Oct 25 2019 07:56 AM - edited Oct 25 2019 10:12 AM
Hi SharePoint-ers.
I have a classic site collection:
Level 1. My Company SP farm
Level 2. Operations (site collection) everyone in operations has read access
Level 3. Project 1 (team site)
We had a breach on project 1, where a new site owner deleted all unique permissions, and that site then inherited from the parent. All is well, we found out about the breach quickly, cleaned it up, did an audit, nobody saw what they weren't supposed to. However, the risk is still there that it could happen again.
What I'm wondering, is there a way (other than creating a brand new modern site which is its own site collection and site all at the same time and copying all the original content, permissions, and recreating workflows) to move/promote my classic Project 1 site to a modern site?
PS. We are looking at permission levels. Taking away Full Control from Team Owners and substituting "Team Owners" permission levels, so they can't delete unique site permissions and inherit from the top more permissive site.
Oct 25 2019 10:58 AM
Solution
Hi @Stephen Morley,
There are different options depending on the resources available to you.
For low-complexity sub-sites, you could manually build and migrate content.
For mid to high-complexity sub-sites, you could use a 3rd party app like Sharegate Desktop.
If you are comfortable with PowerShell scripting, you could use the PnP cmdlets to clone and migrate sub-sites.
If it's an option for you, I highly recommend Sharegate.
I hope this helps.
Norm
Oct 28 2019 11:48 AM
Changing to a modern site isn't going to fix your problem with users changing permissions. A modern communication site uses the exact same permission groups and principles as a classic SharePoint site. Site owners can even create their own little world of subsites and you are right back where you started.
For both classic and modern communication sites we have created a separate permission level that lets them do everything except create subsites or add/remove/create/delete permission groups. We make that group the owner of all the member/visitor groups so they can modify the people IN the groups but they can't modify the groups themselves.
To help eliminate the bottleneck of having to go through an IT ticket every time the site "owners" need a new group or private list or library, we've tapped certain power users in the business and made them owners with full control.
When you create a new site, you do have to go in and reassign the new group as the "owner" group under permsetup.aspx so that the new "owner" group has the ability to receive access requests, share the site, etc. And it does complicate reporting a bit since the members of the Owners group are not truly the site "owners" - as in the people who are responsible for the site and content. But once you get through all that, it's worked OK for us for the past 4+ years.
P.S. I have almost 100 collections and close to 500 sites in my business area.
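One way to script the restricted owner level described in the reply above, using the PnP PowerShell cmdlets (an added example, not code from any poster in this thread). The URLs, the group names and the credential-based sign-in are assumptions; "Team Owners" is the level name the original poster proposes.

```powershell
# Added example. All URLs and group names below are placeholders/hypothetical.
$RootUrl       = "https://sharepoint.example.com/sites/operations"  # placeholder
$SubsiteUrl    = "$RootUrl/project1"                                # placeholder
$LevelName     = "Team Owners"                  # level name from the original post
$OwnerGroup    = "Project 1 Team Owners"        # hypothetical restricted "owner" group
$ManagedGroups = @("Project 1 Members", "Project 1 Visitors")       # hypothetical
# Rights withheld: changing permissions/inheritance, creating subsites, creating groups.
$Denied        = @("ManagePermissions", "ManageSubwebs", "CreateGroups")
$cred          = Get-Credential   # assumption: credential sign-in works for this farm

# 1. Permission levels live at the root web of the site collection.
Connect-PnPOnline -Url $RootUrl -Credentials $cred
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $LevelName)) {
    Add-PnPRoleDefinition -RoleName $LevelName -Clone "Full Control" `
        -Exclude $Denied `
        -Description "Full Control without permission, subsite or group management"
}

# 2. Verify the level really lacks the withheld rights before handing it out.
$level = Get-PnPRoleDefinition -Identity $LevelName
foreach ($name in $Denied) {
    $kind = [Microsoft.SharePoint.Client.PermissionKind]$name
    if ($level.BasePermissions.Has($kind)) {
        throw "Permission level '$LevelName' still grants $name"
    }
}

# 3. Make the restricted group the owner of the member/visitor groups so its
#    members can change who is IN those groups without being able to change
#    the groups' permissions. SharePoint groups are site-collection scoped,
#    so this runs against the root connection.
foreach ($group in $ManagedGroups) {
    Set-PnPGroup -Identity $group -Owner $OwnerGroup
}

# 4. On the subsite (which has unique permissions), swap Full Control for the
#    restricted level. Assumes $OwnerGroup currently holds Full Control there.
Connect-PnPOnline -Url $SubsiteUrl -Credentials $cred
Set-PnPGroup -Identity $OwnerGroup -AddRole $LevelName -RemoveRole "Full Control"
```

Without `ManagePermissions` the group cannot delete unique permissions and fall back to inheriting from the parent, which is the change that caused the exposure described in the first post.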