Forum Discussion
Limit access to guest members
I have had the same challenge (that is, if I understand your problem correctly), and the solution was to control the permissions on folder level in Team sites.
As far as I remember, I did something like this:
You operate with two levels of permissions: Members and (let’s call it) Advanced Members. Advanced Members will be able to see everything, Members only what you allow them to see.
So, in your SharePoint Team site (under Site contents) you do the following:
Create your Document libraries – normal Document Libraries visible for everyone and Restricted Libraries visible only for chosen members. Don’t place your libraries under the default Document Library, that won’t work.
Your “internal only” documents should be placed in the restricted libraries.
In Office 365 create a group (“Advanced members”) that gives permissions to the Restricted Libraries. Add the advanced users to this group (be aware: Outlook will by default send a Welcome message to new group members).
In the Restricted Libraries:
- In Library Settings / Permissions for this document library you choose “Stop Inheriting Permissions”.
- Remove the SharePoint Group “Members” (and perhaps, in your case, also “Visitors”?).
- Now add (“Grant permissions”) the SharePoint Group “Advanced members” to the Library.
Now only members of the “Advanced members” group have access to this restricted library.
In the public libraries:
Well, you really don’t have to do anything, just be sure that the members of the “Advanced members” group are also members of the site’s “Member” group. Everybody will have access to these Document Libraries.
Also, if you display content from the restricted libraries in a web part on your Team site, the web part/the content will not be visible for non “Advanced members”.
In Teams you can show your document libraries, and again, only “Advanced members” will be able to see content from the restricted libraries.
This works for me, hope it will for you too 😊
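The restricted-library steps above, scripted across several sites and followed by a check of who actually ends up with access. This is an added example, not part of the original post; it assumes the PnP.PowerShell module, and the site URLs, library title, group name and permission level are placeholders.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module.
# All values below are constructed placeholders; replace them with your own.
$siteUrls  = @('https://contoso.sharepoint.com/sites/TeamA',
               'https://contoso.sharepoint.com/sites/TeamB')
$library   = 'Restricted Library'   # hypothetical library title
$groupName = 'Advanced members'     # group that should keep access
$role      = 'Contribute'           # assumed permission level

foreach ($url in $siteUrls) {
    Connect-PnPOnline -Url $url -Interactive

    # "Stop Inheriting Permissions", starting from an empty set of assignments
    # instead of a copy of the site's Members/Visitors/Owners entries.
    Set-PnPList -Identity $library -BreakRoleInheritance -CopyRoleAssignments:$false

    # "Grant permissions" to the restricted group only.
    Set-PnPListPermission -Identity $library -Group $groupName -AddRole $role

    # Verify the result rather than trusting that the change applied.
    $list = Get-PnPList -Identity $library -Includes HasUniqueRoleAssignments, RoleAssignments
    if (-not $list.HasUniqueRoleAssignments) {
        Write-Warning "$url : '$library' still inherits permissions from the site"
    }

    foreach ($ra in $list.RoleAssignments) {
        # Role assignments are lazy-loaded; fetch the principal and its permission levels.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '

        if ($ra.Member.Title -eq $groupName) {
            Write-Output "$url : OK  $($ra.Member.Title) [$levels]"
        }
        else {
            # Any other principal on the library is flagged for manual review.
            Write-Warning "$url : REVIEW  $($ra.Member.Title) [$levels]"
        }
    }
}
```

Re-running only the verification half on a schedule shows when a library has drifted back to inherited permissions or gained an unexpected principal.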
CartenS, the scenario is exactly the one you described. I have already followed that approach because I have a bunch of sites in which a unique set of users should access a "private" library, and it was pretty easy because the "advanced group" was the same in all the groups, so I had to break inheritance, remove all permissions and grant permissions only to this group (and I did it programmatically). In this new challenge, inheritance on default objects (like the default Documents library) should be broken to use security groups, and the default O365 group membership becomes useless... since the default permission level for objects in a site will not be "Group A Members" but "Security Group A members", which is an object that needs to be populated manually. Think of replicating this on dozens of sites and you will understand the complexity added, in a topic, SP permissions, where best practices say to change as little as possible. I know this is a potentially working solution; I asked to understand if I was missing something and an easier solution could exist...
