Item permissions on based on AD groups in Sharepoint Online List


Hi SharePoint Online Users,

I have the below security/permission requirement and want to know whether this is possible in SharePoint Online.

There is a list having users from different countries. The permissions are given through AD groups (each country having their own AD group, one for each of edit, read, etc.).
The end user should be able to see only the items specific to his country and the global items (common to all) and not the items from other countries.
Is it possible to achieve this even through code? With the SharePoint Modern interface and Microsoft discouraging coding to an extent, is it possible? Or can this be done with the OOTB features, am I missing something?

 

Regards,

Kevin

 

4 Replies

Hi @kevingeorget, short answer is yes, you can do what you're describing. Effectively you're describing breaking permissions inheritance on each list item, and removing the groups that you don't want accessing that. This is achievable through the UI, Flow, code, SPD workflows. Removing permissions means that the rest of the data is security trimmed, therefore achieving the desired effect.

 

However, I would not recommend this approach, as creating a huge number of unique list item permissions will make the administration of the system extremely difficult. Also, by using Active Directory Groups, you can't see the membership of the group from SharePoint, therefore you'll need to cross reference group memberships with Active Directory or buy your AD Admins a pack of biscuits and ask them to do it for you.

 

Personally I don't like breaking permission inheritance below list/library level, so if possible I would consider other options for how to store my data.
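The item-level approach described in the reply above, as an added example in PnP PowerShell; this is not code from the thread, from Matt Weston, or from Microsoft. It assumes the site URL, the list name, a "Country" choice column whose value is either a country code or "Global", and a SharePoint group naming convention of "SP-<Country>-Read" / "SP-<Country>-Edit" (all placeholders), with the AD security groups already nested inside those SharePoint groups and granted Read/Edit at list level. Global items keep list-level inheritance (so every country group sees them); country items get inheritance broken and only their own country's groups re-granted. The second function is the administration check the reply warns about: it lists every item carrying unique permissions and who holds them.

```powershell
# Added example (not from the thread): per-item permissions driven by a
# "Country" column, using the PnP.PowerShell module.
#Requires -Modules PnP.PowerShell

$SiteUrl      = "https://contoso.sharepoint.com/sites/countries"  # placeholder
$ListName     = "Requests"                                          # placeholder
$CountryField = "Country"                                           # placeholder column: e.g. "DE", "FR", "Global"

Connect-PnPOnline -Url $SiteUrl -Interactive

function Set-CountryItemPermissions {
    param([string]$List, [string]$Field)

    $items = Get-PnPListItem -List $List -Fields "Title", $Field -PageSize 500
    foreach ($item in $items) {
        $country = $item[$Field]
        if ([string]::IsNullOrWhiteSpace($country)) {
            # An item with no country is ambiguous; leave it inherited and flag it
            # rather than silently exposing it or hiding it.
            Write-Warning "Item $($item.Id) has no '$Field' value; left inheriting."
            continue
        }

        $isUnique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments

        if ($country -eq "Global") {
            # Global items must be visible to all countries: restore list-level
            # inheritance if someone previously broke it on this item.
            if ($isUnique) {
                Set-PnPListItemPermission -List $List -Identity $item.Id -InheritPermissions
            }
            continue
        }

        # Country item: break inheritance and clear everything inherited from the
        # list (which removes the other countries' groups), then grant only this
        # country's groups. Site collection admins keep access regardless.
        Set-PnPListItemPermission -List $List -Identity $item.Id `
            -Group "SP-$country-Read" -AddRole "Read" -ClearExisting
        Set-PnPListItemPermission -List $List -Identity $item.Id `
            -Group "SP-$country-Edit" -AddRole "Edit"
    }
}

function Get-UniquePermissionReport {
    # Audit helper: one row per item with unique permissions, listing the
    # principals granted on it. Run this after any bulk change, and on a
    # schedule, because item-level ACLs drift and are invisible in list views.
    param([string]$List, [string]$Field)

    Get-PnPListItem -List $List -Fields "Title", $Field -PageSize 500 | ForEach-Object {
        $unique = Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments
        if (-not $unique) { return }

        $assignments = Get-PnPProperty -ClientObject $_ -Property RoleAssignments
        $principals = foreach ($ra in $assignments) {
            (Get-PnPProperty -ClientObject $ra -Property Member).Title
        }

        [pscustomobject]@{
            Id         = $_.Id
            Title      = $_["Title"]
            Country    = $_[$Field]
            Principals = ($principals -join "; ")
        }
    }
}

Set-CountryItemPermissions -List $ListName -Field $CountryField
Get-UniquePermissionReport -List $ListName -Field $CountryField | Format-Table -AutoSize
```

Two caveats follow directly from the reply. First, the script only trusts the SharePoint group name derived from the column; it cannot see who is inside the nested AD group, so the membership of "SP-DE-Read" still has to be verified in Active Directory or Entra ID. Second, every run of the first function is a write against each country item's ACL; on a list of any size that is exactly the volume of unique permissions the reply says becomes hard to administer, which is why the report function is there.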


@Matt Weston Thanks a lot for the reply. I'll keep this in mind and will probably need to change my approach.


@Matt Weston 

May I ask what you would suggest to prevent users in a given country from seeing items entered by users in a different country?

 

I've thought of separate lists altogether and merge them into a single one for analysis, but that overhead may be similar to managing different groups.

 

Thank you very much

Leonel

 


Hi @Leonel GUZMAN, there's not an easy answer to this that I'm aware of. My personal approach would be that if I need to have that separation of countries, then I'd have either completely separate lists or separate sites altogether. The choice will depend on what the ramifications are with regards to having different countries within the same site.

 

Depending on what you want to do, you could maintain a master list somewhere, with Flow copying data to it, which goes against the principle of "one version of the truth", or, depending on the data, you could use something like Power BI to pull all of your data sources together into a single dashboard.