Forum Discussion
Stewart Foss (Brass Contributor)
Nov 27, 2017
When granting users "View Only" access to a document, the system generated email link is "Read"
I have a site owner who wants to limit certain users to "View Only" access to certain documents in their SharePoint site. I have tried this with both internal users (users in our directory) and external users (not in our directory) and in both cases the system generated email grants them more access than what we granted in the permissions on the site. Here are my steps:
- Create a document
- Select the document and open the "details pane"
- Under "has access" select "manage access"
- Choose "Advanced"
- When at the advanced permissions, I choose "Stop Inheriting Permissions"
- Then I added a new user and chose "View Only"
- I allowed the system to send them an email (or in the case of an external user, the email was required)
The users then received an email indicating that they had been granted access to the document. When they followed the link, they had access to "Download" and "Open in ..." which they shouldn't with view-only access. So I went back to the document and viewed "Manage Access" and saw that there was now a link under the permissions that said "These users have access with this link" and the user that was supposed to be "View only" was listed there. When I removed that link, then the user had the access they should. The system generated email appears to be the culprit that granted them more access than I had intended.
- Deleted
Definitely looks like there might be a bug here if you can reproduce it. The Copy link button is usually the culprit of opening up permissions from my experience, wish that link only copied a direct path to the file, but instead if you don't pick "Existing permission" option when using that button it acts like a Share.
Anyway, any reason why you are using the advanced permission instead of using the Share Button on the file in the library? Also, was the file previously shared via link/copy link before making these changes? Because the link mechanic is separate from the SharePoint permissions and will ignore the SharePoint permissions.
- Stewart Foss (Brass Contributor)
> Anyway, any reason why you are using the advanced permission instead of using the Share Button on the file in the library?

Because the lowest level of access via the Share button is Read; the user wants view-only (which doesn't allow downloading). Advanced is the only way, that I know of, to access this level of granularity.

> Was the file previously shared via link/copy link before making these changes because the link mechanic is separate than the SharePoint permissions and will ignore the SharePoint permissions.

No. I created a new site with new documents to test.
- Deleted
Yeah, think that's the only way to prevent download at a SharePoint level and seems like they have merged that capability in with the new share method vs. just adding in permissions like it used to be with the way the e-mail invites work.
However, they do have mechanisms in place to prevent downloading data via DLP policies or conditional access, but I'm not sure how granular it is since I think it might be at a site level where you can set conditional policies and all of that, but it probably requires AD Premium licensing and all that and is way more complex than it should be for your use case, but I do know you can accomplish it with it :P.