7 steps to clean up unique permissions

cleanup-headerIn my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show items
Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Cleanup-showitemsiwhtuniquepermissions
Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or libraries that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

Cleanup-Documentswithuniquepermissions
List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

Cleanup-deleteuniquepermissions
After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show users
Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

Cleanup-RemoveKimB
You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type  will generally have  “guestaccess”  in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Cleanup-GetaLink
Link “”Document 5″has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Limiting unwanted sharing and unique permissions

Preventsharing-fenceIn my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some options that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

Preventsharing-GetaLink
This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

preventsharing-noexternalsharing-indirectoy
This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

preventsharing-noexternal-usernotindirectory
And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

preventsharing-defaultsharingsettings
By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

prebensharing-tiredofapprovals
If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

Preventsharing-noaccessrequest
You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

preventsharing-noemail
Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”,

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Sharing = scaring (part 2)

Sharing2-imageIn my most recent post I focused on sharing documents and items by the Site owner, demonstrating that the Site owner him/herself can easily create lots of unique permissions by sharing folders, documents and items.

But what happens if a another user of your team site shares? Can a Member or Visitor create unique permissions as well, and does the Site owner know what the Site members are doing?

Once again, we start out with a team site with the standard permission sets (Owner, Member with Edit permissions, Visitor with Read permissions) and no unique permissions.

Durian Grey is a Visitor and Mystery Guest is a Member. We also introduce Kimberley B, who has no access at present.

Sharing documents/items by a Member

Now, Mystery Guest shares as follows:

  1. Durian, Can View
  2. Kimberley, Can View
  3. Durian, Can Edit
  4. Kimberley, Can Edit

The following results are as expected:

  • Document 1 does not change permissions since Durian already has Read access to this site.
  • Documents 2, 3 and 4 get unique permissions after clicking the “Share” button in the Sharing screen.
  • The persons are added as individuals to the document
  • Documents 3 and 4 have the individual added with “Contribute” while Members in this site have “Edit” permissions. (and the Share option is called “Can Edit”) So, a new role is added.

These following results were a surprise for me:

  • The documents shared with Kimberley B generate an External Sharing Invitation (access request) but the Site owner does not get an email notification.
  • Kimberley B can only share the document with existing site members when she has View permissions. but she can share the document with ANYONE, including new externals, when she has Edit permissions.
  • When Kimberley B shares with another external user this creates an External Sharing Invitation for the new person.
SharingbyexternalCanEdit
Kimberley B can share the Edit permissions for this document with everyone, even though she has no permissions on site level. Scary!

 

Sharing documents/items by a Visitor

Durian shares document 5 with Mystery Guest. He can not select Can View or Can Edit. When he clicks “Share”, he sees a message that this request is being sent to the Site Owner but that does not happen; the message goes straight to Mystery Guest. She can access in her normal role and no unique permissions are created. Phew!

Durian then shares document 5 with Kimberly B.

SharingbyVisitor
A Visitor can share but always needs approval from the Site owner.

 

When he clicks “Share” the following things happen:

  • The Site owner receives the normal “someone wants to share” email, Durian gets a copy
  • An access request in Pending Requests appears. By default, the request is for Edit (not Contribute), as an individual. The Site Owner can not select one of the permissions groups, so has to give individual permissions. 😦
  • As soon as the Site owner selects a permissions set and hits Approve, the item has unique permissions.
  • Durian receives an email that the sharing request has been accepted.
  • Kimberley B receives an email that a document has been shared.
  • Kimberley B can share the document with only existing members or anyone, according to her permissions.

Sharing a site

Since Mystery Guest has found that Kimberley has no access, she shares the complete site with Kimberley. She is not a Site owner, so she can not select a permission set when she shares the site.

As soon as Mystery Guest clicks “Share”

  • Kimberley B receives an email.
  • She is added into the Members group (even without having accessed the site).
Sharing2-KimBisaddedasmember
Uh…how does Kimberley B suddenly end up in this group?

 

Durian has the same thought.

  • He shares the site with Kimberley B.
  • His request is sent to the Site Owner and an Access Request is created.
  • The Site Owner goes to the Access Requests list and selects the Visitors group of the site and clicks Approve. (Members is the default, btw)
  • A confirmation email is sent to Kimberley B and Durian.

Now Durian wants to share the site with another external person, who has never been invited before. He can not do that.

Sharing2-Durianshareswithnsomeoneelse

What to think of this?

It is complicated!

Although a number of things are understandable this can turn into a messy site:

  • Get a Link, Share and Access Requests can all very easily create unique permissions for documents (including pages), folders and list items.
  • Members can use Get a Link and Share, create unique permissions, and add new Members, without the Site owner knowing.
  • Visitors can do less and generally need approval from the Site owner; this is better for the Site owner’s overview, but can create a lot of work because of the approval requests.
  • External users can share your document with anyone, if they have Edit permissions.

Don’t panic!

Before you start panicking, please be aware that my tenant is almost out-of-the-box and all the sharing options are turned on by default.  Tenant admins can take measures to reduce the unlimited sharing Microsoft thinks we need.
I will share those measures with you next time.

I have also found a few differences with regards to users who are mentioned in my tenant (with and without license) and who are not. When I have recovered from my current identity crisis, juggling 4 accounts and 3 browsers, I will try to find out more. 🙂

Image courtesy of marcolm at FreeDigitalPhotos.net

Sharing = scaring (part 1)

Sharing=scaring1If you thought that only “Get a Link” and Access Requests can upset the carefully constructed permissions settings in your site, you have not used “Share” yet 🙂

How “Share” works

Currently you can share a site, folders *, documents and items tem via this option. It does not work for libraries and lists, but I expect this is a matter of time.

(* only when a specific setting has been enabled)

If you select a document and click Share, or go to the Share button to share the site, a pop-up opens and you can:

  • Add the person (pick from people picker or type email address)
  • Select role (“Can View” or (the default!) “Can Edit”)
  • Add a message
  • Determine if sign-in is required (if you allow anonymous access)
  • Determine if you want to send an email (recommended; otherwise people may not know something has been shared with them)
  • If this is a site and you are the Site owner, you can select the desired permission group (recommended) or a permission level.

The person you share with will receive an email, and you will get a copy.

Sharing-2
The Sharing screen. If you share the site and are the Site owner, you will see an option to add the person to a group.

New Share interface

During my experiments, I noticed a difference in Share interface between sharing from a Document library web part on a page (screenshot above) and from the native Document library (screenshots below).

CHAOPS has already written about it.

Sharing-newShareInterface
The new Share interface. You get this when you share from the Document library itself.
Sharing9-clickonanyone
If you select a different option than “Anyone” in the screenshot above, you will see these options.

Sharing a site

Sharing a site (using the Share button top right on any page of a site) is actually a faster way to add someone to your site than going to Site Settings > Site Permissions.
From the Share pop-up you can add people to a site group.

I recommend this to Site owners.

Sharing documents/items with people who do not have access

I am quite alone in my tenant, so I can only share with externals. However, externals have exactly the same options as employees so it does not really matter. My tenant allows anonymous access, so I can decide between “no sign in required” (anonymous access) and “sign in required”.

This is my test document library.

Sharing-1

I have inherited the permissions for the Newsfeed, so I have very straightforward site permissions before I start sharing.

Sharing-3
I wish I knew how to change the permission level descriptions to English!

I share the document numbers as follows:

  1. Can View with Durian Grey, no sign in
  2. Can Edit with Durian Grey, sign in
  3. Can View with Mystery Guest, sign in
  4. Can Edit with Mystery Guest, no sign in

Without those people even accessing the documents, here’s what happens:

  • The permission inheritance for each document breaks as soon as you hit Share.
Sharing-4
All shared documents get unique permissions
  • If you do not require sign-in, the permission inheritance is simply broken with no people added or anything.
Sharing-5-anonymous access
With anonymous sharing, permission inheritance for the document breaks, nothing else.
  • If you require sign-in, the person who you share with is added to the permissions with Read (if you select “Can View”) or Contribute (if you select “Can Edit”), as an individual user, NOT in a group.
Sharing 4- signinuser added as individual
In case of “sign-in required”, you see that Durian Grey is added as individual with Contribute permissions.
  • The persons you share with get “limited access” to your site and will show up in that yellow bar. This is as expected, but be aware that this happens.

    Sharing 6- people with limited access.
    Two people with Limited Access added to your site….somewhere.

Once they have accessed the documents, nothing changes.
So you, as the site owner, have done all the damage yourself 😦

Sharing documents/items with people who have access

Let me add Mystery Guest as Member and Durian Grey as Visitor, and share some documents with them in their new status.

5. Can View with Durian Grey
6. Can Edit with Durian Grey
7. Can View with Mystery Guest
8. Can Edit with Mystery Guest

After sending out the emails this is what the permissions looked like:

Sharing 7-sharingwithmembers
Only one document has unique permissions after sharing with people who are added to the site.

Only document 6 has unique permissions: where I shared the document as “Can Edit” with Durian Grey who can only Read. That makes sense.

It is that I have given up fighting unique permissions, otherwise I would have recommended that you add all likely members for your team site into site groups. 🙂

Sharing a folder

Folders are documents, so I would expect folders to behave in a similar way as documents. I can indeed share a folder from the native Document library, with the new interface. And indeed, depending on the permissions that the audience has, I will either create unique permissions or not.

However, when I want to share a folder from the Document library web part on the homepage I get this error message.

Sharing-folderssharingdisabled

How inconsistent!

After disabling that Site Feature and trying again I get the familiar older Share pop-up.

Sharing-oldShareinterfaceforfolder
Interface when sharing a folder from a Document library web part

But hey, what is that, just above the “hide options”?

“Share everything in this folder, even items with unique permissions”. Checked by default, of course.

I can not even imagine what this will do to your permissions! When I can gather the courage, I will give it a test.

This is enough interesting news for now.

In my next posts, I will discuss what happens when a member or visitor shares. And then I will share some options to prevent unique permissions and clean your site.

Image courtesy of imagerymajestic at FreeDigitalPhotos.net

7 ways to create and foster unique permissions in your SharePoint site

SnowflakeUniquePermissionsSome people call me “obsessed” with SharePoint permissions, and especially with breaking permission inheritance from the parent.

They are correct and I’ve got good reason (or so I think): the majority of issues and support questions have to do with non-standard permissions and people not fully understanding the consequences of creating unique permissions that they or their predecessors have done, knowingly or accidentally.

So while pondering my personal branding 🙂 I thought it might be better to embrace the options that Microsoft has created for us to share freely. After all, this thing is not called SharePoint for nothing! In Office365 everything is geared towards sharing content, without any considerations or warnings that many of these options create unique permissions, so who am I to worry, or go against that principle?

And what’s more, people who create unique permissions keep me in work! There’s nothing I like better than a complicated permissions puzzle, so if I want to stay away from boring discussions about columns that do not align 100% or the exact dimensions or rotation speed of carousels, why not make sure that I create some interesting work for myself?

So, let us make sure we all share content freely and without abandon!

In order to do that, I have collected these 7 principles for site owners.

1. Never give anyone “Read” access

This restricts the options for these people to share content. You will give them ugly words to share with (“Restricted Link”…ugh!),  and they will need your approval. Come on, these are grown ups that know what they are doing! If they want to share a document, they must have a good reason. And you, as a site owner, have better things to do than approve or decline sharing requests.
Treat everyone the same and give them Contribute permissions at the very least. Who knows, they may have some great insights to add to your policy or project statement. Added April 27, 2017: And they may even help you design your homepage and other pages! Thank you for that addition, Helena! (See comments below)

2. Always use individual permissions

Well, you know there is this site group option of Owners, Members and Visitors, but who wants to be in a group, if the only thing joining you is having an interest in a document? Why bother puzzling out which group would be the best option for a person? You know it never fits 100% – this document is interesting to Stella, Eric and Tom, while the other document is interesting to Stella, Tom and Cindy. How can you make groups if every document has their own audience?
Surely your audience consist of all individuals, with individual needs. Using individual permissions will give you the most freedom to match each document with the people who really need it.

3. Break permissions inheritance freely

When in doubt, break! Or when your boss tells you so, of course. SharePoint has the option to allow access on a granular level, so why not make use of it and enjoy this to the fullest? You can pinpoint any document library, folder or even document or list item and give exactly the right individuals access.

4. Never use the “restricted link” option

Restricted…what an ugly word, it feels so….limited! Why would you want to impose restrictions? When you want to share content, select the “Can read” link to make sure that your intended audience can read it and not bother you with requests for access. Even better, use the “Can Edit” option. After all, your audience may have great ideas to share in that document. Policies and other controlled documents are a thing of the past, let’s crowdsource them all!

5. Immediately accept any Access Request

Hit the “Accept”  button and do it quickly, or you may lose a perfectly good reader or editor of the page or document you are sharing. Be ashamed of yourself that you have excluded someone from your content! Rejoice that they go to so much trouble to see it!
Only then, but only if you have the time, find out why and to which content this person wanted access.

6. Never review your permissions

You may be tempted to add Caroline, John and Marcia into a group if you see their name appear on every document, but who are you to decide they need to be grouped? As mentioned in paragraph 2, they are all unique individuals and throwing them into a group only because they read or edit the same documents does not do justice to their uniqueness. And the excuse of “groups are easier to manage for me” is a bit selfish, don’t you think?

7. Stop managing permissions altogether

This may be the best advice anyone can give you.
After all, is it not a bit conceited to say that “you own this content” or “you are managing this site”? The other people in the site know very well what they are doing, and they will take care of ensuring that this content is available to all the right people! Together you know who needs, or is interested in, your information. Over time, your content will gravitate towards exactly the correct audience.

To make sure that your unique permissions grow fast enough, you may want to enter in a competition with other site owners. It may well be that companies like ShareGate have a tool that can measure unique permissions. If they don’t, I suggest they develop one quickly.
Let me know how it goes!

Image courtesy of digitalart at FreeDigitalPhotos.net 

Let the right one in (your SharePoint site)

AccessRequest-KnockerWhat do you do when you receive a request for access to your SharePoint site? Accept it immediately (because you want to be done with it, or you feel a bit ashamed that you have excluded someone) or find out exactly what they want because there may be more to the request than meets the eye?

Yes, I thought so. 🙂

Let’s dig a bit deeper into Access Requests. There’s quite a lot you can do with them, including creating unique permissions. You know that I hate that!

Microsoft explains this in detail  but of course they  they let you figure out all the implications by yourself. Or by me :-).

If your email address is in the Access Request Settings, you will receive access requests via email, and the requests will be replicated in the Site settings > Access Requests and Invitations page.

AccesRequests-Link
If you do not see “Access requests and invitations”, you have not received a request yet.

How does it work?

When you get the access request in your mail, you will see the link to the desired content. You can immediately click the “Accept” button from the email and give them Contribute permissions by default.

Access Requests-request
At the bottom you see the link to the document.

Yes, Contribute. That means they can edit the content.

Hmmm, perhaps clicking Accept immediately is not such a good idea after all. Perhaps Read-permissions are good enough. Or, if you have sent this link assuming they had access, it may be a good idea to give them access to the complete site.

Alternative: the Access Requests and Invitations page!

So, here comes the Access Requests and Invitations page to look at (and manage) the request.

You will see three categories: Pending requests, External user invitations and History.

Access requests - page
The page where you can take a closer look at the access request.

Here again, you can click Approve or Decline, or check first what will happen if you click Approve. So, click the … next to the name of the requester. This pop up opens:

Access Requests-open.GIF
“Bewerken”  means “Contribute”, sorry, the language settings in my tenant are a bit out of my control.

Here you see some more info:

  • What Office365 has decided about their permissions. In this case Office365 would add them as an individual to this document with Contribute permissions – most unpleasant!
    You can click the drop down to select the Contributors or Visitors group for the site.
  • Who has asked access and what exactly for. Hover over the link to see the URL.
  • Date and time of the request
  • Approval state
  • Email conversation with the person who requests access. You see I was busy writing this post, so the impatient Mystery Guest asked for permissions again 🙂

What would have happened…

If I had clicked Accept from the email or Approve from the Access Request page, this is what would have happened:

Access request - acceptwithoutchanges
You see Mystery Guest now has unique permissions and is added as an individual with Contribute permissions.

Exception: Site welcome page

There is one exception to this rule and that is when you send the link to the welcome page of the site. In that case the requester is added by default to the Members group. This also may be more than you want, though.

Access requests-sharesite
If you share the site root or welcome page, the person is by default added to the Members group.

History

After approval, the request ends up under “Show History”. This gives a nice overview of everything that has happened in your site.
If you see a name very often, it may be an idea to give them access to the whole site.

Access Request - history
The Access Request history in this site. I may need to make this Mystery Guest a permanent member 🙂

Recommendation

When you receive an Access Request it may be better to spend some time figuring out the details, than to click Accept immediately. This will cost you some time now, but will save you time fixing unique permissions later (and dealing with even more access requests because too many inheritances are broken!).

Have you found any other “interesting” behavior of the Access Request?

Title based on the movie “Let the right one in“.

Image courtesy of cbenjasuwan at FreeDigitalPhotos.net

The SharePoint survey lifecycle

survey-headerThe other day someone asked me if I could help him set up a SharePoint survey. He wanted to use our nice new intranet and did not even mention the word “Surveymonkey” 🙂

I do not have much time for individual support at the moment so I thought I’d find him some help from the internet.  I found a good article from Microsoft about creating a survey but it stopped at the creation of the survey list. All the other blogs that I found on the topic touched very briefly on other settings at most. The best one I found also included a good number of benefits and examples of how to use surveys,

In my experience most problems occur because people think a survey is ready-for-use once the questions and answers have been set up. However, there are a lot of things you have to think about, so I still had to write the complete manual myself.

What will I cover in this post?

This will be a long read, so let me inform you of the topics I will cover:

  1. Determine your needs
  2. Find a site
  3. Create questions
  4. Give your audience correct permissions
  5. Decide on “show names”
  6. Decide on one or multiple entries per person
  7. Visibility of entries
  8. Welcome page and thank you page
  9. Testing your survey
  10. Launching your survey
  11. Monitoring results
  12. Gathering and analyzing results
  13. Deactivating the survey
  14. Deleting the survey

So, here goes!

1. Determine your needs

It makes a difference if you use your survey for a fun purpose (who will win the World Football Cup?), for a neutral business purpose (to collect suggestions for a new product), or for a serious and possibly even sensitive purpose. (How do you feel about this company? What were your experiences with this project?). For the latter, you will need more thinking, more questions, more careful wording and stricter settings than for the first example.
This is beyond this post’s scope, but this article may be a good starting point.
Update April 4, 2017: And as serendipity would have it, just after I published this blog this Tweet appeared in my timeline:

2. Find a site

A SharePoint survey is a list in a SharePoint site, so you need to have a site. You also need to be a site owner since it is very likely you will be fiddling with permissions and need to monitor responses. If you have one, you may need to consider the survey audience. Is your confidential project site a good place for a survey for all employees? Is your open site a good place for a very sensitive survey for senior management only about an upcoming divestiture? It can be done, but it may be more difficult to set up and manage than if your site has an audience that sort of matches the audience of your survey.
In some cases it is better to have a special site for this purpose.

If you do not have a site, and you are on Office365, an Excel survey may be an option. I have no experience with this, and I do not know if the information below is relevant for this.

3. Create questions and answers

First of all, plan your survey. Microsoft has some help for that, including an overview of the types of questions and answers.
Secondly, create the survey, add questions and answers and change some settings.
Please be aware that you will be unable to export a Likert scale (rating scale) question/answer to Excel for further analysis.

This is what a survey will look like:

Survey-homepage
This is what you see when you access a survey from the Site Contents page. Consider it your “survey homepage” and it is the starting point for many actions.

4. Give your audience correct permissions

Many people expect that a survey is automatically  set up to receive responses from everyone, but this is a normal SharePoint list with normal SharePoint behavior. So, in most cases you will need to give your audience Contribute permissions to the survey.

If you do not give them Read access to the site, be aware that they can only access the survey via the direct link to the survey and they can not enter the site.

5. Decide on “show names”

This is a setting that you will find in “Advanced Settings” when you create the survey, or afterwards in Settings > Survey Settings > List name, description and navigation.
The default is “Yes”. If you select “No”, all names of people will be replaced with ***.
This is not really anonymous because a Site Owner will be able to switch that at will, making all names visible again. During a survey it may make sense to have the names replaced, and only make them visible when you export the results, but this is also depending on your choices for point 7.

Survey-settings1
You can decide to show names, or ***; and also to allow one or more responses

6. Decide on one or multiple entries per person

The default is “No” and in most cases that makes perfect sense.
If your survey collects information such as ideas or suggestions, it can be useful to set this to “Yes” so people can add multiple suggestions.
This setting can also be found in “Advanced Settings” when you create the survey, or afterwards in Settings > Survey Settings > List name, description and navigation.
Please note that most people get into a right panic when they want to enter a survey twice and get the error message. If they read the message, it is perfectly clear, but who reads an error message? 🙂
It may be good to tell them they can enter once only, or multiple times.

survey-error
This message will be shown when you want to respond twice to a survey when you can only enter once. Looks perfectly clear to me! 🙂

7. Visibility of entries

Do you want everyone to see each others responses? This can be a good idea if use your survey for logging issues, so people can see which issues have been submitted already. But for a survey asking for opinions about the company strategy you may want to limit visibility.
Go to your survey, click Settings > Survey Settings > Advanced Settings.

Set the first radio button to “Read responses that were created by the user”.

This way, people will only see their own item. They will still see the total number of items in Site Contents, but they will not able to see anything else.
Also check out the options below about Create and Edit access. By default people will be able to edit only their own responses. In some cases it may be good that they can edit all responses, but to be honest I have never come across the need for this settings.
Never select None because this also means that a user can not add anything, which is rather odd for a survey.

survey-responsesvisible
These are the default settings for a survey. Often it is better to select ” read responses that were created by the user”  so people only see their own items.

8. Welcome page and thank you page (optional)

I often add a page with some more information about the survey and a nice button or text which leads you to the entry form upon click. After submitting their entry, people can be led to a Thank You page, thanking them for their contribution and informing them about e.g. when the results will be published or the prize will be drawn.
The default return page is the ‘survey homepage” (screenshot above).

It is easy to create as follows:

  • Create a page and add welcome text and a link or button to the survey
  • Create a page with a thank-you-and-these-are-the-next-steps-message. Copy the link of this page to Notepad or a Word document.
  • Click “Respond to this survey” on your survey and copy the link into Notepad or a Word document. Delete all text after Source=
  • Add the URL of your thank-you-page after Source=
  • On the welcome page, add the new link to the link or button

Please be aware that your audience needs Read access to both pages, so if you have a confidential site where the audience is much larger than the site’s regular audience, I would not go this way, since it will either mean setting item level permissions (and you know I do not like unique permissions) on those pages OR a lot of error messages 🙂

survey-welcomepage
Example of a welcome page. I have used a Web Part Page for this. When I click on “Enter the survey” I will go to the page below.
survey-survey
This is my survey. When clicking on “Finish” I will  go to the page below.
survey-thankyoupage
Example of a Thank-You page. I have used a Site Page for this; strangely enough it takes my Office365 theme instead of my Site theme.

9. Testing your survey

I have created many surveys, but even I test everyone of them before they go live.  Ask one or two people, preferably from the target audience (again, depending on purpose and audience and complexity), to go through the complete process and respond to your survey. Do they understand the questions and answers? Have you missed anything obvious, or are some things redundant? Does everything work from a technical/functional perspective?

10. Launching your survey

You can inform your audience in different ways, depending on urgency, topic and audience.
If your survey needs to be executed in a certain timeframe, you will probably send a link in an email or post it as a news item.

If you have a long-term survey, you can add the web part to a (home)page, add the link as a Promoted Link, a Summary Link or in the navigation, so all users of your site are reminded on a regular basis to give their feedback.

You can use

  • the link to the survey (people will need to click “Respond to this survey”)
  • the link that you get when you click “Respond to this survey”
  • the combined link that takes people to the Thank-you page after “Finish” as in item 8 (you skip the Welcome page)
  • the link to the Welcome page as in item 8

11. Monitoring results

During the time the survey is active, you may want to keep track of the number of replies you get.  You can set an alert to keep track of new submissions, or look in Site Contents on a regular basis.
When you are on the Site Contents page, clicking on the survey and then on “Show graphical summary”  will show you an overview of the results;  clicking “View all Responses” will show you who has completed the survey and their individual contributions.
Those two options are only available for the site owner.

survey-graphical summary
Example of the Graphical Summary. Q1 is a Choice-question, Q2 is a Rating Scale.
survey-individual responses
An “individual response” . Clicking on the … will show you what I entered

12. Gathering and analyzing results

When you need a status update, or when the survey is over, you can either look at the graphical summary, or export the results into an Excel file for further analysis.
Click Actions > Export to spreadsheet.

Again, please be aware you can only make screenshots of any questions that need a response on a rating/Likert scale. These questions and answers can not be exported.

13. Deactivating the survey

Once the survey is over and you are working on the results, conclusions and next steps, you will want to stop people from making new entries. You can do this by changing the permissions from Contribute to Read and/or deleting the unique permissions, or by removing the audience from your survey or site altogether.

14. Deleting the survey

Once you have exported or captured the results and determined next steps, your survey project is completed and you can delete the survey.
Go to your survey > Settings > Survey settings > Delete this survey.

If you have used a welcome and thank-you page, you can delete those as well.

That’s it, folks!

As I said, this has become quite a long post, but I just wanted to take you through the complete process. There’s more to a survey than just creating some questions and answers!

For your next survey project, I would appreciate it if you would follow these steps and let me know if this has been sufficient information to do it yourself, or if I have overlooked something. (and if yes, what)

Good luck!

Image courtesy of fantasista at FreeDigitalPhotos.net