the source user was assigned.
  • Transfer Permissions – Transfer the permissions from one user to another within the scope of a SharePoint Site, List, or Item. The Source user loses their permissions, but the target user gains the permissions that the source user was assigned.
  • Delete Permissions – Deletes all permissions for the selected scope from the user.
  • Grant Permissions – Grants permissions either directly or through group membership on the selected scope.
  • Revoke Permissions – Remove a specific permissions level from a specific user.

The Permissions Management Actions can be performed from the reports such as Discover Permissions by selecting a row containing the user that you wish to perform the action upon. The scope that the action will perform against is also taken from the context of the selected item.

After selecting the row within a report and choosing the desired action, the Action options page will be displayed where you can refine the options prior to running the job. The options are explained below:

  • Process Subsites – When you perform a permission change, you can select whether you would like any subsites with unique permissions to also be affected by the changes.
  • Process Lists – When you perform a permission change, you can select whether you would like any list with unique permissions to also be affected by the changes.
  • Process List/Folder Items – When you perform a permission change, you can select whether you would like any list items, documents, and folders with unique permissions to also be affected by the changes.
  • Force Break Permissions – If the source account contains permissions on a Site or other object that inherits permissions, DeliverPoint can break the permission inheritance in order to carry out the permission change. This option should be used with caution.
  • Support Rollback – When you are performing an Action such as Transfer Permissions or Copy Permissions, you may want to make sure that you can reverse the job. Checking the ‘Support Rollback’ will record the actions taken so that they can be reversed in the Jobs view. This feature is useful as a ‘safety net’ but also could be used if you need to make temporary permission changes, such as when a user is on vacation.
  • Modify SharePoint Groups – Checking ‘Modify SharePoint Groups’ will change the SharePoint Group membership if the Source account is a member of a specific SharePoint Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the SharePoint Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the SharePoint Group, and the target account will be added as a member.
  • Modify Microsoft 365 Groups – Checking ‘Modify Microsoft 365 Groups’ will change the Microsoft 365 Group membership if the Source account is a member of a specific Microsoft 365 Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the Microsoft 365 Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the Microsoft 365 Group, and the target account will be added as a member.
  • Stop After Error – There are several circumstances that could lead to an error when permission changes are occurring over large scopes. The logged in user may not have permission themselves to make changes to some of the objects in scope, an object may be corrupt, or may have been delete after the action was triggered. The ‘Stop After Error’ check box will instruct DeliverPoint to continue processing ignoring the object that caused the error.

Copy Permissions

The Copy Permissions is an action that can be triggered directly from within a Discover Permissions report, and is very useful when you have recruited a new member for your team. If there is an existing person with the permissions that are needed for the new member, you can copy permissions from that existing user to the new user.

An ideal way to do this is at the Discover Site Permissions report. Select the account that you wish to copy permissions from, and then choose Actions -> Copy Permissions as shown below. You will then have the opportunity to set the refinements as described on the previous page.

Tip: Checking ‘Process Subsites’, ‘Process Lists’, and ‘Process List/Folder Items’ will copy permissions on everything from this site down from the source account to the target account. Including ‘Modify SharePoint Groups’ and ‘Modify Microsoft 365 Groups’ will ensure that the new user has the required group membership. Checking ‘Support Rollback’ will allow you to reverse the Copy Permissions if you need to.

Transfer Permissions

The Transfer Permissions is an action that can be triggered directly from within a Discover Permissions report, and is very useful if you have someone leaving your team, and that persons role  is being replaced by a new user.

An ideal way to do this is at the Discover Site Permissions report. Select the account that you wish to transfer permissions from, and then choose Actions -> Transfer Permissions as shown below. You will then have the opportunity to set the refinements as described on the previous page.

Tip: Checking ‘Process Subsites’, ‘Process Lists’, and ‘Process List/Folder Items’ will Transfer permissions on everything from this site down from the source account to the target account. Including ‘Modify SharePoint Groups’ and ‘Modify Microsoft 365 Groups’ will ensure that the new user has the required group membership. Checking ‘Support Rollback’ will allow you to reverse the Copy Permissions if you need to.

Delete Permissions

The ‘Delete Permissions’ operation will delete all permissions for the selected user account. Depending on the options that you select, this action can delete direct permissions, SharePoint Group memberships, and Microsoft 365 Group memberships. It is important to note that the action will not remove a user from any Active Directory Security Groups.

Below are some typical scenarios to consider when deleting permissions:

Scenario: The user has left the department and should no longer have any permissions to anything within the site.

The users role will be replaced: If the users role is being replaced, use Transfer Permissions and optionally check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, ‘Support Rollback’, ‘Modify SharePoint Groups’, ‘Modify Microsoft 365 Groups’ to remove permissions from the current site and everything beneath the current site in the hierarchy. Then Refresh or Re-Run the Discover Permisisons to see if any permissions remain through Active Directory Group membership. If so, your Active Directory Administrator can remove the user from the Active Directory Groups.

The users role will not be replaced: Run Delete Permissions, and optionally check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, ‘Support Rollback’, ‘Modify SharePoint Groups’, ‘Modify Microsoft 365 Groups’ to remove permissions from the current site and everything beneath the current site in the hierarchy. Then Refresh or Re-Run the Discover Permisisons to see if any permissions remain through Active Directory Group membership. If so, your Active Directory Administrator can remove the user from the Active Directory Groups.

Scenario: The user has many direct permissions (permissions assigned directly and not through groups) and I wish to clean up these direct permissions.

Run the Delete Permissions action, and check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, and ‘Support Rollback’. Do not check ‘Modify SharePoint Groups’, or ‘Modify Microsoft 365 Groups’.

Scenario: The user has multiple permission levels assigned to them. They should only have Edit or Read, but I’ve noticed they have other permissions such as Design, Full Control which they don’t need.

Use Revoke Permissions, and specify the permission levels that you wish to remove. See the Revoke Permissions section.

Grant Permissions

DeliverPoint provides you with the ablity to Grant Permissions at Site, List/Library, or Folder/Item level using the Grant Permissions Action. An advantage to using DeliverPoint to grant permissions is that you can grant permissions to multiple Folders, Items, in one action. You may also grant permissions to subsites, lists, libraries, and items that have unique permissions within the scope of the current site by setting the refinements to include Process Subsites, Process Lists, and Process List/Folder Items.

When you are granting permissions, you can either grant permission levels to a User Account or Group Account directly, or grant permissions by making a User Account or Microsoft 365 Group Account a member of a SharePoint Group.

The preference is usually to make a user a member of a group, and for the group to be assigned the permission level. However, if you need to grant permissions to a user directly to a Site, List or Item, you can using the Grant Permissions Action.

To Grant Permissions to a user account with direct permissions:

  1. Select the desired user account from the ‘Grant Permissions To’ field.
  2. Select the Permission Level from the Roles field.
  3. Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
  4. As a good practice, check the option to Support Rollback.

To Grant Permissions to a Microsoft 365 Group:

  1. Select the desired Microsoft 365 Group  account from the ‘Grant Permissions To’ field.
  2. Select the Permission Level from the Roles field.
  3. Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
  4. As a good practice, check the option to Support Rollback.

To Grant Permissions to a user account via a Group account:

  1. Select the desired user account from the ‘Grant Permissions To’ field.
  2. Search and select the desired group from the Groups field.
  3. Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
  4. As a good practice, check the option to Support Rollback.

Revoke Permissions

Unlike the ‘Delete Permissions’ Action, you can use the ‘Revoke Permissions’ Action to remove just some of the permissions assigned to a user or group, whereas the ‘Delete Permissions’ Action will remove all permissions.

In the below screenshot, you can see that Demo User7 has been granted Full Control, Design, and Edit permissions. We only want Demo User7 to have the Edit permissions role. Therefore, we can use Revoke to remove Full Control and Design, and leave the user with Edit permissions only.

To remove the Full Control and Design permissions:

  1. Choose Revoke Permissions
  2. Select Demo User7 in the Revoke Permissions From field.
  3. Select the permissions that you wish to remove using the Roles field.
  4. Click Run.

After successfully running this action, the Demo User7 will be left with Edit permissions only.

Breaking & Inheriting Permissions

When you run a ‘Discover Permissions’ report against a SharePoint Site, SharePoint List, Folders or Items, you will see the name of the object on the far left hand side of the report. If the name appears dimmed, the object inherits permissions and therefore you would not be able to make any permission changes on that object without breaking the permission inheritance first. If the object name is in full colour, the object will have unique permissions.

When using DeliverPoint, you may see some objects that have unique permissions when they shouldn’t. Using DeliverPoint, you can select these objects, and then choose to Re-Inherit the permissions from the parent object.

Alternatively, you may wish to grant permissions specifically to one object, but that object inherits permissions. Therefore, your can also break the permission inheritance using DeliverPoint.

After selecting any row for that given object in the Discover Permissions report, choose Actions -> Permissions Management -> Break Permissions/Inherit Permissions. Before commiting to the Action, you will be able to choose whether you process List/Folder Items that may appear as sub items, or just this specific object. Additionally, you will be able to Support Rollback to undo this Action should you need to.

Related Posts
Clear Filters
DeliverPoint – Site Collection Scoped Reports

Within this video, we take a look at Site Collection scoped reporting such as Dead Accounts, Unlicensed Users, and External…

DeliverPoint – User Centric Reports

In this video, we explore how to report on permissions from the perspective of a specific user. This include Unique…

Add Comment