Nov 16 2016 09:35 AM
So it seems that you can break permissions of individual lists/libraries/items, but you can't actually set permissions on the site as a whole? Am I missing something when looking at configuring general permissions of a SharePoint Site
Is there general guidance on best practices for doing complex permissions on an O365 Group SharePoint Site?
Feb 27 2017 01:14 AM
Hi Brent,
in regards to the improved permission management for Office 365 groups (https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-fr...) there are some more options to handle advanced permissions - I wouldn't call this complex. However, this already helps a lot for several user scenarios.
Moreover, I'd recommend as best practices first to set each new Group as private so that not everybody in the tenant can access it. Second, only certain users in the regarding security group should be allowed to create groups. And third, consider the invitation to external users (guests): permit this generally or only allow for certain groups.
Unfortunately, at the moment this has to be done manually after a group's creation. This also applies to more granular permissions, which are still possible to modify in the SharePoint site. However, I'd wish to have a better permission management or other governance options during groups creation process in order to enforce policies. At the moment this is only possible with 3rd party solutions. For now I can just say, use PowerShell and the manual permission management in the SharePoint sites to achieve your complex group permissions.
Hope this helps.
Rob
Mar 06 2017 10:53 PM - edited Mar 07 2017 03:36 AM
Can somebody please shed some light here -
When an Office 365 group is created, the Owners group in the Sharepoint team site has no user added to it !
Now, when we reduce the permissions of the Members group to contribute, there is no user in the site, who can then manage the permissions on the site !!
Its strange, why isn't the user who created the Office 365 group added as an Owner in the site. Or am I missing something here ?
Mar 07 2017 04:12 AM
Hi @Vipul Kelkar,
I guess, this is a GUI issue, because I have the same problem. I cannot see the users in the regarding groups. However, when I check the permissions, I can see that regarding users should have permission due to the membership of regarding permission group.
Microsoft would say, this is by Design, although it's actually a GUI bug. ;) Hope, this will be fixed.
Mar 07 2017 06:13 AM
In the current Groups UI, site permissions are managed in the new pane accessible from the cog menu:
And, as clearly stated, owners and members should be managed only by OWA.
Mar 07 2017 06:29 AM
you are right, it's recommended to manage permissions with the end user interface. However, every PowerUser is aware how to use the native permissions from previous normal site collections. Very often companies have complex permission requirements, which will definitely not be covered by only three groups (Owners, Members, Visitiors). Therefore we want to conifgure additional permissions directly on the site. It's deifnitely confusing, when users are granted permission to this site, but there is actually nobody in the regarding groups.
Doesn't matter, which UI I use, it should be deifnitely consistent to avoid ambiguities. That's my opinion. Happy to hear your opinion. :)
Mar 07 2017 08:33 AM
I agree with you: the various UIs should be consistent.
Nevertheless, Groups have definitely a non-standard implementation wrt their parts (team sites, shared mailbox etc.): I think we should accept it.
Also, in classic team sites, upon creation, the three groups (Owners, in particular, but also Members and Visitors, of course) are empty.
Mar 07 2017 08:43 AM
Mar 08 2017 12:08 AM
Mar 08 2017 12:13 AM
Mar 08 2017 10:31 AM
Feb 23 2018 03:43 AM
Hello everyone!
I absolutely agree with Robert Mulsow. I also cannot see members once I enter the advanced site permissions options for a specific private group.
Also, it is very difficult to set permissions on a folder level. I entered the library settings and then entered permissions for this library. Later I tried to break the inheritance, but I ended up being kicked out of the group.
Any recommendations?
It is important to be able to set permissions on a document or a folder level as 3 types of group members (owner, member, visitor) will not cut it :(.
Feb 24 2018 05:19 AM
@Deleted
As it has been stated in several other threads, it is better to leave alone permissions in Groups teamsites.
If you need more sophisticated permissions structures, then you should better use classic team sites.
Feb 26 2018 04:39 AM
Feb 26 2018 10:33 AM
Great blog about these modern sites, Groups, Teams, etc. and what's the recommended way to use them - also from security perspective.
Nov 08 2018 07:48 AM
Nov 08 2018 07:53 AM
Nov 16 2018 05:29 AM
We do the same.
Nov 16 2018 05:29 AM
@Brent Ellis wrote:
That is accurate. And I whole-heartedly agree with bumping it down to contribute. We do that manually right now.
We do the same.
Feb 11 2020 01:23 PM
I know this is a dormant thread, but just in case I'd be interested in ongoing developments on this thread. Launching a number of group/team sites and would love to be able to kick members down to contribute rights.