Forum Discussion
Document Management with lots of specialized permissions
Jul 08, 2020
michaelkubala the first rule of thumb is to keep it as simple as you can. It can be annoying to open a library and see 6 documents when the person next to you can see 10. It can be equally annoying as an administrator to have to work through a complex permission structure, especially if it has been set up in association with multiple custom permission groups and/or unique permissions applied to folders or document sets (in addition to folders) and/or Member groups with read-only or Visitor groups with contribute permissions applied to them.
My first suggestion is to create a basic security matrix - who in the team can edit or view the records. From this, you may then create a few (not too many) permission groups. Remember, the more complicated you make this, the harder it is to work out who has what access.
Consider if you can group access controls and documents by libraries. For example, a library where everyone has read access, another with an edit group and a read group.
You mention Teams channels, but remember that every Team has a single SharePoint site linked with it (visible from the 'Files' tab); every channel creates a new folder in the default 'Documents' library on that linked SPO site. But you can open the SPO site and create new libraries with different permissions, and these libraries can be pinned to the menu bar in a Team (in addition to the default 'Files' tab that cannot be removed). Everyone in the Team will see the new tab (for a new library) but if they don't have access they won't see it. If they do, they will only be able to edit or read depending on the permissions on the library.
Depending on how complex your requirement is, I'd suggest separate libraries with unique permission groups may be the easiest. The next would be the same library with unique permission groups applied to folders. Really really try to avoid unique permissions applied to documents.
In so many cases, as a SPO admin, I simply restore the default inherited permissions to fix access issues. My point was often the same - just because people have edit rights, doesn't mean they will edit, and if you are really worried about it, put an alert on the library.
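The answer above boils down to a check an SPO admin can run: which libraries have their own permissions and who holds them, which folders or individual files have broken inheritance, and (the "restore the default inherited permissions" fix) putting individual files back to inheriting from their library. The script below is an added example written for this thread, not code from the post or from Microsoft; it uses the PnP.PowerShell module and assumes it is installed, that the caller is a site owner, and that `$SiteUrl` is a placeholder for the Team's linked SharePoint site.

```powershell
# Added example (not from the forum thread): audit one SharePoint Online site for
# permission sprawl with PnP.PowerShell.
#   1. list document libraries with unique permissions and who holds which level
#   2. list folders and files inside them that carry unique permissions
#   3. with -ResetFilePermissions, restore inheritance on individual FILES only;
#      library- and folder-level permissions are reported but left alone
# Assumptions: Install-Module PnP.PowerShell has been run, the account is a site
# owner, and $SiteUrl is a placeholder for the Team's linked SPO site URL.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [switch] $ResetFilePermissions
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Turn a securable object's role assignments into "principal = levels" lines.
# The Member and RoleDefinitionBindings properties must be loaded explicitly.
function Get-RoleSummary($securable) {
    $assignments = Get-PnPProperty -ClientObject $securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        "{0} = {1}" -f $member.Title, (($roles | ForEach-Object Name) -join ",")
    }
}

# BaseTemplate 101 is a document library; hidden system lists are skipped
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    $libUnique = Get-PnPProperty -ClientObject $lib -Property HasUniqueRoleAssignments
    Write-Host "`n[$($lib.Title)] unique permissions: $libUnique"
    if ($libUnique) { Get-RoleSummary $lib | ForEach-Object { Write-Host "   $_" } }

    # FSObjType is 1 for folders, 0 for files; FileRef is the server-relative path
    $items = Get-PnPListItem -List $lib -PageSize 500 -Fields "FileRef","FSObjType"
    foreach ($item in $items) {
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
        $isFolder = [int]$item.FieldValues["FSObjType"] -eq 1
        $kind = if ($isFolder) { "FOLDER" } else { "FILE  " }
        Write-Host "   $kind $($item.FieldValues['FileRef'])"
        Get-RoleSummary $item | ForEach-Object { Write-Host "          $_" }

        if ($ResetFilePermissions -and -not $isFolder) {
            # The fix the answer describes: the file goes back to inheriting from
            # its folder/library, so the library's groups decide who can edit it.
            Set-PnPListItemPermission -List $lib -Identity $item -InheritPermissions
            Write-Host "          -> inheritance restored"
        }
    }
}
```

Run it once without the switch to get the "who has what access" picture the answer says becomes hard to see; the FOLDER and FILE lines are the unique permissions it recommends avoiding. Each item with unique permissions costs an extra round trip for the property load, so on large libraries expect it to take a while; `-ResetFilePermissions` deliberately touches files only, since folder-level groups are the middle option the answer still considers acceptable.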
AndrewWarland great answer. Thanks for the insight. It looks like my best bet is to try to simplify the permissions structure rather than build out some solution to encourage the current practice of using file level permissions.