Limiting unwanted sharing and unique permissions

Preventsharing-fenceIn my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some options that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

Preventsharing-GetaLink
This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

preventsharing-noexternalsharing-indirectoy
This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

preventsharing-noexternal-usernotindirectory
And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

preventsharing-defaultsharingsettings
By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

prebensharing-tiredofapprovals
If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

Preventsharing-noaccessrequest
You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

preventsharing-noemail
Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”,

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s