Forum Discussion
SOX, SharePoint and "SDLC"
Amanda Oldham, I understand completely what they're asking for because it's what we did 5+ years ago when we formalized our SharePoint implementation. The problem we're running into now is that those customized access levels don't translate to the modern O365 group-enabled environment. Basically, it's preventing us from moving forward into fully modern SharePoint because of this legacy setup. So now we have this weird hybrid where some stuff is classic and CAN'T be converted to modern without fully migrating the entire site to a new location.
I would start by asking Audit for a specific list of what rights they think a site owner should not have as part of "Full Control". That will let you go back to IT and have them tell you what is technologically possible or not. Having all access rights go through IT would be a mistake. We have that for a limited number of our sites and it's a train wreck, especially when you get sites with multiple permission groups.
We do have an annual system set up for sites that contain highly restricted information where we ask the owners to certify access for each person on the site. Maybe that's something you can offer? But then you'd have to implement some kind of site classification process....
- Amanda Oldham (Aug 05, 2019, Copper Contributor): Thank you for your assistance - it does make me feel better knowing that we aren't the first or only to deal w/ it