Archive for the ‘Access controls’ Category

How Office 365 challenges traditional records management practices

September 27, 2016

If your organisation is using SharePoint on-premise now, or just starting out with Office 365, it is important to understand how the Office 365 ecosystem will challenge traditional ways of managing records practices while at the same time delivering a transformational all-digital experience for end users.

SharePoint On-Premises

When configured well, SharePoint on-premises (e.g. versions up to SharePoint 2016) allowed organisations to manage unstructured (i.e., document-based) content through a hierarchy of site collections – sites/sub-sites – document libraries – (folders/document sets) – documents.

In on-premise SharePoint environments, document libraries could be used to store and manage records, thereby becoming the logical containers or aggregations of records, similar to ‘files’ in traditional EDRM systems.

The Office 365 ecosystem

Office 365 changes and challenges the on-premises model of SharePoint by adding new ways of working to standard SharePoint team and publishing sites. These new ways of working include:

  • Office 365 Groups, each of which has a dedicated SharePoint site
  • OneDrive for Business, a personal version of SharePoint
  • Yammer
  • Skype for Business
  • Delve
  • Planner
  • Sway

Why is this important? 

SharePoint has been clearly positioned as Microsoft’s online document management engine. SharePoint, not network file shares, is the document management future. And so, by extension, it becomes the future location for the management of digital records for any organisation that subscribes to Office 365.

From both the business and end-user points of view, SharePoint provides easy-to-use and more efficient content management and collaboration capabilities allowing users to access and use a range of content anywhere, anytime, on any device. Coupled with collaboration options such as Office 365 Groups, Yammer, and Skype for Business, information is now available across a number of different applications within the same single ecosystem.

From a records management point of view, this new way of working challenges the idea that information can be stored in the context of a single function, activity or transaction that created it. Instead, it supports the concept that digital information cannot truly be assigned to a single function or context; its context may also depend on the context of the person seeking to access it.

That is, how one person stores information is not necessarily how others may expect to find or use it. Think of the parallels with eBay, Facebook, LinkedIn and similar products – algorithms present information to you, often in a ‘feed’, based on what the application knows about you, not how other people store that information.

‘Modern’ Team Sites

The most striking change with ‘modern’ team sites in SharePoint Online (compared with SharePoint 2013 and earlier) is the disappearance of the ribbon menu and the simplification of the user-experience to be more or less identical with OneDrive for Business.

When any library is selected (and before a document is selected), the user is presented with the common options: New (Folder, Word, Excel, PowerPoint, OneNote, Link), Upload, Quick Edit, and Sync.


When a document is selected, the user is presented with a context-specific menu offering again commonly used options: Open, Share, Get a link, Download, Delete, Pin to top, Move to, Copy to, Rename, Version History, Alert me, and Check out.


The familiar Library Settings, previously located on the ribbon menu, are now found via the Office 365 settings ‘cog’.


Microsoft have also changed the look of SharePoint Online sites and provided a new ‘SharePoint’ landing page to help users access all the sites they are following, and also present suggestions for sites to follow. In other words, the system understands the user’s context and presents content suggestions, the same way Facebook users are invited to befriend people.

From a records management point of view, little has changed with document libraries in team sites. SharePoint Online continues to offer all the same features as before:

  • Almost unlimited metadata options allowing multiple metadata-based views to be set up
  • Unique, persistent document IDs
  • Folders and document sets (although the latter are even harder to set up than they were)
  • Versioning (and more efficient storage of versions)
  • Popularity trends and per-document views
  • Detailed audit trails
  • Access/permission controls
  • Legal compliance/retention and disposal
  • Powerful search
  • Full integration with Office, which now saves directly to SharePoint and OneDrive by default.
  • Hyperlinkable documents
  • Easy sharing

While it is still possible in SharePoint Online to manage records out of the box, the other elements that make up the Office 365 ecosystem provide a much broader and more complex environment for the storage and management of records. SharePoint Online is just one component of this environment.

Office 365 Groups

Office 365 Groups provide a way for a group of people within the organisation – as well as external users – to discuss and share information.

  • They are similar to Active Directory (AD) Distribution Groups in the sense that they are a pre-defined organisational group designed to receive information.
  • They are different in that, instead of being just the recipient of information, users (and people who join the group at a later date) can see all discussions that have been sent to all members and access any Group documents.

Office 365 Groups are made up of two main content elements: ‘Conversations’ email-based threads and ‘Files’.


  • Conversation threads are based on simple email exchanges presented in Outlook – currently it is not possible to create folders in the group.
  • The Files option in Office 365 Groups is a SharePoint site that allows the group to store, share and collaborate on any unstructured content.

Groups also include a calendar and a group Notebook (which opens OneNote Online in the Group SharePoint site).

Office 365 Groups content is stored either within the context of the Group’s email-based conversations or in unstructured content stored in an associated SharePoint site.

Office 365 Groups SharePoint sites are visible in the user’s list of SharePoint sites, making it easy to get back to the Group’s site or its conversations.

OneDrive for Business

OneDrive for Business is built on the SharePoint engine. The consumer version of OneDrive has been around for a few years and is a direct competitor to the likes of Google Drive, iDrive, DropBox, Box and so on.

OneDrive for Business, the online replacement for ‘personal’ network drives, allows users to store, synchronise and share ‘personal’ work information through an interface that in Office 365 is now almost identical with modern team sites (less the Library Settings).

As with personal network drives, content stored by users in OneDrive for Business is inaccessible to others unless it is shared. By default, organisations have only 30 days after a user ceases to be an employee to do something about the content in their OneDrive for Business before it is deleted.

Options to manage the otherwise hidden content of a departed user’s OneDrive for Business account include allowing the user’s manager to review and if necessary move or delete it, allowing an authorised person in IT to review it, and/or backing it up to other storage so it is not deleted.

Yammer

While the long-term future of Yammer is unclear in the face of Office 365 Groups, Yammer may still exist and capture information and records for a time to come.

Skype for Business

In addition to Yammer and the conversation options provided through Office 365 Groups, Skype for Business provides yet another option to discuss and share information including via voice and/or video calls.

Delve

All the options described above provide a function-rich environment to store and manage unstructured content and collaborate with other people both within and external to the organisation. But how to make sense of all this information?

Depending on licensing, Delve provides a way to find content that may be relevant to the user.


Delve suggests a range of content that may be of interest (based on the user’s profile, connections and content created or accessed), and provides an analysis of the user’s activity as recorded in Outlook, the calendar and other actions.

Challenges with managing records in Office 365

While Office 365 provides a transformative digital experience for end users, managing the records created and stored in various parts of Office 365 presents new challenges for records managers.

For example, there is far less ability to control the way content is stored or described in specific, pre-defined and/or metadata-driven aggregations and contexts. Users are likely to use whatever application is the most appropriate or convenient. For example, they may use OneDrive for Business to create and store large volumes of content, hidden away from corporate view. They may even share content from this application, including with external users.

The default settings in SharePoint, if not disabled, provide end-users with considerable latitude to create new SharePoint sites and Office 365 Groups, in addition to their personal OneDrive for Business sites, to store, manage and share rich digital content including with external users. In reality, these settings probably need to be disabled to prevent uncontrolled growth in the environment.

Even if records managers (as Site Collection Administrators) have oversight and control of the creation of SharePoint Online team sites, some questions arise:

  • How will they extend this control to SharePoint sites created to support Office 365 Groups, or the conversations that take place within those groups?
  • What about content stored in and shared from OneDrive for Business?
  • How will it be possible in the future to bring together all information about a given function/activity for disposal or disposition actions, especially if it’s not all stored in the one aggregation?

Good SharePoint (and Office 365) governance requires a good balance of control. Too much control and users will be put off using and benefiting from the ecosystem. Too little and the ecosystem may become uncontrollable but possibly very ‘lively’ in terms of content profusion.

Ideally, users should feel that they have the ability to manage their information within a lightly controlled environment – for example, SharePoint site owners cannot create new sites (to prevent the massive proliferation of sites) but they can create document libraries (thereby reducing the IT administrative overhead).
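The three controls discussed above (external sharing from OneDrive for Business, what happens to a departed user’s OneDrive, and who may create Office 365 Groups and their SharePoint sites) can all be set from PowerShell. The following is an added example, not code from the original post. It assumes the SharePoint Online Management Shell and the AzureADPreview module are installed, that the account used is a SharePoint and Azure AD administrator, and it uses placeholder values for the tenant name (contoso), the departed user, the manager, and the security group SP-Site-Creators.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online Management
# Shell and the AzureADPreview module; "contoso", jsmith, manager@contoso.com and
# "SP-Site-Creators" are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Review the tenant defaults that govern the behaviour described in the post:
#    how far sharing can go, what kind of link users get by default, whether anonymous
#    links ever expire, and how long a departed user's OneDrive survives.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, OrphanedPersonalSitesRetentionPeriod

# Corrected settings: sharing only with authenticated external users, internal links
# by default, any anonymous link that is still permitted expires after 30 days, and a
# departed user's OneDrive is retained for a year instead of the 30-day default.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -OrphanedPersonalSitesRetentionPeriod 365

# 2. Give a named reviewer (for example the line manager) site collection admin rights
#    on a departed user's OneDrive so the content can be reviewed, moved or deleted
#    before the retention period runs out.
$oneDrive = "https://contoso-my.sharepoint.com/personal/jsmith_contoso_com"   # placeholder
Set-SPOUser -Site $oneDrive -LoginName manager@contoso.com -IsSiteCollectionAdmin $true

# 3. Restrict Office 365 Group creation (and therefore creation of Group SharePoint
#    sites) to members of one security group, via the Group.Unified directory setting.
Connect-AzureAD
$allowed = Get-AzureADGroup -SearchString "SP-Site-Creators"
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting  = $template.CreateDirectorySetting()
    $setting["EnableGroupCreation"]         = "False"
    $setting["GroupCreationAllowedGroupId"] = $allowed.ObjectId
    New-AzureADDirectorySetting -DirectorySetting $setting
} else {
    $setting["EnableGroupCreation"]         = "False"
    $setting["GroupCreationAllowedGroupId"] = $allowed.ObjectId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}
```

Run the Get-SPOTenant line first and record the output: it is the evidence of what the defaults were before the change, and the Group.Unified setting applies tenant-wide, so the allowed group should be populated before the restriction is switched on.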

Can analytics help with managing records?

Analytics via the Office Graph may provide a way to bring together information and records in context, a context (or contexts) which may be unforeseen by the person who created the content in the first instance. For example, a user may store information in a document library, unaware of its relevance or similarity to others in the organisation. Analytics may be able to connect the two, or the different people doing similar things.

At this stage, Analytics does not seem to provide the ability to bring together all information about a given subject. The model, instead, appears to be about presenting or making information accessible in any context at any time to users depending on their context at the time.

eDiscovery?

eDiscovery, a feature available from SharePoint 2013, has the potential ability to bring together all information about a given subject from across the Office 365 ecosystem. However, the primary purpose of eDiscovery is to support legal processes, not records management.

New ways of thinking are necessary

Records managers need to think differently about how they will approach the management of all types of digital records and other content (conversations, discussions, photographs, videos, Sway presentations) created and stored by users across the complex ecosystem that is Office 365.

It will no longer be possible to assume that all records relating to a given function/activity pair, subject, or context can or will be stored in the same aggregation of records. Instead, records managers need to find other ways to manage digital content, including to manage disposition activities.

Artificial Intelligence (AI) may provide the clue to this. Microsoft CEO Satya Nadella made this very clear in a keynote presentation to the Microsoft Ignite conference on 26 September where he noted that AI would be able “… to reason over large amounts of data and convert that into intelligence”. He also noted Microsoft’s ambition is to create an intelligent assistant that “… can take text input, can take speech input, that knows you deeply. It knows your context, your family, your work. It knows about the world.”

Nadella also noted that: “The most profound shift is in the fact that the data underneath the applications of Office 365 is exposed in a graph structure. And in a trusted, privacy-preserving way, we can reason over this data and create intelligence. That’s really the profound shift in Office 365.” (Source: https://techcrunch.com/2016/09/26/microsoft-ceo-satya-nadella-on-how-ai-will-transform-his-company/)

(Note, the last two paragraphs were added on 29 September to include comments made by Satya Nadella about Microsoft’s AI ambitions).


Information Security in SharePoint Online

May 24, 2016

Until now, the security of information stored in SharePoint on-premise implementations has been based largely on access control groups that grant or restrict access to the content on a site. What you can see, and what you can do with it (e.g., read, edit), depends on which group you belong to. The five main access control groups are:

  • SharePoint Administrator/s: Access to everything.
  • Site Collection Administrator: (Usually) access to everything, but this can be disabled.
  • Site Owners: ‘Full Control’ access to everything (except for the Site Collection Administration elements in Site Settings).
  • Site Members: ‘Contribute’ or add/edit access.
  • Site Visitors: Read only.

Other groups such as Designer and Reader existed for specific purposes.

At any point from the top level Site Collection downwards through all the content, these inherited permissions could be stopped and unique permissions – including for both individuals and new access groups – could be created and applied to control access to content.

Audit logs supplement access controls by recording who did what (including changes to security permissions), who accessed what, and when. Although the names of the SharePoint Administrator and Site Collection Administrator are not visible to Site Owners, Members or Visitors, they appear in the audit logs whenever their activity is recorded. System account activity is also logged.

New Security Controls in SharePoint Online

SharePoint Online brings a range of new options to protect the security of information, in addition to access controls. These options, some of which are included with SharePoint 2013 and onwards, are:

  • Information security classifications
  • Data Loss Prevention (DLP)
  • Audited sharing
  • Information Rights Management (IRM)
  • Shredded storage (new from SP 2013)

Two of these options are shown in a Microsoft diagram in ‘Monitoring and protecting sensitive data in Office 365’:

Source: ‘Monitoring and protecting sensitive data in Office 365’ https://msdn.microsoft.com/en-us/library/mt718319.aspx

Information Security Classifications

According to a number of online sources, from at least March 2011, Microsoft has classified its own information into three categories: High Business Impact (HBI), Moderate Business Impact (MBI), and Low Business Impact (LBI).

  • High Business Impact (HBI): Authentication / authorization credentials (i.e., usernames and passwords, private cryptography keys, PIN’s, and hardware or software tokens), and highly sensitive personally identifiable information (PII) including government provided credentials (i.e. passport, social security, or driver’s license numbers), financial data such as credit card information, credit reports, or personal income statements, and medical information such as records and biometric identifiers.
  • Moderate Business Impact (MBI): Includes all personally identifiable information (PII) that is not classified as HBI such as: Information that can be used to contact an individual such as name, address, e-mail address, fax number, phone number, IP address, etc; Information regarding an individual’s race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, commission or alleged commission of offenses and court proceedings.
  • Low Business Impact (LBI): Includes all other information that does not fall into the HBI or MBI categories.

Source: ‘Microsoft Vendor Data Privacy – Part 1’ (March 2011) https://www.auditwest.com/microsoft-vendor-data-privacy/

Microsoft released code (via Github) to apply these classifications to SharePoint on-premise deployments in 2014.

Source: https://github.com/OfficeDev/PnP/tree/master/Solutions/Governance.TimerJobs

In 2016 Microsoft released a Technical Case Study highlighting how it migrated all its SharePoint content to SharePoint Online – and how information classification formed part of that process.

Source: ‘SharePoint to the Cloud – Learn how Microsoft ran its own migration’ (Case Study – 2016)  https://msdn.microsoft.com/en-us/library/mt668814.aspx

In May 2016, Microsoft announced that this form of classification would be added to new SharePoint Online site collections during 2016.

The application of security classifications to SharePoint Online sites has two elements:

  • Security and compliance policies, set by the SharePoint Administrator via either the ‘Security policies’ or ‘Data management’ section of the Office 365 Security & Compliance Center. [As of 23 May 2016 the only policies are ‘Device management’ and ‘Data Loss Prevention’. While the DLP policies appear to allow the inclusion of security classifications, it is expected that Microsoft will add more options to support the application of security classifications during 2016. See below for more information on DLP.]
  • A new drop-down, three choice (LBI, MBI, HBI) option in the ‘Start a new site’ dialogue box under the question ‘How sensitive is your data?’ The choice of classification invokes the relevant security and compliance policies.

Microsoft provides examples of the types of information that would be covered by each of these at this interactive site: https://www.microsoft.com/security/data/

The application of these policies will enable organisations to control what happens to information stored in sites assigned these classifications. Among other things, this can prevent users from sending (or trying to send) MBI or HBI classified information to people not allowed to receive or view it, including through DLP policies discussed in the next section.

Data Loss Prevention (DLP)

Data Loss Prevention policies allow organisations to:

  • Identify sensitive information across both SharePoint Online and OneDrive for Business sites (and in Exchange, through the same settings).
  • Prevent the accidental sharing of sensitive information, including information classified MBI or HBI.
  • Monitor and protect sensitive information in the desktop versions of Word, Excel and Powerpoint 2016.
  • Help users learn how to stay compliant by providing DLP tips.
  • View reporting on compliance with policies.


DLP Conditions

DLP works by giving administrators with access to the Security & Compliance Center (not individual site owners) the ability to create and apply DLP policies for SharePoint (which includes OneDrive for Business; there is a separate Center for Exchange). In the Center, the Administrator navigates from ‘Security policies’ to ‘Data loss prevention’.

The DLP policy area includes a range of ‘ready-to-use’, financial, medical and privacy templates for a number of countries including the US, UK and Australia. Examples of pre-defined Australian sensitive information types include: bank account numbers, driver’s licence numbers, medical account numbers, passport numbers, and tax file numbers.

You may also create a custom DLP policy.

Sources: https://technet.microsoft.com/en-us/library/ms.o365.cc.newpolicyfromtemplate.aspx  https://support.office.com/en-gb/article/Send-notifications-and-show-policy-tips-for-DLP-policies-87496bc5-9601-4473-8021-cb05c71369c1

DLP Actions

Specific actions must be set for every DLP policy; that is, what happens if the policy conditions are met. The default actions are:

  • Block access to content (for everyone except its owner, the person who last modified the content, and the owner of the site where the content is stored) AND send a notification by email.
  • Suggest a Policy Tip to users. Options are (a) Use the default Policy Tip or (b) Customise the Policy Tip.
  • Allow override options. There is one main checkable option (‘Allow people who receive this notification to override the actions in this rule’) and two sub options:
    • A business justification is required to override this rule, and
    • A false positive can override this rule.

In addition to these actions, where the DLP policy identifies sensitive content in a document stored in SharePoint Online or OneDrive for Business it displays a small warning ‘stop’ sign icon on the document icon. Hovering over the item displays information about the DLP policy and options to resolve it.

DLP Incident Reports

Incident reports are designed to alert a compliance officer to details of events triggered by the DLP conditions, and provide reporting on those events.

Sources:

https://technet.microsoft.com/en-US/library/ms.o365.cc.DLPLandingPage.aspx
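The conditions, actions and incident-report settings described in the three sections above can be created as one policy from Security & Compliance Center PowerShell. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-IPPSSession), uses placeholder policy, rule and mailbox names, and relies on two of Microsoft’s built-in Australian sensitive information types.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module; Connect-IPPSSession opens a Security & Compliance Center session. The policy,
# rule and compliance@contoso.com names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Policy scoped to SharePoint Online and OneDrive for Business (Exchange is a separate
# location). Start in test mode with policy tips so nothing is blocked until the
# false-positive rate is understood, then change -Mode to Enable.
New-DlpCompliancePolicy -Name "AU Sensitive Data (SPO-ODB)" `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Conditions: at least one Australian tax file number or driver's licence number in a
# document that is shared with people outside the organisation.
# Actions: block access (owner, last modifier and site admin keep access and are
# notified), show a custom policy tip, allow override with a business justification or
# a false-positive report, and send an incident report.
New-DlpComplianceRule -Name "AU TFN or licence shared externally" `
    -Policy "AU Sensitive Data (SPO-ODB)" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number";        minCount = "1" },
        @{ Name = "Australia Driver's License Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText "This document contains Australian personal identifiers and cannot be shared outside the organisation." `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin, compliance@contoso.com `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Confirm what was created.
Get-DlpComplianceRule -Policy "AU Sensitive Data (SPO-ODB)" |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, NotifyAllowOverride, GenerateIncidentReport
```

The -AccessScope NotInOrganization condition is what turns a broad “contains a TFN” rule into the narrower “contains a TFN and has been shared externally” rule; without it the block fires on every matching document, which is usually far more disruptive than intended.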

Audited Sharing

Information sharing is a common activity in SharePoint and in SharePoint 2016 and SharePoint Online it is actively encouraged through a new Share option.

In addition to other existing audit options, sharing activity can now be audited in SharePoint Online. The audit logs for Office 365 (which must be enabled) are accessed through the Office 365 Admin Center > Security & Compliance Center > Search & investigation > Audit log search.

Source: https://support.office.com/en-us/article/Use-sharing-auditing-in-the-Office-365-audit-log-50bbf89f-7870-4c2a-ae14-42635e0cfc01?ui=en-US&rs=en-US&ad=US
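The same sharing events that the ‘Audit log search’ page returns can be pulled and filtered from PowerShell, which is the practical way to get a regular report of external shares. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Search-UnifiedAuditLog is an Exchange Online cmdlet) and writes to a placeholder CSV path.

```powershell
# Added example (not from the original post). Uses the Exchange Online cmdlets from the
# ExchangeOnlineManagement module; the output path is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Nothing is recorded until the unified audit log is enabled for the tenant.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Last 7 days of SharePoint Online / OneDrive for Business sharing events.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated `
    -ResultSize 5000

# Each record carries a JSON 'AuditData' blob. Expand it and keep only shares that went
# to a guest (external) account or created an anonymous link.
$external = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    if ($d.Operation -eq 'AnonymousLinkCreated' -or $d.TargetUserOrGroupType -eq 'Guest') {
        [pscustomobject]@{
            When      = $d.CreationTime
            Who       = $d.UserId
            Operation = $d.Operation
            Target    = $d.TargetUserOrGroupName
            Item      = $d.ObjectId
            Site      = $d.SiteUrl
        }
    }
}

$external | Sort-Object When | Format-Table -AutoSize
$external | Export-Csv -Path .\external-sharing-7d.csv -NoTypeInformation
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a busy tenant, narrow the date range or page through the results with -SessionId and -SessionCommand ReturnLargeSet rather than assuming one call saw everything.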

Information Rights Management (IRM)

Microsoft’s Information Rights Management capability provides an additional layer of protection for a number of document types at the list and library level in SharePoint Online sites.

Supported document types include PDF; the Office 97-2003 binary formats for Word, Excel and PowerPoint (the extensions without a trailing ‘x’, e.g. ‘word.doc’); the Office Open XML formats for Word, Excel and PowerPoint (with the trailing ‘x’, e.g. ‘word.docx’); and the XML Paper Specification (XPS) format.

According to Microsoft, IRM:

‘… enables you to limit the actions that users can take on files that have been downloaded from lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as print copies of the files or copy text from them.’

IRM is enabled via the Office 365 Admin Center > Admin > SharePoint > Settings > Information Rights Management > ‘Use the IRM service specified in your configuration’ and then ‘Refresh IRM Settings’.

Source: ‘Apply IRM to a List or Library’ https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1


When IRM is activated on a library, any file that is downloaded is encrypted so that only authorised people can view it. Again, according to Microsoft:

‘Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded.’

Source:

https://support.office.com/en-us/article/Set-up-Information-Rights-Management-IRM-in-SharePoint-admin-center-239ce6eb-4e81-42db-bf86-a01362fed65c
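Once the tenant-level IRM service is switched on as described above, the library-level settings (the restrictions that end up in each file’s issuance licence) can be applied from script. The following is an added example, not code from the original post. It assumes the SharePoint Online client-side object model (CSOM) assemblies that ship with the SharePoint Online Management Shell and legacy username/password sign-in via SharePointOnlineCredentials (an assumption: that sign-in method must still be permitted in your tenant); the site URL and library title are placeholders.

```powershell
# Added example (not from the original post). Uses the SharePoint Online CSOM
# assemblies loaded by the SharePoint Online Management Shell and legacy
# SharePointOnlineCredentials sign-in (assumed to be allowed). The site URL and
# library title are placeholders; tenant IRM must already be enabled.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking   # also loads Microsoft.SharePoint.Client*.dll

$siteUrl = "https://contoso.sharepoint.com/sites/legal"
$cred    = Get-Credential -Message "SharePoint Online account"

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$list = $ctx.Web.Lists.GetByTitle("Contracts")
$ctx.Load($list)
$ctx.ExecuteQuery()

# Switch on rights management for the library: from now on every download is encrypted
# and carries an issuance licence with the restrictions set below.
$list.IrmEnabled = $true
$list.IrmExpire  = $false    # no fixed date after which the library stops being protected
$list.IrmReject  = $true     # refuse uploads of file types that IRM cannot protect

$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle                = "Contracts (HBI)"
$irm.PolicyDescription          = "Downloaded copies are read-only: no printing, no saving an unprotected copy."
$irm.AllowPrint                 = $false
$irm.AllowWriteCopy             = $false   # viewers cannot save an unprotected copy
$irm.DisableDocumentBrowserView = $true    # do not open these documents in the browser
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30       # a downloaded copy stops opening 30 days after download

$list.Update()
$ctx.ExecuteQuery()

# Verify the change took effect.
$ctx.Load($list)
$ctx.ExecuteQuery()
"IRM enabled on '{0}': {1}" -f $list.Title, $list.IrmEnabled
```

IrmReject is worth setting deliberately: without it, users can still upload file types that the quoted list does not cover, and those files leave the library unprotected even though the library shows IRM as enabled.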

Shredded storage

Shredded storage, as the name suggests, describes the way documents are stored in SharePoint, starting from SharePoint 2013. Instead of storing a document as a single blob, documents are stored in multiple blobs.

It makes updates more efficient: when a document is changed, only the chunk(s) that changed are written. On its own, shredded storage is a storage optimisation rather than a security control; the per-chunk encryption described in the following quotation is a property of the SharePoint Online service, not of shredded storage in an on-premises farm. According to a Microsoft presentation on 4 May 2016:

‘… every file stored in SharePoint is broken down into multiple chunks that are individually encrypted. And, the keys are stored separately to keep the data safe. In the future, we would like to give you the ability to manage and bring your own encryption keys that are used to encrypt your data stored in SharePoint. If you want, you can revoke our access to the keys. And we will not be able to access your data in the service’.

Source:

https://blogs.technet.microsoft.com/wbaer/2012/11/12/introduction-to-shredded-storage-in-sharepoint-2013-rtm-update/

Other Information Security related options

The Microsoft website ‘Monitoring and protecting sensitive data in Office 365’ provides further information about other Information Security options in Office 365, including reporting options to support auditing of activity in the tenant.

Source: https://msdn.microsoft.com/en-us/library/mt718319.aspx


Planning access controls in SharePoint 2010 team sites

October 15, 2013

A key factor that needs to be considered when planning for the creation of team sites for the management of records is access control. Getting this right (or as close to right as possible) early on for team sites with sub-sites will save a lot of potential pain later on.

Team sites will normally have three levels of access permission:

  • Site owners. Full control. One to three for each site collection.
  • Site members. Contribute rights, i.e., add/edit/delete.
  • Site visitors. Read only access.

There are generally three ways to manage access controls in team sites that have sub-sites:

  • Inheritance, broken as required. Top level site owners control all sub-sites, site members and visitors can be the same.
  • Independent, within a site collection. Different site owners/members/visitors between the top site and sub-sites – although the site owners could be the same.
  • Independent, separate sites but linked. Different site owners/members/visitors for each site.

Inheritance model

This is the default access model for team sites with sub-sites and is enabled when a Site Administrator creates a new sub-site without choosing ‘More options’ on the ‘Create’ Team Site dialogue page. Site owners control the top and sub-sites, site members and visitors are the same unless inheritance is broken on any part of the site (sub-sites, libraries or lists, or documents).

  • The benefits of this model are that site owners control the whole site collection and both members and visitors can be the same.
  • The negatives relate to the effort involved in restricting access and giving unique access to sub-sites, libraries/lists, or documents. For example, to provide access to a specific area, a person who is not part of the default members or visitors group must be either added to one of those groups, or added individually. When they are added individually by user name, their user name appears across the entire site collection; they will be able to navigate ‘up’ (and down) but they won’t see any content in any page, library or list. Another negative is that, once selected, it is not possible to revert to the independent model (unique permissions); it is only possible to break the inheritance model and create new security groups which is a bit messy.

Independent model, within a site collection

The option to select this model must be selected when the new sub-site is created by clicking on ‘More Options’ after the Title and URL name are entered. A new dialogue box opens with a section ‘Permissions’. This notes ‘You can give permissions to access your new site to the same users who have access to this parent site, or you can give permission to a unique set of users’. It adds, ‘If you select “Use same permissions as parent site”, one set of user permissions is shared by both sites. Consequently, you cannot change user permissions on your new site unless you are an administrator of this parent site’.

There are two options:

  • Use unique permissions
  • Use same permissions as parent site (the ‘inheritance’ model above).

Again, there are positives and negatives to this model:

  • The benefits of this model are that you can have unique access permissions on sub-sites, removing the requirement to break inheritance or worry about what users with access can see on the other parts of the site collection. Each sub-group within a team can have its own site that cannot be accessed by the other parts of the team – although you might consider giving other parts of the team visitor access, with the sub-group having ‘contribute’ rights.
  • The negatives of this model are in the requirement to manage multiple access permissions for the top level site and sub-sites. Consider a common team environment – normally only a couple of people will be the site owner. If the site collection has multiple sub-sites with unique permissions, each of those sub-sites will have their own site owners. Of course, you can assign the same person to the site owner of each sub-site, but it is still a degree of overhead you don’t get with the inheritance model.

Independent model, separate site collections

This model simply consists of either of the first two options, with separate site collections added as links either on the global (top) or current (left hand side) navigation. End users don’t know that these links are completely separate sites unless they look at the URLs.

  • The benefits of this model are the same as the benefits for the second option above (independent model). Each site collection has its own unique permissions. It also allows you, if you restrict team sites to one sub-site level, to have sub-sites on the linked sites, to get around that restriction. Separate site collections could have either ‘open’ access to everyone, or ‘closed’ access.
  • The negatives of this model are also the same as the negatives for the second option above. Generally, however, there will usually be a good or compelling reason for having a completely separate site collection linked to the primary team site, and this often relates to the proposed site audience. For example, members of the team may be involved in a project; the (separate) project site can be linked to the main team site, but only those members of the team site with access will be able to see it.

In summary, it is important to consider access controls carefully, understanding both the benefits and the negatives of each option, then plan and implement accordingly. Otherwise, if there is a requirement to change the access type, this could be difficult to implement later on and the sub-site may have to be re-created.

Understanding and managing access permissions in SharePoint 2010

March 19, 2013

By default, access permissions are set at the Site Collection level and then inherited downwards, to all libraries (and document sets), lists and documents on the main page and to all subsites and their libraries (and document sets), lists, and documents.

The default permissions are usually:

  • Site Owner (full control of the site)
  • Site Members (can add and edit)
  • Site Visitors (can view only)

Breaking the inheritance model of access permissions is relatively simple to do but can create confusion and, if not done correctly, make content completely inaccessible even to the Site Owner. Breaking the inheritance model on documents is particularly dangerous as there is no easy way to identify or manage access restrictions applied across the farm.

Simple access controls via de-inheritance

The simplest way to limit access to a site or the content on a site is to de-inherit the access permissions. To change this on:

  • Sites, go to Site Actions – Site Permissions
  • Libraries/Lists, go to Library/List – Library/List Permissions
  • Document Sets or documents, click on the down arrow next to the name and click on Manage Permissions

… then choose ‘Stop Inheriting Permissions’. If that option is not there, then the Site, Library/List, Document Set or Document may already have permissions on it. (You may see the following statement: ‘Some content on this site has unique permissions which are not controlled from this page. Show me uniquely secured content’).

But there’s a catch, and it creates the first layer of confusion. When you stop inheriting permissions, the same permission groups remain on the page. But didn’t you just STOP inheriting those permissions?

The reason I think Microsoft left the default permission groups there is so you don’t inadvertently lock yourself out of the Site, Library/List, Document Set or Document – if no group is left and you navigate away from that page, you will almost certainly be denied access. The really good thing to note is that, if you have realised you are about to make something inaccessible (and before you navigate away), you can click on ‘Inherit Permissions’.

So, after you stop inheriting permissions, the next things you need to do are (a) remove any groups you no longer want to have access to the site, and then (b) add or create a group you want to have access to the site. To do that, you click on ‘Grant Permissions’. The dialogue box that appears asks you to select users or groups, and then grant the specific permissions. A group must already exist before you can add it, and groups are created at the Site Collection or Site level.

Note that a created group does not on its own have specific permissions; it is only a group of names. You create the permissions when you give that group access to the site, library/list, document set, or document. If you have a group already, you can add new names to that group.

I’d recommend you create a group at the Site Collection level because it will appear there anyway and you need to understand what impact that has – any new group you create will have access to anywhere else in the site by default UNLESS you break the inheritance model.

Slightly complex access controls via de-inheritance and groups

The most common use case for slightly complex access controls is at the library/list, document set or document level. That is, there is a business requirement to restrict access to one of those, or to provide access to a specific document set and nothing else. For the sake of this posting, we will consider the case of a library, in a second level sub-site, that contains multiple document sets, each with multiple documents. The business area wants to restrict access to one of the document sets to a specific group of people.

This is where you need to exercise great care as, without careful planning, you could inadvertently allow all the members of that group to access anything else across the entire site collection where access is inherited. This is because, when you create an access group, the group will appear across the entire site collection.

To allow access to a document set only within a site collection (and assuming there are multiple sub-sites, each of which inherits from the top level), you need to first understand the access permissions already set.

First, break inheritance on all sub-sites; by default this will leave the default groups plus the new one you have created, so you only need to remove that new group from the access permissions of each sub-site. This will remove the new group from all libraries/lists, document sets and documents on each site.

Second, you need to add the group to the specific document set. To do that, stop inheriting the permissions, which leaves the default access permissions, then add the new group by clicking on Grant Permissions.

Now, if you go to the site permissions, you will see the new group listed (which can be a bit disconcerting), and the statement (against a yellow background): ‘Some content on this site has unique permissions which are not controlled from this page. Show me uniquely secured content’.

What this means is that members of the group you have added:

  • Cannot access the site, or site collection (they will get an ‘Access Denied’ message).
  • Can see the document set they have been given access to (but no other document set or document in the same library).
  • Can see the site’s libraries and lists but cannot see any content in those lists. This is a good reason for being careful about naming those libraries.
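One way to get the overview the post says is missing, as an added example that is not part of the original post: a script for the SharePoint 2010 Management Shell that walks one site collection, lists every site, library/list, folder/document set and document that has unique permissions, shows who holds them, and flags any object that no longer carries a Full Control assignment (the lock-out case described above) or that still grants access to the new group. The site collection URL and the group name are placeholders; a farm with the server object model available is assumed.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management
# Shell on a farm server as a site collection administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://intranet.example.local/sites/teamsite"   # placeholder URL
$watchGroup = "Project X Members"                              # placeholder group name
$fullMask   = [Microsoft.SharePoint.SPBasePermissions]::FullMask

# Print who has what on a securable object (SPWeb, SPList or SPListItem) and flag it
# when no principal holds Full Control, or when the watched group still has access.
function Show-UniquePermissions($kind, $url, $securable) {
    $hasFullControl = $false
    $holders = foreach ($ra in $securable.RoleAssignments) {
        $roles = foreach ($rd in $ra.RoleDefinitionBindings) {
            # Compare permission bits rather than the (localisable) role name
            if (($rd.BasePermissions -band $fullMask) -eq $fullMask) { $hasFullControl = $true }
            $rd.Name
        }
        "{0} [{1}]" -f $ra.Member.Name, ($roles -join ", ")
    }
    $flags = @()
    if (-not $hasFullControl) { $flags += "NO-FULL-CONTROL" }
    if ($holders -match [regex]::Escape($watchGroup)) { $flags += "GRANTS-WATCHED-GROUP" }
    "{0,-6} {1}`n       {2} {3}" -f $kind, $url, ($holders -join "; "), ($flags -join " ")
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        $webPath = $web.ServerRelativeUrl.TrimEnd("/")
        # The root web always has its own role assignments; sub-sites only when de-inherited
        if ($web.HasUniqueRoleAssignments) { Show-UniquePermissions "Site" $web.ServerRelativeUrl $web }
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }
            if ($list.HasUniqueRoleAssignments) {
                Show-UniquePermissions "List" $list.RootFolder.ServerRelativeUrl $list
            }
            # Folders (including document sets) and items are enumerated separately;
            # Items loads every item in the list, so expect this to be slow on large libraries
            foreach ($item in @($list.Folders) + @($list.Items)) {
                if ($item.HasUniqueRoleAssignments) {
                    Show-UniquePermissions "Item" ($webPath + "/" + $item.Url) $item
                }
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

Run it before and after the two de-inheritance steps above: the first pass shows the new group still present on every inheriting sub-site via the root web, the second should show it only on the one document set.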

As noted already, access permissions can be very difficult to manage and very easy to get wrong. Careful planning will help to ensure you don’t lock yourself out.