Best practice using Azure security groups to manage library permissions - I thought we had it!


We designed a hierarchy based on internal teams that we want to use for access to document library resources.
For example, in a simplified version we might want:

  • Exec Team to have access to all resources ↓
  • Payroll → limited to that group and Exec
  • Managers access to almost all but payroll and manager HR locations ↓
  • Senior Team Leads to team docs, Growth and HR folders except for Team Leads and above ↓
  • Nuts & Bolts to admin and finance docs ↓
  • Growth Team access to multiple team docs, theirs and all experience teams ↓
  • Experience Teams access to all customer data

So we created AAD Security Groups starting with the Experience permission group and then Growth. The Growth permission group gets a group membership to Experience, etc., up to the Exec permission group, which has a group membership to all the security permission groups.

We don't want SP site membership to define access to docs, so we delete the inherited permissions and add a Limited Access Group to the document library settings for the lowest hierarchical group; then all above should have access.

The idea is then if we add a Manager user, they are not added to multiple sites as Members; instead, access permissions are conferred via their permission group.

Managers belong to Senior Team Leads, which belongs to Growth, and so on.

When checking permissions on an Experience library for someone assigned to Manager for example, it shows they have multiple permission levels conferred by their group and all the groups that the Managers permission group belongs to on a downward cascading basis. BUT, the individuals only have access if Direct Members in their own group :facepalm:
Anyone have thoughts on why that would be?

And if the above isn't possible, what do other people do to assign a person to have access to multiple libraries? We have not found the perfect model for our operating needs. 

Thanks a TON in advance!

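An added example, not part of the post above: a small Python model of the nesting the post describes (Growth inside Experience, Senior Team Leads inside Growth, Managers inside Senior Team Leads, Exec inside Managers), with constructed user and group names, that compares who would reach a library granted only to the Experience group under transitive membership versus direct membership only. This is the audit a practitioner would run to see exactly which users the "direct members only" behaviour leaves out.

```python
"""Model nested security-group membership and compare transitive (expected)
access with direct-only (observed) access to a library."""
from collections import deque

# Constructed sample: each group maps to its direct members (users or groups).
# Nesting follows the post; user names and the Payroll entry are assumptions.
GROUPS = {
    "Experience": {"alice.exp", "Growth"},
    "Growth": {"bob.growth", "Senior Team Leads"},
    "Senior Team Leads": {"carol.stl", "Managers"},
    "Managers": {"dan.mgr", "Exec"},
    "Exec": {"erin.exec"},
    "Payroll": {"frank.pay", "Exec"},
}


def direct_users(group):
    """Users granted access if only direct membership of the group counts."""
    return {m for m in GROUPS.get(group, ()) if m not in GROUPS}


def transitive_users(group):
    """Users reachable through nested groups, i.e. what the hierarchy intends.
    Breadth-first walk with a visited set so a membership cycle cannot loop."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in GROUPS.get(queue.popleft(), ()):
            if member in GROUPS:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def access_gap(group):
    """Users the hierarchy expects to have access but who are denied when the
    library honours only direct members of the granted group."""
    return sorted(transitive_users(group) - direct_users(group))


if __name__ == "__main__":
    # The library is granted only to the lowest group, as in the post.
    print("direct:", sorted(direct_users("Experience")))
    print("transitive:", sorted(transitive_users("Experience")))
    print("gap:", access_gap("Experience"))
```

Running it lists every user above the Experience tier as "gap" users, which matches what the post observes; the same functions run against Payroll confirm that Exec reaches it while Growth does not.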