Eric Sabean
Copper Contributor
Sep 17, 2018

Seeking best practices for anonymous access configuration

I'm looking for suggestions on how best to structure the permissions on an external access site that I'm setting up.

The purpose of the site will be to share photos and video to local media, when requested through our Communications department.

Some points to note:

- Anonymous access is enabled with links expiring after 2 days.

- We want people to be able to browse the content and download files as needed.

- I intend to roll content up to the main page using a Highlighted Content web part and would prefer they not have the ability to view all site contents.

Thanks in advance for any advice.

  • Matt Coats
    Steel Contributor

    Can you clarify some things? I perceive your needs to be a bit conflicting--are you looking to let people in to your site so they can look around AND have the ability to create expiring anonymous links for anyone that doesn't have rights to view your site?

    Taking each of your notes into consideration:

    1. Anonymous access links can be set to expire after 2 days, but this is assuming you're manually creating anonymous access links for each document coming in.
    2. This seems to conflict with your third note and maybe your first--what else is in this site that you don't want your external users accessing? Who is "people," your organization or the media? Do you mean (1) that you have certain libraries/lists that only some people should see, or (2) that you want people's ability to view a document in a document library they have access rights to to expire? If the first, just make different groups, but if the second, I don't think there's a way to give people temporary access to specific documents in a library they already have rights to. The only way to achieve that is to make a page or list full of anonymous access links to browse (which is terribly inefficient; the maintenance that would take would be burdensome).
    3. If you intend for a Highlighted Content webpart to be the only means of serving content to your authorized viewers, the best that strategy can deliver to you is security by obscurity--you can strip your site of any mention of document libraries in the Quick Launch menu, but if a user knows they can go to Site Contents or simply trim the URL of any document they're viewing, the same rights you'd need to grant for people to see anything in that webpart are going to let them go anywhere they have rights to.
    • Eric Sabean
      Copper Contributor

      Matt, thanks for taking the time to respond so thoroughly.

      The site will be used by our Communications Team. They'll be providing anonymous sharing links to local media outlets. The site won't contain any content that's sensitive in nature, I just wanted to simplify the presentation of it, which is why I want to limit what they can see and access.

      My preference for sharing any content externally is to share with authenticated users only, but I've been directed to change the tenant settings to allow for anonymous access, so the 2 day limit is my way of maintaining some control and security over such links. All other site collections in our tenant have anonymous access disabled.

      **EDIT** After some additional testing and thought, I think I'm going about this the wrong way. I think it's going to be easier for our media department to grant anonymous access via OneDrive, rather than a site. Unless I'm missing something, I can share files within a library anonymously, but not the entire library. For that, I'd have to put the user into a security group. That's far too cumbersome, so I think I'll explore the OneDrive option. 
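
The setup described in this thread (anonymous links allowed at the tenant level with a 2-day expiry, and anonymous sharing disabled on every site collection except one) can be applied and audited with the SharePoint Online Management Shell. This is an added example, not code posted by anyone in the thread; both URLs are placeholders, and the view-only link type is an assumption based on the browse-and-download requirement.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint administrator account. Both URLs below are placeholders.
$adminUrl  = 'https://contoso-admin.sharepoint.com'
$mediaSite = 'https://contoso.sharepoint.com/sites/media-share'

Connect-SPOService -Url $adminUrl

# Tenant-level ceiling: anonymous links are allowed, but every new link
# expires after 2 days and grants view (and download) rights only.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
    -RequireAnonymousLinksExpireInDays 2 `
    -FileAnonymousLinkType View `
    -FolderAnonymousLinkType View

# Opt in the one site that is meant to hand out anonymous links.
Set-SPOSite -Identity $mediaSite -SharingCapability ExternalUserAndGuestSharing

# Audit: any other site collection that still permits anonymous links.
# OneDrive sites are only returned when -IncludePersonalSite $true is passed.
$unexpected = Get-SPOSite -Limit All | Where-Object {
    $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
    $_.Url.TrimEnd('/') -ne $mediaSite.TrimEnd('/')
}

if ($unexpected) {
    Write-Warning "Anonymous sharing is enabled on sites other than $mediaSite"
    $unexpected | Select-Object Url, SharingCapability, Owner | Format-Table -AutoSize

    # Tighten each one to authenticated guests that already exist in the
    # directory. -WhatIf previews the change; remove it to apply.
    foreach ($site in $unexpected) {
        Set-SPOSite -Identity $site.Url `
            -SharingCapability ExistingExternalUserSharingOnly -WhatIf
    }
} else {
    Write-Output "Only $mediaSite allows anonymous links."
}
```

A site-level `SharingCapability` can only be as permissive as the tenant setting, never more, so the audit loop is what keeps the tenant-wide change from widening exposure on other site collections.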

       

       
