"Allow members to share the site and individual files and folders." make the site got messy

%3CLINGO-SUB%20id%3D%22lingo-sub-3332423%22%20slang%3D%22en-US%22%3E%22Allow%20members%20to%20share%20the%20site%20and%20individual%20files%20and%20folders.%22%20make%20the%20site%20got%20messy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3332423%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CP%3EInside%20each%20SharePoint%20site%20there%20is%20an%20option%20to%20allow%20members%20to%20Share%20files%20with%20other%20members%20using%20this%20setting%3A-%3C%2FP%3E%3CDIV%20class%3D%22%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F369820i8E60C282D3A3D215%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EMy%20question%20is%20when%20we%20should%20allow%20this%3F%20as%20per%20my%20experience%2C%20if%20we%20allow%20members%20to%20Share%20files%20with%20new%20members%2C%20this%20will%20cause%20the%20related%20files%2Ffolders%20to%20have%20unique%20permissions%2C%20and%20after%20couple%20of%20months%20the%20files%20permissions%20will%20became%20almost%20impossible%20to%20maintain.%20so%20for%20long%20running%20sites%2C%20should%20we%20always%20disable%20this%20option%3F%20and%20instead%20create%20multiple%20libraries%20and%20group%20the%20files%20based%20on%20the%20permissions%20we%20need%20to%20apply%2C%20so%20we%20only%20manage%20the%20permission%20on%20the%20library%20level%3F%20rather%20than%20having%20most%20of%20the%20files%20having%20unique%20permissions%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3332423%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDocument%20Library%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3332903%22%20slang%3D%22en-US%22%3ERe%3A%20%22Allow%20members%20to%20share%20the%20site%20and%20individual%20files%20and%20folders.%22%20make%20the%20site%20got%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3332903%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233354%22%20target%3D%22_blank%22%3E%40john%20john%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebased%20on%20my%20experience%2C%20my%20suggestion%20is%20to%20go%2C%20if%20possible%2C%20with%202nd%20approach%3A%3C%2FP%3E%3CUL%3E%3CLI%3Ecreate%20multiple%20libraries%20and%20group%20the%20files%20based%20on%20the%20permissions%20we%20need%20to%20apply%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI%20know%20this%20is%20not%20always%20possible%20%3CEM%3E(depending%20on%20Business%20Units%20or%20Departments%20need)%3C%2FEM%3E%20and%20you%20have%20to%20reach%20a%20compromise.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20said%3A%20The%20more%20granularity%20and%20flexibility%20you%20will%20provide%20to%20end-users%20in%20terms%20of%20permissions%20%3CEM%3E(by%20breaking%20the%20inheritance%20with%20the%20sharing)%3C%2FEM%3E%20the%20more%20difficult%20will%20be%20to%20you%20to%20control%20the%20access%20of%20your%20data.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3336364%22%20slang%3D%22en-US%22%3ERe%3A%20%22Allow%20members%20to%20share%20the%20site%20and%20individual%20files%20and%20folders.%22%20make%20the%20site%20got%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3336364%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1357800%22%20target%3D%22_blank%22%3E%40mr_w1nst0n%3C%2FA%3EThanks%20for%20your%20reply..%20But%20what%20we%20need%20to%20do%20in%20this%20case%3F%20i%20want%20to%20start%20a%20new%20project%20and%20as%20a%20first%20setup%20i%20need%20to%20set%207%20hub%20sites%20which%20consider%20as%20long%20running%20sites%2C%20for%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EIT%3C%2FLI%3E%3CLI%3EFinance%3C%2FLI%3E%3CLI%3ESales%3C%2FLI%3E%3CLI%3EMarketing%3C%2FLI%3E%3CLI%3EManagment%3C%2FLI%3E%3CLI%3EHR%3C%2FLI%3E%3CLI%3EConsultation%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eso%20should%20we%20allow%20members%20to%20share%20files%20or%20not%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3346751%22%20slang%3D%22en-US%22%3ERe%3A%20%22Allow%20members%20to%20share%20the%20site%20and%20individual%20files%20and%20folders.%22%20make%20the%20site%20got%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3346751%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233354%22%20target%3D%22_blank%22%3E%40john%20john%3C%2FA%3E%26nbsp%3Bas%20I%20said%20it's%20not%20black%20or%20white%2C%20you%20have%20to%20see%20what%20fits%20better%20for%20the%20overall%20organization.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIF%20you%20foresee%20that%20the%20unique%20permissions%20may%20generate%20too%20much%20%3CEM%3E%22headaches%22%3C%2FEM%3E%20for%20the%20IT%20department%20and%20it's%20not%20sustainable%20in%20the%20long%20run%20then%2C%20%3CU%3E%3CEM%3Ein%20my%20opinion%3C%2FEM%3E%3C%2FU%3E%2C%20you%20have%20the%20following%20options%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Configure%20the%207%20hub%20sites%26nbsp%3B%3CU%3E%3CSTRONG%3Ewith%3C%2FSTRONG%3E%3C%2FU%3E%20a%20sensitivity%20label%3C%2FP%3E%3CP%3EUsing%20a%20sensitivity%20label%20gives%20the%20possibility%20to%20share%20files%2C%20folders%20and%20site%26nbsp%3B%3CU%3E%3CSTRONG%3Eonly%3C%2FSTRONG%3E%3C%2FU%3E%26nbsp%3Bto%20site%20owners.%3C%2FP%3E%3CP%3E(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fsensitivity-labels-teams-groups-sites%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUse%20sensitivity%20labels%20with%20Microsoft%20Teams%2C%20Microsoft%20365%20Groups%2C%20and%20SharePoint%20sites%20-%20Microsoft%20Purview%20%7C%20Microsoft%20Docs%3C%2FA%3E).%3C%2FP%3E%3CP%3EYou%20still%20have%20the%20technical%20%3CEM%3E%22drama%22%3C%2FEM%3E%20of%20unique%20permissions%20but%20only%20the%20site%20owner%20will%20be%20capable%20to%20share%20contents%20which%20gives%20you%20a%20more%20structured%20control%20on%20what's%20going%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Disable%20the%20sharing%20via%20PowerShell%20in%20the%207%20hub%20sites%20%3CEM%3E(DisableCompanyWideSharingLinks)%20%3C%2FEM%3Eand%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20create%20a%20dedicated%20site%20collection%20where%20you%20allow%20corporate%20people%20to%20share%20files%2C%20folders.%3C%2FP%3E%3CP%3E%3CEM%3E(You%20will%20monitor%20later%20only%20this%20specific%20site%20to%20review%20the%20sharing)%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20You%20disable%20the%20sharing%20completely%20and%20you%20manage%20the%20permissions%20manually%20or%20via%20workflow%20to%20assign%20access%20to%20people%20on%20demand%3C%2FP%3E%3C%2FLINGO-BODY%3E
Valued Contributor

Inside each SharePoint site there is an option to allow members to Share files with other members using this setting:-

 

image.png

My question is when we should allow this? as per my experience, if we allow members to Share files with new members, this will cause the related files/folders to have unique permissions, and after couple of months the files permissions will became almost impossible to maintain. so for long running sites, should we always disable this option? and instead create multiple libraries and group the files based on the permissions we need to apply, so we only manage the permission on the library level? rather than having most of the files having unique permissions?

Thanks

3 Replies

Hi @john john ,

 

based on my experience, my suggestion is to go, if possible, with 2nd approach:

  • create multiple libraries and group the files based on the permissions we need to apply

I know this is not always possible (depending on Business Units or Departments need) and you have to reach a compromise.

 

As you said: The more granularity and flexibility you will provide to end-users in terms of permissions (by breaking the inheritance with the sharing) the more difficult will be to you to control the access of your data. 

 

@mr_w1nst0nThanks for your reply.. But what we need to do in this case? i want to start a new project and as a first setup i need to set 7 hub sites which consider as long running sites, for

 

  • IT
  • Finance
  • Sales
  • Marketing
  • Managment
  • HR
  • Consultation

 

so should we allow members to share files or not?

Thanks

@john john as I said it's not black or white, you have to see what fits better for the overall organization.

 

IF you foresee that the unique permissions may generate too much "headaches" for the IT department and it's not sustainable in the long run then, in my opinion, you have the following options:

 

1. Configure the 7 hub sites with a sensitivity label

Using a sensitivity label gives the possibility to share files, folders and site only to site owners.

(Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites - Microsoft ...).

You still have the technical "drama" of unique permissions but only the site owner will be capable to share contents which gives you a more structured control on what's going on.

 

2. Disable the sharing via PowerShell in the 7 hub sites (DisableCompanyWideSharingLinks) and          create a dedicated site collection where you allow corporate people to share files, folders.

(You will monitor later only this specific site to review the sharing) 

 

3. You disable the sharing completely and you manage the permissions manually or via workflow to assign access to people on demand