SharePoint Permission Tips for Site Owners

If you grant SharePoint users the Full Control permission level in a SharePoint site, this gives them the ability to administer their own site, including permissions. You will likely find yourself needing to facilitate a “SharePoint Permissions 101” training session at some point. I’ve given a few of these sessions and there are some common questions I consistently hear from site owners; this post lists these questions and my answer for each.

Note: This applies to standard SharePoint sites and NOT a SharePoint site provisioned with an Office 365 Group. In an Office 365 Group site, permission administration is accomplished using different methods.

“Who can edit SharePoint group membership?”

You determine this by clicking Site permissions under the Users and Permissions group in Site settings of any site. You will see a list of all SharePoint groups defined for the current site. If you click into any one of the SharePoint groups and then select the Group Settings ribbon option shown beside the blue star, you can see who has the ability to edit that SharePoint group’s membership.

The important settings to know about are the Owner and Group Settings.

Important SharePoint Group settings

  1. Owner – this can be a single user or another SharePoint group. The owner can change anything about the group. The name of whoever provisioned the site will be automatically inserted as the group’s owner, so make sure this is changed to the person or group who should be responsible for administering the group’s membership. I recommend using a group here rather than an individual user: if that user leaves, no one will be able to administer the group’s membership.
  2. Group Settings – this determines who can view and change membership of the group. Whether you select the Group Owner or Group Members group, it is important to train the people in the group so they know how to administer permissions.
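
The two settings above can also be audited in bulk. The script below is an added example, not part of the original post: it assumes the PnP.PowerShell module is installed and uses a placeholder site URL, and it lists every SharePoint group whose owner is a single user or whose members are allowed to edit membership.

```powershell
# Added example, not from the original post.
# Assumptions: PnP.PowerShell is installed; $siteUrl is a placeholder.
# Authentication parameters for Connect-PnPOnline vary by module version and tenant.
$siteUrl = 'https://contoso.sharepoint.com/sites/example'   # placeholder
Connect-PnPOnline -Url $siteUrl -Interactive

$report = foreach ($group in Get-PnPGroup) {
    # Owner is a navigation property, so load it explicitly before reading it.
    $owner = Get-PnPProperty -ClientObject $group -Property Owner

    [pscustomobject]@{
        Group                 = $group.Title
        Owner                 = $owner.Title
        # PrincipalType is User, SecurityGroup or SharePointGroup.
        OwnerType             = $owner.PrincipalType
        OwnerIsSingleUser     = $owner.PrincipalType -eq 'User'
        # "Who can edit the membership of the group?" set to Group Members.
        MembersCanEditMembers = $group.AllowMembersEditMembership
        # "Who can view the membership of the group?" set to Group Members.
        OnlyMembersCanView    = $group.OnlyAllowMembersViewMembership
    }
}

# Review first: groups owned by one person, or editable by any member.
$report |
    Where-Object { $_.OwnerIsSingleUser -or $_.MembersCanEditMembers } |
    Sort-Object Group |
    Format-Table -AutoSize
```

Because SharePoint groups are defined once per site collection, running this against the root site covers the groups used by its subsites as well.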

“Can I edit a SharePoint Group’s membership for just one subsite?”

No. This trips up some users. A SharePoint group’s membership is defined at the site collection level. You cannot edit the members in a subsite that requires unique permission if you only want the change to be effective for the subsite. Changing the group’s membership changes it everywhere in the site collection. You only make that mistake once. 😉

“How do I check a user’s permission?”

You can check the permissions for a user, Active Directory security group or SharePoint group at any point in the hierarchy by navigating to the point you want to check permissions at, clicking the ‘Check Permissions’ ribbon option and entering the user’s name. This is often my first step in troubleshooting permission issues for a specific user and object.

“What does ‘Limited Access’ mean?”

Limited Access is a SharePoint permission level. You can’t explicitly grant it, but rather it is automatically granted to users at the site level when the user is assigned permissions to a child object where permission inheritance is broken. This allows a user, for example, to navigate via the site if they have only been granted permission to an object within the site such as a library or folder.

You will see a lot of ‘Limited Access’ users in an environment where end users are sharing files with other users, as this is how SharePoint grants the appropriate permission behind the scenes.

“Can I copy one user’s permission to another?”

In a word? No. This is often the way a request is worded when an end-user is requesting permission… “Give Bob the same access Susan has.”

It’s just not possible using SharePoint out-of-the-box. You have to use a 3rd party tool to allow this type of functionality.

A beneficial approach is to use Active Directory security groups for access. In our example above, if Susan and Bob are in the same Active Directory security groups and you’ve used Active Directory security groups to assign permission in SharePoint, you’re likely half-way there to having Bob set up the same as Susan. Of course, if Susan has been granted unique permissions elsewhere across your farm/tenant, there is no easy out-of-the-box way of knowing where that is and assigning the same to Bob.

“I want everyone to have access but these 5 people. Can I do that?”

In 2 words? It depends. 😉 Similar to the previous question, this is often how a request is worded when an end-user wants to prevent certain people from seeing things in SharePoint. It’s usually not that simple – you will need to ask more questions before proceeding.

In our example, are the 5 people listed as individual users for the object and not in a SharePoint group? If so, you can stop permission inheritance on the object and remove the 5 users. Are the 5 people part of a SharePoint group? If so, you can’t remove them from the group without affecting everywhere else that SharePoint group is used (refer back to the previous question, “Can I edit a SharePoint Group’s membership for just one subsite?” where I discuss this). Are the 5 people part of a larger Active Directory group that’s been added into the SharePoint group? If so, then you will no longer be able to use that AD security group to assign permission. You will either have to find an AD group where the 5 people are not included or update the AD security group to remove them (which will have other implications if that security group is being used elsewhere in your environment).

Generally speaking, SharePoint permissions are done using a ‘grant’ model rather than a ‘revoke’ model. You cannot explicitly specify users you don’t want to have access.

The exception to this is that in an on-premises environment you can specify a user as ‘deny all’ or ‘deny write’ at the web application level, but this is not a granular setting you can control.

Closing thoughts…

Permission administration is a classic example of “a little knowledge is a dangerous thing” in SharePoint. If you have enabled users to administer their own site permissions, make sure you’ve armed them with the knowledge to set them up for success.

Thanks for reading.


Simple Office 365 Setup Tips for an SMB

Blog post: 2 minute read.

[Update: April 14, 2017 – Social Media added]

I’m a small business owner with a mighty staff of one. 🙂 I’m also an O365 consultant with an Office 365 Business Essentials tenant. This gives me the opportunity to eat some of my own cooking when it comes to O365 adoption and setting up my tenant to work effectively for me and my business. In this post I’ll share some simple tips for SMBs when setting up their own O365 tenants to help streamline some typical processes.

I’ll cover these things:

  • Provision those Office 365 Groups!
  • Stay on task with Planner Hub
  • Staying organized for speaking and travel
  • Keeping track of receipts
  • Social media [New]

Have an idea for your own tenant that would work for an SMB? Let me know! I’d love to hear your ideas…

SharePoint Fest Denver 2017

I’m thrilled to announce I will be giving 2 presentations in Denver at the SP Fest conference that runs from May 30 thru June 2, 2017 in the Colorado Convention Center. This will be my first visit to Colorado and I’m so excited to go!

I’m doing 2 sessions while in Denver. Details are below…

Information Management and Governance in O365

What does Information Management and Governance mean within the context of O365? What are the tools that allow us to manage it? In this session we’ll talk about the traditional ways we’ve approached this discipline and how the new collaboration world is disrupting this.

Organizations need to empower employees to reap the benefits of new collaboration tools in the digital workplace, but they can’t compromise the security, compliance and protection of corporate assets while doing it.

Capabilities are being rolled out to help organizations keep both managed and unmanaged content secure and compliant throughout O365. We’ll talk about setting organizations up for success on all fronts from an Information Management perspective.

How to Build a SharePoint Search-Driven Website

What does it mean to build a search-driven website in SharePoint and why is this better than the traditional approach of site design? In this session you will learn the value-add of this design architecture and how to build search-driven sites in SharePoint using cross-site publishing and author-in-place features. This approach not only improves the experience for content authors but also provides dynamic, tailored pages for content consumers, all done by leveraging SharePoint search and managed metadata as the underlying mechanism.

I’ll walk thru an end-to-end example of designing, authoring and publishing content as well as customizing search webparts to demonstrate how you can use this technique to keep your site dynamic and personalized. This is a no-code session!

Features demonstrated: Cross-site publishing, Author-in-place, Managed Metadata, Search, Content Search webpart.

Curious about either of my sessions? Well, sign up and join me!

For more information about the event and to register, click HERE.