The following factors also affect the level of access for user (i:0#.f|membership|user@example.com)


Hi all

 

I've serendipitously come across some implicit permissions on SharePoint. I made a new subsite for someone and assured them that only they could access it. While I was doing the usual checks, I noticed some high profile user having unfettered access to this new subsite I created, as per the subject above. I checked somewhere online where some suggested to check the Site Collection Administrators, and only myself is listed there, so I started becoming very baffled. What is very strange is that I, being a Site Collection Admin, do not have this level of unfettered access. If I don't have explicit permission to access a site, I don't have access. But this one staff member does! Just look at this...

 

[Image: SharePoint_Permissions_Issue.png]

 

I thought for sure that this user must have some form of admin permissions somewhere, but where? I then found, more shockingly, that four other staff members also have this super permission status! These are low rank staff that never had, and never will have any admin permissions at all whatsoever and they are able to access highly sensitive information on our entire SharePoint site!

 

Does anyone know what is going on here and how I could possibly remediate this and hopefully prevent anyone else from gaining these seemingly implicit super powers?

 

Thanks for reading

Steven

4 Replies

@volrath  I may be wrong but sounds to me like someone with global access doesn't know what they're doing.  This is the issue I have with the way O365 permissions are done for SharePoint Developers and Administrators at my workplace.  Because we have others in the IT dept. that handle AD and other programs, only the network team has Global access... that impedes allowing the SP team to deploy contents, make some changes and at times put a finger on why we can't get something to work in SP - because it's affiliated with something else that has it turned off, etc.  This is ridiculous!  SP program administration should have never been pulled into the same cluster as the other Office products.

@volrath 

 

I have a similar issue, I noticed that the group "All Users" was being given Site Collection Admin automatically. I made a post about it yesterday and was now roaming more deeply in here to see if anyone had the same problem.

Your post is the first thing I noticed and then found out about what's said in my post.

 

But if your Site Collection Admin only lists yourself, it might be something else.

 

On my side I don't know why those permissions are added back.

 

Regards

@ADessimoz 

I think it's a case of someone with global permissions or tenant/higher permissions granting permissions to what they think is a certain area but not realizing that some permissions apply to all areas of O365.  SharePoint has always had its own "corner" to have information remain truly secure, but once it was pulled under the governance of someone in charge of all MS programs, many without the expertise try to accommodate one thing and affect other parts.  SP should have the ability to break permission inheritance and allow SP administrators and developers to have full control over that corner to continue protecting any and all areas that require protection.

 

@metati 

 

I found the source of my problem.

 

By luck, I guess, I had another issue on my Veeam for Office 365 and while resolving it I saw that somewhere there on the Backup accounts, the group All users was selected.

That was it causing the group to be added every night.

 

Never would have thought of going to check there if it weren't for the issue I had.
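Both Steven's question (who holds unexplained full access, and where it comes from) and ADessimoz's finding (a broad "All Users" group being added as Site Collection Administrator every night by a backup product's service account) come down to the same defensive check: enumerate the site collection administrators of every site in the tenant, flag any broad claim-based principals, and re-run the audit on a schedule so a re-added entry shows up the next morning. The script below is an added example for that audit, not code from the thread or from Microsoft; it uses the SharePoint Online Management Shell cmdlets `Connect-SPOService`, `Get-SPOSite` and `Get-SPOUser` and assumes you hold the SharePoint Administrator role. The tenant admin URL, the output path and the list of "broad" claim prefixes are assumptions to adjust for your own environment.

```powershell
# Added example (not from the thread): audit Site Collection Administrators tenant-wide
# with the SharePoint Online Management Shell (module Microsoft.Online.SharePoint.PowerShell).
# Assumptions: SharePoint Administrator role, placeholder tenant URL below, output path is yours.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# Claim prefixes for broad principals that should never be site collection admins (assumed list):
#   c:0(.s|true                         = "Everyone"
#   c:0-.f|rol|spo-grid-all-users/...   = "Everyone except external users"
$broadClaimPrefixes = @('c:0(.s|true', 'c:0-.f|rol|spo-grid-all-users/')

$reportPath = Join-Path $PWD ("SiteCollectionAdmins-{0:yyyyMMdd}.csv" -f (Get-Date))

$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Get-SPOUser returns the users and groups registered on the site collection;
    # IsSiteAdmin is true for Site Collection Administrators (including those added by automation).
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    foreach ($admin in $admins) {
        $isBroad = $false
        foreach ($prefix in $broadClaimPrefixes) {
            if ($admin.LoginName.StartsWith($prefix)) { $isBroad = $true }
        }
        [pscustomobject]@{
            SiteUrl     = $site.Url
            LoginName   = $admin.LoginName
            DisplayName = $admin.DisplayName
            IsGroup     = $admin.IsGroup
            BroadClaim  = $isBroad
        }
    }
}

# Broad claims first, so an "Everyone"-style admin is the first line you read.
$findings | Sort-Object BroadClaim -Descending, SiteUrl | Format-Table -AutoSize
$findings | Export-Csv -Path $reportPath -NoTypeInformation

# Diff against yesterday's report: anything new points at whatever re-adds it (in the thread,
# a backup job's account selection). Skipped silently if there is no previous report.
$previous = Get-ChildItem -Path $PWD -Filter "SiteCollectionAdmins-*.csv" |
    Where-Object { $_.FullName -ne $reportPath } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($previous) {
    $old = Import-Csv $previous.FullName
    $new = $findings | Where-Object {
        $entry = $_
        -not ($old | Where-Object { $_.SiteUrl -eq $entry.SiteUrl -and $_.LoginName -eq $entry.LoginName })
    }
    if ($new) {
        Write-Warning "Site collection admins added since $($previous.Name):"
        $new | Format-Table SiteUrl, LoginName, DisplayName, BroadClaim -AutoSize
    }
}
```

Run it once interactively to get a baseline, then from a scheduled task so the nightly diff catches an automated re-add. Note that this enumerates administrators at the site collection level only; access to a single subsite that has broken inheritance is a separate check (the "Check Permissions" page Steven quotes, or the subsite's own permission groups), and membership of a tenant role such as SharePoint Administrator or Global Administrator is managed in Azure AD / Microsoft 365 rather than in any SharePoint permission list, which is why it does not appear under Site Collection Administrators.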