Aug 22 2019 04:32 AM
Hi,
I was wondering if someone could help me decide what is the best way of implementing SharePoint permissions for the site I am working on. I am using SharePoint classic on Office365. It is an intranet site with various departments which means we will have unique permissions at almost every level or 1st level sub-site at the least. A sample structure of the site with required permissions is as follows:
LEVEL | SITE/SUBSITE | USERS |
0 | Home | Admins (AD Group); All Employees (AD Group); |
0 | Employees | Admins (AD Group); All Employees (AD Group); |
2 | HR | Admins (AD Group); HR Managers (AD Group); HR Employees (AD Group); <adhocemployee1>; <username1> |
3 | HR Managers | Admins (AD Group); HR Managers (AD Group) |
3 | Staff | Admins (AD Group); HR Employees (AD Group); All Employees (AD Group) |
2 | IT | Admins (AD Group); IT Team (AD Group) |
1 | Non-Employees | Admins (AD Group); All Employees (AD Group); All Non-Employees (AD Group) |
where 0, 1, 2 and 3 are the different levels of sites, 0 being top level site and 3 being the 3rd level sub-site. Since the main permissions we will be using are Read, Contribute and Full Control, I plan to have 3 SharePoint Groups each for every sub-site. So, 3 for Employees, 3 for HR and so on. I am not sure if this is the right approach. Would it be better to have all users/AD groups individually assigned permissions rather than organizing them in groups? We will also have library level permissions assigned to users/AD Groups due to how they are accessed by the people in our organization, which makes it a bit complicated and difficult to manage, as do the ad hoc requests that come in every so often for access to certain sub-sites/libraries.
My Approach:
HR sub-site permissions with SharePoint Groups
GROUP NAME | PERMISSION LEVEL | USERS |
HR Admins | Full Control | Admins (AD Group) |
HR Readers | Read | HR Employees (AD Group); |
HR Contributors | Contribute | HR Managers (AD Group); <username1> |
The other approach which I am not inclined towards is as follows:
USERS | PERMISSION LEVEL |
HR Managers (AD Group) | Contribute |
<username1> | Read |
HR Employees (AD Group) | Read |
Admins (AD Group) | Full Control |
<adhocemployee1> | Read |
Hoping someone would be able to tell me which approach is more suitable for my scenario.
Thank you!
Aug 22 2019 12:50 PM
Stay away (as much as possible) from assigning individual permissions. If you have 1 or 2 users that "might" be OK, but still.
And seeing that you will also break permissions inheritance on one or more libraries, this can/will get messy pretty quickly...
Why are you using a classic site? Can you not use a Communication site & hubsites?
Build your Modern Intranet on SharePoint in Office 365
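An added example, not part of the thread: a short Python audit over the two HR layouts from the question's tables, listing grants made straight to individual accounts and comparing the effective access each layout produces. The data structure and function names are assumptions made for illustration; SharePoint itself is not queried.

```python
# Constructed data: the two HR sub-site layouts from the tables in the question.
# A grant is (scope, grantee, permission level); sp_groups maps a SharePoint
# group to its members (AD groups or individual accounts).
GROUP_LAYOUT = {
    "grants": [("HR", "HR Admins", "Full Control"),
               ("HR", "HR Readers", "Read"),
               ("HR", "HR Contributors", "Contribute")],
    "sp_groups": {"HR Admins": ["Admins (AD Group)"],
                  "HR Readers": ["HR Employees (AD Group)"],
                  "HR Contributors": ["HR Managers (AD Group)", "<username1>"]},
}
DIRECT_LAYOUT = {
    "grants": [("HR", "HR Managers (AD Group)", "Contribute"),
               ("HR", "<username1>", "Read"),
               ("HR", "HR Employees (AD Group)", "Read"),
               ("HR", "Admins (AD Group)", "Full Control"),
               ("HR", "<adhocemployee1>", "Read")],
    "sp_groups": {},
}

def is_individual(principal):
    # Assumption: AD groups carry the "(AD Group)" suffix used in the post.
    return not principal.endswith("(AD Group)")

def effective_access(layout):
    """Expand SharePoint groups into {(scope, principal): set of levels}."""
    access = {}
    for scope, grantee, level in layout["grants"]:
        for member in layout["sp_groups"].get(grantee, [grantee]):
            access.setdefault((scope, member), set()).add(level)
    return access

def direct_individual_grants(layout):
    """Grants made straight to a user account instead of through a group."""
    return [g for g in layout["grants"]
            if g[1] not in layout["sp_groups"] and is_individual(g[1])]

def access_diff(a, b):
    """Principals whose effective levels differ between two layouts."""
    ea, eb = effective_access(a), effective_access(b)
    return {k: (ea.get(k, set()), eb.get(k, set()))
            for k in sorted(ea.keys() | eb.keys()) if ea.get(k) != eb.get(k)}

if __name__ == "__main__":
    print("direct individual grants:", direct_individual_grants(DIRECT_LAYOUT))
    for key, (grouped, direct) in access_diff(GROUP_LAYOUT, DIRECT_LAYOUT).items():
        print(key, "| groups:", grouped or "none", "| direct:", direct or "none")
```

Run against the tables as posted, the comparison shows the two layouts are not equivalent: `<username1>` and `<adhocemployee1>` end up with different access depending on which layout is applied.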
Aug 23 2019 04:06 AM
@Veronique Lengelle I've recently migrated our existing intranet from SharePoint 2010 to Office365. I am yet to understand why I should choose Modern site over classic. Apart from the benefit of viewing the site in mobile view, it seems to lack flexibility, and features that were otherwise available in the classic version are not available anymore. I would like to use announcements web part, have more than 3 levels of menu items in the mega menu, attach images inline with text, and many others, which are not currently available on modern sites.
I will go ahead with my approach in terms of permissions then, and see how that works out. Thank you.
Sep 14 2022 06:57 AM
Sep 14 2022 10:32 PM
@TazIT News pages in SharePoint are normal site pages only with some flags (promoted state) set to some specific value.
So, if you want to grant access to create news pages in a site, you are granting access to create/edit site pages in the SharePoint site. You cannot differentiate the permissions using SharePoint out-of-the-box features.