Forum Discussion

michaelkubala's avatar
michaelkubala
Brass Contributor
Jul 07, 2020
Solved

Document Management with lots of specialized permissions

I have a document management question. How do you handle the case where a team writes a lot of sensitive documents that need to be tightly controlled. Sometimes person A should see it. Sometimes pers...
admin
Document Library
files
Permissions
SharePoint Online
  • AndrewWarland's avatar
    AndrewWarland
    Jul 08, 2020

    michaelkubala the first rule of thumb is to keep it as simple as you can. It can be annoying to open a library and see 6 documents when the person next to you can see 10. It can be equally annoying as an administrator to have to work through a complex permission structure, especially if it has been set up in association with multiple custom permission groups and/or unique permissions applied to folders or document sets (in addition to folders) and/or Member groups with read-only or Visitor groups with contribute permissions applied to them. 

    My first suggestion is to create a basic security matrix - who in the team can edit or view the records. From this, you may then create a few (not too many) permission groups. Remember, the more complicated you make this, the harder is to to work out who has what access. 

    Consider if you can group access controls and documents by libraries. For example, a library where everyone has read access, another with an edit group and a read group. 

    You mention Teams channels, but remember that every Team has a single SharePoint site linked with it (visible from the 'Files' tab); every channel creates a new folder in the default 'Documents' library on that linked SPO site. But you can open the SPO site and create new libraries with different permissions, and these libraries can be pinned to the menu bar in a Team (in addition to the default 'Files' tab that cannot be removed). Everyone in the Team will see the new tab (for a new library) but if they don't have access they won't see it. If they do, they will only be able to edit or read depending on the permissions on the library. 

    Depending on how complex your requirement is, I'd suggest separate libraries with unique permission groups may be the easiest. The next would be the same library with unique permission groups applied to folders. Really really try to avoid unique permissions applied to documents.

    In so many cases, as a SPO admin, I simply restore the default inherited permissions to fix access issues. My point was often the same - just because people have edit rights, doesn't mean they will edit, and if you are really worried about it, put an alert on the library. 

     

ChrisWebbTech's avatar
ChrisWebbTech
MVP
Jul 08, 2020
I don’t know how broad your group of users would be but instead of Messing with permissions look into utilizing labels and data classification. Define that then you can specify who can open files with label x. Or these people can open documents labeled y. This way documents will maintain that label wherever it goes and permissions never have to be trimmed or broken to have sensitive documents secure.
  • michaelkubala's avatar
    michaelkubala
    Brass Contributor
    Jul 08, 2020

    ChrisWebbTech that's a very interesting idea. I'm going to look into that. Thanks!

Resources