Forum Discussion

PHubaut
Copper Contributor
Jul 11, 2018
Solved

Can we deny a Site Owner (not Site Col. Admin) access to a Document Library in his site?

We would like to set up a Document Library in a SharePoint Online site with different members, visitors and owners than the Site the Document Library will be created in. It works very well (we have different populations for visitors [read] and "members" [edit]) but we can't prevent the parent Site Owners from having ~Full Control access to the Library even if they do not have explicit Full Control permission on (they are not owners of) the Library. Please note: these owners are NOT Site Collection Administrators (which, we know, cannot be denied access to a library). Thanks, Pierre

3 Replies

  • Is this a modern SPO Site with an Office 365 Group behind the scenes? If so, then the problem you have is that by default Group Owners are site collection administrators
    • PHubaut
      Copper Contributor

      We are indeed using Modern SharePoint Online and the interface to manage members of a site (the so-called "Team Site") is tricky [not sure about Office 365 groups, but we have symptoms matching what you describe]... Referring to the two pictures below, here is how it seems to work. As we can see in the right picture, users (members), existing or added, are assigned the "Member" or "Owner" role, but the behavior is quite surprising:

      • When selecting "Member", the user is added to the group "<Site Name> - Members". This can be seen by doing a Permissions Check for that user, which shows something like "Edit - Given through the "<Site Name> - Members" group". However, if you look at this Group itself and its members, you won't see the user: the actual membership status and the displayed membership status are different :-(
      • When selecting "Owner", it is worse: it maybe adds the user to the "<Site Name> - Owners" group, but it also adds them to the "Site Collection Administrators" (or an equivalent resulting in the same permission, basically what you refer to as well). However, you can't see it: again, looking at the members of the Group "<Site Name> - Owners" won't show the user AND, also, looking at "Site Collection Administrators" you won't see the user there either.

      The bottom line is, the user is indeed a Site Collection Administrator; this is why the restriction on rights is failing (thanks therefore for your question/remark!).


      Workaround:

      • List explicitly the Site Collection Administrators in the permissions settings to avoid confusion with this special administration pane, which is far from perfect at this stage
      • Make users "Members" and place them explicitly in the "<Site Name> - Owners" group if you want them to be Site Owners without automatically being Site Collection Administrators as well!

      It is not perfect, and more tests are required to fully understand what's happening behind the scenes, but these are the root causes of the issues and the way to solve them.

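The audit and workaround from the reply above, as an added PowerShell example that is not from the thread or from Microsoft: it assumes the PnP.PowerShell module (its Get-PnPMicrosoft365GroupOwners, Get-PnPGroupMember, Remove-PnPMicrosoft365GroupOwner and related cmdlets), placeholder site and user values, and that each user's Email matches their UserPrincipalName.

```powershell
# Added example, not from the thread. Finds users who hold hidden Site Collection
# Administrator rights through Microsoft 365 Group ownership (the path the modern
# "Site members" pane does not display) and applies the thread's workaround.
# Requires: Install-Module PnP.PowerShell; an account with Graph group permissions.
$siteUrl = "https://contoso.sharepoint.com/sites/ProjectX"   # placeholder
$user    = "pierre@contoso.com"                              # placeholder

Connect-PnPOnline -Url $siteUrl -Interactive

# Group-connected sites expose the backing Microsoft 365 Group as GroupId.
$groupId = (Get-PnPSite -Includes GroupId).GroupId
if (-not $groupId -or $groupId -eq [Guid]::Empty) {
    throw "Not a group-connected site; only the SharePoint Owners group applies."
}

# Source of the hidden rights: Group owners, not the SharePoint Owners group.
# (UserPrincipalName is the assumed property name on the returned objects.)
$groupOwners = (Get-PnPMicrosoft365GroupOwners -Identity $groupId).UserPrincipalName

# Explicit SharePoint-level principals, for comparison with the pane's display.
$ownersGroup = Get-PnPGroup -AssociatedOwnerGroup
$spOwners    = (Get-PnPGroupMember -Group $ownersGroup).Email
$scaList     = (Get-PnPSiteCollectionAdmin).Email

foreach ($o in $groupOwners) {
    # A Group owner is an effective SCA even when no permission page lists them,
    # so unique permissions on a library do not restrict them.
    if ($scaList -notcontains $o) {
        Write-Warning "$o is a Group owner (effective SCA) but not listed as SCA."
    }
    if ($spOwners -notcontains $o) {
        Write-Warning "$o is not in '$($ownersGroup.Title)'; rights come from the Group only."
    }
}

# Thread workaround: demote to Group member, then grant owner rights only through
# the SharePoint Owners group, so library-level restrictions apply to this user.
# Note: the Group must keep at least one owner, so demote the last owner only
# after another owner has been added.
Remove-PnPMicrosoft365GroupOwner -Identity $groupId -Users $user
Add-PnPMicrosoft365GroupMember   -Identity $groupId -Users $user
Add-PnPGroupMember -Group $ownersGroup -LoginName $user
```

Re-run the audit loop after any change in the Site members pane, since promoting a user to Owner there re-grants the hidden rights.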

      • Deleted
        Yeah, that's just the way groups interact with SharePoint, since SharePoint has its own permission set, and I wish other platforms like Teams etc. did as well, because the group model isn't very friendly for granularity. That was their vision though, that the Team can work as a team (group), but it's coming around to be difficult with requests such as private channels in Teams etc.

        With SharePoint it's pretty much: you're an owner, you get added on the back end as site collection admin, and the members get added into the members group by adding the "Group object" into the members group, so it just basically gives anyone member access. As you've discovered, you can manipulate what members can do on SharePoint but not owners :).
