Forum Discussion
Restrict Owners
- Nov 24, 2021
There will always need to be someone who has enough permissions to help fix things if things go south. The best practice is the use of named admin accounts; this way you can give the admin permissions to the named admin account and not your personal account.
On your personal account you will just see the data that you are allowed to see but on the named admin account you could see everything and help where needed.
The reason you still see the library after removing the owner permissions is because you are set as the site collection administrator, which is a higher permission than the owner group.
You can break the inheritance of the permissions to give unique permissions to a document library or a folder. For a folder you need to follow these steps:
- Select the folder
- Click on the three dots
- Go to Manage access
- Click on Advanced
- Stop inheriting permissions
This will break the inheritance of the permissions from the document library and give you the possibility to give unique rights.
If you want to do this on a document library you will have to go to the library settings and navigate to “Permissions for this document library” to get to the screen where you can manage the permissions.
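A scripted equivalent of the folder steps above, followed by a check of who ends up with access. This is an added example, not part of the original posts; it assumes the PnP.PowerShell module, and the site URL, library name, folder path and group name are placeholders.

```powershell
# Added example: all values below are placeholders, not taken from the thread.
$SiteUrl   = "https://contoso.sharepoint.com/sites/finance"  # hypothetical site
$Library   = "Documents"                                     # library display name
$FolderUrl = "Shared Documents/Payroll"                      # site-relative folder path
$Group     = "Payroll Members"                               # hypothetical SharePoint group

# Sign in with a named admin account (recent PnP.PowerShell releases also need -ClientId).
Connect-PnPOnline -Url $SiteUrl -Interactive

# Give the folder unique permissions: -ClearExisting drops the assignments
# that came from the library, then only $Group is granted Contribute.
Set-PnPFolderPermission -List $Library -Identity $FolderUrl `
    -Group $Group -AddRole "Contribute" -ClearExisting

# Verify: load the folder's list item and confirm inheritance is broken.
$folder = Get-PnPFolder -Url $FolderUrl
$item   = Get-PnPProperty -ClientObject $folder -Property ListItemAllFields
$unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
if (-not $unique) {
    Write-Warning "Folder still inherits permissions from the library."
}

# List every principal that now holds a role on the folder.
$assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
foreach ($ra in $assignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.Title
        Type      = $ra.Member.PrincipalType
        Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    }
}

# Site collection administrators do not appear in the list above but can
# still open the folder, so review them separately.
Get-PnPSiteCollectionAdmin | Select-Object Title, Email
```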
- Pol_Van_Dingenen, Nov 24, 2021, Brass Contributor
- AOSPWB, Nov 24, 2021, Brass Contributor
Yeah... the problem is our IT admin is not local within the company; most of the SharePoint talent is not IT (aka the admin). Therefore thinking passwords on specific files may be the best, and that is if they feel it is absolutely necessary, and to think of it.... most of them may already have passwords as IT has access to the servers now, so what is stopping them from going in? Trust and Professionalism! Greatly appreciate the bounce of ideas though! Really did make me stop and think!
- Ben Leach, Nov 24, 2021, Copper Contributor
As mentioned earlier in this thread, you really don't want to lock away areas of a site from owners as it is a supportability issue, and again as has been said, there is always a role that will have access to everything in the site (known as the Site Collection Administrator).
If you have Business Premium or E3 licences, the best approach is to configure Sensitivity Labels within the Compliance Centre of Microsoft 365 Admin. You can define the label, configure it as requiring encryption and control who can access the content, assigning it to specific departments via security or M365 groups. Once you have created the label, deploy it to the users that you want to be able to use it via a Label Policy. The advantage of this approach is that even if the content is downloaded and shared either internally or outside the organisation, the protection will still be applied and doesn't rely on having to set (and remember) passwords.