Customize Search Results per permissions


Hello all,

I have been facing an issue. I have installed an add-on to allow me to integrate SharePoint with Confluence. As it is using the search from SharePoint, I started a crawl on the main SharePoint site.

Afterwards, when I logged in to my normal account, which only has read access to 1 subsite, I was able to view all the documents on all sites through the search. What is worse, I was able to view their content, and yet I don't have any permission to the sites that they are located in.

I have completely deleted the search index and stopped the crawlers.

How can I limit search results to show only the content that the logged-in user has access to?

2 Replies
I've noticed when I flip between my test accounts, my test account (restricted) often inherits permissions from my actual (site collection admin) account. I see this as a pretty major security flaw in our own deployment. Not sure what others have seen, but I am training my users to access SharePoint in either an incognito window, or to set up one browser to clear cache and cookies upon closure of the browser.
Well, the idea is I'm using an admin account that has access to all sites and documents to get all the content from SharePoint by crawling.


Afterwards, I want the users, including me as an IT who uses the search, to view only the content they have access to without seeing the documents from other departments.
E.g. an Accountant from the Finance site can only find documents from Finance without being able to see HR documents in the search.

For some reason, after enabling the search, even though I do not have access to, let's say, the "Marketing" site, I still see all their documents in the search, and if I click on the search results it will take me to the file in Word Online and I can view and edit the files without having this permission on SharePoint, which is a huge security flaw if that's the case, or something is seriously wrong with the implementation with Office Online.


I know I can exclude some sites from being crawled, but I want to have the flexibility that won't require me to do everything manually, such as changing the settings every time a new site is created, a new document library is created or new users join.