Aug 22 2019 04:32 AM
I was wondering if someone could help me decide what is the best way of implementing SharePoint permissions for the site I am working on. I am using SharePoint classic on Office365. It is an intranet site with various departments which means we will have unique permissions at almost every level or 1st level sub-site at the least. A sample structure of the site with required permissions is as follows:
|LEVEL||SITE||PERMISSIONS|
|0||Home||Admins (AD Group); All Employees (AD Group)|
|0||Employees||Admins (AD Group); All Employees (AD Group)|
|2||HR||Admins (AD Group); HR Managers (AD Group); HR Employees (AD Group); <adhocemployee1>; <username1>|
|3||HR Managers||Admins (AD Group); HR Managers (AD Group)|
|3||Staff||Admins (AD Group); HR Employees (AD Group); All Employees (AD Group)|
|2||IT||Admins (AD Group); IT Team (AD Group)|
|1||Non-Employees||Admins (AD Group); All Employees (AD Group); All Non-Employees (AD Group)|
where 0, 1, 2 and 3 are the different levels of sites, 0 being the top-level site and 3 being the 3rd-level sub-site. Since the main permissions we will be using are Read, Contribute and Full Control, I plan to have 3 SharePoint Groups for each sub-site. So, 3 for Employees, 3 for HR and so on. I am not sure if this is the right approach. Would it be better to have all users/AD groups individually assigned permissions rather than organizing them in groups? We will also have library-level permissions assigned to users/AD Groups due to how they are accessed by the people in our organization, which makes it a bit complicated and difficult to manage, along with the ad hoc requests that come in every so often for access to certain sub-sites/libraries.
HR sub-site permissions with SharePoint Groups
|GROUP NAME||PERMISSION LEVEL||USERS|
|HR Admins||Full Control||Admins (AD Group)|
|HR Readers||Read||HR Employees (AD Group);|
|HR Contributors||Contribute||HR Managers (AD Group); <username1>|
The other approach which I am not inclined towards is as follows:
|HR Managers (AD Group)||Contribute|
|HR Employees (AD Group)||Read|
|Admins (AD Group)||Full Control|
Hoping someone would be able to tell me which approach is more suitable for my scenario.
Aug 22 2019 12:50 PM
Stay away (as much as possible) from assigning individual permissions. If you have 1 or 2 users that "might" be OK, but still.
And seeing that you will also break permissions inheritance on one or more libraries, this can/will get messy pretty quickly...
Why are you using a classic site? Can you not use a Communication site & hubsites?
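An added example (not written by anyone in this thread): a small Python check that parses the site/permission matrix from the first post and lists the sites where individual accounts, rather than AD groups, are granted access, which is the pattern the reply above advises against. Treating the `(AD Group)` suffix as the marker for a group is an assumption taken from the table's labelling.

```python
"""Audit a site/permission matrix for direct user grants (added example)."""

# Constructed input: the site structure from the first post, kept in its
# |level||site||principals| layout.
MATRIX = """\
|0||Home||Admins (AD Group); All Employees (AD Group);|
|0||Employees||Admins (AD Group); All Employees (AD Group);|
|2||HR||Admins (AD Group); HR Managers (AD Group); HR Employees (AD Group); <adhocemployee1>; <username1>|
|3||HR Managers||Admins (AD Group); HR Managers (AD Group)|
|3||Staff||Admins (AD Group); HR Employees (AD Group); All Employees (AD Group)|
|2||IT||Admins (AD Group); IT Team (AD Group)|
|1||Non-Employees||Admins (AD Group); All Employees (AD Group); All Non-Employees (AD Group)|
"""

# Assumption: a principal labelled "(AD Group)" is a group, anything else
# is an individual account.
AD_SUFFIX = "(AD Group)"


def parse_matrix(text):
    """Return a list of (level, site, [principals]) tuples."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("||")]
        if len(cells) != 3:
            continue  # skip blank or malformed rows
        level, site, raw = cells
        # Principals are ';'-separated; trailing separators yield empty items.
        principals = [p.strip() for p in raw.split(";") if p.strip()]
        rows.append((int(level), site, principals))
    return rows


def direct_user_grants(rows):
    """Map site -> principals that are individual accounts, not AD groups."""
    findings = {}
    for _level, site, principals in rows:
        users = [p for p in principals if not p.endswith(AD_SUFFIX)]
        if users:
            findings[site] = users
    return findings


if __name__ == "__main__":
    for site, users in direct_user_grants(parse_matrix(MATRIX)).items():
        print(f"{site}: individual grants -> {', '.join(users)}")
```

Run against an exported permission matrix on a schedule, the same check shows when ad hoc access requests have started to accumulate as one-off grants.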
Aug 23 2019 04:06 AM
@Veronique Lengelle I've recently migrated our existing intranet from SharePoint 2010 to Office365. I am yet to understand why I should choose Modern site over classic. Apart from the benefit of viewing the site in mobile view, it seems to lack flexibility, and features that were otherwise available in the classic version are not available anymore. I would like to use announcements web part, have more than 3 levels of menu items in the mega menu, attach images inline with text, and many others, which are not currently available on modern sites.
I will go ahead with my approach in terms of permissions then, and see how that works out. Thank you.