Disposition Review and SharePoint Permissions


This post is written based on questions from the field…

The ability to trigger a disposition review at the end of a retention period is an option available while configuring a retention label in the Records Management feature of Microsoft 365’s Compliance Center. A disposition reviewer has the ability to take action on an item based on their knowledge of the content and the compliance requirements surrounding it. This is an important role.

As you can imagine, disposition reviewers require special permission to view pending dispositions assigned to them as well as preview the document from within the review panel. These permissions are so special, in fact, that even global administrators do not have them by default.

With the introduction of the multi-stage disposition review process, records managers must be familiar with what this means for assigning permissions to any user they wish to be part of a disposition review stage.

Refer to this link from Microsoft for details: Permissions for disposition

There are 3 questions I repeatedly hear from Records Managers relating to disposition permissions specifically for SharePoint… this post will answer them.


Question 1 | Records Manager Access

Many records managers (RMs) I work with place their RM group at the first stage and/or last stage of the disposition review process. Understanding what they have access to when given the required disposition review permissions prompts this question…

Question: “As a Records Manager, when I’ve been assigned the required permissions to access the Dispositions tab and view the item in the preview pane (I’m a member of the Records Management and Content Explorer Content Viewer role groups), will this also grant me permission to the source location (SharePoint site) where the item exists?”

Answer: No. A Records Manager will NOT automatically have access to the SharePoint site where the item exists and will not be able to preview the document within the disposition review tool before making a disposition decision. Access to the SharePoint site must be granted independently.

Records managers without SharePoint site access will be able to view the list of pending dispositions and take disposition action on the item (approve disposal, relabel, extend, add reviewers); however, they will be able to view the document from within the Disposition Review preview pane only if they have (at least) read access to the SharePoint site. Without this access, they will NOT be able to preview the contents of the document and will instead receive the below message in the preview pane:

With no access to the SharePoint site, even if they were to navigate to the second tab of the preview pane, Details, and click the direct Location link to the document on that page, they would receive a “You need permission to access this item” message (an easy way for an RM to request access, by the way).

Takeaway: in addition to the permissions required to do a disposition, grant Records Managers at least read permission to SharePoint sites where they will be reviewing content for disposition in order for them to be able to view the document content within the preview pane of the Disposition Review tool.


Question 2 | Business Owners Access

With the introduction of the multi-stage disposition review process, many records managers want to include content business owners in stages within the disposition review process. Understanding what, if any, additional permissions are required for the content’s business owner prompts this question…

Question: “If I add a user or mail-enabled security group to a disposition stage, will this also grant the required permissions to do the disposition?”

Answer: No. You must assign the required permissions in the Compliance Center.

Question: “If you grant a business owner the Disposition Management role to access the Dispositions tab, but don’t add them to the Content Explorer Content Viewer role group, will they be able to see the item(s) in the disposition list view screen since they already have access to the SharePoint site where the content resides?”

Answer: Partly. Without being a member of the Content Explorer Content Viewer role group, a user will certainly see the items assigned to them listed in the disposition review Pending dispositions tab, but will not be able to view the document in the preview pane even if they have access to the SharePoint site where the item resides.

To view the file content, the reviewer could navigate to the second tab, Details, and click the direct Location link on that page. Alternatively, add their username to the Content Explorer Content Viewer role group so they can view it in the preview pane from the Source tab.

Takeaway: for the smoothest experience in the disposition review tool, I recommend these permissions for Business Owner reviewers:

  1. Disposition Management role (can be part of a custom role group, Contoso Disposition Reviewers)
  2. Member of the Content Explorer Content Viewer role group (optional, but nice to have)
  3. At least read permission to the SharePoint site where the item exists

**I haven’t tested Exchange or OneDrive – when I have, I’ll update this post
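
The three grants in the list above, scripted with Security & Compliance PowerShell and the SharePoint Online Management Shell. This is an added example, not part of the original post or Microsoft's guidance. The admin account, reviewer accounts, site URL and visitors group name are constructed placeholders, and the script assumes the Content Explorer Content Viewer role group can be found by its display name.

```powershell
# Added example. Every tenant-specific value below is a constructed placeholder.
$AdminUpn     = 'admin@contoso.onmicrosoft.com'
$SpoAdminUrl  = 'https://contoso-admin.sharepoint.com'
$SiteUrl      = 'https://contoso.sharepoint.com/sites/finance'
$VisitorGroup = 'Finance Visitors'              # site group that carries Read
$RoleGroup    = 'Contoso Disposition Reviewers' # custom role group named in the post
$Reviewers    = @('owner1@contoso.onmicrosoft.com', 'owner2@contoso.onmicrosoft.com')
$AllowPreview = $true                           # item 2 in the list is optional

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUpn

# 1. Custom role group that holds only the Disposition Management role, so
#    reviewers can open the Dispositions tab and nothing else in the portal.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles 'Disposition Management' `
        -Description 'Disposition reviewers: Dispositions tab only'
}

# 2. Optional preview-pane access. Resolve the built-in role group by display
#    name (assumption) instead of hard-coding its internal name.
$viewer = Get-RoleGroup |
    Where-Object { $_.DisplayName -eq 'Content Explorer Content Viewer' }
if ($AllowPreview -and -not $viewer) {
    Write-Warning 'Content Explorer Content Viewer role group not found; skipping item 2.'
}

foreach ($upn in $Reviewers) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $upn -ErrorAction Continue
    if ($AllowPreview -and $viewer) {
        Add-RoleGroupMember -Identity $viewer.Name -Member $upn -ErrorAction Continue
    }
}

# 3. At least read permission on the SharePoint site where the items live.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $SpoAdminUrl
foreach ($upn in $Reviewers) {
    Add-SPOUser -Site $SiteUrl -LoginName $upn -Group $VisitorGroup
}

# Review what was granted before telling reviewers they are set up.
Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name
Get-SPOUser -Site $SiteUrl -Group $VisitorGroup | Select-Object LoginName
```

For a Records Manager group, only step 3 is new: the post's point is that the compliance role groups do not carry SharePoint site access, so the site grant has to be made separately for every site under review.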


The TL;DR Summary

Microsoft link: Permissions for disposition

To access the Disposition tab from within the Records Management feature, the user must be granted the Disposition Management role. Ensure all users included in a disposition review stage, including business owners, have at least this role assigned to them.

If you also want to allow the business owner to be able to view the item from within the disposition review preview pane rather than having to navigate directly to the SharePoint site to view it, ensure they’re added as members to the Content Explorer Content Viewer role group as well.

Note: Business owners presumably already have access to the SharePoint source location where the item resides; however, this access is not required to be able to perform a disposition.

If you also want Records Managers to be able to preview documents from SharePoint sites, ensure they’ve been added to the SharePoint site with at least read permission. Records Managers, by default, will not have this permission.


Share this with your Records Management team so they understand the permission model for disposition review.

Thanks for reading.

-JCK

8 comments

  1. Thanks Joanne, great article! We are a very large organization with several hundred business owner reviewers, and for several reasons, including security concerns, we cannot give them all the required roles in the compliance center. Our temporary solution is to export the list of items due for disposition for a given label and send it by email to the relevant approvers. Obviously, this is a very manual process that has many other challenges, including the fact that we can only export 50K records at a time, whereas some of our labels have several hundred thousand items due for disposition, and the fact that we cannot reimport the disposition decisions back into the compliance center automatically. As an additional challenge, Microsoft has imposed a limit that only 500 items can be destroyed at a time. This is an extremely low threshold since we already have several million records that need to be destroyed. Our feeling is that the disposition module has not been developed to accommodate large record volumes. Have you ever come across these issues with your clients? Are there any known workarounds for these limitations? Thank you

    1. Hi Paloma, great question. The only issue I have come across with my customers to date is not being able to destroy more than 500 items at a time. I’ll ask on some internal channels about the different points you bring up, but before I do I need to confirm your first point about the compliance roles not being sufficient for your needs. Do you mean if you were to configure a custom role group and ONLY include the ‘Disposition Management’ role, that still doesn’t suit your security needs? That would ensure they only had permission for disposition reviews.
      Once you’ve confirmed this, then I’ll ask 3 questions on an internal channel: 1) is there a way to export more than 50K items at a time, 2) can we action more than 500 items at a time, and 3) is there an API for actioning a disposition review

      Thanks,
      Joanne

  2. Thanks Joanne! Those three questions seem exactly what we are looking to answer.
    – In terms of security the main concern is that we have labels that are published across different sites and departments and the disposition reviewers will be able to view items (with sensitive titles) from the Disposition module even though they don’t have explicit access in all sites.
    – We also require the setup of special accounts to access the Compliance Center and it would be a huge administrative effort to set those up for so many approvers.
    – Finally, we chose not to provide access via a custom group and the disposition management role, as disposition reviewers are usually Managers and we wanted to avoid the receipt of multiple notifications and reviewing one document at a time, as we have more than 100k per label in some instances. We know that we have the possibility to filter by location, but that would require an extensive change management and training effort.

  3. Thank you. I’ll see what I can find out. I’m not promising a fast turnaround on this, but it is a valid question for large tenants implementing RM. Appreciate your feedback!

  4. Hi Joanne (and Paloma).
    Where have you seen the threshold of only being able to dispose of a maximum of 500 items at any one time published? Is this recent guidance from Microsoft? And do you know if that is per week (based on when the disposal timer job runs in M365)? And if it is, would that be a maximum of 500 items per retention label per week or a maximum of 500 items in total? Any confirmed guidance on this would maybe explain why we are seeing items not always being deleted by the disposal timer job. We also struggle with the disposal functionality being able to be used at scale. Thanks, Kieran

    1. Hi Kieran, 500 is the maximum number you can select from the pending disposition tab at one time to do a bulk action on. You can do this multiple times though if you have more than 500 items in the pending disposition tab for a given retention label.
      Hope that provides more clarity.
      -Joanne

  5. Ah yes, thanks Joanne (and for a very swift response!). I thought you were referring to a disposal timer job limit. Thanks for clearing that up! Kieran
