Site collection admin & confidentiality


Dear all, is there a possibility to prevent site collection admins from actually opening documents in the SharePoint libraries they manage? So they can do all the admin stuff they need to do, but without having the option to look at confidential information (on document level). Love to hear from you. Frank.

 

4 Replies

Hi @Frank Vandenheede,

 

The Site collection admin role overwrites all permissions on the site enabling the user to view/edit all data. There isn't a way to stop a site collection admin viewing data. 

 

Quite a few customers give 2 accounts to these users so that in their day-to-day work they are only seeing data as a user and not as a site collection admin. They are then governed by your policy when accessing sites as the Site collection Admin user. Audit logs can be looked at to see what a particular user has looked at on a site.

 

Hope that helps

 

Andy

 

There is no way now, but I expect this to be solved with the upcoming sensitivity labels integration in SPO Sites.

@Andrew Hodges Hi Andy, thanks for your reply. We are thinking of using Azure Information Protection to keep admins from watching highly sensitive information. Would that be an option? Kind regards, Frank.

I would ensure that admins only add themselves into Site Collection Admins when they need access - rather than having that access all of the time.

Also, any action any user takes (e.g. read a file, access a site, delete a file, etc.) is logged in the Unified Audit Log as well, so whatever an admin does will be logged.
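
Added example, not part of the thread and not Microsoft's code: one way to review the audit trail the replies describe, by flagging file reads made while an account held site collection admin on that site. The records are constructed, and the field and operation names (`SiteCollectionAdminAdded`, `SiteCollectionAdminRemoved`, `TargetUserOrGroupName`, `FileAccessed` and so on) are assumptions to check against a real Unified Audit Log export.

```python
import json

# Constructed sample, shaped like records exported from the Unified Audit Log.
# Field and operation names are assumptions; verify them against a real export.
SITE = "https://example.sharepoint.com/sites/hr/"
SAMPLE = json.loads("""[
 {"CreationTime":"2024-05-02T09:00:00","Operation":"FileAccessed",
  "UserId":"alice@example.com","ObjectId":"Docs/handbook.docx"},
 {"CreationTime":"2024-05-02T10:00:00","Operation":"SiteCollectionAdminAdded",
  "UserId":"alice@example.com","TargetUserOrGroupName":"Alice@example.com"},
 {"CreationTime":"2024-05-02T10:05:00","Operation":"FileAccessed",
  "UserId":"alice@example.com","ObjectId":"Docs/salaries.xlsx"},
 {"CreationTime":"2024-05-02T10:10:00","Operation":"FileAccessed",
  "UserId":"bob@example.com","ObjectId":"Docs/salaries.xlsx"},
 {"CreationTime":"2024-05-02T10:30:00","Operation":"SiteCollectionAdminRemoved",
  "UserId":"alice@example.com","TargetUserOrGroupName":"alice@example.com"},
 {"CreationTime":"2024-05-02T11:00:00","Operation":"FileDownloaded",
  "UserId":"alice@example.com","ObjectId":"Docs/handbook.docx"}
]""")
for rec in SAMPLE:
    rec["SiteUrl"] = SITE  # every constructed record belongs to the same site

FILE_OPS = {"FileAccessed", "FileDownloaded", "FilePreviewed"}

def admin_file_access(records, standing_admins=()):
    """Return file reads made while the reader was site collection admin.

    standing_admins: (site_url, user) pairs that were already admin before
    the first record, since the log cannot show grants older than the export.
    """
    norm = lambda site, user: (site.rstrip("/").lower(), user.lower())
    active = {norm(s, u): "before export" for s, u in standing_admins}
    hits = []
    # ISO 8601 timestamps in one format sort correctly as plain strings.
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        op = r["Operation"]
        if op == "SiteCollectionAdminAdded":
            active[norm(r["SiteUrl"], r["TargetUserOrGroupName"])] = r["CreationTime"]
        elif op == "SiteCollectionAdminRemoved":
            active.pop(norm(r["SiteUrl"], r["TargetUserOrGroupName"]), None)
        elif op in FILE_OPS and norm(r["SiteUrl"], r["UserId"]) in active:
            hits.append({"time": r["CreationTime"], "user": r["UserId"],
                         "operation": op, "file": r["ObjectId"],
                         "admin_since": active[norm(r["SiteUrl"], r["UserId"])]})
    return hits

if __name__ == "__main__":
    for hit in admin_file_access(SAMPLE):
        print(hit)
```

Reads made before the grant or after the removal are not reported, so the output is the list to reconcile against the reason given for each temporary elevation.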