7 steps to clean up unique permissions

cleanup-headerIn my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show items
Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Cleanup-showitemsiwhtuniquepermissions
Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or libraries that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

Cleanup-Documentswithuniquepermissions
List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

Cleanup-deleteuniquepermissions
After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show users
Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

Cleanup-RemoveKimB
You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type  will generally have  “guestaccess”  in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Cleanup-GetaLink
Link “”Document 5″has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Organizational change and your SharePoint sites

OrgChangePawnsSharePoint” or “the intranet” is generally not the first thing people think of when an organization changes. But there will always be a moment when people are looking to align their teamsites to the new organization structure.

If you are supporting SharePoint users in your organization, this may be a good “toolkit” to support site owners who are confronted with a major change.
I wrote the following posts earlier, but I have now ordered them t
from overview to detail, which suits the process better.

1. Handover

TeamSiteinheritanceFirst, the new owner should know what (s)he is the owner of.
Which site(s) are in scope, how are they related, what do they contain and who can access what?
Of course this should ideally be done by the former owner, but in real life this is not always feasible, since the former owner has generally left their position by the time the new owner arrives. I have to step in quite often.

In “Congratulations, you have inherited a teamsite!” you can find the first steps toward new ownership. 

2. Review and adjust

OrgchangeWhen the new site owner knows what (s)he has inherited, it is time to review the content. Is all content still relevant, do subsites or documents have to be moved to another place, can stuff be archived, does content have to be updated or new content have to be created?

In “12 things to do in your team sites after organizational change” I have listed a number of items to review regarding Content, People and Pages.

3. Change

While the new owner will probably make the first adjustments during review , there are some more detailed changes that need careful investigation and planning beforehand. When changes in metadata are required, for instance, you have to understand how your list or library has been set up, and how a change is going to affect your content. There is a big difference in behaviour of a library that picks metadata from a Choice field compared to a Lookup List.

Change-PictureIn “Ch-ch-ch-ch-changes part 1” you will find info on changing

  • Site name/URL

  • List or library name/URL
  • View name/URL

Changes-image2And in “Ch-ch-ch-ch-changes part 2” I have listed how to change

  • Columns

  • Folders

  • Documents and List items

Do you have other suggestions to help new site owners on their way?

Top Image courtesy of Graphics Mouse at FreeDigitalPhotos.net

Congratulations! You have inherited a teamsite!

TeamSiteinheritanceThere have been many organizational changes in my company recently and many sites have changed hands, not always with a proper handover.

A new “heiress” approached me and asked if I could help with getting her started in her sites. She is now managing all sites for her business, and although she is not responsible for all content, she is the go-between for her business and my team. She has managed a site before, so she knows her way around SharePoint, but not on this scale.

Since I get this type of request quite often, I thought I’d note down the actions we took, so I do not have to reinvent the wheel next time. It may help others as well.

Step 1: the Site Collection Admin provides information

  1. Provide her with a list of all the sites and Owners for her business.
  2. Adjust people in the top Owners permissions group to the new situation.
    Since Owners never own their own group in our setup, they can not add any new people in that role. It has to be done by a group that is more senior in the site collection; generally the Business Owner of the site collection or the IM team.
  3. Check to which sites this Owners group has access, and make sure that this group has access to all sites in this business.
    This helps with getting an overview of the content, and will enable her to provide support where needed.

    BevOwners
    Checking to which items this group has access.
  4. Check ownership of the Owners groups in all relevant subsites and change ownership where needed to the top Owners group.
    Group Ownership
    Group Ownership settings

    That way they have control over the Owner groups in the subsites.

  5. Send screenshots of the “Site Contents” of every site to the new owner, so she can compare what the SCA sees (everything) and what she sees.
    There may be list and libraries that have not been shared with the Owner and that can lead to problems.

Step 2: The new Site Owner checks and adjusts content and permissions

  1. Open every site and check permissions. Is the Owner a group? Are there many individual permissions? Do you see “Limited Access”? That may mean that document libraries or lists have broken permissions. (=different from the rest of the site)
    Note the sites with apparent complications and investigate and ask your IM team for help if you do not understand something.
  2. Open each list and library and check permissions. If they have broken permissions, check if this is necessary for this content.
    If you see no reason to have broken permissions, inherit permissions again.
    If it is necessary to have different permissions, adjust permissions where needed and add “different permissions” to the description of the list or library.
    This will make it easier to support – if people report an Access Denied you can see immediately why this may occur.
  3. Follow the instructions in “12 things to do in your teamsite after organizational change”

It was a lot of work, but doing this upfront helped her understand the content and setup she had inherited. She now feels more confident.

What else you do to help your new site owners get started?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Minimizing minor versions

versions-pinchIn my earlier post I talked about minor versions (drafts) in SharePoint. Since the concept is not well understood and you can not limit the number of minor versions, they can cause issues in your team sites.

How to know you have many minor versions?

First of all, your Site Collection Usage Summary > Documents will show you if there are documents that use a lot of space because of their versions. You will need to check the document library settings, and/or create a view including the “version” column, to know if this could be caused by many minor versions.

Next to that, there are reporting tools that can check all libraries for their settings, including versioning settings, or can give you a report of documents with many versions.

How to check if minor versions can be removed?

Talk to the content owner. I have found that the content owner is not always aware that versioning has been enabled, does not always know how it works, or that versions eat storage space. Once they understand, they will generally be cooperative.
(Microsoft, it would be nice if you would show “versioning enabled” in the document library tile – remember? )

For site (home)pages, keeping many versions does not make much sense. Most issues occur with site owners who can not edit their page (because it has been checked out) or with web parts that have been accidentally closed. I have never needed to restore a page.
Limiting versions to 5 major and  minors on 1 major version is usually sufficient. (I call that 5/1)

Good settings for versioning
Good settings for versions when there is a process. This setup keeps 5 major versions, and drafts only on the latest major version. As soon as you create a new major version, the old drafts will be removed.

If you have a formal document publishing process things may be different, but again it helps to talk to the content owner about the exact process. Quite often it is not necessary to keep old drafts of documents once a new version is published. Especially if nobody adds comments about the changes, old drafts add no value.
Setting the minor versions to “on 1 major only” can often be done easily without too much resistance once the content owner knows what the versioning settings mean.

How to remove minor versions?

  1. Automatic – The best way is to limit the number on the 2nd box to 1. This will remove the earlier minor versions on earlier majors whenever you publish the latest draft.
  2. Manual – All minors for the document.  Look at the Version history of the document and select “Delete all minor versions”. The versions will go to the Recycle Bin.
  3. Manual – Individual versions. Look at the version history of the document and remove minor versions one by one if you only want to remove a few.
  4. Workflow – Run a workflow that removes minor versions.

You are allowed to remove minor versions  – how to proceed?

When you have established that you can change the versioning settings from unlimited to e.g. 5/1, you may want to do the following cleanup next to free up space. You can also wait until all documents have been edited, but that may take more time than you have.
This is the manual method because you will do a selective cleanup:

  1. In the document library, create a view that includes file size, version and modified date.
  2. Identify documents that are large, documents that have many versions (generally, having a version “20.11” is a clue for more minor versions) and documents that have not been modified for a year or longer.
  3. Delete minor versions for large documents.
  4. Delete minor versions for reasonably sized files that have many minor versions.
  5. Delete minor versions for old final documents. These are unlikely to be edited anymore so the drafts will no longer be necessary.
  6. Switch versioning settings to limit the minors to 1.
Deleting all minor versions for a file.
Deleting all minor versions for a file. This is shown in “version history” for each document.

Please note that switching to “only major versions” does NOT remove the minor versions that are already there, not even when you edit the document.  You have to remove the superfluous versions from each document first.  So if you come from a situation of unlimited major and minor versions, always set the minor versions to “on 1 major only”.

See also my earlier post about versions.

This all may seem like a lot of hassle, but if you, like me, have been struggling with freeing up storage space, every little bit helps!

Image courtesy of marcolm at FreeDigitalPhotos.net

Minor versions, major problems

minorversionsmajorprobems

“Hey, do you see that? We can keep versions.”

“Oh nice, that is useful.”

“Apparently we can do major and minor versions.”

“What does that mean?”

“I don’t know, but let us select them both.”

“I see you can also set a limit.”

“Nah…let us not do that. Let’s keep them all, just in case. Better safe than sorry.”

And that is one of the reasons why you, dear site collection administrator, are faced with a site collection that is bursting at the seams, if you are using an older version of SharePoint. Each version consumes the space of the document.
Office 365 saves versions in a different way. Dan Adams has described that well.

There is a time and place when versions should be used. This is my take on things:

When to use major versions?

For document libraries that are highly collaborative, I recommend to use 2 or 3 major versions to prevent accidents with online editing. I have had to ask for a backup and restore several times, because someone messed up an Excel file and they did not have an earlier version to restore.

For document libraries that need to keep track of version history for audit reasons you will probably need to keep more than 3 versions, but major versions should be sufficient.

For lists, I would suggest to enable versioning if your lists facilitates a process or regular updates and you want to keep track of history.

When to use major and minor versions?

Minor versions or drafts are useful if there is a publishing procedure in place:

  • The current official document is online.
  • Someone needs to review and update the document on a regular basis, or can propose a change while the existing document is still the official one.
  • This reviewed, updated or changed document version is added to the library (via online editing of the official document), and kept invisible to the general audience until it has been reviewed, approved and published as the new official document.

This is a common scenario for policies, procedures and lots of other formal documents.

In publishing sites, the Pages library has unlimited major and minor versioning enabled by default. This is useful for sharing a page edit with other contrubutors before publishing the new version of the page. Although page versions do not add much to the consumed storage space,  I always limit the versioning whenever I create such a site.

However, there are some things you need to know before you start working with minor versions.

1. It is not immediately obvious IF versioning has been enabled, and if so, if it is major only or major and minor. You need to go to Library settings > Versioning settings to find out. I wish there was an indication on the tile!
If you have a formal publishing process, I would encourage you use the visibility settings as shown in the screenshot, and please read all texts well.
Content approval is optional. If you enable that, you can further limit visibility to approvers only.

Versioning settings for a publishing process
Suggested settings for versioning if you have a publishing process in place.

2. It is impossible to limit the number of minor versions for a file. You limit the number of major versions that can have minor versions. The number below should therefore always be smaller than the number on top. But that means that there is no limit on the number of minor versions.

Major and minor versioning setting.
Major and minor versioning setting. Read well what it says!

3. Allowing minor versions makes the user interface more complicated.  Users have to choose between major or minor version, and I have experienced that not everyone knows the difference. (I once noticed a final project proposal with version 0.59. When I asked the project manager he said he always did it this way because he did not know what it meant.)

Dialog box to choose minor or major version
This dialog box can be confusing if you do not know the difference between minor and major versions.

4. It takes some effort to get rid of minor versions. That will be the topic of my next post.

Have you read my earlier post about versions?

Do you have other scenarios where you use major and minor versions? Please let me know!

Image courtesy of stockimages at FreeDigitalPhotos.net

 

Where have all permissions gone?

Permissions-imageSometimes people tell me that “permissions to their site have just disappeared”. They always sound angry as if SharePoint is to blame.
But permissions do not disappear by themselves, unless there is a major issue in the SharePoint setup, and I would have heard about it had that been the case.

Whether you like it or not, in most cases it is a result of human action. However there are more human actions that can mess up site permissions than you may think.

So here’s a list:

1. Could someone else have done it?

You may not be the only one managing permissions. And if there are no other people with Full Control on your site permissions level, there may be people with Full Control in lists or libraries, as in this case:

What a library with broken permissions looks like.
In this library  permissions are different from the rest of the site and there is an additional person with Full Control in the library. (“Volledig beheer” is Dutch for “Full Control”. My site has some weird language settings)

Also check people with Manage Hierarchy, because they can do that as well.
There may even be some specific permission levels which have “manage site permissions” in their role.
Additionally, there are site collection and system admins who, in theory, have the power to make changes. They should never edit permissions unless explicitly requested by the Site Owner and only when the Site Owner can not do it, such as restoring access if a Site Owner has accidentally removed him- or herself from a site.

2. Does your site have inherited permissions?

I once experienced an issue with a few sites with inherited permissions and different Site Owners. When one person removed a number of people from her site the other sites suddenly had “Access Denied” messages all over the place.  Ofcourse, she had switched to the parent site without noticing.
Fortunately, in Office365 it is hard to miss the information about inherited permissions.

This site has inherited permissions
It is hard to miss that this website inherits permissions.


3. Have you removed people with “Limited Access” from the site?

“Limited access” is a tricky thing.
It is a result of broken permissions elsewhere in the site, but it does not tell you where it occurs (in older versions of SharePoint) and which set of permissions this person or group has exactly.

You, as a Site Owner, should know that, but when you have taken over a site, or if there are several people with Full Control, you may not always realize. The only way (in older versions of SharePoint) to find out is to go through each and every library or list (In the ribbon: Library > Library Settings > Permissions for this library)
You may even have folders and sub folders with different permissions, and you will have to go through those as well to find out what permissions which folder has. 😦

To make matters worse, “Limited Access” in a site may also mean nothing, as I have explained in my earlier post.

If you think that all that “Limited Access” looks messy, you may be tempted to remove them. But that will  remove the special permissions they have! Wendy Neal has found out the hard way.

Since writing my earlier post I found that Nathalie Jard has written a very good post about Limited Access.

4. Has someone deleted a site with permission groups that you have re-used in your site?

When you create a subsite that does not inherit permissions, by default 3 groups will be created and added to your site. You can reuse these groups in other sites.
But…if you delete the original site, those 3 groups will be deleted with the site. So people in those groups will no longer have access to the other sites!

Deleting groups when you delete the site.
If you delete a site, you will delete the groups that were created for it.

Now, before I delete a site, I check if the groups have any permissions elsewhere, as follows:

Site Actions > Site Settings > Site Permissions > Click on group > Settings > View Group Permissions.

Check if group has permissions for other content
How to check if a group has permissions for other content
This group only has permissions for this site.
Fortunately this group only has access to this site and not to others.

If they have, I strip the site of all content, remove additional permissions and add a warning to the description not to delete this site.

5. Has someone deleted a permission group that you used in your site?

Someone can also delete a permission group without deleting the complete site, and without checking if that group has access to other sites or content. Always check, as under 4.

So, these are a few reasons why your site permissions may appear to have disappeared “without reason”.
If you want to lower the risk of strange things happening to your site, please read my post on good practices when breaking permissions.

Have you ever found another reason why permissions “disappeared”?

Post title inspired by folksong “Where have all the flowers gone” by Peter, Paul & Mary.

Image courtesy of iosphere at FreeDigitalPhotos.net

12 things to do in your teamsite after organizational change

OrgchangeAn organizational change can have many consequences. Business parts, names, focus, responsibilities and people change.
The team site you work in needs to reflect the current situation, so this is always a good moment to take a critical look at your site.

If you are taking or handing over ownership of a team site as a result of a change, arrange a handover meeting to discuss the content and processes that this site facilitates, and the permission setup.

Sometimes I advise people to start with a new team site altogether. But if you want to keep that site that everyone has come to know and love (and has in their Favourites), read on for the check points for an up-to-date site.

CONTENT
While I would not advise to change all content to fit with the new organization, you may need to make a few changes.

1. Review and adjust List and Library names, Folder names and metadata.
2. Review and clean up the content.

  • Do you have content with a legally required retention time? Transfer that to a formal document management system now, while you still know what this content is about. In a few years, new people will not know the old organization structure and may not recognize this content.
  • Do you have pictures of team outings, dinners or other company events that have taken place longer than 6 months ago? Select a few nice ones from each event, give them a good descriptive name (not “DSC345”) and organize them in a picture library. Move the rest to a USB stick, an external hard drive or another place. These old pictures may come in useful when someone leaves or retires, but they should not clutter your team site or search results on a day-to-day basis.
  • Does content need to be moved to another place, e.g. from a local to a global site or vice versa, or to another business unit?
  •  Can some content be archived or deleted?

PEOPLE
With organizational change comes people change, so many sites will have a different audience and a different owner.
Things to check:

3. Site Contact person
4. Permissions
While you are checking and adjusting (simplifying if possible) permissions, you may want to make an overview of the permissions in your site, and add any exceptions to the description of lists and libraries. (this post tells you how to properly manage in-site permissions)
5. Access requests
Adjust the email address where appropriate. I still come across email addresses of people who have left the company a long time ago.

HOMEPAGE (and other pages)
Your site’s homepage may contain a lot of organizational elements that need to be updated. First impressions count and if you are still referring to old data, visitors will wonder if your content is being maintained at all.

6. Site Title and Logo
As mentioned in an earlier post, you can easily change the name, but do not change the URL because you will break all links to your site.
7. Page image and content
Do you need to replace that extra header or logo?

Items that need to be changed
If I change my business from “Drinks” to “Beverages”, here are some of the items I need to change in my site.
Site Logo and Site Title can be changed in Site Settings.
Page Image and Page content can be edited on the (home)page.

8. Pictures and videos
Check if all pictures and videos still refer to the correct names, units and people and replace or remove them if they don’t.
9. Welcome message
Do you really need to explain to visitors of “The Sales Hub” that they will find Sales information here? You can free up homepage real estate by removing this message altogether.  You may have more relevant and dynamic content than a message that has been there for years.
If you really need a welcome message, keep it short and scannable.
10. Quick launch menu
Do all items still need to be there? Check if names of lists and libraries have to change, and if items need to be added or deleted from the quick launch.
11. Main content
For which information or processes does your audience visit your site? Put that on the homepage. Show the 5 or 10 most recent items from the most relevant lists or libraries on your homepage so your audience can find that quickly.
Remove content that has become outdated, and make sure the still relevant content has updated labels.
12. Links, buttons and other navigational items
Check that all these are still relevant and working. With so many changes in your organization, chances are that other sites are reorganizing too and your links may no longer be correct.

This may seem like a lot of work but you will end up with a team site that shows its owner is taking care of things!

Have I forgotten something? Let me know!