Forum Discussion
Restrict access to Admins to some sites / libraries
Imagine if you had a bad actor and the administrator couldn't take control of that resource...
This is an HR problem, not an IT one. You can look at the Unified Audit Log (or an administrator or delegated user can) to see if an admin has granted themselves access to a particular resource, but you can't prevent it from occurring.
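One way to run the audit-log check described in the reply above, as an added example (not code from the thread or from Microsoft): it pulls SharePoint site-collection admin additions from the Unified Audit Log via the Exchange Online Management module and flags records where the acting account and the added account are the same. The AuditData field names used (UserId, ObjectId, TargetUserOrGroupName) are assumptions to verify against your tenant's own records.

```powershell
# Added example: look for SharePoint "SiteCollectionAdminAdded" events where an
# admin added themselves. Requires the ExchangeOnlineManagement module and a
# role permitted to read the Unified Audit Log.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)   # look back 30 days (adjust as needed)
$end   = Get-Date

# Each returned record carries its details as a JSON string in AuditData.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePoint `
    -Operations "SiteCollectionAdminAdded" `
    -ResultSize 5000

$selfGrants = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $actor  = $d.UserId                  # assumption: account performing the change
    $target = $d.TargetUserOrGroupName   # assumption: account that was added
    if ($target -and ($actor -ieq $target)) {
        [pscustomobject]@{
            When   = $e.CreationDate
            Actor  = $actor
            Site   = $d.ObjectId         # assumption: site collection URL
            Action = $e.Operations
        }
    }
}

if ($selfGrants) {
    $selfGrants | Sort-Object When | Format-Table -AutoSize
} else {
    Write-Output "No self-granted site collection admin events in the window."
}
```

This only surfaces changes after they have happened, which is the limitation the thread goes on to discuss; pair it with a scheduled run and an alert if you rely on it.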
I'm going to respectfully disagree, Trevor Seward.
Having spent more than 40 years in Information and Communication Tech, you don't need to tell me how to boil water. Stratified administration rights are not unusual and have existed in other systems for decades.
I now understand that while SharePoint does offer multiple levels of admin, there is no clarity in the documentation about who can do what with the data. That's a missing element and bad design.
Checking the audit logs works. It is identical to the old concept of locking the barn door after the horse is gone. And thus, of dubious and limited value.
- Nov 04, 2019: When we look at Microsoft/UN*X systems design, it is a universal truth that the sysadmin/root has full control over the system and all data on it. Global Admins are the equivalent (with the SharePoint Admin role being scoped to ODfB/SPO).
- RossChevalier, Nov 04, 2019 (Brass Contributor)
You are correct, Trevor Seward. There are, however, proven systems that did not have this issue, although they have passed from memory. It is possible that the less powerful admin types in SharePoint could help, if only their documentation specified what control they have over document libraries, which none of the Microsoft docs that I have found do.
I make no assertion that I have found them all. For example, can a Teams Admin read the contents of a SharePoint Document Library if that person is not a Global Admin? I fear yes, because Teams is built to leverage SharePoint. What I am looking for specifically is an admin role that allows for admin and support without open access to document libraries.
- Nov 04, 2019: Such a role does not exist. The closest thing you can do is password protect files from within their own application, then upload said files. If the admin doesn't know the password, they can't open them. You lose out on some other platform features, though, such as search.