Delve showing documents users do not have access to


Hello,

 

We are not extensive users of Delve in my organization, but we had a case today where a user came to me who could see documents showing up in Delve that she did not have access to. The user could not open the documents (she was landing on a "Request Access" page) but titles and thumbnails can already be a lot of information. The user was not a member of the sites the documents were saved in, nor had the files been shared with her. She did not have any administrator roles, so I have no idea why she could see these documents. It was not consistent either: she only saw documents from a specific user show up (she was not part of his team). Any thoughts? Did this happen to other people as well? I don't want to disable Graph for SharePoint unless it is an actual pattern.

 

I also noticed much of the effort has been focused on Microsoft Search lately, not Delve. Is the idea that Delve will be decommissioned in favor of Search?

20 Replies
Open a support ticket so they can dig into what could be happening to your user

Thanks, I already did. 

I stumbled upon this article while investigating a related issue. You may want to check out the section titled "My private document is "trending around" another person - how is that possible?" from this link: https://support.office.com/en-ie/article/who-can-see-my-documents-f5f409a2-37ed-4452-8f61-681e5e1836...

 

Up until now, my understanding too was that users should not even see documents they don't have access to, so this is a big red flag for me. Could this be what's happening for your user as well? Were you able to open a support ticket and did that help at all?

That's an interesting point, I had to read that section a few times but as I understand it, it's not saying that, following the example mentioned in the article, the manager will see the document at all, they would only be shown it if the document was shared with them. It is saying that you might see the document mentioned when browsing the manager's people page, it's just an indication that Delve thinks the document would be relevant to them based on what it knows.

 

The manager won't see this document in their Delve page and won't be able to access it. Delve won't override permissions and inadvertently give access to something that someone wouldn't normally be able to see otherwise.

@Cian Allner: You are right - I misread the article (they did seem to make that part a little confusing though IMHO). So then I have no clue why I am seeing the exact same behavior in my client's tenant as you have reported in this issue. I am investigating at my end as well, but if there's any information you can share once you find it out, it will be helpful. Thanks again!

@Cian Allner I also posted this on #sphelp: https://twitter.com/mahajang/status/1097912015383904256 

One thing I did notice though in my client's environment is that they were sharing links to documents, which apparently has security implications too: https://derekgusoff.wordpress.com/2018/08/14/copy-link-in-modern-sharepoint-non-obvious-security-imp...

I am now wondering if the 2 issues are related. They unfortunately turned off Office Graph in their environment and did not maintain screenshots of the document in question so there's no easy way for me to check now. You may want to check in your tenant though if the document in question was being shared through a link. Sorry for the multiple posts but I am actively researching this since it has such a major security implication for a lot of organizations.

Thanks!

That sounds plausible, while I would expect the Share option to add additional permissions for the specified user, who is being given access to the document, Copy link isn't so obvious.  Reading the article and elsewhere, Copy link will share by default the document with the whole organization, breaking inheritance, that could result in unexpected over-sharing.  This then could be reflected in Delve.

 

Using this option instead would improve matters:

 


 

"People with existing access returns a link that can be used by people who already have access to the document or folder. It does not change the permissions on the item. Use this if you just want to send a link to somebody who already has access." 

 

As part of the overall governance, it would be important to configure global sharing options appropriately and change settings on sites for when different requirements are required like mentioned in the article you posted. User education plays its part as well, in setting expectations and how things should work.

Thanks. Yes, that's what I am thinking too but don't seem to find an easy way to confirm that the 2 issues are related. Is this something you were able to confirm by reviewing the settings/permissions for the documents that the user in your original question is seeing? You probably already know this but here's what you would see against a document for which a link has been generated using the "Copy Links" option:

 

I haven't dealt with this issue specifically, so I am just going on the information I have looked at and how things look in my dev tenant. My hunch is that Copy link permissions is only applicable when accessing the resource directly from the link generated and doesn't work through any other means. If that was true, it's up to how Delve treats this, for example, a document shared with copy link won't appear in search, so I'd expect, I suppose Delve to be the same if there is that distinction:

 

Sharing files and folders:

 

"If you want to change who has access to the folder or document, on the Send Link display, click the ellipses icon in the upper right, and then click Manage access to go to the Permissions page. On the Permissions page, you can update or delete the access links that you have created.

 

Note that if you want the document to appear in search results for the person you're sharing with, you must give them direct access to the file rather than sharing with a link."

@Cian Allner So sorry! I had been asking you to check the security on the document thinking all this while it was you who started the thread! lol

 

@Claire-Isabelle Carlier Any chance you could check the document to see if it was being shared through a link so we can test our hypothesis. Please refer to this link for steps to confirm or deny that: https://techcommunity.microsoft.com/t5/Microsoft-Search/Delve-showing-documents-users-do-not-have-ac...

@Cian Allner We have had to turn off Delve in our Office 365 education tenancy. We had multiple confidentiality issues where all staff recent documents were not only visible but could be opened by any other staff member. Non-membership of a group did not prevent users from seeing Group documents.

For instance, our HR team has 2 members and holds confidential files on all staff. But any staff member could see and read these confidential documents from the Delve dashboard by first typing in the staff member's name in the search window. This behaviour, according to the Delve security guide, should not happen.

Hi Claire-Isabelle, Can you share a screenshot of what this user saw here or file a private bug via the feedback tool so I can investigate? Clearly this shouldn't be happening. :(
@Claire-Isabelle: How did you open the ticket? Asking as I'm not seeing any feedback from you in the queue? Did you submit via the "Feedback" link in the right side of the search results? That will route it directly to me for triage. Cheers, -Wendy

@Wendy_MSFT I created a ticket in the Service Request section of the Microsoft 365 admin center. I can give you the ticket number if you are interested. 

Thanks, Claire-Isabelle! Yes, please share the bug #.
Just did via private message. Thanks for your help.
Thanks for the follow-up, Claire-Isabelle. Please let us know ASAP if you are able to repro this issue in the future with another user. Cheers, -Wendy

@Claire-Isabelle Carlier We saw a similar issue recently where some documents in a SharePoint site were showing in Delve search, but users did not have access to these documents.

We re-indexed the offending SharePoint site and the documents disappeared from Delve search, so our theory is that the search index was out of date.

It does raise the question though as to how often a full crawl is done in SharePoint to ensure that the search index is kept current - unfortunately I don't know the answer to this. Does anyone here know?

Thanks @Richard Rodgers, this is interesting. It seems from this post that changes should be indexed within the hour, but this may differ from one SLA to another.

https://techcommunity.microsoft.com/t5/Office-365/SharePoint-Online-search-crawl-schedule/td-p/59527