Home

Best Practices for Permissions on an O365 Group SharePoint Site

Highlighted
Brent Ellis
Valued Contributor

Best Practices for Permissions on an O365 Group SharePoint Site

So it seems that you can break permissions of individual lists/libraries/items, but you can't actually set permissions on the site as a whole?  Am I missing something when looking at configuring general permissions of a SharePoint Site

 

Is there general guidance on best practices for doing complex permissions on an O365 Group SharePoint Site?

  • Office 365 Groups
  • SharePoint
29 Replies

Re: Best Practices for Permissions on an O365 Group SharePoint Site

I think that Site Permissions are determined by the Group membership/ownership.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

I agree with Salvatore...behind the scenes a Site Group has the regular SharePoint Groups: Owners, Members and Contributors. By default, the Group itself is added to the Site Members Group...you can check this typing directly in the browser the people page: _layouts/15/people.aspx

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Juan, do you know, BTW, why the Group itself is added to the Site Members?

Re: Best Practices for Permissions on an O365 Group SharePoint Site

@Brent Ellis

Anyway, if you feel adventurous, you can try "https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx".

Be careful! :smileywink:

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Of course,
You can always use "Old" URLs :-) directly in the browser

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Nobody has really answered the question here, and I too have similar questions in terms of best practice.  For instance, what if you want to open your Group site up to a wider audience without adding group members?

Re: Best Practices for Permissions on an O365 Group SharePoint Site

at the moment I'm leaning towards not touching groups team sites permissions. My main concern is user experience. Even though you could assign permission to nonmember of this group, the end user would not see the group in the left navigation compared to when he/she is a direct member in that group.  

Also I've seen a new Site Permissions UI (right side pane) coming up, amd rumors about a view only permission set. 

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Hi all,

 

Is it correct that when creating a group the default permissions for members is "Edit" and not "Contribute" correct?

 

Is it possible to change(e.g. to contribute) this when provisioning? Is it wrong to think that the default permissions for members is a bit much? I mean they have the potential to mess up things just because they can.

 

Cheers

Re: Best Practices for Permissions on an O365 Group SharePoint Site

That is accurate. And I whole-heartedly agree with bumping it down to contribute. We do that manually right now.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

You can access the traditional SP permissions page including the Visitors group using this URL. That would be a way to make the group visible to additional people who aren't necessarily members of the group.

 

"https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx"

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Hi @Brent Ellis, When you say manually do you mean you set the default when you provision the Group e.g. via powershell? Would love to know :)

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Nah, straight up manually, navigate to user.aspx and click change permission

It is ironic though, with all the user interface changes "taking away" capabilities from site admins, why not load down the regular members with more than they need

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Thanks! Good to know I can change it even manually :/ hope they address this in the future.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

So......I can now no longer change the default Group membership permissions

It appears that Group Members, Group Owners, and Group Visitors is totally locked down, and can't modify permissions at all.

Guess it was just a matter of time....neutering the sharepoint sites continues

Re: Best Practices for Permissions on an O365 Group SharePoint Site

I'm with you in this perception....also trying to look for workarounds seems not be the right thing to do. But I'm still missing what are the plans of Microsoft in regards of what can be done and can't be done when defining the security to access to a modern team site or a Group site

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Also discovered the same...might be the fact that that default permission of "edit" for members may tie in closley with the other services so changing it might cause implications.

 

I hope they address this soon as it will become difficult to manage. 

 

Another question, is it possible to turn external sharing on or off for individual site collections which were created as part of a group? Since the collection does not appear in the SP admin site collections possible via Powershell maybe?

 

Cheers

 

 

Re: Best Practices for Permissions on an O365 Group SharePoint Site


Damien Flood wrote:

Another question, is it possible to turn external sharing on or off for individual site collections which were created as part of a group? Since the collection does not appear in the SP admin site collections possible via Powershell maybe?


Yes, it is.

See "Manage external sharing for Office 365 Group site collections" in https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environm...

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Thanks!

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Damian, check this thread out of you haven't already. Good explanation of roadmap and contribute permissions in Groups. Pls they just have ability to change group membership a different way. And groups now included in PowerShell to get sites

https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-fr...

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Hi Brent,

 

in regards to the improved permission management for Office 365 groups (https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-fr...) there are some more options to handle advanced permissions - I wouldn't call this complex. However, this already helps a lot for several user scenarios.

 

Moreover, I'd recommend as best practices first to set each new Group as private so that not everybody in the tenant can access it. Second, only certain users in the regarding security group should be allowed to create groups. And third, consider the invitation to external users (guests): permit this generally or only allow for certain groups.

 

Unfortunately, at the moment this has to be done manually after a group's creation. This also applies to more granular permissions, which are still possible to modify in the SharePoint site. However, I'd wish to have a better permission management or other governance options during groups creation process in order to enforce policies. At the moment this is only possible with 3rd party solutions. For now I can just say, use PowerShell and the manual permission management in the SharePoint sites to achieve your complex group permissions.

 

Hope this helps.

Rob

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Can somebody please shed some light here -

 

When an Office 365 group is created, the Owners group in the Sharepoint team site has no user added to it !

Now, when we reduce the permissions of the Members group to contribute, there is no user in the site, who can then manage the permissions on the site !!

Its strange, why isn't the user who created the Office 365 group added as an Owner in the site. Or am I missing something here ?

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Hi @Vipul Kelkar,

 

I guess, this is a GUI issue, because I have the same problem. I cannot see the users in the regarding groups. However, when I check the permissions, I can see that regarding users should have permission due to the membership of regarding permission group.

group-permission.png

 

Microsoft would say, this is by Design, although it's actually a GUI bug. ;-) Hope, this will be fixed.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

In the current Groups UI, site permissions are managed in the new pane accessible from the cog menu:

 

2017-03-07 15_11_51-TestPrivateGroup01 - Home.jpg

And, as clearly stated, owners and members should be managed only by OWA.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Hi @Salvatore Biscari,

 

you are right, it's recommended to manage permissions with the end user interface. However, every PowerUser is aware how to use the native permissions from previous normal site collections. Very often companies have complex permission requirements, which will definitely not be covered by only three groups (Owners, Members, Visitiors). Therefore we want to conifgure additional permissions directly on the site. It's deifnitely confusing, when users are granted permission to this site, but there is actually nobody in the regarding groups.

 

Doesn't matter, which UI I use, it should be deifnitely consistent to avoid ambiguities. That's my opinion. Happy to hear your opinion. :-)

Re: Best Practices for Permissions on an O365 Group SharePoint Site

I agree with you: the various UIs should be consistent.

Nevertheless, Groups have definitely a non-standard implementation wrt their parts (team sites, shared mailbox etc.): I think we should accept it.

Also, in classic team sites, upon creation, the three groups (Owners, in particular, but also Members and Visitors, of course) are empty.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

You think that's fun, try creating a subsite in a Group team site, the permissions there are all wonky too. The same restrictions are applied to "sub-site Members" (can't edit default "Edit" permissions). It tries to act like a "Group", but its not, "site information" doesn't load because it is not a Group. No way to get back up a level unless you hard code in a "go back" link or inherit menu, which may or may not work depending on the day.

This is a mess.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

Ah ! well thanks for that. So the user IS an owner in the site.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

I am not sure why but I don't see the note "To view or change the group members..." as you have indicated in your screenshot. But that apart, the outlook interface will only allow us to add members to the group which are directly added to the AD group.

Now that we have a full team site, people are going to want to manage permissions directly in team site on the list, libraries etc or for that matter provide access to the users to only READ the content. I was trying something similar and was baffled to see the owners group empty.

Re: Best Practices for Permissions on an O365 Group SharePoint Site

  1. For managing permissions, you can use (with care!) the hidden page https://tenant.sharepoint.com/sites/group/_layouts/15/user.aspx. But, while there, leave alone the standard groups!
  2. In the "Site permissions" pane, under the cog menu in the connected team site, you can safely change the default permissions for the standard groups.
  3. In the OWA UI, you can safely manage the standard groups membership: add members, remove members, promote members to owners, demote owners to members etc. The same can be done in the "Group membership" pane in the connected team site. And the same can be done also by PowerShell.

 

 

 

Related Conversations