SOLVED

Share to "People with existing access" breaks role inheritance


Hi everyone,

 

We figured out a behavior with sharing items/documents in SharePoint which from our point of view is a bug.

 

Let us assume that the user "John Doe" is the owner of a SharePoint Site Collection / Web. Now another user navigates to a document in a library, selects a document and clicks the "Share" action. Then he chooses "People with existing access".


We select "John Doe" who already has access to this document because he is the owner of the site and click "Apply".

 

SharePoint now breaks the role inheritance of the item and inserts John's dedicated account. The expected behavior should be: SharePoint recognizes that John already has access and simply sends him the link.

 

The actual behavior leads to unnecessary item-level permissions, which are hard to monitor and control in terms of security and governance.

 

Any advice, ideas or tips on how to assign this to the right people at Microsoft?

 

Thanks

Björn

52 Replies

@Alberto Schiavon Agree 100% with Alberto's comments

Totally agree as well. I did express this idea to SharePoint Team while in Seattle last month, they liked the idea, hoping they follow through and change it. I said default should be existing access on the copy link button for ease of change, but ideally we should be able to just set the default setting for Share and Copy buttons.

Anyway, fully support the idea that Copy link should work like it used to when you right click and get a direct link to the document, no permissions changed.

Hi all,

 

Sorry for the delay in checking back in here. This issue should now be fixed. When you share to a user who already has access (via the existing access link), inheritance should no longer be broken. Please let me know if you are still seeing this. Thanks!

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rice  It's still breaking the inheritance in my tenant (junipernetworks)

Hi @Kevin Crossman,

 

Thanks for checking back in. Can you verify what steps you are using to repro this? On my side, I did:

1) Set the default sharing link to "Specific People"

2) Created a file in a document library

3) Clicked "Copy Link" & copied the Existing Access link

4) Checked Manage Access & Advanced Permissions: No new links were created & the item is still inheriting from its parent.

 

Is there some step I am missing here? Thanks!

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rice Sorry, I thought we were talking about the Share feature (not Copy Link) and for "People with existing access" not "specific people" (that's the title of the thread here).

 

 

Hi @Kevin Crossman,

 

Sorry, I may have misunderstood then :) I just tried clicking Share & sending the Existing Access link to a user who had access to a parent and that did not also break inheritance. 

 

If you select Specific People though, that will always break inheritance. 

 

Are you seeing something different than I am describing above? Thanks!

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rice our default in our tenant and the one I was using was "People in <tenant> with the link can view". That one still breaks the permissions inheritance.

 

But, yes, when I choose "people with existing access" it does not break the permissions inheritance.

@Stephen Rice Thanks for confirming the behavior.

 

Would you also have an update on my second point: how to make "existing access" the default? From an end user perspective, "specific people" looks fine and it's not obvious why they would need to pick a different option.

Hi @Kevin Crossman,

 

That is expected then. Specific People is intended to modify the permissions of the doc & add the, well, specified people :) 

 

Hi @Christophe Humbert,

 

Nothing to share on that just yet but it is something we've talked about. Thanks,

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rice Thanks, and once again I really appreciate the quick reply.

 

Specific People is intended to modify the permissions of the doc & add the, well, specified people :) 

I guess that's where the issue is. In plain English, "existing access" and "specific people" are not exclusive. I might want to share files with Mary and Joe, who are specific people and also already part of the team.

 

 

@Christophe Humbert, it's my pleasure! 

 

And you are absolutely right :) We've played with/tweaked the language here before to help improve clarity and I don't think anyone thinks we've nailed it just yet. I'll pass along to the team as food for thought as we make more changes here. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Hi Stephen - any progress on this please? I see the last update was mid-May, so 5 months ago. Would be good to have an option to send a link to folks who already have access via the Share menu without breaking inherited security. Any update on this would be appreciated.
Cheers, Joe

Hi @Joe McGiven Corban,

 

I'd suggest checking out the External Sharing in M365 talk at Ignite in 2 weeks time ;)

 

Stephen Rice

Senior Program Manager II

Hi Stephen,

Our lead SPOL developer gave us a run down recently on what was covered at Ignite, but this wasn't touched on. Perhaps you could enlighten us? That is... the Willy Wonka Golden ticket here would be....

A user selects "Copy Link" on a selected doc in the doc library and the following applies:
1. The share type defaults to "People with existing access"
2. Those people include named users already as members of the site, and those to whom the item has already been shared - basically, everyone listed as having access to the item.
3. The inheritance is not broken (...please note, only counts if the item has not been previously shared, which of course in itself will break the inheritance)

Any updates you have on this would be appreciated.
Cheers, Joe
Sorry... I never tested, and a simple Google test found this...
https://www.contentandcode.com/blog/ignite-day-5/

So, it seems all good.
I really should have done my homework before posting...

@Stephen Rice We are still seeing this behavior. It's very frustrating

Hi @zacheriah,

 

Can you share in more detail what you are seeing here, including repro steps? Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

Thanks for the quick reply. 

 

Let's say a user does the following:

1. Clicks "share" on a file

2. Leaves the default "people you specify can view"

3. Enters a user account

4. Clicks "Send"

 

What ends up happening is the item permission inheritance is broken. Thus, if a new group or user was added to the top-level permissions, they will be unable to access the file with broken inheritance.  

Hi @zacheriah,

 

That is by design (and yes, I promise I'll go deeper ;) ). The "People you specify" link creates what we call a Specific People or a People Sharing Link, which is used to grant additional permissions to the document based on the users you enter. As this link can add net new people to the document, it breaks inheritance on the item. 

 

The good news is that we just shipped a new control to help you out here! On a per-site basis, you can now set the default sharing link to "People with existing access". This type of link does not add new people to the document and only works for people who already have access (whether it's other unique permissions on that item or by having access via a parent). As a result, it will never break inheritance (caveating the bug that started this whole thread where it apparently did sometimes. That's now been fixed). 

 

If you want to try this out, you'll need PowerShell (UI coming shortly) and run this command:

 

Set-SPOSite -Identity $SiteURLHere -DefaultLinkToExistingAccess $true

 

Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive
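
An added example, not part of the thread and not Microsoft's own code: one way to audit a document library for the item-level permissions discussed above, listing every item whose inheritance is broken and who holds rights on it. It assumes the PnP.PowerShell module and an Entra ID app registration for interactive sign-in; the parameter names and output path are hypothetical, and the "SharingLinks." name prefix used to flag sharing-link groups is an assumption about how such links appear in role assignments.

```powershell
# Added example: report items with unique (non-inherited) permissions in one library.
# Assumes the PnP.PowerShell module; parameter names below are hypothetical.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,       # site to audit
    [Parameter(Mandatory)] [string] $LibraryTitle,  # e.g. "Documents"
    [Parameter(Mandatory)] [string] $ClientId,      # app registration used for sign-in
    [string] $OutFile = ".\unique-permissions.csv"
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Page through the library so large lists do not hit the list view threshold.
$items = Get-PnPListItem -List $LibraryTitle -PageSize 500

$report = foreach ($item in $items) {
    # HasUniqueRoleAssignments is not loaded by default; request it explicitly.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }   # item still inherits from its parent

    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($assignment in $assignments) {
        $member = Get-PnPProperty -ClientObject $assignment -Property Member
        $roles  = Get-PnPProperty -ClientObject $assignment -Property RoleDefinitionBindings

        [pscustomobject]@{
            Path          = $item['FileRef']
            Principal     = $member.Title
            LoginName     = $member.LoginName
            PrincipalType = $member.PrincipalType
            Roles         = ($roles | ForEach-Object Name) -join ', '
            # Assumption: sharing links show up as groups named "SharingLinks.<...>".
            IsSharingLink = $member.LoginName -like 'SharingLinks.*'
        }
    }
}

$report | Sort-Object Path, Principal |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Summary: number of distinct items that no longer inherit permissions.
$broken = @($report | Select-Object -ExpandProperty Path -Unique).Count
Write-Host "$broken item(s) with unique permissions written to $OutFile"
```

Running it before and after changing a site's default link type gives a baseline for whether new shares are still creating item-level permissions.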