07-07-2020 03:53 PM
07-07-2020 03:53 PM
07-07-2020 05:50 PMSolution
@michaelkubala the first rule of thumb is to keep it as simple as you can. It can be annoying to open a library and see 6 documents when the person next to you can see 10. It can be equally annoying as an administrator to have to work through a complex permission structure, especially if it has been set up in association with multiple custom permission groups and/or unique permissions applied to folders or document sets (in addition to folders) and/or Member groups with read-only or Visitor groups with contribute permissions applied to them.
My first suggestion is to create a basic security matrix - who in the team can edit or view the records. From this, you may then create a few (not too many) permission groups. Remember, the more complicated you make this, the harder is to to work out who has what access.
Consider if you can group access controls and documents by libraries. For example, a library where everyone has read access, another with an edit group and a read group.
You mention Teams channels, but remember that every Team has a single SharePoint site linked with it (visible from the 'Files' tab); every channel creates a new folder in the default 'Documents' library on that linked SPO site. But you can open the SPO site and create new libraries with different permissions, and these libraries can be pinned to the menu bar in a Team (in addition to the default 'Files' tab that cannot be removed). Everyone in the Team will see the new tab (for a new library) but if they don't have access they won't see it. If they do, they will only be able to edit or read depending on the permissions on the library.
Depending on how complex your requirement is, I'd suggest separate libraries with unique permission groups may be the easiest. The next would be the same library with unique permission groups applied to folders. Really really try to avoid unique permissions applied to documents.
In so many cases, as a SPO admin, I simply restore the default inherited permissions to fix access issues. My point was often the same - just because people have edit rights, doesn't mean they will edit, and if you are really worried about it, put an alert on the library.
07-07-2020 05:59 PM
@Andrew Warland that was a great answer. SharePoint has a great level of control that can be used as you mentioned. That seems to be the best answer, and using group permissions within SharePoint for assigning privilege's. We have done this on many occasions and it just works, and is very simple.
07-07-2020 06:11 PM
@kerry6a1 thank you! I think our number 1 support issue was always something to do with permissions - primarily 'why can't I see something' or 'what did I do'. In one instance the Site Owners (accidentally) deleted the Site Owners group from a site that was full of unique permissions. It took close to 2 weeks to restore the Site Owners back on everything that had unique permissions assigned to it.
Keep in mind too that permissions also drive what you can see via Delve or Discover - and even if you disable Delve (not a good idea I think), end-users can still find those documents if they search for them (and have access to them).
Keep it simple is a great approach.
07-07-2020 11:27 PM
07-08-2020 09:09 AM
@Andrew Warland great answer. Thanks for the insight. It looks like my best bet is to try to simplify the permissions structure rather than build out some solution to encourage the current practice of using file level permissions.
07-08-2020 09:11 AM
@Chris Webb that's a very interesting idea. I'm going to look into that. Thanks!