Jan 10 2019 07:29 AM
Hi everyone,
We figured out a behavior with sharing items/documents in SharePoint which from our point of view is a bug.
Let us assume that the user "John Doe" is the owner of a SharePoint Site Collection / Web. Now another user navigates to a document in a library, selects a document and clicks the "Share" action. Then he chooses "People with existing access".
We select "John Doe" who already has access to this document because he is the owner of the site and click "Apply".
SharePoint now breaks the role inheritance of the item and inserts John's dedicated account. The expected behavior should be: SharePoint recognizes that John already has access and simply sends him the link.
The actual behavior leads to unnecessary item-level permissions, which are hard to monitor and control in terms of security and governance.
Any advice, ideas or tips on how to assign this to the right people at Microsoft?
Thanks
Björn
May 02 2019 09:31 AM
@Alberto Schiavon Agree 100% with Alberto's comments
May 02 2019 12:43 PM
May 09 2019 11:52 AM
Hi all,
Sorry for the delay in checking back in here. This issue should now be fixed. When you share to a user who already has access (via the existing access link), inheritance should no longer be broken. Please let me know if you are still seeing this. Thanks!
Stephen Rice
OneDrive Program Manager II
May 09 2019 01:29 PM
@Stephen Rice It's still breaking the inheritance in my tenant (junipernetworks)
May 09 2019 02:18 PM
Hi @Kevin Crossman,
Thanks for checking back in. Can you verify what steps you are using to repro this? On my side, I did:
1) Set the default sharing link to "Specific People"
2) Created a file in a document library
3) Clicked "Copy Link" & copied the Existing Access link
4) Checked Manage Access & Advanced Permissions: No new links were created & the item is still inheriting from its parent.
Is there some step I am missing here? Thanks!
Stephen Rice
OneDrive Program Manager II
May 09 2019 02:41 PM
@Stephen Rice Sorry, I thought we were talking about the Share feature (not Copy Link) and for "People with existing access" not "specific people" (that's the title of the thread here).
May 10 2019 02:44 PM
Hi @Kevin Crossman,
Sorry, I may have misunderstood then :) I just tried clicking Share & sending the Existing Access link to a user who had access to a parent and that did not also break inheritance.
If you select Specific People though, that will always break inheritance.
Are you seeing something different than I am describing above? Thanks!
Stephen Rice
OneDrive Program Manager II
May 13 2019 11:27 AM
@Stephen Rice our default in our tenant and the one I was using was "People in <tenant> with the link can view". That one still breaks the permissions inheritance.
But, yes, when I choose "people with existing access" it does not break the permissions inheritance.
May 14 2019 01:06 PM
@Stephen Rice Thanks for confirming the behavior.
Would you also have an update on my second point: how to make "existing access" the default? From an end user perspective, "specific people" looks fine and it's not obvious why they would need to pick a different option.
May 14 2019 01:14 PM
Hi @Kevin Crossman,
That is expected then. Specific People is intended to modify the permissions of the doc & add the, well, specified people :)
Nothing to share on that just yet but it is something we've talked about. Thanks,
Stephen Rice
OneDrive Program Manager II
May 14 2019 02:13 PM - edited May 14 2019 02:13 PM
@Stephen Rice Thanks, and once again I really appreciate the quick reply.
> Specific People is intended to modify the permissions of the doc & add the, well, specified people :)
I guess that's where the issue is. In plain English, "existing access" and "specific people" are not exclusive. I might want to share files with Mary and Joe, who are specific people and also already part of the team.
May 14 2019 04:03 PM
@Christophe Humbert, it's my pleasure!
And you are absolutely right :) We've played with/tweaked the language here before to help improve clarity and I don't think anyone thinks we've nailed it just yet. I'll pass along to the team as food for thought as we make more changes here. Thanks!
Stephen Rice
OneDrive Program Manager II
Oct 24 2019 01:28 PM
Oct 24 2019 02:30 PM
I'd suggest checking out the External Sharing in M365 talk at Ignite in 2 weeks time ;)
Stephen Rice
Senior Program Manager II
Dec 16 2019 04:37 PM
Dec 16 2019 04:46 PM
Feb 07 2020 09:40 AM
@Stephen Rice We are still seeing this behavior. It's very frustrating
Feb 07 2020 10:07 AM
Hi @zacheriah,
Can you share in more detail what you are seeing here, including repro steps? Thanks!
Stephen Rice
Senior Program Manager, OneDrive
Feb 07 2020 10:10 AM
Thanks for the quick reply.
Let's say a user does the following:
1. Clicks "share" on a file
2. Leaves the default "people you specify can view"
3. Enters a user account
4. Clicks "Send"
What ends up happening is the item permission inheritance is broken. Thus, if a new group or user was added to the top-level permissions, they will be unable to access the file with broken inheritance.
Feb 07 2020 10:15 AM
Hi @zacheriah,
That is by design (and yes, I promise I'll go deeper ;) ). The "People you specify" link creates what we call a Specific People or a People Sharing Link, which is used to grant additional permissions to the document based on the users you enter. As this link can add net new people to the document, it breaks inheritance on the item.
The good news is that we just shipped a new control to help you out here! On a per-site basis, you can now set the default sharing link to "People with existing access". This type of link does not add new people to the document and only works for people who already have access (whether it's other unique permissions on that item or by having access via a parent). As a result, it will never break inheritance (caveating the bug that started this whole thread where it apparently did sometimes. That's now been fixed).
If you want to try this out, you'll need PowerShell (UI coming shortly) and run this command:
Set-SPOSite -Identity $SiteURLHere -DefaultLinkToExistingAccess $true
Hope that helps!
Stephen Rice
Senior Program Manager, OneDrive
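
An audit sketch for the item-level permissions discussed in this thread, added here as an example and not posted by any participant: it lists the items in one library whose inheritance has been broken, together with the principals holding direct permissions on them. It assumes the PnP.PowerShell module (the thread itself only uses Set-SPOSite); the site URL and the library title "Documents" are placeholders.

```powershell
# Added example: report items with broken permission inheritance in one library.
# Assumes the PnP.PowerShell module is installed; $SiteUrl and $LibraryTitle are placeholders.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # e.g. https://contoso.sharepoint.com/sites/placeholder
    [string] $LibraryTitle = 'Documents'        # assumed library title
)

# Recent module versions also require -ClientId with your own app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive

$report = foreach ($item in Get-PnPListItem -List $LibraryTitle -PageSize 500) {
    # HasUniqueRoleAssignments becomes $true once inheritance is broken on the item.
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if (-not $item.HasUniqueRoleAssignments) { continue }

    # Load the direct role assignments and resolve each one to its principal.
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    $principals = foreach ($assignment in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $assignment -Property Member | Out-Null
        $assignment.Member.Title
    }

    [pscustomobject]@{
        Path       = $item.FieldValues['FileRef']
        Principals = ($principals | Sort-Object -Unique) -join '; '
    }
}

# An empty report means every item in the library still inherits from its parent.
$report | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Running it before and after changing a site's default sharing link shows whether new shares are still creating unique permissions.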