Forum Discussion
Delve showing documents users do not have access to
I stumbled upon this article while investigating a related issue. You may want to check out the section titled "My private document is "trending around" another person - how is that possible?" from this link: https://support.office.com/en-ie/article/who-can-see-my-documents-f5f409a2-37ed-4452-8f61-681e5e1836f3
Up until now, my understanding too was that users should not even see documents they don't have access to, so this is a big red flag for me. Could this be what's happening for your user as well? Were you able to open a support ticket and did that help at all?
That's an interesting point. I had to read that section a few times, but as I understand it, it's not saying that, following the example mentioned in the article, the manager will see the document at all; they would only be shown it if the document was shared with them. It is saying that you might see the document mentioned when browsing the manager's people page; it's just an indication that Delve thinks the document would be relevant to them based on what it knows.
The manager won't see this document in their Delve page and won't be able to access it. Delve won't override permissions and inadvertently give access to something that someone wouldn't normally be able to see otherwise.
- Michael Portman · May 20, 2019 · Copper Contributor
Cian Allner: We have had to turn off Delve in our Office 365 education tenancy. We had multiple confidentiality issues where all staff recent documents were not only visible but could be opened by any other staff member. Non-membership of a group did not prevent users from seeing Group documents.
For instance, our HR team has 2 members and holds confidential files on all staff. But any staff member could see and read these confidential documents from the Delve dashboard by first typing in the staff member's name in the search window. This behaviour, according to the Delve security guide, should not happen.
- gauravmahajan · Feb 19, 2019 · Brass Contributor
Cian Allner: You are right - I misread the article (they did seem to make that part a little confusing though IMHO). So then I have no clue why I am seeing the exact same behavior in my client's tenant as you have reported in this issue. I am investigating at my end as well, but if there's any information you can share once you find it out, it will be helpful. Thanks again!
- gauravmahajan · Feb 19, 2019 · Brass Contributor
Cian Allner: I also posted this on #sphelp: https://twitter.com/mahajang/status/1097912015383904256
One thing I did notice though in my client's environment is that they were sharing links to documents, which apparently has security implications too: https://derekgusoff.wordpress.com/2018/08/14/copy-link-in-modern-sharepoint-non-obvious-security-implications-you-should-know-about/
I am now wondering if the 2 issues are related. They unfortunately turned off Office Graph in their environment and did not maintain screenshots of the document in question so there's no easy way for me to check now. You may want to check in your tenant though if the document in question was being shared through a link. Sorry for the multiple posts but I am actively researching this since it has such a major security implication for a lot of organizations.
Thanks!
- Cian Allner · Feb 19, 2019 · Silver Contributor
That sounds plausible. While I would expect the Share option to add additional permissions for the specified user, who is being given access to the document, Copy link isn't so obvious. Reading the article and https://www.linkedin.com/pulse/share-copy-link-breaks-document-permissions-sharepoint-milan-gross, Copy link will share by default the document with the whole organization, breaking inheritance, which could result in unexpected over-sharing. This could then be reflected in Delve.
Using this option instead would improve matters:
"People with existing access returns a link that can be used by people who already have access to the document or folder. It does not change the permissions on the item. Use this if you just want to send a link to somebody who already has access."
As part of the overall governance, it would be important to configure global sharing options appropriately and change settings on sites for when different requirements are required, as mentioned in the article you posted. User education plays its part as well, in setting expectations and how things should work.