Forum Discussion
How to delegate admin to employee without access to sensitive data
You can grant him permissions on the Site collections in question only, either as primary/secondary SC admin.
HI VasilMichev
Yes, you can provide them permission for a specific site only instead of Sharepoint Admin. External users will only be available to modify a given site as you delegate.
binodmaharjan_2020 , VasilMichev : This would only help slightly. The tasks that this "semi-admin" would perform is much more than only maintaining security on a few site collections. Of the examples I mentioned, only the second task would be possible using your proposal:
* Adding and removing employees, configuring permissions, etc
* Creating external SharePoint sites for customer collaboration
* Adding and removing guest accounts (for customer collaboration)
* Etc
I am more looking for a way to grant permissions to a person enough to do more or less everything except a few things, such as the managers' email, some document libraries/sites etc.
This must be something that all companies of significant size must struggle with? I don't believe that the CEO of many companies handle all Office 365 management tasks - so how do they solve it?
- As per my knowledge, Roles are assigned for those people to whom you delegate tasks. In your case, you want to delegate admin to your employee but also afraid of having access data. There are only two solutions I have seen: 1. Either you provide permission manually to specific sites or else. They will have access only that you assigned. If they require additional permissions they will ask for it. 2. You can assign them as SharePoint Administrator (If Internal Employee). Even SP Admin cannot access any site until they themself become the members/owner of any site. You can keep Notification alerts and search/Investigate Audit logs if any misused.
There's nothing built-in in O365 for that, you'll have to look into third-party tools that do a "portal replacement" type of products.
