SharePoint permissions for intranet site

na0719
Occasional Contributor

Hi,

I was wondering if someone could help me decide what is the best way of implementing SharePoint permissions for the site I am working on. I am using SharePoint classic on Office365. It is an intranet site with various departments which means we will have unique permissions at almost every level or 1st level sub-site at the least. A sample structure of the site with required permissions is as follows:

 

| LEVEL | SITE/SUBSITE | USERS |
|---|---|---|
| 0 | Home | Admins (AD Group); All Employees (AD Group); |
| 0 | Employees | Admins (AD Group); All Employees (AD Group); |
| 2 | HR | Admins (AD Group); HR Managers (AD Group); HR Employees (AD Group); <adhocemployee1>; <username1> |
| 3 | HR Managers | Admins (AD Group); HR Managers (AD Group) |
| 3 | Staff | Admins (AD Group); HR Employees (AD Group); All Employees (AD Group) |
| 2 | IT | Admins (AD Group); IT Team (AD Group) |
| 1 | Non-Employees | Admins (AD Group); All Employees (AD Group); All Non-Employees (AD Group) |

 

where 0, 1, 2 and 3 are the different levels of sites, 0 being top level site and 3 being the 3rd level sub-site. Since the main permissions we will be using are Read, Contribute and Full Control, I plan to have 3 SharePoint Groups each for every sub-site. So, 3 for Employees, 3 for HR and so on. I am not sure if this is the right approach. Would it be better to have all users/AD groups individually assigned permissions rather than organizing them in groups? We will also have library level permissions assigned to users/AD Groups due to how they are accessed by the people in our organization which makes it a bit complicated and difficult to manage and ad hoc requests that come in ever so often for access to certain sub-sites/libraries.

 

My Approach:

HR sub-site permissions with SharePoint Groups

| GROUP NAME | PERMISSION LEVEL | USERS |
|---|---|---|
| HR Admins | Full Control | Admins (AD Group) |
| HR Readers | Read | HR Employees (AD Group); |
| HR Contributors | Contribute | HR Managers (AD Group); <username1> |


The other approach which I am not inclined towards is as follows:

 

| USERS | PERMISSION LEVEL |
|---|---|
| HR Managers (AD Group) | Contribute |
| <username1> | Read |
| HR Employees (AD Group) | Read |
| Admins (AD Group) | Full Control |
| <adhocemployee1> | Read |

 

Hoping someone would be able to tell me which approach is more suitable for my scenario.

Thank you!

2 Replies

@na0719 

Stay away (as much as possible) from assigning individual permissions. If you have 1 or 2 users that "might" be OK, but still.

And seeing that you will also break permissions inheritance on one or more libraries, this can/will get messy pretty quickly...

 

Why are you using a classic site? Can you not use a Communication site & hubsites?

 

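Build your Modern Intranet on SharePoint in Office 365 (https://resources.techcommunity.microsoft.com/resources/build-modern-intranet-on-sharepoint-office-365/)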

 

 

@Veronique Lengelle I've recently migrated our existing intranet from SharePoint 2010 to Office365. I am yet to understand why I should choose Modern site over classic. Apart from the benefit of viewing the site in mobile view, it seems to lack flexibility, and features that were otherwise available in the classic version are not available anymore. I would like to use announcements web part, have more than 3 levels of menu items in the mega menu, attach images inline with text, and many others, which are not currently available on modern sites.

 

I will go ahead with my approach in terms of permissions then, and see how that works out. Thank you.
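
The two HR sub-site layouts from the question, run through the kind of check a permissions review would apply before either is rolled out. This is an added example, not code from the thread: the function names are hypothetical, the rows are transcribed from the question's tables, and treating any principal not labelled "(AD Group)" as a single user is an assumption.

```python
# Added example (function names are hypothetical); rows are transcribed
# from the tables in the question.
RANK = {"Read": 1, "Contribute": 2, "Full Control": 3}

# Principals the question lists for the HR sub-site (level 2).
HR_REQUIRED = {"Admins (AD Group)", "HR Managers (AD Group)",
               "HR Employees (AD Group)", "<adhocemployee1>", "<username1>"}

# "My Approach": SharePoint group -> (permission level, members).
GROUP_LAYOUT = {
    "HR Admins": ("Full Control", ["Admins (AD Group)"]),
    "HR Readers": ("Read", ["HR Employees (AD Group)"]),
    "HR Contributors": ("Contribute", ["HR Managers (AD Group)", "<username1>"]),
}

# The other approach: principal -> level, assigned directly on the sub-site.
DIRECT_LAYOUT = {
    "HR Managers (AD Group)": "Contribute",
    "<username1>": "Read",
    "HR Employees (AD Group)": "Read",
    "Admins (AD Group)": "Full Control",
    "<adhocemployee1>": "Read",
}

def effective(group_layout):
    """Highest level each principal receives through group membership."""
    out = {}
    for level, members in group_layout.values():
        for member in members:
            if member not in out or RANK[level] > RANK[out[member]]:
                out[member] = level
    return out

def is_individual(principal):
    """Assumption: a principal not labelled '(AD Group)' is one user account."""
    return not principal.endswith("(AD Group)")

def audit(required, group_layout, direct_layout):
    eff = effective(group_layout)
    return {
        # Required principals that no SharePoint group grants access to.
        "uncovered": sorted(required - set(eff)),
        # Principals whose level differs between the layouts: (group, direct).
        "level_mismatch": {p: (eff[p], lvl) for p, lvl in direct_layout.items()
                           if p in eff and eff[p] != lvl},
        # Assignments on the sub-site that name a single user.
        "direct_user_grants": sorted(filter(is_individual, direct_layout)),
        # Role assignments to review on the sub-site under each layout.
        "assignments": {"groups": len(group_layout), "direct": len(direct_layout)},
    }
```

Calling `audit(HR_REQUIRED, GROUP_LAYOUT, DIRECT_LAYOUT)` returns the principals the group layout leaves without access, any principal whose level differs between the two tables, and the per-user grants that the direct layout places on the sub-site itself.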

 
