This post is written based on questions from the field…
The ability to trigger a disposition review at the end of a retention period is an option available while configuring a retention label in the Records Management feature of Microsoft 365’s Compliance Center. A disposition reviewer has the ability to take action on an item based on their knowledge of the content and the compliance requirements surrounding it. This is an important role.
As you can imagine, disposition reviewers require special permission to view pending dispositions assigned to them as well as preview the document from within the review panel. These permissions are so special, in fact, that even global administrators do not have them by default.
With the introduction of the multi-stage disposition review process, records managers must be familiar with what this means for assigning permissions to any user they wish to be part of a disposition review stage.
Refer to this link from Microsoft for details: Permissions for disposition
There are 3 questions I repeatedly hear from Records Managers relating to disposition permissions specifically for SharePoint… this post will answer them.
Question 1 | Records Manager Access
Many records managers (RMs) I work with place their RM group at the first stage and/or last stage of the disposition review process. Understanding what they have access to when given the required disposition review permissions prompts this question…
Question: “As a Records Manager, when I’ve been assigned the required permissions to access the Dispositions tab and view the item in the preview pane (I’m a member of the Records Management and Content Explorer Content Viewer role groups), will this also grant me permission to the source location (SharePoint site) where the item exists?”
Answer: No. A Records Manager will NOT automatically have access to the SharePoint site where the item exists and will not be able to preview the document within the disposition review tool before making a disposition decision. Access to the SharePoint site must be granted independently.
Records managers without SharePoint site access will be able to view the list of pending dispositions and take disposition action on the item (approve disposal, relabel, extend, add reviewers); however only if they have (at least) read access to the SharePoint site will they be able to view the document from within the Disposition Review preview pane. Without this access, they will NOT be able to preview the contents of the document and will instead receive the below message in the preview pane:
With no access to the SharePoint site, even if they were to navigate to the second tab of the preview pane, Details, and click the direct Location link to the document on that page, they would receive a You need permission to access this item message (an easy way for an RM to request access by the way).
Takeaway: in addition to the permissions required to do a disposition, grant Records Managers at least read permission to SharePoint sites where they will be reviewing content for disposition in order for them to be able to view the document content within the preview pane of the Disposition Review tool.
Question 2 | Business Owners Access
With the introduction of the multi-stage disposition review process, many records managers are wanting to include content business owners in stages within the disposition review process. Understanding what, if any, additional permissions are required for the content’s business owner prompts this question…
Question: “If I add a user or mail-enabled security group to a disposition stage, will this also grant the required permissions to do the disposition?”
Answer: No. You must assign the required permissions in the Compliance Center.
Question: “If you grant a business owner the Disposition Management role to access the Dispositions tab, but don’t add them to the Content Explorer Content Viewer role group, will they be able to see the item(s) in the disposition list view screen since they already have access to the SharePoint site where the content resides?”
Answer: Partly. Without being a member of the Content Explorer Content Viewer role group, a user will certainly see the items assigned to them listed in the disposition review Pending dispositions tab, but will not be able to view the document in the preview pane even if they have access to the SharePoint site where the item resides.
To view the file content, the reviewer could navigate to the second tab, Details, and click the direct Location link on that page (image). Alternatively, add their username to the Content Explorer Content Viewer role group so they can view it in the preview pane from the Source tab.
Takeaway: for the smoothest experience in the disposition review tool, I recommend these permissions for Business Owner reviewers:
- Disposition Management role (can be part of a custom role group, Contoso Disposition Reviewers)
- Member of the Content Explorer Content Viewer role groups (optional, but nice to have)
- At least read permission to the SharePoint site where the item exists
**I haven’t tested Exchange or OneDrive – when I have, I’ll update this post
The TL;DR Summary
Microsoft link: Permissions for disposition
To access the Disposition tab from within the Records Management feature, the user must be granted the Disposition Management role. Ensure all users included in a disposition review stage, including business owners, have at least this role assigned to them.
If you also want to allow the business owner to be able to view the item from within the disposition review preview pane rather than having to navigate directly to the SharePoint site to view it, ensure they’re added as members to the Content Explorer Content Viewer role group as well.
Note: Business owners presumably already have access to the SharePoint source location where the item resides; however this access is not required to be able to perform a disposition.
If you also want Records Managers to be able to preview documents from SharePoint sites, ensure they’ve been added to the SharePoint site with at least read permission. Records Managers, by default, will not have this permission.
Share this with your Records Management team so they understand the permission model for disposition review.
Thanks for reading.