Hello, We are not extensive users of Delve in my organization, but we had a case today of a user came to me who could see documents showing up in Delve that she did not have access to. The user could not open the documents (she was landing on a "Request Access" page) but titles and thumbnails can already be a lot of information. The user was not a member of the sites the documents were saved in or had not been shared the file with. She did not have any administrator roles, so I have no idea why she could see these documents. It was not consistent either: she only saw documents from a specific user show up (she was not part of his team). Any thoughts? Did this happen to other people as well? I don't want to disable Graph for SharePoint unless it is an actual pattern. I also noticed much of the effort has been focused on Microsoft Search lately, not Delve, is the idea that Delve will be decommissioned in favor of Search?

That's an interesting point, I had to read that section a few times but as I understand it, it's not saying that, following the example mentioned in the article, the manager will see the document at all, they would only be shown it if the document was shared with them. It is saying that you might see the document mentioned when browsing the manger's people page, it's just an indication that Delve thinks the document would be relevant to them based on what it knows. The manager won't see this document, in their Delve page and won't be able to access it, Delve won't override permissions and inadvertently give access to something that someone wouldn't normally be able to see otherwise.

Open a support ticket so they can dig into what could be happening to your user

Cian Allner: You are right - I misread the article (they did seem to make that part a little confusing though IMHO). So then I have no clue why I am seeing the exact same behavior in my client's tenant as you have reported in this issue. I am investigating at my end as well but i there's any information you can share once you find it out will be helpful. Thanks again!

That sounds plausible, while I would expect the Share option to add additional permissions for the specified user, who is being given access to the document, Copy link isn't so obvious. Reading the article and https://www.linkedin.com/pulse/share-copy-link-breaks-document-permissions-sharepoint-milan-gross, Copy link will share by default the document with the whole organization, breaking inheritance, that could result in unexpected over-sharing. This then could be reflected in Delve. Using this option instead would improve matters: "People with existing access returns a link that can be used by people who already have access to the document or folder. It does not change the permissions on the item. Use this if you just want to send a link to somebody who already has access." As part of the overall governance, it would be important to configure global sharing options appropriately and change settings on sites for when different requirements are required like mentioned in the article you posted. User education plays its part as well, in setting expectations and how things should work.

I haven't dealt with this issue specifically, so I am just going on the information I have looked at and how things look in my dev tenant. My hunch is that Copy link permissions is only applicable when accessing the resource directly from the link generated and doesn't work through any others means. If that was true, it's up to how Delve treats this, for example, a document shared with copy link won't appear in search, so I'd expect, I suppose Delve to be the same if there is that distinction: https://support.office.com/en-us/article/sharing-files-and-folders-74cab0bf-39c6-4112-a63f-88ee121722d0 " If you want to change who has access to the folder or document, on the Send Link display, click the ellipses icon in the upper right, and then click Manage access to go to the Permissions page. On the Permissions page, you can update or delete the access links that you have created. Note that if you want the document to appear in search results for the person you're sharing with, you must give them direct access to the file rather than sharing with a link."

Delve showing documents users do not have access to

20 Replies

Wendy_MSFT
Former Employee
May 22, 2019
Thank for the follow-up claire-Isabelle. Please let us know ASAP if you are able to repro this issue in the future with another user. Cheers, -Wendy
Wendy_MSFT
Former Employee
May 21, 2019
Hi Claire-Isabelle, Can you share a screenshot of what this user saw here or file a private bug via the feedback tool so I can investigate? Clearly this shouldn't be happening. :-(
gauravmahajan
Brass Contributor
Feb 19, 2019
I stumbled upon this article while investigating a related issue. You may want to check out the section titled "My private document is "trending around" another person - how is that possible?" from this link: https://support.office.com/en-ie/article/who-can-see-my-documents-f5f409a2-37ed-4452-8f61-681e5e1836f3

Up until now, my understanding too was that users should not even see documents thay dont have access to so this is a big red flag for me. Could this be what's happening for your user as well? Were you able to open a support ticket and did that help at all?
- Cian Allner
  Silver Contributor
  Feb 19, 2019
  That's an interesting point, I had to read that section a few times but as I understand it, it's not saying that, following the example mentioned in the article, the manager will see the document at all, they would only be shown it if the document was shared with them. It is saying that you might see the document mentioned when browsing the manger's people page, it's just an indication that Delve thinks the document would be relevant to them based on what it knows.
  
  The manager won't see this document, in their Delve page and won't be able to access it, Delve won't override permissions and inadvertently give access to something that someone wouldn't normally be able to see otherwise.
  - Michael Portman
    Copper Contributor
    May 20, 2019
    Cian Allnerwe have had to turn off Delve in our Office 365 education tenancy. We had multiple confidentiality issues where all staff recent documents were not only visible but could be opened by any other staff member. Non-membership of a group did not prevent users from seeing Group documents.
    For instance, our HR team has 2 members and holds confidential files on all staff. But any staff member could see and read these confidential documents from the Delve dashboard by first typing in the staff members' name in the search Window. This behaviour, according to the Delve security guide should not happen.
jcgonzalezmartin
MVP
Nov 23, 2018
Open a support ticket so they can dig into what could be happening to your user
- Claire-Isabelle Carlier
  Copper Contributor
  Nov 23, 2018
  Thanks, I already did.
  - Wendy_MSFT
    Former Employee
    May 21, 2019
    @Claire-Isabelle: How did you open the ticket? Asking as I'm not seeing any feedback from you in the queue? Did you submit via the "Feedback" link in the right side of the search results? That will route it directly to me for triage. Cheers, -Wendy

Forum Discussion

Delve showing documents users do not have access to

20 Replies

Resources