Share to "People with existing access" breaks role inheritance

Hi everyone,

We figured out a behavior with sharing items/documents in SharePoint which from our point of view is a bug.

Let us assume that the user "John Doe" is the owner of a SharePoint Site Collection / Web. Now another user navigates to a document in a library, selects a document and clicks the "Share" action. Then he chooses "People with existing access".

We select "John Doe" who already has access to this document because he is the owner of the site and click "Apply".

SharePoint now breaks the role inheritance of the item and inserts John's dedicated account. The expected behavior should be: SharePoint recognizes that John already has access and simply sends him the link.

The actual behavior leads to unnecessary item level permissions which are hard to monitor and control in terms of security and governance.

Any advice, ideas or tips on how to assign this to the right people at Microsoft?

Thanks

Björn

52 Replies
Raise a support issue in the Office365 admin center with a SharePoint topic as the issue

I believe this is working as intended by MS. (I'm with you - I don't like it either).

If this is intended by Microsoft I do not understand the difference between "People in my Organisation" vs. "People with existing access", because both options lead to item level permissions ;-(

If I transfer this to a support request within O365 Admin center, I bet this will lead to a never ending story :( I raised a request in user voice.

And additionally, within our concrete use case, only site owners are allowed to share documents to people outside the site collection. Now when a member of the site uses the SHARE button just to inform another member that a document has changes, a workflow will always kick off an approval e-mail for the owners because of the item permissions that have to be changed (disgusting!!)

I think the reason they did this now, because it used to actually work before where it would just give a direct link to the item, which I preferred myself. But the new "See who read your file" etc. in the hover card, pulls from the Link data I think. So they replaced it with links too.

I wish we had a way like we used to, to get the raw file location easy. Used to be able to just right click and copy link and get a link to a file. Now right click opens SharePoint menu, and copy link turns it to a sharing link. Need at least a "Copy Direct Link" option if anything. Then I could live with the sharing dialog how it's been changed.

Hi Bjorn,

I have the same experience and frustrations with item level sharing. For sites with restricted content we disable sharing and coach users to provide document URL locations.

It's not the best user experience but it preserves the security model.

I voted on your user voice.

Norm

best response confirmed by Björn Nettingsmeier (Brass Contributor)
Solution

Hi all,

The bad news is that this is unexpected. When sharing with a "People with existing access link", it should only send the user a canonical URL and it definitely shouldn't permission the user to the item.

The good news is that a fix is already rolling out and so this should go away shortly :)

Thanks!

Stephen Rice

OneDrive Program Manager II

Awesome, good to know and thanks for the update Stephen
So will this go back to how it used to work where the direct URL will be copied? Or will it still be a generated link minus the permission setting?

@Chris Webb, it should be a direct URL (though it may have the parameters we use to direct users to the previewer, etc.). Thanks!

Stephen Rice

OneDrive Program Manager II

Nice, I always wondered why this changed, that's how I used to get direct links to documents etc. Good to see it coming back to how it was!

@Stephen Rice Thanks for posting this information. Could you share more details, maybe a link to the roadmap?

As a SharePoint architect, this is a nightmare. I try to build an architecture around work teams to prevent breaking permission inheritance, but it breaks as soon as sharing occurs even between teammates.

Another related issue is to set the default sharing to "People with Existing Access". Is this also part of the update? The request has 280 votes on Uservoice.

Hi @Christophe Humbert,

Which roadmap feature are you looking for? If you are asking about the fix I mentioned above, that should already be complete (though if you are still seeing this happen, please let me know!).

As for the UserVoice item below, this is still something we are looking at and don't have any timelines to offer. Thanks!

Stephen Rice

OneDrive Program Manager II

@Stephen Rice just tested in my company tenant (Targeted Release for all users) and confirmed that sharing a doc from OneDrive changed the permissions from inherited to unique.

@Stephen Rice @Kevin Crossman I can confirm I'm seeing the issue too. That's actually what drove me to the forum in the first place.

I am looking at modern communication sites if this makes any difference.

Hi all,

Thanks for confirming. Let me circle back with the team and see what's going on.

Stephen Rice

OneDrive Program Manager II

@Stephen Rice

Hi Stephen,

I still have the issue in my tenant ("People with existing access" breaks role inheritance).

Any news on that?

Alberto

Hi @Alberto Schiavon,

Can you send me a Fiddler trace of the sharing event via private message? This will help us debug and figure out what is happening. Thanks!

Stephen Rice

OneDrive Program Manager II

@Stephen Rice

Hi Stephen and thanks for your reply.

I have understood a bit better what happens.

First of all it happens only when "Copy link" is used, because the "Share" button always gives you the option to change the link type before creating the link, independently from the type it uses by default.

Therefore I can control what's going on, independently from the default link type I get from the SharePoint.

The "Copy link" instead creates a link immediately, before you change the link type, therefore if the default option turns out to be "People in my organization with the link" the inheritance is broken.

The effective default link type I get seems to depend on a combination of the following settings: "SharePoint admin > Sharing > Default file and folder links" and the setting "SharePoint admin > Active Sites > select the site > Sharing".

In my case the first setting was "Anyone with the link" and the second was "New and existing guests".

In this scenario the default link type becomes (unexpectedly) "People in my organization with the link" and when a user clicks on "Copy link" with the intention to send it by email to a person that already has access, he basically breaks the permissions inheritance.

Not sure if this can be considered a bug but for sure I find "copy link" very misleading, especially for my users.

I believe that Share should be used to grant permissions while Copy link should be used only for copying a link without granting any permissions, as this is the way it is understood by the users.

A possible improvement would be to have the possibility to change the link type before it is created, which is not the case now.

Thanks,
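
An added example, not part of any post in this thread and not Microsoft's code: a PnP.PowerShell audit that lists every item in one library whose role inheritance has been broken, with the principals and permission levels now set on it, so the item-level permissions described above can be monitored. The site URL and library name are placeholders (assumptions), and the `PnP.PowerShell` module is assumed to be installed.

```powershell
# Added example. $SiteUrl and $Library are placeholders (assumptions).
$SiteUrl = "https://contoso.sharepoint.com/sites/example"
$Library = "Documents"

# Recent PnP.PowerShell releases also require -ClientId <your own app registration>.
Connect-PnPOnline -Url $SiteUrl -Interactive

$report = foreach ($item in Get-PnPListItem -List $Library -PageSize 500) {
    # HasUniqueRoleAssignments is not loaded by default; request it per item.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }   # still inheriting from the library: nothing to report

    # Load the item's own role assignments, then each principal and its roles.
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            File        = $item.FieldValues["FileRef"]
            Principal   = $ra.Member.Title
            LoginName   = $ra.Member.LoginName
            # Groups that SharePoint creates for sharing links are named "SharingLinks.<...>".
            SharingLink = $ra.Member.LoginName -like "SharingLinks.*"
            Roles       = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

# One row per (item, principal); an empty result means no item has unique permissions.
$report | Sort-Object File, Principal | Format-Table -AutoSize
```

Running it before and after a test share or "Copy link" on a single document shows whether that action created unique permissions on the item.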
