In this video, we learn how to report and manage SharePoint Permissions across multiple scopes. Permission reports include Discover Permissions, Sharing Links, and Advanced Discover Permission Reports.
Reporting Permissions Across Multiple Scopes
In the previous sections, we focused on the Contextual Permission Reporting and Permission Management actions. In this section, we will focus on reporting permissions centrally across multiple sites or site collections within your environment.
Although DeliverPoint displays the full treeview for your Microsoft 365 SharePoint environment, changes to permissions and access to content are still determined by your (the logged-in user's) permissions to each object.
To access DeliverPoint centrally, you can either navigate to DeliverPoint from any Site that you have Full Control to, using the DeliverPoint menu in the top right-hand corner, or you can add DeliverPoint as a web part on any SharePoint page.
Once you have accessed the main DeliverPoint page, you can click the ‘Show Treeview’ option which will allow you to select multiple scopes from the treeview.
Accessing DeliverPoint from the Shortcut Menu
- Navigate to a page that you have Full Control to.
- Click the DeliverPoint Menu in the top right corner of the page.
- Click DeliverPoint.
Adding DeliverPoint as a Web Part
- Create a new page within your SharePoint Site by clicking the cog icon in the top right corner of your SharePoint site, and choose ‘Add a Page’.
- Provide the Page a Title such as ‘My Permissions Reporting & Management Page’
- Click the + icon to add a web part.
- Select the DeliverPoint web part.
Adding DeliverPoint as a Personal App in Microsoft Teams
- Within Microsoft Teams, click the ellipsis on the left-hand navigation bar.
- Type DeliverPoint
- Click on DeliverPoint.
Note: If DeliverPoint does not display for you, it may be that the app has not been synced to Teams from the SharePoint App Catalog.
Regardless of which method has been used to access DeliverPoint, the application will act the same from this point forward.
Using the Treeview
When you enter DeliverPoint, the scope will automatically be set to the Site that you navigated from. All of the reports on the Reports menu, and the actions under the Actions menu, will run against this scope unless the scope is changed using the Tree View.
By clicking ‘Show Tree View’, you will be able to see all of the Site Collections within the Microsoft 365 Tenant. Whatever you select from this tree view will become the scope for the reports and actions.
The Tree View will default to Tenant View. The Tenant View will display all Site Collections in alphabetical order with the exception of the first site collection, which is the current Site Collection. The Tenant View will display all site collections, including classic site collections, modern sites, Teams, and Microsoft 365 Groups. Each type of site collection is depicted by its icon, which is also explained in the Legend.
Using the View menu, you can change your treeview to ‘Classic Sites View’, ‘Hub Sites View’, ‘Teams View’, or ‘Accounts View’.
- Tenant View – Displays all Site Collections regardless of type.
- Classic Site Collections – Displays classic site collections including root site and subsites.
- Hub Sites View – Displays each Hub and their Associated Sites within the hierarchy.
- Teams View – Displays all Teams and their Private Channels
- Accounts View – Enables you to search on a user for user centric reports.
To change the scope of your reports or actions, you can select site collections, sites, and lists or libraries. When performing a report or an action with these scopes selected, the reports and actions will run against the selected scope. Note that a scope includes sub sites, lists, and items beneath that site/site collection within the hierarchy.
When you expand the Site Collections within the treeview, you will see the sites, sub sites, lists, and libraries within the site collection. Some of the subsites, lists, and libraries will have a dimmed icon, whereas others will have a full colour icon. The sites or lists/libraries with a full colour icon have unique permissions, whilst those with a dimmed icon inherit permissions. In the below screenshot, you will see the highlighted objects that contain unique permissions.
Advanced Permission Reports
From within the main DeliverPoint page, you will be able to run Advanced permission reports such as Discover Permissions (Advanced) and Sharing Links (Advanced). The Advanced Reports enable you to run the report against multiple scopes, and also against child objects of the selected scopes that contain either inherited or unique permissions.
Discover Permissions (Advanced)
The Discover Permissions (Advanced) report will provide you with filter options prior to the report running, and also settings to refine the output of the report.
The following configuration will display a Discover Permissions report on the selected site, and everything as a child object that contains unique permissions, but won’t include people with Read permissions only within the report.
The report contains a section for Sites, Lists, and Items that can be expanded and collapsed.
A useful version of this report is to filter purely on external users.
Sharing Links (Advanced)
The Sharing Links report can also be prefiltered and run against multiple scopes. When running the Sharing Links (Advanced), you can optionally include Sub Sites, and Hide List Sharing Links or Item Sharing Links.
Filter options include the ability to filter on the Sharing Type, Who the Sharing Link was created by, whether Editing is allowed etc.
The Report will include any lists or items with a Sharing Link within the selected scopes.
By selecting each row, you can remove any Sharing Links.
The Unique Objects Report provides you with a list of Sites, Lists/Libraries, Folders/Items that have unique permissions within the selected scope. You can refine these options by including or excluding Subsites, Lists/Libraries, or Folders/Items from the report.
Once the report has run, you can select a row such as a Site or an Item that you wish to investigate. The Row that you selected becomes the new scope for new reports or actions such as the Discover Permissions report.
The Unique Permissions report is account centric, and allows you to focus on a user account's assigned permissions and group memberships within a specific scope. The scope can either be ‘Current Site Collection’ and triggered from the Accounts View, or it can span multiple site collections from the other treeviews.
Included in the Unique Permissions Report is:
- Account Membership – Active Directory Security Groups, Microsoft 365 Groups, and SharePoint Groups that the selected user is a member of.
- Unique Site Permissions – The Sites that the user has been assigned permissions to, either directly, or through group membership.
- Unique List Permissions – The Lists that the user has been assigned permissions to, either directly, or through group membership.
- Unique Item Permissions – The Items that the user has been assigned permissions to, either directly, or through group membership.
It is possible to select a row within the Unique Permissions report, and to modify the permissions selected using actions such as Copy, Transfer, Delete, or Revoke permissions. It is important to note that we do not make changes to Active Directory Security Groups via DeliverPoint. Therefore, after removing permissions, you may want to refresh the report to see what permissions remain through Active Directory Security Group membership. You can then ask your Active Directory Administrator to remove the user from such groups.
Run the Unique Permissions Report from the Account Centric Treeview
- From the View Menu in DeliverPoint, select ‘Accounts View’
- Search for the user name that you wish to report against.
- Select the user account from the results
- Choose Reports -> Unique Permissions
- The report will run against the current site collection as the scope.
Run the Unique Permissions Report from the Tenant View, Classic Sites View, Hub Sites View, or Teams View.
- From a view other than Account Centric View.
- Select the Site Collections, or Sites that you wish to run a report against from the treeview.
- Choose Reports -> Unique Permissions
- Enter the name of the person that you wish to report against.
- Click Generate.
The report contains three columns:
- Group/Account – The Group or Account that was used to assign the permission. E.g. if the permission was assigned to an individual person directly, the Group/Account column will contain the person's name. If the permission was assigned to a group that the user is a member of, the Group/Account column will show the Group Name.
- Site Collection/Site/List/Item – The Url to the object in question.
- Permissions – The permission assigned for the person or group on the object.
To make changes from the report, select the row that you wish to change, and then choose Actions -> Account Management -> Desired Action.
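The residual-access caveat above, modelled as an added example (not DeliverPoint code or its API): a Unique Permissions-style report producing the three columns described, run before and after a SharePoint-side revoke. The data model, function names and sample accounts are assumptions constructed for illustration, and the revoke is assumed to remove direct grants and SharePoint group memberships only.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    url: str
    unique: bool                                   # False = inherits from parent (dimmed icon)
    grants: dict = field(default_factory=dict)     # principal -> permission level
    children: list = field(default_factory=list)

def principals(user, ad_groups, sp_groups):
    """The user plus every AD and SharePoint group they belong to, directly or via an AD group."""
    found = {user} | {g for g, members in ad_groups.items() if user in members}
    return found | {g for g, members in sp_groups.items() if found & members}

def unique_permissions_report(node, user, ad_groups, sp_groups):
    """Rows of (Group/Account, URL, Permissions) for objects with unique permissions."""
    who = principals(user, ad_groups, sp_groups)
    rows = []
    if node.unique:
        rows += [(p, node.url, level) for p, level in sorted(node.grants.items()) if p in who]
    for child in node.children:
        rows += unique_permissions_report(child, user, ad_groups, sp_groups)
    return rows

def revoke_in_sharepoint(node, user, sp_groups):
    """Remove direct grants and SharePoint group memberships; AD groups are never touched."""
    node.grants.pop(user, None)
    for members in sp_groups.values():
        members.discard(user)
    for child in node.children:
        revoke_in_sharepoint(child, user, sp_groups)

def demo():
    # Constructed sample data: every name, URL and permission level here is illustrative.
    ad_groups = {"AD-Finance": {"alice"}}
    sp_groups = {"HR Members": {"alice"}, "Finance Owners": {"AD-Finance"}}
    site = Node("/sites/hr", True, {"HR Members": "Edit", "alice": "Full Control"}, [
        Node("/sites/hr/Policies", False),                      # inherits: not reported
        Node("/sites/hr/Payroll", True, {"AD-Finance": "Read", "Finance Owners": "Full Control"}),
    ])
    before = unique_permissions_report(site, "alice", ad_groups, sp_groups)
    revoke_in_sharepoint(site, "alice", sp_groups)
    after = unique_permissions_report(site, "alice", ad_groups, sp_groups)
    return before, after

if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        print(label, rows)
```

The two rows that remain after the revoke both trace back to the AD security group, one of them through a SharePoint group that contains it, which is the membership an Active Directory administrator has to remove.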
My Owned Site Collections
The ‘My Owned Site Collections’ is a report that will show every Site Collection that you (Current User) are an owner of. To report or manage permissions on one or more of the site collections, select the row(s) by clicking in the left hand margin. You can now report on the site collection using the Reports menu and your desired report.
Discover Usage is a great report to run from the ‘My Owned Site Collections’ view, but can be run from any scope. The report demonstrates how many visits your Sites, and Files receive within a specified time span. This helps you determine how to get more engagement with your sites, and files, how to refine permissions to gain more visits, or highlights which sites you could retire.
After choosing Reports -> Discover Usage, you can optionally select the following:
- Include Sites – Includes all sites within the selected scope
- Include Files – Includes all files within the selected scope
- Include Usage by Users – Shows the unique visit count by user
- Start Date – Number of days or Date that you wish to start the report from. E.g. -182 is from 182 days ago.
- End Date – Number of days or Date to include up to within your report.
Once the report has generated, you will see the following (depending on the options you selected):
- Unused Objects – Sites or Files that have not been used in the given timeframe.
- Most Used Objects – The Sites or Files used the most in the given timeframe.
- Objects Used by Most Users – The Objects used by the greatest number of unique users.
By selecting a row, you can produce a Permissions report on any of the objects.
The Dead account view can be run on one or more site collections that you are a Site Collection Administrator for. The report will include all users who are assigned permissions somewhere in the Site Collection(s), but whose Active Directory Account is either deleted or disabled. Such users do not pose a security threat since they cannot authenticate. However, the user will still be displayed as having permissions until the account is removed.
Note: Removing the account does not remove the history such as Last Modified or CreatedBy, but does remove permissions assigned to the selected user.
To remove an account's permissions, select the row, and click ‘Remove Dead Accounts’.
The unlicensed users report will show each site collection where a user without a SharePoint license is permissioned. The user may be unlicensed because the user account is no longer in use.
Per site collection, you can select the user, and choose ‘Remove Unlicensed User’.
The External User report will show all external/guest users who are assigned permissions within the selected scope. Moving your mouse over the guest user's avatar will display a people card allowing you to determine in more detail who the user is.
If you wish to remove the external user, select the row, and choose ‘Remove External User’.