SOLVED

User has access to SharePoint files for a team channel she's not a member of

Copper Contributor

We have a team with several channels. A couple of these channels are only open for a subset of this team. This means that not all team members can see or access these channels.

 

Today, one user who's not a member of these channels discovered something:

- She was in a file folder for one of the teams she IS a member of

- She chose "Open in SharePoint"

- She was then taken to the same file folder in SharePoint

- She then chose Documents in the left side menu in SharePoint

- She could now see the file folders for ALL channels, even the ones she doesn't have access to inside Teams.

 

Is this normal behavior between SharePoint and Teams? If so, that is a huge security fault. Or is it a setting I can set to prevent this? 

 

7 Replies

Hi @Hogne1260 ,

 

Users should only ever see information they have been given access too so something must be wrong with the permissions here.  By default, if a user is a member of a Team they have access to all the channels and in turn the document library which stores the files. The exception to this is if you have created Private Channels.  However, when creating Private Channels a Team site (SPO site) is created for each separate Private Channel so from your description of folders it doesn't sound like this is the case? 

Of its visible from the document root folder it’s not a private channel! PC lives in a separate site and has a library of its own! Check the privacy of the channel if it’s a private channel! Also keep in mind that if you previously had a normal channel with this name and later was deleted that folder and it’s files are still in SharePoint.

Adam

@Paul Turner By SPO, do you mean that the private  channel will have a completely new SharePoint site with the same name as the channel? Or do you mean that it should have it's own folder structure, where the top folder has the same name as the private channel? 

@adam deltinger Thanks for the tip about the possibility of this being a deleted channel. I will check with those who created this team. 

best response confirmed by Hogne1260 (Copper Contributor)
Solution
You are correct. A private channel creates a completely separate SPO site with it's own document library and you can update permission for this from the Teams channel itself. Any changes of permissions via the SPO site will be overwritten when the private channel synchronises so always administer from Teams.
The Private channel permissions are independent of the Team permissions but will inherit from the Team permissions at the point of creation.

@Paul Turner  Thanks! I didn't know this. I have to update som of my documentation. 

@Hogne1260 Did you ever get to the bottom of this because today (3 years after you posting!) a user has just come across the exact same thing which has concerned me massively with the amount of other teams we have. One thing I noticed is that looking at the SP settings for a private channel, it seems as though it has the standard SP permissions groups - Owners, members and viewers but surely that shouldn't be the case if it is a private channel?? Massive issue if I have to check every single team!

1 best response

Accepted Solutions
best response confirmed by Hogne1260 (Copper Contributor)
Solution
You are correct. A private channel creates a completely separate SPO site with it's own document library and you can update permission for this from the Teams channel itself. Any changes of permissions via the SPO site will be overwritten when the private channel synchronises so always administer from Teams.
The Private channel permissions are independent of the Team permissions but will inherit from the Team permissions at the point of creation.

View solution in original post