May 09 2017 10:22 AM
Is it expected that when sharing documents via OneDrive for Business and assigning "Edit" permission, those users can delete the documents as well? This is a bit concerning as there doesn't appear to be a way to grant someone the ability to edit a document without also allowing them to delete that document from the original users' OneDrive.
To confirm this:
This moves the document into the original owners' recycle bin, which prevents further access by anyone they have shared it with.
May 09 2017 10:35 AM
SolutionMay 10 2017 03:48 AM
@jcgonzalezmartinis correct, as always.
When you choose to give edit rights while sharing, you are actually assigning behind the scenes the SharePoint "Contribute" permission level, which allows users to "view, add, update, and delete list items and documents" (from https://support.office.com/en-us/article/Understanding-permission-levels-in-SharePoint-87ecbb0e-6550...).
Unforunately there is not a permission level which allows users to edit but not delete documents.
May 10 2017 05:06 AM
While I appreciate the replies, I can tell you that our users will reconsider using OneDrive for Business to share files with others when they know that this can happen. I am sure that there are plenty of scenarios where allowing others to delete your files makes sense, but not providing a simple way to allow editing without deletion will make users uncomfortable with the platform.
May 13 2017 11:18 AM
The delete right being part of the "Edit" permission isn't the biggest issue in our environment. Instead, our biggest issue is people with "Edit" permissions have the right to change permissions on the document/library/list/site.
IMHO, when Microsoft made "Edit" the default with SP2013/SharePoint Online, it was a huge mistake.
May 14 2017 07:49 AM - edited May 14 2017 08:09 AM
Totally agree with you. EDIT permissions SHOULD NOT allow permission controls. This is undermining our ability to use ODFB since users (content owners) do not have control over access to their files if they collaborate.
I assume the thinking behind this behavior is that if someone can edit a document, they can download and share it -- but the same is true for READ as well and READ does not have permission controls.
So IDK what they heck the thinking is.
Read = Read
Edit = Contribute (don't like the delete list permission, but understand it's probably more about list control than list delete)
Full Control = Contribute + Permissions control
Just like it has been for years.
May 14 2017 08:06 AM
@Deleted @James Redmore
Couldn't the problem be solved simply unchecking "Allow members to share the site and individual files and folders" in Access Requests Settings?
May 14 2017 08:10 AM
May 14 2017 08:31 AM
Yes, you're right @Salvatore Biscari -- My problem is with the default settings. The default of this setting should be "off" and the default permission for the members groups should be contribute. The subtle change from "contribute" to "edit", combined with the default of allowing members to share, was a drastic change.
Even better would be an option in the admin center to set what the default should be. We have 7,000+ SharePoint sites (organized into 800+ site collections), so changing a default setting is a labor intensive activity for us.
May 15 2017 02:37 AM
@Deleted
My 2 cents:
All this said, I agree with you that a global option in the admin center would be much better. 😉
May 16 2017 08:17 PM
Thanks again Salvatore, we found the setting and looped our OneDrives to disable the settings -- users can turn them back on if they choose, but we prefer the more secured profile by default. This is so much better -- feel like I'm back in a comfortable old pair of jeans! cheers
Allow members to share the site and individual file and folders
Allow members to invite others to the site members group. <Site> Members. This setting must be enabled to let members share the site.
Connect-PnPOnline -Url $url
$RootWeb = Get-PnPWeb -Includes MembersCanShare
$SubWebs = Get-PnPSubWebs -Recurse
$AllWebs = @()
$AllWebs += $RootWeb
$RootURL = $RootWeb.Title
Write-Host $RootURL
foreach ($SubWeb in $SubWebs) {
$Sub = Get-PnPWeb -Identity $SubWeb -Includes MembersCanShare
$AllWebs += $Sub
}
foreach ($Web in $AllWebs) {
$WebTitle = $Web.ServerRelativeUrl
if ($Web.MembersCanShare) {
$Web.MembersCanShare = $false
$Web.Update()
$Web.Context.ExecuteQuery()
Write-Host "$WebTitle - MembersCanShare Disabled" -Fore Yellow
} else {
Write-Host "$WebTitle - MembersCanShare Already Disabled" -Fore DarkCyan
}
}
May 16 2017 10:01 PM
I'm not totally happy with either EDIT nor CONTRIBUTE. While EDIT is often to broad, CONTRIBUTE has too either little (when removing the DELETE permissions from this level) or too much (when leaving the DELETE permissions).
Therefore it is currently not possible to have a library where users can upload + rename, but not delete, since DELETE is necessary to RENAME a file ...
May 16 2017 10:02 PM
Jul 13 2017 11:57 AM
While it seems that this is how the permissions currently work, this isn't a solution to the question/problem.
Is there any update regarding wether or not an additional permission setting exists (or can exist in the future) that would allow for read/write permissions without the ability to delete files to non-owners? This is the problem, and I see no solution posted at this time.
May 09 2017 10:35 AM
Solution