SOLVED

Document Management with lots of specialized permissions

I have a document management question. How do you handle the case where a team writes a lot of sensitive documents that need to be tightly controlled? Sometimes person A should see it. Sometimes person B. Sometimes person A and B. Sometimes person A and B need read and person C needs write. Are document-level permissions the only way to go? Would you set different libraries (or Teams channels) for all the possible sharing scenarios? Any thoughts and insights would be appreciated.
6 Replies
Best Response confirmed by michaelkubala (Contributor)
Solution

@michaelkubala the first rule of thumb is to keep it as simple as you can. It can be annoying to open a library and see 6 documents when the person next to you can see 10. It can be equally annoying as an administrator to have to work through a complex permission structure, especially if it has been set up in association with multiple custom permission groups and/or unique permissions applied to folders or document sets (in addition to folders) and/or Member groups with read-only or Visitor groups with contribute permissions applied to them. 

My first suggestion is to create a basic security matrix - who in the team can edit or view the records. From this, you may then create a few (not too many) permission groups. Remember, the more complicated you make this, the harder it is to work out who has what access.

Consider if you can group access controls and documents by libraries. For example, a library where everyone has read access, another with an edit group and a read group. 

You mention Teams channels, but remember that every Team has a single SharePoint site linked with it (visible from the 'Files' tab); every channel creates a new folder in the default 'Documents' library on that linked SPO site. But you can open the SPO site and create new libraries with different permissions, and these libraries can be pinned to the menu bar in a Team (in addition to the default 'Files' tab that cannot be removed). Everyone in the Team will see the new tab (for a new library) but if they don't have access they won't see it. If they do, they will only be able to edit or read depending on the permissions on the library. 

Depending on how complex your requirement is, I'd suggest separate libraries with unique permission groups may be the easiest. The next would be the same library with unique permission groups applied to folders. Really really try to avoid unique permissions applied to documents.

In so many cases, as a SPO admin, I simply restore the default inherited permissions to fix access issues. My point was often the same - just because people have edit rights, doesn't mean they will edit, and if you are really worried about it, put an alert on the library. 
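The security-matrix step from the answer above, as an added example that is not part of the original post: it groups documents with identical access into one library each, lists the permission groups those libraries need, and flags one-document libraries that would otherwise end up as per-document permissions. The matrix contents and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample matrix: document -> {person: access level}.
MATRIX = {
    "budget-2024.xlsx":   {"A": "read", "B": "read", "C": "edit"},
    "budget-2025.xlsx":   {"A": "read", "B": "read", "C": "edit"},
    "hr-review.docx":     {"A": "edit"},
    "hr-policy.docx":     {"A": "edit"},
    "board-minutes.docx": {"A": "read", "B": "read"},
    "merger-draft.docx":  {"B": "edit", "C": "read"},
}
LEVELS = {"read", "edit"}

def plan_libraries(matrix):
    """Put documents whose reader and editor sets are identical into one library."""
    by_signature = defaultdict(list)
    for doc, acl in matrix.items():
        unknown = set(acl.values()) - LEVELS
        if unknown:
            raise ValueError(f"{doc}: unknown access level(s) {sorted(unknown)}")
        readers = frozenset(p for p, lvl in acl.items() if lvl == "read")
        editors = frozenset(p for p, lvl in acl.items() if lvl == "edit")
        by_signature[(readers, editors)].append(doc)
    libraries = [
        {"readers": sorted(r), "editors": sorted(e), "documents": sorted(docs)}
        for (r, e), docs in by_signature.items()
    ]
    # Largest libraries first; ties broken by document names for stable output.
    libraries.sort(key=lambda lib: (-len(lib["documents"]), lib["documents"]))
    return libraries

def permission_groups(libraries):
    """Distinct member sets across all libraries; each one is a reusable group."""
    groups = set()
    for lib in libraries:
        for members in (lib["readers"], lib["editors"]):
            if members:
                groups.add(tuple(members))
    return sorted(groups)

def singletons(libraries):
    """Documents alone in their library: candidates for simplifying the matrix."""
    return [lib["documents"][0] for lib in libraries if len(lib["documents"]) == 1]

if __name__ == "__main__":
    plan = plan_libraries(MATRIX)
    for lib in plan:
        print(lib)
    print("groups:", permission_groups(plan))
    print("review:", singletons(plan))
```

If the number of libraries approaches the number of documents, the matrix itself is too fine-grained and is worth simplifying before anything is built in SharePoint.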

 


@Andrew Warland that was a great answer. SharePoint has a great level of control that can be used as you mentioned. That seems to be the best answer, and using group permissions within SharePoint for assigning privileges. We have done this on many occasions and it just works, and is very simple.


@kerry6a1 thank you! I think our number 1 support issue was always something to do with permissions - primarily 'why can't I see something' or 'what did I do'. In one instance the Site Owners (accidentally) deleted the Site Owners group from a site that was full of unique permissions. It took close to 2 weeks to restore the Site Owners back on everything that had unique permissions assigned to it. 

Keep in mind too that permissions also drive what you can see via Delve or Discover - and even if you disable Delve (not a good idea I think), end-users can still find those documents if they search for them (and have access to them). 

Keep it simple is a great approach. 

I don’t know how broad your group of users would be, but instead of messing with permissions, look into utilizing labels and data classification. Define that, then you can specify who can open files with label x. Or these people can open documents labeled y. This way documents will maintain that label wherever it goes and permissions never have to be trimmed or broken to have sensitive documents secure.

@Andrew Warland great answer. Thanks for the insight. It looks like my best bet is to try to simplify the permissions structure rather than build out some solution to encourage the current practice of using file level permissions. 


@Chris Webb that's a very interesting idea. I'm going to look into that. Thanks!