Restrict Administrators from specific Document Libraries


We have some confidential document libraries that only Sr Management should be able to access; however, as IT administrators, we're SharePoint Admins, site owners, etc., and therefore have full access.

How do we break that JUST for a document library? For example, we have multiple Subsites on SO that each have a document library. The admins should be admins on the SITES but not have access to read the files inside the document library (else how can you ever have something confidential)? This is mostly important for Payroll and HR files.

I'm in the library settings, and they are unique as the subsite permissions are unique, but I cannot see a way to break the inheritance of the library from the site.

This must be possible, as even the IT administrators that set up the sites need to be able to remove themselves from some files.

1 Reply
Admins have always had access to everything; this is where admin governance / roles come into play, by restricting your admins and what they can do. SharePoint admins obviously can go in and assign themselves as Site Collection Admins. These admins can see all files no matter what.

This is where you have to deploy extra tech like IRM or possibly the newer sensitivity labels with encryption on documents, which allow you to label documents as confidential so that only people specified for that label can open those documents. See the following: https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-sensitivity-labels

Of course, this protects the document itself. An admin that has rights to edit labels can still add themselves to the label permissions and get into the file, but you have to keep in mind that this is where audit log monitoring comes into play. You can have someone audit for these events and changes by admins to dig into why they are doing these actions.

Even if you don't do labels, you can audit permission changes on sites / libraries to see if admins accessed content as well. But using labels and encryption etc. keeps people from sharing these documents outside of your organization / with other users by downloading them, etc.
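The reply's practical control is audit log monitoring. As an added example that is not part of this thread, the detection logic below runs over constructed records shaped like the SharePoint entries of the Microsoft 365 unified audit log and flags an admin who grants themselves site collection admin on a site and then reads a file in a confidential library there; the field names, operation names, users, site URLs and allow-list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed records shaped like SharePoint entries of the M365 unified audit log
# (AuditData already parsed from JSON); field names, users and URLs are assumed.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-02-10T09:00:00", "Operation": "SiteCollectionAdminAdded",
     "UserId": "it.admin@contoso.example", "SiteUrl": "https://contoso.example/sites/HR/",
     "TargetUserOrGroupName": "it.admin@contoso.example"},
    {"CreationTime": "2020-02-10T09:05:00", "Operation": "FileAccessed",
     "UserId": "it.admin@contoso.example", "SiteUrl": "https://contoso.example/sites/HR/",
     "ObjectId": "https://contoso.example/sites/HR/Payroll/salaries.xlsx"},
    {"CreationTime": "2020-02-10T10:00:00", "Operation": "FileAccessed",
     "UserId": "hr.lead@contoso.example", "SiteUrl": "https://contoso.example/sites/HR/",
     "ObjectId": "https://contoso.example/sites/HR/Payroll/salaries.xlsx"},
    {"CreationTime": "2020-02-11T08:00:00", "Operation": "SiteCollectionAdminAdded",
     "UserId": "it.admin@contoso.example", "SiteUrl": "https://contoso.example/sites/Marketing/",
     "TargetUserOrGroupName": "mkt.owner@contoso.example"},
]

# Confidential libraries and the only people expected to read them (assumed allow-list).
CONFIDENTIAL = {"https://contoso.example/sites/HR/Payroll/": {"hr.lead@contoso.example"}}

def self_elevations(records):
    """Site collection admin grants where the actor granted the right to themselves."""
    return [r for r in records
            if r["Operation"] == "SiteCollectionAdminAdded"
            and r.get("TargetUserOrGroupName", "").lower() == r["UserId"].lower()]

def unexpected_reads(records, confidential=CONFIDENTIAL):
    """File reads inside a confidential library by anyone outside its allow-list."""
    hits = []
    for r in records:
        if r["Operation"] != "FileAccessed":
            continue
        for prefix, allowed in confidential.items():
            if r["ObjectId"].startswith(prefix) and r["UserId"].lower() not in allowed:
                hits.append(r)
    return hits

def elevation_then_read(records, window=timedelta(hours=24)):
    """Correlate a self-grant with a later unexpected read on the same site by the same user."""
    findings = []
    for grant in self_elevations(records):
        for read in unexpected_reads(records):
            gap = (datetime.fromisoformat(read["CreationTime"])
                   - datetime.fromisoformat(grant["CreationTime"]))
            if (read["SiteUrl"] == grant["SiteUrl"] and read["UserId"].lower() == grant["UserId"].lower()
                    and timedelta(0) <= gap <= window):
                findings.append((grant["UserId"], grant["SiteUrl"], read["ObjectId"]))
    return findings
```

The same three checks can be pointed at real export data once each record's AuditData JSON has been parsed; the grant to a different user on the Marketing site and the HR lead's own read are deliberately left unflagged.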