
Should we care about broken permissions in the context of sharing files in O365?


In the Office 365 ecosystem almost all files are essentially stored in SharePoint. The sharing window is now also being standardised across services, including the mobile experience.

 

When users share a file, except for People with existing Access, all other 3 sharing options break inheritance.

 

Assuming that we are following best practices like training users to use the most appropriate option, using Anonymous only where necessary, setting default expiration, maybe using sensitivity labels to protect files shared externally, etc., at the end of the day when users share files, even internally, there will be tons of files with broken inheritance.

 

Is there any negative impact about this or any recommendation or best practice?

 


3 Replies

Hi @mikkele ,

 

It would be nice if it didn't break inheritance, but the benefit of sharing cancels out the issues. I have kind of got used to it. 

 

I think with non-sharing links it's still a good idea not to break inheritance if you can, so at the document library and folder level, but in some cases it has to happen.

 

One thing to bear in mind is that when each file breaks inheritance when a link is created, the inherited permissions are copied. Whatever you do, do not accidentally delete one of the groups giving access - such as <Site name> members to the site. Contrary to what I thought, it cascade deletes down to all uniquely permissioned files. Try adding those permissions back in and it doesn't work, as the files are uniquely permissioned. I had a site with 200,000 files and every single file that had unique permissions disappeared from the 50 users that needed to access them. Luckily you can roll a full library back to a point in time now. You couldn't at the time.


@Andrew Hodges 

Contrary to what I thought it cascade deletes down to all uniquely permissioned files. 

That's good to know (and unexpected?). I didn't think that would be the case; it's probably because those SharePoint group objects are still linked.

I would expect the objects inside the group to be updated, but I wasn't expecting that, if I uniquely permission a document library, deleting that same group from above removes it from the doc lib. Just how it is, I guess.
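
Added example, not part of any post in this thread and not Microsoft code: a toy Python model of the behaviour reported above (inherited permissions copied when a sharing link breaks inheritance, a group deletion cascading into those copies, and a site-level re-grant not reaching them), with a pre-deletion check that lists the files that would be affected. All class, file and group names are constructed, and the semantics are the posters' observations, not a documented SharePoint specification.

```python
# Toy model of the behaviour reported in the thread (constructed; not SharePoint code).
class Securable:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.unique_acl = None          # None = inherits from parent

    def acl(self):
        if self.unique_acl is not None:
            return set(self.unique_acl)
        return self.parent.acl() if self.parent else set()

    def break_inheritance(self, extra=()):
        # Creating a sharing link copies the inherited principals, then adds the link's.
        self.unique_acl = self.acl() | set(extra)


class Site(Securable):
    def __init__(self, name, groups):
        super().__init__(name)
        self.unique_acl = set(groups)
        self.files = []

    def add_file(self, name):
        f = Securable(name, parent=self)
        self.files.append(f)
        return f

    def impact_of_deleting(self, group):
        # Pre-deletion check: uniquely permissioned files that reference the group.
        return sorted(f.name for f in self.files
                      if f.unique_acl is not None and group in f.unique_acl)

    def delete_group(self, group):
        # Deleting the group removes it from every ACL, copied ones included.
        for s in [self, *self.files]:
            if s.unique_acl is not None:
                s.unique_acl.discard(group)

    def grant(self, group):
        # A site-level grant reaches only files that still inherit.
        self.unique_acl.add(group)


def demo():
    site = Site("Projects", {"Projects Members", "Projects Owners"})
    plan, budget = site.add_file("plan.docx"), site.add_file("budget.xlsx")
    budget.break_inheritance(extra={"link:specific-people"})
    at_risk = site.impact_of_deleting("Projects Members")
    site.delete_group("Projects Members")
    site.grant("Projects Members")      # attempt to restore at site level
    return at_risk, "Projects Members" in plan.acl(), "Projects Members" in budget.acl()
```

Running `impact_of_deleting` before any group removal gives the list of items that would need their access restored one by one afterwards.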