Best Practices for Permissions on an O365 Group SharePoint Site

Silver Contributor

So it seems that you can break permissions of individual lists/libraries/items, but you can't actually set permissions on the site as a whole?  Am I missing something when looking at configuring general permissions of a SharePoint Site

 

Is there general guidance on best practices for doing complex permissions on an O365 Group SharePoint Site?

38 Replies

I think that Site Permissions are determined by the Group membership/ownership.

I agree with Salvatore...behind the scenes a Site Group has the regular SharePoint Groups: Owners, Members and Contributors. By default, the Group itself is added to the Site Members Group...you can check this typing directly in the browser the people page: _layouts/15/people.aspx

Juan, do you know, BTW, why the Group itself is added to the Site Members?

@Brent Ellis

Anyway, if you feel adventurous, you can try "https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx".

Be careful! Smiley Wink

Of course,
You can always use "Old" URLs 🙂 directly in the browser

Nobody has really answered the question here, and I too have similar questions in terms of best practice.  For instance, what if you want to open your Group site up to a wider audience without adding group members?

at the moment I'm leaning towards not touching groups team sites permissions. My main concern is user experience. Even though you could assign permission to nonmember of this group, the end user would not see the group in the left navigation compared to when he/she is a direct member in that group.  

Also I've seen a new Site Permissions UI (right side pane) coming up, amd rumors about a view only permission set. 

Hi all,

 

Is it correct that when creating a group the default permissions for members is "Edit" and not "Contribute" correct?

 

Is it possible to change(e.g. to contribute) this when provisioning? Is it wrong to think that the default permissions for members is a bit much? I mean they have the potential to mess up things just because they can.

 

Cheers

That is accurate. And I whole-heartedly agree with bumping it down to contribute. We do that manually right now.

You can access the traditional SP permissions page including the Visitors group using this URL. That would be a way to make the group visible to additional people who aren't necessarily members of the group.

 

"https://<tenant>.sharepoint.com/sites/<group>/_layouts/15/user.aspx"

Hi @Brent Ellis, When you say manually do you mean you set the default when you provision the Group e.g. via powershell? Would love to know 🙂

Nah, straight up manually, navigate to user.aspx and click change permission

It is ironic though, with all the user interface changes "taking away" capabilities from site admins, why not load down the regular members with more than they need
Thanks! Good to know I can change it even manually 😕 hope they address this in the future.
So......I can now no longer change the default Group membership permissions

It appears that Group Members, Group Owners, and Group Visitors is totally locked down, and can't modify permissions at all.

Guess it was just a matter of time....neutering the sharepoint sites continues
I'm with you in this perception....also trying to look for workarounds seems not be the right thing to do. But I'm still missing what are the plans of Microsoft in regards of what can be done and can't be done when defining the security to access to a modern team site or a Group site

Also discovered the same...might be the fact that that default permission of "edit" for members may tie in closley with the other services so changing it might cause implications.

 

I hope they address this soon as it will become difficult to manage. 

 

Another question, is it possible to turn external sharing on or off for individual site collections which were created as part of a group? Since the collection does not appear in the SP admin site collections possible via Powershell maybe?

 

Cheers

 

 


@Damien Flood wrote:

Another question, is it possible to turn external sharing on or off for individual site collections which were created as part of a group? Since the collection does not appear in the SP admin site collections possible via Powershell maybe?


Yes, it is.

See "Manage external sharing for Office 365 Group site collections" in https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environm...

Damian, check this thread out of you haven't already. Good explanation of roadmap and contribute permissions in Groups. Pls they just have ability to change group membership a different way. And groups now included in PowerShell to get sites

https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-fr...