Forum Discussion
Organization Scoped Sharing Link, Discover and Check Permissions
Hi Chad_V_Kealey,
Your initial impression is correct. While the link does work for anyone in the organization, it doesn't actually grant access to any user until they have either been sent the link (e.g. the send link option in the share dialog) or they click on it. If you create a link but don't send it to anyone, no one should be able to find it in Discover or Shared With Me. Hope that helps!
Stephen Rice
Senior Program Manager, OneDrive
- Chad_V_Kealey, Sep 30, 2019, Iron Contributor
Thanks, StephenRice, that does help a bit. I'm still puzzled by the "Discover" feature, though. It seems like it would be useful in a smaller and more peer-based organization, where it's easier to keep the "sensitive documents" under tighter control. However, in an academic environment with ~40,000 users, about ~5,000 of which (faculty and staff) have their own definition of "sensitive", it seems like it's a big problem just waiting to happen.
There's no clear documentation (that I've found, anyway) as to what shows up in Discover and how. It's all based on MS/Office Graph, but what does that really mean in practical terms? In this particular example, let's say that org-scoped sharing link was created and sent to one employee. That employee happens to be in regular correspondence with a particular student. The employee gets the email and opens the document. Does Graph see the situation and say (in simplified terms, obviously): "that student is conversing with that employee and that employee just opened a file that the student also has access to via that link... let's show that to the student since they may want to see it, too!"
To clarify, I'm taking the student at their word when they say "I found the document in the Discover section of the Outlook app" and trying to figure out how it ended up appearing there. I have not seen proof that the student saw it there, but I do have a record (from the audit log) that they accessed the file, so it's reasonable to assume they're being honest. What we don't seem to have is a way to determine to whom that org-scoped link was sent (except to ask the person who sent it). So, there are a few gaps in the audit trail, which makes it hard to know exactly what happened.
- Andrew Hodges, Sep 30, 2019, Bronze Contributor
Chad_V_Kealey I have this issue all the time with Delve and customers not liking that it highlights content that users may not necessarily know they have access to, and in some cases shouldn't have access to.
However, Delve is completely permission-based: if a user does not have permission to the file, they 100% will not see it. This is the basis that SharePoint is built on, so we can be assured that this works.
For organisation-wide links you can see which users have accessed the file by looking at the unique permissions on that file. While the link is created, users do not have permissions to that file until they access the link, at which point they are added to the unique permissions on the file.
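One way to check this from the audit log rather than by asking the sender, as an added example that is not code from the thread or from Microsoft. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with audit-search rights; $FileUrl is a placeholder for the shared document's full URL.

```powershell
# Added example: list the sharing-link audit events for one document, then extract
# who redeemed the organisation-wide ("company") link and so now holds a unique permission.
# Assumes Connect-ExchangeOnline has already been run. $FileUrl below is a placeholder.
param(
    [string]$FileUrl = "https://contoso.sharepoint.com/sites/Dept/Shared Documents/policy.docx",
    [int]$Days = 90
)

# Operations recorded for org-wide links: creation, redemption, explicit shares, and reads.
$ops = @("CompanyLinkCreated", "CompanyLinkUsed", "SharingSet", "FileAccessed")

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -Operations $ops -ObjectIds $FileUrl -ResultSize 5000

# AuditData is a JSON string; flatten the fields a reviewer needs.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        User      = $d.UserId
        Target    = $d.TargetUserOrGroupName   # set for SharingSet; empty for link usage events
        ClientIP  = $d.ClientIP
    }
}

$events | Sort-Object Time | Format-Table -AutoSize

# CompanyLinkUsed tells you who clicked the link (and thereby gained permission);
# it does not tell you whom the link was sent to, which the audit trail does not record.
$redeemers = $events | Where-Object Operation -eq "CompanyLinkUsed" |
    Select-Object -ExpandProperty User -Unique
"Users who redeemed the org-wide link: $($redeemers -join ', ')"

# Optional cross-check against the item's current unique permissions with PnP.PowerShell
# (after Connect-PnPOnline). $ListName and $ItemId are placeholders for the library and item ID.
# Get-PnPListItemPermission -List $ListName -Identity $ItemId
```

Every CompanyLinkUsed user should also appear in the file's unique permissions; a user who appears there without a matching redemption event was granted access some other way (direct share or site membership).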
- StephenRice, Sep 30, 2019, Microsoft
Hi Chad_V_Kealey,
Andrew Hodges is correct. I'd also check out this documentation for more info on Delve.
As for your specific use case, in order for the student to have found the document in Discover, someone must have sent it to them (either via e-mail or some other client, and then they clicked on it). Unfortunately, if you don't see an audit event for someone sending it to them directly, then it must have happened outside of where we (the service) can track it.
Another possibility is that the file is on a site that is accessible by the student (a site shared with the entire organization maybe?) and that could also cause things to show up there. Hope that helps,
Stephen Rice
Senior Program Manager, OneDrive