SharePoint Holmes and the Haunted Homepage

sphomepage-thumbPart of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.
As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

The case

“Oh, Ellen, I think I have done something terrible to my site”, the site owner said, a note of panic in her voice. “I keep getting requests for access, while this is a site for all employees, and I do not know what I have done wrong”.

We had already noticed a number of tickets where people complained that they had lost access to this important site (and it was period-closing time so many people had to upload reports).

My first thought was “I hope she has not clicked “Delete Unique Permissions” when on the site permissions page” because that inherits the permissions from the parent AND removes all unique permissions from the site.
Although I like that as a thorough cleansing option for when you do not know how your permissions are set, in this case it would have been rather disastrous.

SharePoint Holmes to the rescue! I put on my admin cap and ventured into the site.

The investigation

  1. I opened the site. No problems for me, but then I am an admin so I have permissions for everything.
  2. Gear wheel > Site Settings > Site permissions. Phew, “This web site has unique permissions” was still there. So permissions had not been inherited.
    There were a number of groups with a variety of permission sets, including a Visitors group with Read permissions, which included all company employees. That looked OK.
    Of course there were also a few items with unique permissions, but that is not unusual and it hardly ever leads to a sudden flood of support tickets.
  3. I looked at what had been set as the homepage. (Site Settings > Welcome Page). “Homepage_New”.  That made sense.

    SPHomepage-WelcomePage
    You can determine the welcome page yourself.
  4. I checked the Pages library. Yes, there was a page called Homepage_New and it was the page I had seen when I entered the site.
  5. It was time to check the permissions for the Pages library. Aha, “This library has unique permissions” and only the Owners (Full Control) and Visitors (Read) were mentioned. Good idea – you do not always want everyone with Edit or Contribute permissions to manage (and mess up) your pages.

    SPHomepage-Libraryperms
    The Pages library had limited permissions to avoid unwanted editing. But Visitors (Bezoekers) have Read (Lezen) permissions. (I have tried everything to get this page to display in English, not Dutch, but it does not work.)
  6. Then I noticed something in the yellow box: “Some items of this list may have unique permissions which are not controlled from this page”. And yes, one of the pages was “Homepage_New” to which only the Site Owners had access…

    SPHomepage-Pageperms
    The Welcome page had different permissions – in this case only the Owners had access.

The solution

I quickly deleted the unique permissions from the page so at least Visitors could access the homepage again. Then I informed the site owner what had been causing the issue.

So yes, this was a permissions issue, but everyone still had access to the site. It was only the Homepage that was restricted, leading everyone to believe that they could also no longer reach the content of the site.

Tip

When this ever happens to you or your audience, and you expect that you have access to this site (e.g. because you have always had access or you have just been invited), try checking Site Contents.
Take the root of the site (https://company.sharepoint.com/…/sitename/) and then add “_layouts/15/viewlsts.aspx?view=14” to it. Create the link and paste it in the browser.
If you still get an access denied, you likely have no permissions.
If you see the content, it means there is something wrong with the welcome page.

Has this ever happened to your users?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Advertisements

8 Tips to avoid overwriting Excel files in SharePoint Online

Overwritten ExcelOne of the myriad changes announced at MSIgnite was the mention that all files in OneDrive will soon open in edit mode directly, so you can work faster.
I hope Microsoft  will wait a bit before rolling that out for SharePoint as, since moving to SharePoint Online, we have had a number of incidents where users have inadvertently overwritten or otherwise messed up a shared Excel Online file, resulting in incorrect data.

I do not quite get how that has happened, as Excel Online files always open in read mode (in Internet Explorer and Edge, in any case, and only very few people have another browser) and you have to specify whether you want to edit in Browser or in Client.
But it has happened more than once, also with people who are quite SharePoint-savvy, so I guess it is a thing. Perhaps it is the “autosave” option when you are in Edit mode, so your changes are saved, even if you do not intend to?

OverwriteExcel-readmode
In my experience, an Excel Online file ALWAYS opens in Read-mode.

This is a major annoyance, as we can not restore a single file from Office365. We can only restore the full site collection…
So more than ever before, prevention is key! Here are a few ideas to prevent and remediate incorrectly overwritten (Excel) files – pick the option(s) that suit your situation best:

1. Adjust permissions

Make sure only those people who really need to edit the file can do that.

How: Go to the library, folder or file and check and adjust the permissions.

2. Set mandatory check-out

If people have to consciously check out a file, they will be made aware they are going to edit it, and they can stop if they do not want that. It does not change the auto-save, however.

How: Gear Wheel > Library Settings > Versioning settings > At the bottom, check “Require documents to be checked out before they can be edited” and click OK.

OverwriteExcel-checkout
How to set mandatory check-out before editing.

This can be a pain for users, as they will have to remember to check the file in when it is finished (and preferably before they go on holiday  🙂 ). On the other hand, a checked out file can not be edited, so it may also be a blessing!
Remember that a Site Owner or site collection admin can always override the checkout or check the file in.
If many people need to edit the file in a short timeframe before a deadline (e.g. end of month), option 7 may be a better solution.

3. Always open the document in the Excel client

SharePoint Online allows you to select the opening behaviour of a file. If you set this to “Client” the file will always open in Excel desktop version, read mode, which will need a conscious effort to edit the file. (Unless you have “Autosave” enabled in your Excel client!)

How: Gear Wheel > Library settings > Advanced Settings > In the 3rd paragraph from the top, select “open in the client application” and click OK.

OverwriteExcel-clientopening
This setting will always open the file in the client application.

Please note there are differences between working in Excel Online and Excel client.

In general, the Online version is limited; it is useful when you just need to make a few simple content edits. The Client version is more powerful.

4. Set versioning

This is remediation, not prevention. Having versioning set means you can restore an older correct version if the current one has been corrupted. By default, SharePoint Online document libraries have 500 major versions already enabled, which should be sufficient. 🙂

How to set versioning: Gear Wheel > Library Settings > Versioning settings > Document Version History > make sure this is set as below (or use a smaller number) > Click OK.

OverwriteExcel-versioning
This is the default setting for all document libraries created in SharePoint Online.

How to restore a version: Select the document > Click version history from popup or command bar > Hover over date and time of version to restore and click the black triangle that appears > click Restore from the popup. Please note this version will be copied to the top as a new version.

OverwriteExcel-restoreversion
In this case, I restore version 4.

For more info about versioning:

10 things I learned about versions 

5. Create a dedicated document library

Options 2, 3 and 4 (and ideally, 1 as well) have to be set for the complete document library in which this document lives. If that is difficult or unpleasant, why not create a new document library especially for this document?

How: Gear wheel > Add an app > Document Library > Specify name > Create.

6. Use a password-protected workbook or worksheet

You can protect your Excel file with a password and only give the password to those people who need to change the data. You may need to rearrange your Excel for that, since you can view a password-protected sheet, but not a password protected workbook, in the browser.
This is never my preferred option, as I think we have SharePoint permissions for this scenario, but in some cases it can be useful.

How: Open the file > click File tab > Info > Protect Workbook > select “Encrypt with Password” (for the complete file – if you want to open in the client) or “Protect Current Sheet” > add password and options > OK.

OverwriteExcel-password
Here you can also protect your workbook or -sheet

 

7. Turn this Excel file into a SharePoint list

This can be a good option if your Excel file is relatively simple and does not contain complicated calculations or relationships between sheets etc.
You can use the SharePoint list to collect the data, export the data into Excel and do your advanced data processing in Excel.  In case of many people having to process data before a deadline, e.g. end of month, this method is preferably over mandatory check-out of a file as everyone can work on their own lines without having to wait for others or messing up other people’s data.

How: The simplest way is to use the Import Spreadsheet app.
Then create good views so your audience can view or edit their data according to their needs with the least amount of hassle.
I have streamlined a lot of processes in this way, check out my Business Examples.

8. Instruct your users

Once you have taken your measure(s) of choice, let your users know how they should work with the file. For instance, how to disable Autosave in their Excel client, or how to properly check out and check in.
Add the info on your site’s homepage, create a document that you pin to the top of the library, record a short demo, etc.

OverwriteExcel-pindocument
You can pin the instructions on top of your library so people can not miss it.

Have you had this issue as well and if yes, how are you trying to prevent it?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Diamond Awards are a girl’s best friend!

Diamond Award

To my immense delight and surprise I have won IntranetNow’s Diamond Award for 2017!

Delight, because it is a huge shiny diamond with an inscription. Oh, and I rather like winning 🙂

Surprise, because compared to some of the nominees, my blogs are rather down-to-earth and practical, and my video collection is frankly just picking and posting and anyone could have done it. Don’t you dare, though 🙂
Other nominees publish posts with far more depth and thoughts than my “click here and check box”  posts. I would have voted for someone else, to be honest.

Not that I am complaining!

Apparently my blog has “explored SharePoint permissions, intranet features and the practice of intranet management for over six years, in an accessible and often fun manner.”

It has set me thinking: “why do I do this”?

  1. From an early age I have liked writing, but it took me a while to find my topic.
    I like shaping an idea into a post, to discover the different angles to a story, trying to find out what point I am actually trying to make, and trying to write as concisely as possible.
  2. Although everyone appears to be using SharePoint and Office365 these days, everyone has a different Office365 positioning, implementation and governance. In the admin console alone there are a ton of settings and boxes to check and make your setup just a little different from others.
    Through sharing my experiences I may be able to help others because there are so many things to know and find out.
    It is why I also like to read other people’s blogs – they help me understand things or solve user issues.
  3. It serves as my personal notebook. Sometimes I have to re-read my own blogs to avoid having to do a lot of experiments again. It must be age 🙂
  4. My video collection was supposed to be a one-time blog post, but it unexpectedly hit the sweet spot with a lot of people so I though it might be nice to expand. But seriously, it was not planned.

Thank you very much, Wedge Black, Brian Lamb and everyone who was involved in the judging!

Updated Monday October 9: Hmm…Wedge has asked me to link to the IntranetNow site which features an announcement and a video of my acceptance speech. I was actually trying to avoid that 🙂

Title inspired by…do I really have to explain that? 

SharePoint Holmes and the elusive Link

HH-header“Users can not access links”.
What a boring title, I thought when this incident was assigned to me. But, as usual, there was a twist to it.

The case

Several users of a local site received a “you do not have access” when they clicked a link that was added to a news item on the homepage. This link directed to a pdf-document.  According to the site owner, they should have access.

So I put my SharePoint Holmes Admin Hat on, and dove into the site.

The investigation

The homepage contained an Announcement list in Newsletter Style. The text “read more” (I know, not the best way to name a link) led to a pdf in a document library in the same site, called News Documents.

HH-Local News
The Local News list. “Read More” should take you to a document.

The News Documents library contained 2 items.

HH-NewsDocuments
The News Documents library
HH-NewsDocumentsLibrary
The 2 documents

The document library inherited permissions from the site.
The audience included myself, so I decided to take a look as my “normal” self.

Yes, I could access the page. But when I clicked on the link “Read more” I got a “Sorry, you don’t have access to this page”.

I looked into Site Contents and saw that the library contained 2 items, but when I opened the library, I saw no documents. Hmmm.

HH-Library-user
As a normal user, I can see the News Documents library contains 2 documents.
HH-emptylibrary
As a normal user, I do not see any documents in this library.

I went back into admin mode, and checked again.

  1. I checked the link on the homepage – was it perhaps a broken link? No, it looked solid and led to the pdf without further ado.
  2. Did the documents open in browser by default, which might hamper the opening of a pdf? I checked the Advanced Settings but it opened by default in the client.
  3. Had the documents been checked out? No, I did not see the green tell-tale mark.
  4. I wanted to take a better look at the views, to see if those could tell me more.  There were rather a lot of columns in the default view, so I had to do some horizontal scrolling to get to the Views link.
    “Draft” I suddenly noticed in the right-hand column.
    “0.1” I saw in the column next to it. That column was called Version.
HH-FullDocumentLibrary
I had not seen the “Version” and “Approval Status” columns in my earlier investigation…

AHA.

The solution

In the Versioning settings I noticed that content approval was enabled, and only people with approve permissions and the author could see drafts.

HH-ContentApproval
The Content Approval settings

Both documents had never been approved and were therefore visible for only a few users.  Everyone else got a “you do not have access” as for the majority of users, these documents were not yet accessible.

That explained why I could see it as an admin, but not as a normal user.

The site owner was not aware of the versioning as he had inherited the site. When I explained, he decided to turn of the content approval as that was not really needed for these documents.

Another issue solved! Now would you classify this as a document management issue or a permissions issue?

Image courtesy of vectorolie at FreeDigitalPhotos.net

SharePoint Holmes and the disappearing Datasheet View

SPHolmes1Part of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.
As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

The first case is about a Datasheet View.

The case

One of the users of a site did not see the items in a list. Having access to the data was a requirement for his role and he had always been able to see this content before it was migrated to SharePoint Online.

So, I put on my SharePoint Holmes cap and rolled up my sleeves.

The investigation

  1. I logged in with my Admin account and went into the site.
  2. I saw the items perfectly well. Just items in a Datasheet view.
  3. Permissions check – the user had Read permissions to the site.
  4. Items with unique permissions check – the list had unique permissions but the user had Read access.
  5. Item-level permissions check – in the Advanced List Settings it showed that all items were visible to all users of the site.
  6. Workflow check – no workflow reducing permissions after going through a process.

Right, that was an interesting one.

  1. It was time to look through the eyes of the user, so I added myself to the same user group and checked. An empty list stared back at me.
  2. I went through the other views and found a standard one. I could see the items in there, and so could my user.
  3. One of my colleagues mentioned that issues with the latest IE update had been reported, which might have influenced the Datasheet view.  We tried different browsers. That made no difference, but there was always that difference between user and admin.

Hmmm….

The solution

Search engine to the rescue! One of the results surprised me, and I had to test that.

I created a datasheet view in my own tenant. It looked like this:

SPHolmes-Datasheet-Owner
What the Admin sees

Then I logged in with Contribute permissions. It looked like this:

SPHolmes-Datasheet-Contributor
What a Contributor sees

Then I logged in with Read permissions. It looked like this:

SPHolmes-Datasheet-Reader
What a Reader sees

You need at least Contribute permissions before you can see items in a Datasheet view.

The Datasheet view is meant for editing, so only people with edit permissions can see items in it. It makes sense and I have always told people to use the Datasheet view very sparingly as it is only too easy to change something. The many Excel-addicts in my user base however loved it and have also used it for display purposes in our SharePoint 2007 intranet.
Now they either have to elevate permissions or recreate their views.

Interestingly enough this was a permissions issue, but different from what I have ever seen before!

Image courtesy of Geerati at FreeDigitalPhotos.net

7 SharePoint permissions bloopers

Permissions bloopers 4

The other day I came across an interesting tweet:

Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment.  Laughing is allowed; sharing your own bloopers is encouraged!

2. Deleting a group

Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only to your site, you can safely delete it; if is has permissions to other sites, please talk to the owner(s) of the other site(s) first!

How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:

accessforgroups
In this case the group only has access to one site, so it can safely be deleted if needed.

3. Removing a group from a site and forgetting its name

Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)

A good naming convention, as well as keeping some documentation or screenshots of your permissions setup may help limit the damage. Another good idea is noting the MembershipGroupID’s of the group’s URL. These can be found in the group’s URL, e.g.

…/Share/_layouts/15/people.aspx?MembershipGroupId=165

The 3 default groups of a site are created with subsequent numbers, so if you remove one of those you can probably find them by changing the MembershipGroupID at the end of the group URL. In the screenshot above, Owners, Members and Visitors group have numbers 164, 165 and 166, respectively.

4. Clicking on “manage parent” to edit permissions

You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.

5. Removing yourself from a group, site or library

This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back.  I get about one call a week from someone who has locked themselves out.

6. Not clicking “Show Options” when you  share something with “Everyone”

Sharesitewitheveryone
Do click that “show options” link on the bottom of the Share screen!

This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂

And (in my opinion) the most disastrous of them all:

7. Inheriting the permissions from the parent site

You click “Delete unique permissions’ without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! An even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.

An example: this site has unique permissions.

UniquePermissions
If you see “This Web Site” you are at site level!

This site has some content with different permissions

UniqueExceptions

When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:

UniquePermissionsWarning

And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.

Uniqueafterinherit
No content with unique permissions after inheriting permissions from the parent site.

While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.

General recommendations

  • Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
  • Stop and think before you hit a button – if in doubt contact your help person.

Have you made any other permissions management mistakes? Do share!

Where do SharePoint permissions live?

permissions-treasuremapAfter we moved to SharePoint online, users did not know how to find or change permissions in folders and items anymore. In general I prefer to keep it that way 🙂 but I was curious to learn how it was done now, since I provide support on permissions issues.

Permissions pages for sites and lists/libraries have not changed for ages, but in SharePoint Online you have to follow a different path than before to get to the permissions page for folders, documents and list items.

When talking about the permissions page: I am referring to a page like this:

Permissions Page
The permissions page has a complete overview of groups and individuals, the ribbon, and a yellow bar with information about unique permissions in this unit, users with limited access and more.

Of course you can see the permissions page via my new BFF, the link “show items with unique permissions” on the Site Permissions page, but there are times when you do not want to see if there happens to be an exception, but what the permissions actually are for a certain folder or item.
(I recently saw a site with so many unique permissions that I completely lost track and could not figure out what was NOT in that list)

I am not very good at drawing or illustrations, but I want to learn. Here’s my attempt to show how to find the permissions page for a team site, containing a list, containing a folder, containing an item. (An item can be inside or outside a folder)

Folders and items: Details pane in list/library

Whether the item is in a folder or not, in both situations the permissions page is found via the details pane.

Details Pane
The details pane is on every list/library and is context-sensitive. When you select a folder, document or item it shows info for the selected item.

You need to be in the list or library (i.e. via Site Contents) to see the details pane. When you click “Change permissions” under “Has access” (this will be under the metadata) you will see this:

Permissions-advanced 2
Go to the permissions page via the details pane

You can also go to the above place by using the new Share interface and clicking the … top right and then the “Manage Access” link that appears which leads to a similar pop up as the screenshot above. Click “Advanced” to go to the Permissions page.

Permissions -advanced 3
The new Share interface with …

Folders and items – Share/Get a Link in web part

If you use a list or library web part, and the … are displayed, you can use the “Share” or “Get a Link” option to get there using the “Shared with” link and then clicking “Advanced”. The web parts use the “old” Share experience, which I expect will be replaced with the new Sharing experience, above.

Permissions-advanced1
Web parts still use the “old” Share interface. I expect this will change over time.

Have you found any more ways to go to the page with the permissions?

photo credit: MontyAustin Goonies Treasure Map via photopin (license)