TonyTech2026
Copper Contributor
Apr 14, 2026

Users unable to determine who has access to document library due to security groups

Greetings,

Maybe I went about this the wrong way. Looking for advice on either the proper way we should be moving forward on this or any other comments or insight we should be considering. 

This is for SharePoint Online via Microsoft 365 Business license. 

Scenario:
1. SharePoint Document Library per department (Each Document Library exists in its own SharePoint site), essentially being used as a company drive. 
2. Some users should only officially have access to specific folders in some of the document libraries. 
3. If say a person in accounting has access to some specific folders, and either they are replaced or a new accounting user comes in.... should be able to reference the access the existing person has in order to give the same access to the new user. 
4. Common Request: Give UserB the same folder access as UserA. 
5. Some users should have access to the entire document libraries while other users only have access to specific subfolders. 

Current Implementation:
1. In Entra, created Security Groups that tied to specific folders. 
-- For Example for the accounting folder, only management has access to the entire folder but the accounting staff only have access to specific folders. So like there is a FiscalYear2024 folder, so I created a security group called sec-Accounting-FiscalYear2024 and assigned the members that should only have access to that folder and not the rest of the library. 
-- My thought behind this was if a new user was replacing the existing user or joining the department, I can just reference the existing user security group membership and copy it to the new user. 
2. In the SharePoint document Library, I create a shareLink that is assigned to the security group I made for that access. Then I give that link to the users I assigned the membership to. 


Current Issue:
1. Aside from the official document sharing/access that is being done from the security groups above, there are occasions where users of a SharePoint site need to share specific files or folders with other users. 
2. However, they are all panicking and confused because aside from themselves they are unsure who has access to the existing folders/files in the document library. 
3. When going to manage permissions of a file/folder, it only shows the group assigned to it but not the members of the group.
4. So since users can't see the members of the group assigned to a folder, they have no idea who has access to that folder and are getting confused. 


If this was an NTFS drive, it would be super easy for users to see who has access, etc., by looking at the properties, but I'm stuck behind some limitations of SharePoint I didn't realize existed until I tried to implement certain workflows. 

Any advice here would be greatly appreciated, as my implementation has turned into a point of frustration for end users. 

Thank you in advance!

1 Reply

  • Radzik_PL
    Copper Contributor

    Hi, 

    A good practice is to grant the minimum permissions required to get the work done and to assign permissions at the highest possible level, as well as to separate content with distinct permissions into separate libraries/site collections… that’s the theory.

    In practice, as you wrote, situations vary: there are power users, exceptions, and temporary needs. It seems to me that a lot depends on the policy you define—for example, exceptions are managed only by IT, which, based on a request, maintains a register and grants additional permissions according to its own scheme (who, where, for how long, etc.).

    If you are more focused on users managing these permissions themselves, then appointing site owners and training them to use SharePoint groups instead of Security Groups, as far as I remember, provides greater transparency for users in terms of who belongs to which group, and so on. Entra ID groups offer better performance (related to indexing, as I recall) and centralized management, but they require permissions outside of SharePoint to manage them. Additionally, from an IT perspective, it is worth conducting periodic audits of sharing links and exceptional permissions to identify and remove outdated or excessive access as staffing and project structures change. The sites themselves should also be covered by top-level policies defining access rules, etc.

    I hope this helps you somehow in finding the solution that works best for you.
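
An added example, not part of either post: one way to handle the "give UserB the same folder access as UserA" request and the periodic review mentioned in the reply, using the Microsoft Graph PowerShell module. It assumes the `sec-` naming from the question; the UPNs are constructed placeholders, and without `-Apply` the script only reports what it would change.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell module.
param(
    [string]$SourceUpn = 'usera@contoso.example',   # constructed placeholder
    [string]$TargetUpn = 'userb@contoso.example',   # constructed placeholder
    [string]$Prefix    = 'sec-',                    # naming convention from the question
    [switch]$Apply                                  # omit for a dry run
)

Connect-MgGraph -Scopes 'User.Read.All','GroupMember.ReadWrite.All'

$source = Get-MgUser -UserId $SourceUpn
$target = Get-MgUser -UserId $TargetUpn

# Direct memberships only, limited to security groups carrying the folder prefix.
function Get-FolderGroup([string]$UserId) {
    Get-MgUserMemberOf -UserId $UserId -All | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
        $_.AdditionalProperties['securityEnabled'] -eq $true -and
        $_.AdditionalProperties['displayName'] -like "$Prefix*"
    }
}

$sourceGroups = @(Get-FolderGroup $source.Id)
$targetIds    = @(Get-FolderGroup $target.Id | ForEach-Object Id)

# Copy only the memberships the target does not already have.
foreach ($g in $sourceGroups) {
    $name = $g.AdditionalProperties['displayName']
    if ($targetIds -contains $g.Id) {
        Write-Host "= $name (already a member)"
    } elseif ($Apply) {
        New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $target.Id
        Write-Host "+ $name (added)"
    } else {
        Write-Host "? $name (would add; rerun with -Apply)"
    }
}

# Who-has-access report for the same groups. Nested groups show an empty Member
# column because they have no userPrincipalName.
$sourceGroups | ForEach-Object {
    $name = $_.AdditionalProperties['displayName']
    Get-MgGroupMember -GroupId $_.Id -All | ForEach-Object {
        [pscustomobject]@{
            Group  = $name
            Member = $_.AdditionalProperties['userPrincipalName']
        }
    }
} | Sort-Object Group, Member | Format-Table -AutoSize
```

The report covers Entra group membership only; access granted through ad hoc sharing links or SharePoint groups does not appear in it and has to be reviewed on the SharePoint side.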