Brent Ellis
Silver Contributor
Nov 16, 2016

Best Practices for Permissions on an O365 Group SharePoint Site

So it seems that you can break permissions of individual lists/libraries/items, but you can't actually set permissions on the site as a whole? Am I missing something when looking at configuring general permissions of a SharePoint Site?

Is there general guidance on best practices for doing complex permissions on an O365 Group SharePoint Site?

  • I found this helpful:
    When working with Team sites (that have an associated Office 365 Group), there are some options to grant site access.

    Start by selecting the gear icon in the upper right-hand corner and select Site Permissions from the drop-down menu.
    Select Invite People:
    Add Members to Group: this option not only grants access to the site but adds the account to the Office 365 group. When an account is added via this method, the number of members at the top right of the page is updated. Note that when using this selection only Owner and Member permission settings can be granted. Read access cannot be granted utilizing this method.
    Share Site Only: this option adds the user to the appropriate site group. This does NOT add them to the Office 365 group. When added using this selection, the account can be granted Owner, Full Control, Edit or Read access. However, this does not update the members number on the home page of the screen and does not allow the account to participate in conversations (in a private group). This is the equivalent to selecting Advanced permission settings and adding the account that way.
    Bottom line: Even though the Advanced permission settings can be utilized to grant permission to ‘Modern’ team sites, it isn’t necessary. Don’t be afraid of the Invite People selection. Just be aware that the Add Members to Group will add the user account to the Office 365 Group and can only be used to grant Owner or Member permissions. Share Site Only will grant access to the team site only and will add the account to the appropriate site group (and this is the only option for read access).

    <https://newsignature.com/articles/sharepoint-modern-team-site-permissions/>
    • adam deltinger
      MVP
      Yeah, it’s important to differentiate between Office 365 group membership and good ol' SharePoint permissions :)
  • Hi Brent,

    In regards to the improved permission management for Office 365 groups (https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-from-SharePoint/m-p/48277#M4601), there are some more options to handle advanced permissions - I wouldn't call this complex. However, this already helps a lot for several user scenarios.

    Moreover, I'd recommend, as best practices, first setting each new Group as private so that not everybody in the tenant can access it. Second, only certain users in the relevant security group should be allowed to create groups. And third, consider the invitation of external users (guests): permit this generally or only allow it for certain groups.

    Unfortunately, at the moment this has to be done manually after a group's creation. This also applies to more granular permissions, which are still possible to modify in the SharePoint site. However, I'd wish to have better permission management or other governance options during the group creation process in order to enforce policies. At the moment this is only possible with third-party solutions. For now I can just say, use PowerShell and the manual permission management in the SharePoint sites to achieve your complex group permissions.

    Hope this helps.

    Rob

  • Ivan54
    Bronze Contributor

    At the moment I'm leaning towards not touching group team site permissions. My main concern is user experience. Even though you could assign permissions to non-members of this group, the end user would not see the group in the left navigation, compared to when he/she is a direct member of that group.

    Also, I've seen a new Site Permissions UI (right side pane) coming up, and rumors about a view-only permission set.

    • Damien Flood
      Iron Contributor

      Hi all,

      Is it correct that when creating a group the default permissions for members is "Edit" and not "Contribute"?

      Is it possible to change this (e.g. to Contribute) when provisioning? Is it wrong to think that the default permissions for members is a bit much? I mean they have the potential to mess up things just because they can.

      Cheers

      • Brent Ellis
        Silver Contributor
        That is accurate. And I whole-heartedly agree with bumping it down to contribute. We do that manually right now.
  • Boden Larson
    Copper Contributor

    Nobody has really answered the question here, and I too have similar questions in terms of best practice.  For instance, what if you want to open your Group site up to a wider audience without adding group members?

    • KevinCrossman
      MVP

      You can access the traditional SP permissions page including the Visitors group using this URL. That would be a way to make the group visible to additional people who aren't necessarily members of the group.

      "https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx"

  • Brent Ellis

    Anyway, if you feel adventurous, you can try "https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx".

    Be careful! ;)

    • jcgonzalezmartin
      MVP
      I agree with Salvatore... behind the scenes a Site Group has the regular SharePoint Groups: Owners, Members and Contributors. By default, the Group itself is added to the Site Members Group... you can check this by typing the people page directly in the browser: _layouts/15/people.aspx
      • Salvatore Biscari
        Silver Contributor

        Juan, do you know, BTW, why the Group itself is added to the Site Members?
