“Users can not access links”.
What a boring title, I thought when this incident was assigned to me. But, as usual, there was a twist to it.
Several users of a local site received a “you do not have access” when they clicked a link that was added to a news item on the homepage. This link directed to a pdf-document. According to the site owner, they should have access.
So I put my SharePoint Holmes Admin Hat on, and dove into the site.
The homepage contained an Announcement list in Newsletter Style. The text “read more” (I know, not the best way to name a link) led to a pdf in a document library in the same site, called News Documents.
The News Documents library contained 2 items.
The document library inherited permissions from the site.
The audience included myself, so I decided to take a look as my “normal” self.
Yes, I could access the page. But when I clicked on the link “Read more” I got a “Sorry, you don’t have access to this page”.
I looked into Site Contents and saw that the library contained 2 items, but when I opened the library, I saw no documents. Hmmm.
I went back into admin mode, and checked again.
I checked the link on the homepage – was it perhaps a broken link? No, it looked solid and led to the pdf without further ado.
Did the documents open in browser by default, which might hamper the opening of a pdf? I checked the Advanced Settings but it opened by default in the client.
Had the documents been checked out? No, I did not see the green tell-tale mark.
I wanted to take a better look at the views, to see if those could tell me more. There were rather a lot of columns in the default view, so I had to do some horizontal scrolling to get to the Views link.
“Draft” I suddenly noticed in the right-hand column.
“0.1” I saw in the column next to it. That column was called Version.
In the Versioning settings I noticed that content approval was enabled, and only people with approve permissions and the author could see drafts.
Both documents had never been approved and were therefore visible to only a few users. Everyone else got a “you do not have access” message because, for the majority of users, these documents were not yet accessible.
That explained why I could see it as an admin, but not as a normal user.
The site owner was not aware of the versioning as he had inherited the site. When I explained, he decided to turn off the content approval as that was not really needed for these documents.
Another issue solved! Now would you classify this as a document management issue or a permissions issue?
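The same diagnosis can be made without scrolling through views. The script below is an added example, not part of the original post: it reports whether a library uses content approval, who may see drafts, and which items are not yet approved. It assumes the PnP.PowerShell module is installed; the site URL is a placeholder and the sign-in parameters depend on your tenant.

```powershell
# Added example (not from the original post). Read-only check; needs the PnP.PowerShell module.
# $siteUrl is a placeholder; "News Documents" is the library named in the post.
$siteUrl      = "https://contoso.sharepoint.com/sites/example"
$libraryTitle = "News Documents"

# Adjust the sign-in parameters to whatever your tenant requires.
Connect-PnPOnline -Url $siteUrl -Interactive

# Load the settings that decide who can see unapproved items.
$list = Get-PnPList -Identity $libraryTitle
Get-PnPProperty -ClientObject $list `
    -Property EnableModeration, DraftVersionVisibility, HasUniqueRoleAssignments | Out-Null

# Values SharePoint stores in the _ModerationStatus field.
$statusNames = @{ 0 = "Approved"; 1 = "Rejected"; 2 = "Pending"; 3 = "Draft"; 4 = "Scheduled" }

[pscustomobject]@{
    Library          = $list.Title
    InheritsFromSite = -not $list.HasUniqueRoleAssignments
    ContentApproval  = $list.EnableModeration
    # Reader = anyone who can read, Author = anyone who can edit,
    # Approver = only approvers and the author of the item.
    WhoCanSeeDrafts  = $list.DraftVersionVisibility
} | Format-List

if ($list.EnableModeration) {
    # Every item listed here is invisible to users outside the WhoCanSeeDrafts audience,
    # even when the library's permissions say they have access.
    Get-PnPListItem -List $list -PageSize 500 `
        -Fields "FileLeafRef", "FileRef", "_ModerationStatus", "_UIVersionString" |
        Where-Object { [int]$_["_ModerationStatus"] -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_["FileLeafRef"]
                Version = $_["_UIVersionString"]
                Status  = $statusNames[[int]$_["_ModerationStatus"]]
                Url     = $_["FileRef"]
            }
        } | Format-Table -AutoSize
}
```

A library that inherits permissions, has content approval on, restricts drafts to approvers and lists items at version 0.1 with status Draft matches the situation described above.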
Image courtesy of vectorolie at FreeDigitalPhotos.net
After we moved to SharePoint online, users did not know how to find or change permissions in folders and items anymore. In general I prefer to keep it that way 🙂 but I was curious to learn how it was done now, since I provide support on permissions issues.
Permissions pages for sites and lists/libraries have not changed for ages, but in SharePoint Online you have to follow a different path than before to get to the permissions page for folders, documents and list items.
When talking about the permissions page: I am referring to a page like this:
Of course you can see the permissions page via my new BFF, the link “show items with unique permissions” on the Site Permissions page, but there are times when you do not want to see if there happens to be an exception, but what the permissions actually are for a certain folder or item.
(I recently saw a site with so many unique permissions that I completely lost track and could not figure out what was NOT in that list)
I am not very good at drawing or illustrations, but I want to learn. Here’s my attempt to show how to find the permissions page for a team site, containing a list, containing a folder, containing an item. (An item can be inside or outside a folder)
Folders and items: Details pane in list/library
Whether the item is in a folder or not, in both situations the permissions page is found via the details pane.
You need to be in the list or library (i.e. via Site Contents) to see the details pane. When you click “Change permissions” under “Has access” (this will be under the metadata) you will see this:
You can also go to the above place by using the new Share interface and clicking the … top right and then the “Manage Access” link that appears which leads to a similar pop up as the screenshot above. Click “Advanced” to go to the Permissions page.
Folders and items – Share/Get a Link in web part
If you use a list or library web part, and the … are displayed, you can use the “Share” or “Get a Link” option to get there using the “Shared with” link and then clicking “Advanced”. The web parts use the “old” Share experience, which I expect will be replaced with the new Sharing experience, above.
Have you found any more ways to go to the page with the permissions?
In my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:
Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
This will lead to unexpected access denied messages and therefore Access requests.
Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.
So, how to take back control of your site after you have changed some of the settings?
Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.
1. Process pending Access requests
Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.
2. Remediate content with unique permissions
a. Go to Site settings > Site permissions and click on this link:
b. You will get a pop-up with all lists and libraries that have different permissions.
c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or library that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.
e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item. (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.
h. Repeat steps e, f and g for the next document or list item.
a. Go to Site settings > Site permissions and click on this link:
b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
c. Remove any individual users so you are left with only the site groups.
4. Add the new users
Add the users that you noted down during steps 1, 2 and 3 to their respective groups.
5. Review the Members group
During the time that you had no restrictions, Members may have added other Members. Review your list of Members and change their roles or remove them where needed.
6. Replace any “breaking links” on your pages
Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type will generally have “guestaccess” in their link and they will cause unique permissions.
When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.
Replace every one of those links with the “Restricted Link” equivalent.
Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.
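For sites with many exceptions, the inventory in step 2 and the check for individual users on the site can be scripted. This is an added example, not part of the original post: a read-only report that assumes the PnP.PowerShell module, a placeholder site URL and an English-language site (the role name “Limited Access” is localized). It changes nothing; re-inheriting permissions stays a manual decision per item.

```powershell
# Added example (not from the original post). Read-only inventory; needs the PnP.PowerShell module.
$siteUrl = "https://contoso.sharepoint.com/sites/example"   # placeholder
$csvPath = ".\unique-permissions.csv"                       # placeholder output file

# Adjust the sign-in parameters to whatever your tenant requires.
Connect-PnPOnline -Url $siteUrl -Interactive

# Returns "Name (Role, Role)" for every person who was granted access as an
# individual on the given site, list or item. Groups and "Limited Access" are skipped.
function Get-DirectUserGrants($securable) {
    foreach ($ra in (Get-PnPProperty -ClientObject $securable -Property RoleAssignments)) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = @($ra.RoleDefinitionBindings |
            ForEach-Object { $_.Name } |
            Where-Object { $_ -ne "Limited Access" })
        if ($ra.Member.PrincipalType -eq "User" -and $roles.Count -gt 0) {
            "{0} ({1})" -f $ra.Member.Title, ($roles -join ", ")
        }
    }
}

# Individual users on the site itself: candidates to move into a site group.
Write-Host "Individual users with direct site permissions:"
Get-DirectUserGrants (Get-PnPWeb) | ForEach-Object { Write-Host "  $_" }

# Documents, pages, folders and list items that no longer inherit permissions.
$report = foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    foreach ($item in (Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef")) {
        # One round trip per item: slow on large libraries, but easy to follow.
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if (-not $unique) { continue }

        [pscustomobject]@{
            List            = $list.Title
            Item            = $item["FileRef"]
            # Empty when inheritance was broken without adding a person,
            # as happens with a "no sign-in required" link.
            IndividualUsers = (@(Get-DirectUserGrants $item) -join "; ")
        }
    }
}

$report | Sort-Object List, Item | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path $csvPath -NoTypeInformation
Write-Host ("{0} items with unique permissions written to {1}" -f @($report).Count, $csvPath)
```

The IndividualUsers column gives the names and roles to note down before deleting the unique permissions on each item.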
How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?
Image courtesy of artur84 at FreeDigitalPhotos.net
Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.
Why am I making such a fuss?
Maintenance and support
Unique permissions create extra issues with access, and provide extra work for the Site owner.
You may also need more support, although your support team might like that 🙂
People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
Having lots of unique and individual permissions may slow down your site.
Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.
Fortunately, there are some options that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.
1. Disable anonymous access
Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.
Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.
2. Disable external sharing
While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.
This will give the following results, depending on whether the external user is already in your site collection or not.
3. Change Sharing settings in your site
This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.
This will mostly influence what a Site member can do.
You have four options:
4a. Both checked: I have done my experiments with this setting. You know what that does 🙂
4b. Top checked, bottom unchecked
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.
Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option
4c. Top unchecked, bottom checked:
Member=Visitor: Can share site and documents but needs approval from site owner
Get a Link:
Member=Visitor: Restricted Link
This option brings another message to your Site Permissions page:
4d: Both unchecked:
Same as 4c.
So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!
4. Remove access request email
If you can not get access requests, you can not break permissions when accepting them!
This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!
But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.
Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.
While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.
Image courtesy of winnond at FreeDigitalPhotos.net
In my most recent post I focused on sharing documents and items by the Site owner, demonstrating that the Site owner him/herself can easily create lots of unique permissions by sharing folders, documents and items.
But what happens if another user of your team site shares? Can a Member or Visitor create unique permissions as well, and does the Site owner know what the Site members are doing?
Once again, we start out with a team site with the standard permission sets (Owner, Member with Edit permissions, Visitor with Read permissions) and no unique permissions.
Durian Grey is a Visitor and Mystery Guest is a Member. We also introduce Kimberley B, who has no access at present.
Document 1 does not change permissions since Durian already has Read access to this site.
Documents 2, 3 and 4 get unique permissions after clicking the “Share” button in the Sharing screen.
The persons are added as individuals to the document
Documents 3 and 4 have the individual added with “Contribute” while Members in this site have “Edit” permissions. (and the Share option is called “Can Edit”) So, a new role is added.
The following results were a surprise for me:
The documents shared with Kimberley B generate an External Sharing Invitation (access request) but the Site owner does not get an email notification.
Kimberley B can only share the document with existing site members when she has View permissions, but she can share the document with ANYONE, including new externals, when she has Edit permissions.
When Kimberley B shares with another external user this creates an External Sharing Invitation for the new person.
Sharing documents/items by a Visitor
Durian shares document 5 with Mystery Guest. He can not select Can View or Can Edit. When he clicks “Share”, he sees a message that this request is being sent to the Site Owner but that does not happen; the message goes straight to Mystery Guest. She can access in her normal role and no unique permissions are created. Phew!
Durian then shares document 5 with Kimberley B.
When he clicks “Share” the following things happen:
The Site owner receives the normal “someone wants to share” email, Durian gets a copy
An access request in Pending Requests appears. By default, the request is for Edit (not Contribute), as an individual. The Site Owner can not select one of the permissions groups, so has to give individual permissions. 😦
As soon as the Site owner selects a permissions set and hits Approve, the item has unique permissions.
Durian receives an email that the sharing request has been accepted.
Kimberley B receives an email that a document has been shared.
Kimberley B can share the document with only existing members or anyone, according to her permissions.
Sharing a site
Since Mystery Guest has found that Kimberley has no access, she shares the complete site with Kimberley. She is not a Site owner, so she can not select a permission set when she shares the site.
As soon as Mystery Guest clicks “Share”
Kimberley B receives an email.
She is added into the Members group (even without having accessed the site).
Durian has the same thought.
He shares the site with Kimberley B.
His request is sent to the Site Owner and an Access Request is created.
The Site Owner goes to the Access Requests list and selects the Visitors group of the site and clicks Approve. (Members is the default, btw)
A confirmation email is sent to Kimberley B and Durian.
Now Durian wants to share the site with another external person, who has never been invited before. He can not do that.
What to think of this?
It is complicated!
Although a number of things are understandable this can turn into a messy site:
Get a Link, Share and Access Requests can all very easily create unique permissions for documents (including pages), folders and list items.
Members can use Get a Link and Share, create unique permissions, and add new Members, without the Site owner knowing.
Visitors can do less and generally need approval from the Site owner; this is better for the Site owner’s overview, but can create a lot of work because of the approval requests.
External users can share your document with anyone, if they have Edit permissions.
Before you start panicking, please be aware that my tenant is almost out-of-the-box and all the sharing options are turned on by default. Tenant admins can take measures to reduce the unlimited sharing Microsoft thinks we need.
I will share those measures with you next time.
I have also found a few differences with regards to users who are mentioned in my tenant (with and without license) and who are not. When I have recovered from my current identity crisis, juggling 4 accounts and 3 browsers, I will try to find out more. 🙂
Image courtesy of marcolm at FreeDigitalPhotos.net
Sharing a site (using the Share button top right on any page of a site) is actually a faster way to add someone to your site than going to Site Settings > Site Permissions.
From the Share pop-up you can add people to a site group.
I recommend this to Site owners.
Sharing documents/items with people who do not have access
I am quite alone in my tenant, so I can only share with externals. However, externals have exactly the same options as employees so it does not really matter. My tenant allows anonymous access, so I can decide between “no sign in required” (anonymous access) and “sign in required”.
This is my test document library.
I have inherited the permissions for the Newsfeed, so I have very straightforward site permissions before I start sharing.
I share the document numbers as follows:
Can View with Durian Grey, no sign in
Can Edit with Durian Grey, sign in
Can View with Mystery Guest, sign in
Can Edit with Mystery Guest, no sign in
Without those people even accessing the documents, here’s what happens:
The permission inheritance for each document breaks as soon as you hit Share.
If you do not require sign-in, the permission inheritance is simply broken with no people added or anything.
If you require sign-in, the person who you share with is added to the permissions with Read (if you select “Can View”) or Contribute (if you select “Can Edit”), as an individual user, NOT in a group.
The persons you share with get “limited access” to your site and will show up in that yellow bar. This is as expected, but be aware that this happens.
Once they have accessed the documents, nothing changes.
So you, as the site owner, have done all the damage yourself 😦
Sharing documents/items with people who have access
Let me add Mystery Guest as Member and Durian Grey as Visitor, and share some documents with them in their new status.
5. Can View with Durian Grey
6. Can Edit with Durian Grey
7. Can View with Mystery Guest
8. Can Edit with Mystery Guest
After sending out the emails this is what the permissions looked like:
Only document 6 has unique permissions: where I shared the document as “Can Edit” with Durian Grey who can only Read. That makes sense.
Folders are documents, so I would expect folders to behave in a similar way as documents. I can indeed share a folder from the native Document library, with the new interface. And indeed, depending on the permissions that the audience has, I will either create unique permissions or not.
However, when I want to share a folder from the Document library web part on the homepage I get this error message.
After disabling that Site Feature and trying again I get the familiar older Share pop-up.
But hey, what is that, just above the “hide options”?
“Share everything in this folder, even items with unique permissions”. Checked by default, of course.
I can not even imagine what this will do to your permissions! When I can gather the courage, I will give it a test.
This is enough interesting news for now.
In my next posts, I will discuss what happens when a member or visitor shares. And then I will share some options to prevent unique permissions and clean your site.
Image courtesy of imagerymajestic at FreeDigitalPhotos.net
Some people call me “obsessed” with SharePoint permissions, and especially with breaking permission inheritance from the parent.
They are correct and I’ve got good reason (or so I think): the majority of issues and support questions have to do with non-standard permissions and people not fully understanding the consequences of creating unique permissions that they or their predecessors have done, knowingly or accidentally.
So while pondering my personal branding 🙂 I thought it might be better to embrace the options that Microsoft has created for us to share freely. After all, this thing is not called SharePoint for nothing! In Office365 everything is geared towards sharing content, without any considerations or warnings that many of these options create unique permissions, so who am I to worry, or go against that principle?
And what’s more, people who create unique permissions keep me in work! There’s nothing I like better than a complicated permissions puzzle, so if I want to stay away from boring discussions about columns that do not align 100% or the exact dimensions or rotation speed of carousels, why not make sure that I create some interesting work for myself?
So, let us make sure we all share content freely and without abandon!
In order to do that, I have collected these 7 principles for site owners.
1. Never give anyone “Read” access
This restricts the options for these people to share content. You will give them ugly words to share with (“Restricted Link”…ugh!), and they will need your approval. Come on, these are grown ups that know what they are doing! If they want to share a document, they must have a good reason. And you, as a site owner, have better things to do than approve or decline sharing requests.
Treat everyone the same and give them Contribute permissions at the very least. Who knows, they may have some great insights to add to your policy or project statement. Added April 27, 2017: And they may even help you design your homepage and other pages! Thank you for that addition, Helena! (See comments below)
2. Always use individual permissions
Well, you know there is this site group option of Owners, Members and Visitors, but who wants to be in a group, if the only thing joining you is having an interest in a document? Why bother puzzling out which group would be the best option for a person? You know it never fits 100% – this document is interesting to Stella, Eric and Tom, while the other document is interesting to Stella, Tom and Cindy. How can you make groups if every document has their own audience?
Surely your audience consists of all individuals, with individual needs. Using individual permissions will give you the most freedom to match each document with the people who really need it.
3. Break permissions inheritance freely
When in doubt, break! Or when your boss tells you so, of course. SharePoint has the option to allow access on a granular level, so why not make use of it and enjoy this to the fullest? You can pinpoint any document library, folder or even document or list item and give exactly the right individuals access.
4. Never use the “restricted link” option
Restricted…what an ugly word, it feels so….limited! Why would you want to impose restrictions? When you want to share content, select the “Can read” link to make sure that your intended audience can read it and not bother you with requests for access. Even better, use the “Can Edit” option. After all, your audience may have great ideas to share in that document. Policies and other controlled documents are a thing of the past, let’s crowdsource them all!
5. Immediately accept any Access Request
Hit the “Accept” button and do it quickly, or you may lose a perfectly good reader or editor of the page or document you are sharing. Be ashamed of yourself that you have excluded someone from your content! Rejoice that they go to so much trouble to see it!
Only then, but only if you have the time, find out why and to which content this person wanted access.
6. Never review your permissions
You may be tempted to add Caroline, John and Marcia into a group if you see their name appear on every document, but who are you to decide they need to be grouped? As mentioned in paragraph 2, they are all unique individuals and throwing them into a group only because they read or edit the same documents does not do justice to their uniqueness. And the excuse of “groups are easier to manage for me” is a bit selfish, don’t you think?
7. Stop managing permissions altogether
This may be the best advice anyone can give you.
After all, is it not a bit conceited to say that “you own this content” or “you are managing this site”? The other people in the site know very well what they are doing, and they will take care of ensuring that this content is available to all the right people! Together you know who needs, or is interested in, your information. Over time, your content will gravitate towards exactly the correct audience.
To make sure that your unique permissions grow fast enough, you may want to enter in a competition with other site owners. It may well be that companies like ShareGate have a tool that can measure unique permissions. If they don’t, I suggest they develop one quickly.
Let me know how it goes!
Image courtesy of digitalart at FreeDigitalPhotos.net