cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

The following factors also affect the level of access for user (i:0#.f|membership|user@example.com)

volrath
Copper Contributor

‎Oct 22 2020 02:22 AM - edited ‎Oct 22 2020 02:57 AM

‎Oct 22 2020 02:22 AM - edited ‎Oct 22 2020 02:57 AM

The following factors also affect the level of access for user (i:0#.f|membership|user@example.com)

Hi all

 

I've serendipitously come across some implicit permissions on SharePoint. I made a new subsite for someone and assured them that only they could access it. While I was doing the usual checks, I noticed some high profile user having unfettered access to this new subsite I created, as per the subject above. I checked somewhere online where some suggested to check the the Site Collection Administrators and only myself are listed here so I started becoming very baffled. What is very strange, is that I, being a Site Collection Admin, do not have this level of unfettered access. If I don't don't have explicit permission to access a site, I don't have access. But this one staff member does! Just look at this...

 

SharePoint_Permissions_Issue.png

 

I thought for sure that this user must have some form of admin permissions somewhere, but where? I then found, more shockingly, that four other staff members also have this super permission status! These are low rank staff that never had, and never will have any admin permissions at all whatsoever and they are able to access highly sensitive information on our entire SharePoint site!

 

Does anyone know what is going on here and how I could possibly remediate this and hopefully prevent anyone else from gaining these seemingly implicit super powers?

 

Thanks for reading

Steven

11.9K Views
1 Like
4 Replies
Reply
4 Replies
metati

‎Oct 29 2020 01:14 PM

‎Oct 29 2020 01:14 PM

Re: The following factors also affect the level of access for user (i:0#.f|membership|user@example.c

@volrath  I may be wrong but sounds to me like someone with global access doesn't know what they're doing.  This is the issue I have with the way O365 permissions are done for SharePoint Developers and Administrators at my workplace.  Because we have others in the IT dept. that handle AD and other programs, only network team has Global access... that impedes on allowing SP team to deploy contents, make some changes and at times put a finger on why we can't get something to work in SP - because it's affiliated with something else that has it turned off, etc.  This is ridiculous!  SP program administration should have never been pulled into the same cluster as the other Office products.  

0 Likes
Reply
ADessimoz

‎Jan 04 2021 11:59 PM

‎Jan 04 2021 11:59 PM

Re: The following factors also affect the level of access for user (i:0#.f|membership|user@example.c

@volrath 

 

I have a similar issue, I noticed that the group "All Users" was being given Site Collection Admin automatically. I made a post about it yesterday and was now roaming more deeply in here to see if anyone had the same problem.

Your post is the first thing I noticed and then found out about what's said in my post.

 

But if your Site Collection Admin only lists yourself, it might be something else.

 

On my side I don't know why those permissions are added back.

 

Regards

0 Likes
Reply
metati

‎Jan 05 2021 08:39 AM

‎Jan 05 2021 08:39 AM

Re: The following factors also affect the level of access for user (i:0#.f|membership|user@example.c

@ADessimoz 

I think it's a case of someone with global permissions or tenant/higher permissions granting permissions to what they think is a certain area but not realizing that some permissions apply to all areas of o365.  SharePoint has always had its own "corner" to have information remain truly secure but once it was pulled under the governance of someone in charge of all MS program, many without the expertise try to accommodate one thing and affect other parts.  SP should have the ability to break permission inheritance and allow SP administrators and developers to have full control over that corner to continue protecting any and all areas that requires protection.

 

0 Likes
Reply
ADessimoz

‎Jan 06 2021 01:35 AM

‎Jan 06 2021 01:35 AM

Re: The following factors also affect the level of access for user (i:0#.f|membership|user@example.c

@metati 

 

I found the source of my problem.

 

By luck, I guess, I had another issue on my Veeam for Office 365 and while resolving it I saw that somewhere there on the Backup accounts, the group All users was selected.

That was it causing the group to be added every night.

 

Never would have thought of going check that there if it weren't for the issue I had.

 

0 Likes
Reply