Forum Discussion
Frank Vandenheede
Oct 09, 2019, Copper Contributor
Site collection admin & confidentiality
Dear all, is there a possibility to prevent site collection admins from actually opening documents in the SharePoint libraries they manage? So they can do all the admin stuff they need to do, but wit...
Andrew Hodges
Oct 09, 2019, Bronze Contributor
The Site collection admin role overwrites all permissions on the site enabling the user to view/edit all data. There isn't a way to stop a site collection admin viewing data.
Quite a few customers give 2 accounts to these users so that in their day-to-day work they are only seeing data as a user and not as a site collection admin. They are then governed by your policy when accessing sites as the site collection admin user. Audit logs can be looked at to see what a particular user has looked at on a site.
Hope that helps
Andy
- Benbobje, Oct 16, 2019, Copper Contributor
Andrew Hodges Hi Andy, thanks for your reply. We are thinking of using Azure Information Protection to keep admins from watching highly sensitive information. Would that be an option? Kind regards, Frank.
- Rob Ellis, Oct 16, 2019, Bronze Contributor
I would ensure that admins only add themselves into Site Collection Admins when they need access - rather than having that access all of the time.
Also, any action any user takes (e.g. read a file, access a site, delete a file, etc.) is logged in the Unified Audit Log as well, so whatever an admin does will be logged.
- Oct 10, 2019
There is no way now, but I expect this to be solved with the upcoming sensitivity labels integration in SPO Sites
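The audit-log review that Andrew Hodges and Rob Ellis describe can be automated. The sketch below is an added example, not code from any poster in this thread: it reads exported Unified Audit Log records and lists every file read made by an account while it held site collection admin on that site. The sample records, account names and URLs are constructed, and the operation and field names are assumptions to check against your own export.

```python
import json
from datetime import datetime

FILE_OPS = {"FileAccessed", "FileDownloaded", "FilePreviewed"}

# Constructed sample export, one audit record per line (not real tenant data).
SAMPLE_EXPORT = """
{"CreationTime":"2019-10-16T08:05:00","Operation":"FileAccessed","UserId":"adm-rob@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceFileName":"salaries.xlsx"}
{"CreationTime":"2019-10-16T08:00:00","Operation":"SiteCollectionAdminAdded","UserId":"adm-rob@contoso.example","TargetUserOrGroupName":"adm-rob@contoso.example","SiteUrl":"https://contoso.example/sites/hr/"}
{"CreationTime":"2019-10-16T08:06:00","Operation":"FileAccessed","UserId":"frank@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceFileName":"salaries.xlsx"}
{"CreationTime":"2019-10-16T08:30:00","Operation":"SiteCollectionAdminRemoved","UserId":"adm-rob@contoso.example","TargetUserOrGroupName":"adm-rob@contoso.example","SiteUrl":"https://contoso.example/sites/hr/"}
{"CreationTime":"2019-10-16T09:00:00","Operation":"FileDownloaded","UserId":"adm-rob@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceFileName":"handbook.docx"}
"""

def admin_file_reads(export_text):
    """Return file reads made by an account while it held site collection admin."""
    records = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    # Exports are not guaranteed to be in time order, so sort before replaying.
    records.sort(key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    elevated = {}  # (site, account) -> time the admin role was granted
    findings = []
    for rec in records:
        site = rec.get("SiteUrl", "").rstrip("/").lower()
        op = rec.get("Operation")
        if op == "SiteCollectionAdminAdded":
            elevated[(site, rec["TargetUserOrGroupName"].lower())] = rec["CreationTime"]
        elif op == "SiteCollectionAdminRemoved":
            elevated.pop((site, rec["TargetUserOrGroupName"].lower()), None)
        elif op in FILE_OPS:
            key = (site, rec.get("UserId", "").lower())
            if key in elevated:  # document opened during an elevation window
                findings.append({"time": rec["CreationTime"], "account": key[1],
                                 "site": site, "operation": op,
                                 "file": rec.get("SourceFileName"),
                                 "admin_since": elevated[key]})
    return findings

if __name__ == "__main__":
    for finding in admin_file_reads(SAMPLE_EXPORT):
        print(finding)
```

Accounts that were already site collection admins before the exported time range produce no "added" event, so seed `elevated` with the site's standing admins when reviewing a real export.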