The following factors also affect the level of access for user (i:0#.f|membership|user@example.com)


Hi all

I've serendipitously come across some implicit permissions on SharePoint. I made a new subsite for someone and assured them that only they could access it. While I was doing the usual checks, I noticed some high-profile user having unfettered access to this new subsite I created, as per the subject above. I checked somewhere online where some suggested to check the Site Collection Administrators, and only I am listed here, so I started becoming very baffled. What is very strange is that I, being a Site Collection Admin, do not have this level of unfettered access. If I don't have explicit permission to access a site, I don't have access. But this one staff member does! Just look at this...

[Image: SharePoint_Permissions_Issue.png]

I thought for sure that this user must have some form of admin permissions somewhere, but where? I then found, more shockingly, that four other staff members also have this super permission status! These are low-rank staff that never had, and never will have, any admin permissions at all whatsoever, and they are able to access highly sensitive information on our entire SharePoint site!

Does anyone know what is going on here and how I could possibly remediate this and hopefully prevent anyone else from gaining these seemingly implicit super powers?

Thanks for reading

Steven

1 Reply

@volrath I may be wrong, but it sounds to me like someone with global access doesn't know what they're doing. This is the issue I have with the way O365 permissions are done for SharePoint Developers and Administrators at my workplace. Because we have others in the IT dept. that handle AD and other programs, only the network team has Global access... that impedes on allowing the SP team to deploy contents, make some changes and at times put a finger on why we can't get something to work in SP - because it's affiliated with something else that has it turned off, etc. This is ridiculous! SP program administration should have never been pulled into the same cluster as the other Office products.