Jan 10 2019 07:29 AM
Hi everyone,
we figured out a behavior with sharing items/documents in SharePoint which from our point of view is a bug.
Let us assume that the user "John Doe" is the owner of a SharePoint Site Collection / Web. Now another user navigates to a document in a library, selects a document and clicks the "Share" action. Then he chooses "People with existing access".
We select "John Doe", who already has access to this document because he is the owner of the site, and click "Apply".
SharePoint now breaks the role inheritance of the item and inserts John's dedicated account. The expected behavior should be: SharePoint recognizes that John already has access and simply sends him the link.
The actual behavior leads to unnecessary item level permissions which are hard to monitor and control in terms of security and governance.
Any advice, ideas or tips on how to assign this to the right people at Microsoft?
Thanks
Björn
Jan 10 2019 07:42 AM
Jan 10 2019 02:05 PM
I believe this is working as intended by MS. (I'm with you - I don't like it either).
Jan 11 2019 03:15 AM
If this is intended by Microsoft I do not understand the difference between
"People in my Organisation" vs. "People with existing access", because both options lead to item level permissions ;-(
If I transfer this to a support request within O365 Admin center, I bet this will lead to a never ending story :( I raised a request in user voice
Jan 11 2019 03:20 AM
And additionally, within our concrete use case, only site owners are allowed to share documents to people outside the site collection. Now when a member of the site uses the SHARE button just to inform another member that a document has changes, a workflow will always kickoff an approval e-mail for the owners because of the item permissions that have to be changed (disgusting!!)
Jan 11 2019 09:33 AM
Jan 14 2019 01:18 PM
Hi Bjorn,
I have the same experience and frustrations with item level sharing. For sites with restricted content we disable sharing and coach users to provide document URL locations.
It's not the best user experience but it preserves the security model.
I voted on your user voice.
Norm
Jan 15 2019 09:58 AM
Solution
Hi all,
The bad news is that this is unexpected. When sharing with a "People with existing access link", it should only send the user a canonical URL and it definitely shouldn't permission the user to the item.
The good news is that a fix is already rolling out and so this should go away shortly :)
Thanks!
Stephen Rice
OneDrive Program Manager II
Jan 15 2019 09:59 AM
Jan 15 2019 10:00 AM
Jan 15 2019 10:02 AM
@Chris Webb, it should be a direct URL (though it may have the parameters we use to direct users to the previewer, etc.). Thanks!
Stephen Rice
OneDrive Program Manager II
Jan 15 2019 10:03 AM
Apr 06 2019 01:10 PM - edited Apr 06 2019 01:33 PM
@Stephen Rice Thanks for posting this information. Could you share more details, maybe a link to the roadmap?
As a SharePoint architect, this is a nightmare. I try to build an architecture around work teams to prevent breaking permission inheritance, but it breaks as soon as sharing occurs even between teammates.
Another related issue is to set the default sharing to "People with Existing Access". Is this also part of the update? The request has 280 votes on Uservoice.
Apr 08 2019 10:38 AM
Which roadmap feature are you looking for? If you are asking about the fix I mentioned above, that should already be complete (though if you are still seeing this happen, please let me know!).
As for the UserVoice item below, this is still something we are looking at and don't have any timelines to offer. Thanks!
Stephen Rice
OneDrive Program Manager II
Apr 08 2019 10:48 AM
@Stephen Rice just tested in my company tenant (Targeted Release for all users) and confirmed that sharing a doc from OneDrive changed the permissions from inherited to unique.
Apr 08 2019 11:03 AM - edited Apr 08 2019 11:05 AM
@Stephen Rice @Kevin Crossman I can confirm I'm seeing the issue too. That's actually what drove me to the forum in the first place.
I am looking at modern communication sites if this makes any difference.
Apr 08 2019 11:30 AM
Hi all,
Thanks for confirming. Let me circle back with the team and see what's going on.
Stephen Rice
OneDrive Program Manager II
Apr 29 2019 02:29 AM
Hi Stephen,
I still have the issue in my tenant ("People with existing access" breaks role inheritance).
Any news on that?
Alberto
Apr 30 2019 01:19 PM
Can you send me a Fiddler trace of the sharing event via private message? This will help us debug and figure out what is happening. Thanks!
Stephen Rice
OneDrive Program Manager II
May 02 2019 09:29 AM
Hi Stephen and thanks for your reply.
I have understood a bit better what happens.
First of all it happens only when "Copy link" is used, because the "Share" button always gives you the option to change the link type before creating the link, independently from the type it uses by default.
Therefore I can control what's going on, independently from the default link type I get from the SharePoint.
The "Copy link" instead creates a link immediately, before you change the link type, therefore if the default option turns out to be "People in my organization with the link" the inheritance is broken.
The effective default link type I get seems to depend on a combination of the following settings:
"SharePoint admin > Sharing > Default file and folder links" and the setting "SharePoint admin > Active Sites > select the site > Sharing"
In my case the first setting was "Anyone with the link" and the second was "New and existing guests".
In this scenario the default link type becomes (unexpectedly) "People in my organization with the link" and when a user clicks on "Copy link" with the intention to send it by email to a person that already has access, he basically breaks the permissions inheritance.
Not sure if this can be considered a bug but for sure I find "copy link" very misleading, especially for my users.
I believe that Share should be used to grant permissions while Copy link should be used only for copying a link without granting any permissions, as this is the way it is understood by the users.
A possible improvement would be to have the possibility to change the link type before it is created, which is not the case now.
Thanks,
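
An added example, not part of any post in this thread: a read-only PowerShell check of the sharing settings discussed above, followed by a listing of the items in one library whose role inheritance is already broken. It assumes the SharePoint Online Management Shell and PnP.PowerShell modules are installed; the URLs and library name are placeholders, and the mapping of the two admin-center settings to these properties is my assumption.

```powershell
# Added example (not from the thread). Placeholders: adjust to your tenant.
$AdminUrl = 'https://contoso-admin.sharepoint.com'        # placeholder
$SiteUrl  = 'https://contoso.sharepoint.com/sites/team'   # placeholder
$Library  = 'Documents'                                    # placeholder

# 1. Read the tenant- and site-level sharing settings (nothing is changed).
#    DefaultSharingLinkType: the configured default link type.
#    SharingCapability:      how far external sharing is allowed.
Connect-SPOService -Url $AdminUrl
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType
Get-SPOSite -Identity $SiteUrl |
    Select-Object Url, SharingCapability, DefaultSharingLinkType

# 2. List every item in the library that no longer inherits permissions.
#    Assumption: interactive sign-in works for PnP.PowerShell in your tenant
#    (newer module versions may also require -ClientId).
Connect-PnPOnline -Url $SiteUrl -Interactive
$items = Get-PnPListItem -List $Library -PageSize 500

$unique = foreach ($item in $items) {
    # HasUniqueRoleAssignments is not loaded by default; request it explicitly.
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if ($item.HasUniqueRoleAssignments) {
        [pscustomobject]@{
            Id       = $item.Id
            Path     = $item.FieldValues['FileRef']
            Modified = $item.FieldValues['Modified']
        }
    }
}

# Report: which files carry item-level permissions, and how many in total.
$unique | Sort-Object Path | Format-Table -AutoSize
'{0} of {1} items have unique permissions' -f @($unique).Count, @($items).Count
```

Running the second part before and after a test "Copy link" or "Share" action on a single file shows whether that action broke inheritance on it.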