Inheriting something is a mixed pleasure.
You can become the proud owner of your uncle’s lovely old-timer, or be able to wear your grandmother’s diamond necklace and matching earrings at grand events, but you generally receive those treasures only after a dear one has passed away.
But you can also inherit debts, a house with an expensive mortgage, a nephew or other “things” that you have never wanted.
Inheriting permissions in SharePoint can also be a curse rather than a blessing.
“I have suddenly lost access” has been the title of many recent incidents. No need to blame this on Microsoft, SharePoint or the support team, because in 99% of cases this is a human error:
The Site Owner accidentally removed their own permissions while cleaning up a document library’s or site’s permissions. The support team can easily fix this.
The Site Owner accidentally inherits the permissions from the parent site. That is pretty serious and has happened alarmingly often!
I have already mentioned in many of our instruction materials: “if you see “this web site has unique permissions” in the yellow bar, DO NOT CLICK “Delete unique permissions” as you will
Inherit the permissions from the parent site
Lock yourself out of your site if you have insufficient permissions on the parent site
Remove all unique permissions in your site (and there is no “undo” or “restore” option)
The warning message appears not to be informative enough to keep people from proceeding.
Recently I have guided a few people through “permissions stuff” via screenshare and I notice that they always want to click ‘Delete unique permissions” when they want to remove users. In several cases these users were individuals who were not in a group and therefore were seen as having unique permissions.
On those occasions I have been just in time to guide their mouse pointers to the right button: “Remove User Permissions”.
This has now happened so often, with such serious consequences, that I have added a suggestion to Microsoft SharePoint Uservoice to rename “Delete Unique Permissions” into “Inherit permissions from parent” as this is probably easier to understand for the user than the current wording. If you agree, please support my request. (Happy to return the favour, of course)
You know, like in SharePoint 2007:
And if you have taken any measures that successfully prevent this accidental inheritance, please share!
Image courtesy of Phil_Bird at FreeDigitalPhotos.net
No, I am not going to bash the SharePoint Most Valuable Professionals! I have received help, feedback and support from many MVP’s including Veronique Palmer, Jasper Oosterveld and Gregory Zelfond, and I have read and used the posts and presentations of many others.
Let’s celebrate the unsung heroes: “The @MVPAward recognizes individuals who, over the past 12 months, have demonstrated superior knowledge, leadership and passion, combined with a desire to help and accelerate other’s learning, careers, and abilities.” https://t.co/R0eebaLcz5
This blog will be about another MVP – the Minimum Viable Product, a common word in Agile development, meaning you will launch a product that meets the basic requirements (as defined at the start of the project) and will be improved incrementally over time.
I think I have been woking somewhat agile when I was configuring solutions, and met with my business counterparts on a very regular basis to discuss the proof of concept/prototype and checked if this met their expectations.
I only created a very small list of requirements, as I knew that many business partners only had a vague idea of what they were really looking for, and when confronted with my interpretation of their requirements all kinds of unexpected, or in any case, unspoken, things came up.
Is there an option to leave this field blank?
Yes, but that means that we either leave this non-mandatory (which may lead to more blanks than you want) or we add a dummy value such as “please select”. What do you think is best?
Can we have a multiple choice for this field?
Ofcourse, but that means you will be unable to group on this in the views, so we will have to resort to a connection for filtering. Oh and then it is better to make this field a look-up field instead of a choice field. Let me rework that.
What if someone forgets to act on the email?
We may want to create a view that allows the business process owner to see quickly which items are awaiting action.
And more of those things. I generally met with my business partner once every fortnight, if not more often.
So I am all in favour of especially the short development cycles of Agile.
“Users” does not mean “end users”, exclusively!
I also think that “user stories” are much more realistic and human than “requirements”, although they sometimes look a little artificial.
By the way, I would recommend any team to think not only of “end user stories” but also of “tenant owner” stories or “support user stories” as other people involved have their own needs or requirements.
I also like the idea of launching a Minimum Viable Product and doing small, rapid improvements on that, based on feedback and experiences, because
You can show users that you are listening to them
You can show that you are not neglecting your intranet after launch
It gives you something new to communicate on a regular basis
So, when we were launching our intranet I was quite interested to be part of the project and to work towards an MVP.
When we finally launched our MVP we also published the roadmap with intended improvements, and shared the process of adding items to the roadmap. That way users could see that we had plans to improve and that we would be able to spend time and attention on meeting the needs of the business.
When launching an MVP with a promise to make ongoing improvements you are more vulnerable than when you do a Big Bang Launch & Leave introduction. What about the following events?
Cuts in the improvement budget.
Those can be a blessing or a curse, but they may happen.
People who leave before they have documented what they have created.
I have never liked the extensive Requirements Documents and Product Descriptions that go with traditional development, but if you are handing over your product to the Support organization, you really need documentation of what you are handing over. End users can have the weirdest questions and issues! 🙂
Reorganizations which turn your product team or even your company upside down.
Microsoft changes that mess up your customizations. We have a webpart that shows your Followed Sites – it suddenly and without warning changed from displaying the first 5 sites you had followed to the last 5 sites. Most annoying!
So before you know it, you end up with a below-minimum viable product. ☹
What can be done?
So before you start singing the praises of Agile development and put on your rose-tinted glasses
Make sure you have a safe development budget that can not be taken away from you.
Ensure you have an alternative no-cost optimization plan, such as webinars, Q&A sessions, surveys, configuration support, content changes etc. to make the most of the launch of your MVP and to get feedback for improvements for when better times arrive.
Insist that everyone documents their configurations, codes, processes, work instructions etc. as quickly as possible. It is not sexy but will save you a lot of hassle in case your team changes.
If you are in need of extracting knowledge from leaving experts, here are some tips for handing over to a successor, and some tips for when there is no successor in place yet.
Be prepared for changes in processes, data or organization. You do not have to have a ready-made plan, but it is wise to think about possible implications for your product or process if the Comms team is being reorganized, someone wants to rename all business units, or you need to accomodate an acquired company in your setup.
Keep customizations to a minimum. Use existing templates and simple configurations.
Personally I would be totally content without a customized homepage. The SharePoint landing page or, even better, the Office365 landing page as the start page to my day would work perfectly well for me, but I have learned not many people share that feeling.
Any experiences to share?
Have you had similar experiences? Have you found a good way to handle budget cuts, a way to develop budget-neutrally, how to deal with people changes or another way to deal with unexpected events that endanger your MVP? I am sure there are many people (including myself) who would like to learn from your stories!
Now that we have launched our intranet we constantly receive questions and support tickets from our users. That is not exactly a surprise, as we know that our current intranet is vastly different from our old one. We have SharePoint Online versus SharePoint 2007 and a completely new governance.
We learn a great deal about our users and our environment from these tickets and the discussions in our dedicated Yammer group.
Of course my team knows that I am into KM, so I am currently in a small “Virtual Expert” group on knowledge sharing. Our goals is to “translate experiences into knowledge”.
That sounds pretty formal, but it is quite simple really. And you know, I like simple, especially when it is about KM.
How it works
Whenever we receive an incident, we assign it according to the type of incident. This allows every one of our team to learn about a specific topic or process, and to improve the process or generate knowledge about this topic.
For instance, for a time all incidents dealing with permissions were assigned to me.
When I had gained sufficient knowledge of common permission issues, either by searching online or by doing experiments, I wrote work instructions for the rest of the team. Permissions issues (provided we recognize them when the tickets come in 🙂 ) can now also be assigned to others as we have a common procedure.
Yammer questions that can not be answered by the community receive similar treatment: we do online search and experiments where needed. (Although we ask people to submit a ticket when it looks like something in their site is broken)
We have a regular call to discuss any new and interesting issues.
When we run into a problem that we can not solve by searching online or doing an experiment, we ask our very knowledgeable tenant admins. They show or tell us when they know the answer. My colleague and myself then turn this knowledge into documentation – be it a work instruction for the support team, a manual or a tip for end users, or sometimes a suggestion for extra communication or even a change to the system settings.
Most materials are stored on SharePoint: in our own team site or in the site we have created for end users.
Love all around!
I love this structured approach. Our manger, who is very much into service delivery, formal processes and stuff like ITIL, appreciates the process we are going through.
Our tenant admins like to share their knowledge, knowing this will free them up to do tenant admin stuff.
My colleague and I have great pleasure in capturing knowledge and turning it into something tangible that helps us do our work faster.
The rest of the team is happy to have good work instructions.
It may be a small process, but it works for us and we enjoy the benefits. And you…you see the SharePoint Holmes cases! 🙂
Part of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.
As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.
The first case is about a Datasheet View.
One of the users of a site did not see the items in a list. Having access to the data was a requirement for his role and he had always been able to see this content before it was migrated to SharePoint Online.
So, I put on my SharePoint Holmes cap and rolled up my sleeves.
I logged in with my Admin account and went into the site.
I saw the items perfectly well. Just items in a Datasheet view.
Permissions check – the user had Read permissions to the site.
Items with unique permissions check – the list had unique permissions but the user had Read access.
Item-level permissions check – in the Advanced List Settings it showed that all items were visible to all users of the site.
Workflow check – no workflow reducing permissions after going through a process.
Right, that was an interesting one.
It was time to look through the eyes of the user, so I added myself to the same user group and checked. An empty list stared back at me.
I went through the other views and found a standard one. I could see the items in there, and so could my user.
One of my colleagues mentioned that issues with the latest IE update had been reported, which might have influenced the Datasheet view. We tried different browsers. That made no difference, but there was always that difference between user and admin.
Search engine to the rescue! One of the results surprised me, and I had to test that.
I created a datasheet view in my own tenant. It looked like this:
Then I logged in with Contribute permissions. It looked like this:
Then I logged in with Read permissions. It looked like this:
Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment. Laughing is allowed; sharing your own bloopers is encouraged!
2. Deleting a group
Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only to your site, you can safely delete it; if is has permissions to other sites, please talk to the owner(s) of the other site(s) first!
How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:
3. Removing a group from a site and forgetting its name
Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)
A good naming convention, as well as keeping some documentation or screenshots of your permissions setup may help limit the damage. Another good idea is noting the MembershipGroupID’s of the group’s URL. These can be found in the group’s URL, e.g.
The 3 default groups of a site are created with subsequent numbers, so if you remove one of those you can probably find them by changing the MembershipGroupID at the end of the group URL. In the screenshot above, Owners, Members and Visitors group have numbers 164, 165 and 166, respectively.
4. Clicking on “manage parent” to edit permissions
You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.
5. Removing yourself from a group, site or library
This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back. I get about one call a week from someone who has locked themselves out.
6. Not clicking “Show Options” when you share something with “Everyone”
This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂
And (in my opinion) the most disastrous of them all:
7. Inheriting the permissions from the parent site
You click “Delete unique permissions’ without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! An even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.
An example: this site has unique permissions.
This site has some content with different permissions
When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:
And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.
While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.
Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
Stop and think before you hit a button – if in doubt contact your help person.
Have you made any other permissions management mistakes? Do share!
Update March 2018:
Via Twitter I received some more gems from Stefan S:
8. Renaming a SP group that is used in the Target Audiences setting of a webpart; it will disappear. You should re-enter the group.
9. Forgetting that Members groups have the permission level Edit instead of what used to be Contribute.
“There’s plenty of SharePoint Online help, blogs and videos around” I boasted some months ago, when I set off to execute the training plan for the SharePoint Online intranet that we have launched recently.
I expected to “curate” most of the learning materials, and to create only a few.
We set off with a number of company and project criteria:
The company’s learning strategy is the 70/20/10 model. This means people learn new skills and knowledge in different ways: 10 % in formal training, 20% in peer-to-peer learning and 70% in their daily work.
Learning is based on the 5 moments-of-need model, so we have to make sure the right materials are available at the right moment.
We have made some customizations, such as a limited permission set for Site owners (less than Full Control), and a custom display on Promoted Links. We knew beforehand we would have to create materials for those topics.
I would focus on learning materials for Site owners.
The 10% formal training now consists of an e-learning program providing a high-level overview of purpose, concepts and functionalities of the new intranet, including the Critical Skills. (The “how-to-click” details are in the “on-the-job learning materials” which are referred to in the e-learning). It takes between 1 and 1 1/2 hour.
I created several modules in PowerPoint, and recorded voice-overs. This means we can replace any module (e.g. Permissions, or Custom Site Templates) easily without having to redo it all. Some inconsistencies are still being fine tuned as I write, new functionality developed, and Microsoft may change some things as well 🙂
I then created a number of test questions with multiple-choice answers, and added a Site Owner agreement (rights & responsibilities) which all trainees have to sign off (using a SharePoint survey).
Our e-learning specialist turned this all into an e-learning programme. It looked very easy but he has obviously done this before 🙂 (He also does freelance work if you are looking for someone!)
This e-learning is mandatory for all existing and new Site owners.
And before you ask how we are going to enforce that: content migration from the old into the new platform is still going on, and a Site owner can not start working in their SharePoint Online site until they have completed the training.
The 20% was easy to set up: a Yammer group to ask peers or the intranet support team about all kinds of intranet- and SharePoint Online-related questions.
With the platform being launched recently and the migration of content in full swing, it will be no surprise that this channel is currently very active.
In the e-learning and in all communications we invite people to share their questions in this Yammer group, and we make it a point to have all questions answered quickly.
For issues, such as things not working as they should, or errors, we have a more formal support channel.
The 70% would be the “curated content” I envisaged. I set off enthusiastically in the Microsoft support pages, as well as in many other blogs by people who write for Site owners, such as Let’s Collaborate, SharePointMaven, Sharegate and icansharepoint. Oh, and my own blog of course. My posts are often inspired by “my users” and my daily work.
Well, that was a bit of a disappointment.
As it turns out, the majority of the available information is not 100% applicable to us.
Our customized Site owner role made it hard to use anything that has to do with permissions. But also materials that tell you how to customize your site are not appropriate because the new role also has limited design options. So I could not use Gregory Zelfond’s Power User Training, for instance – it starts with creating a site and changing the look.
Our custom Promoted Links display needs some extra steps for certain page templates.
Many of the materials were not 100% current – with document libraries being managed with Tabs instead of the Modern look-and-feel, for instance. I wanted things to be 100% applicable when we launched – the correct look-and-feel and correct functionalities. The difference between the old and the new platform is too large otherwise.
Most of the materials have NOT been written in a “life cycle” format
What it is and when to use it
Create and configure “app”
Add to and configure web part on page
Add item to app
Edit or delete item in app
Modify something in app and/or web part (views)
Delete web part
Tips & tricks & troubleshooting
So, I have done a lot of writing, and my colleague has made tons of videos to accompany that. I have used Microsoft materials and some of the blogs I mentioned – often as “additional information” or “good practice”.
I will continue to adjust my own materials and scout for other good stuff. I hope that over time, people will learn to deal with the ever-changing look-and-feel and not be confused by a video of a document library that has “last years style”. Then we will be able to use more materials created by others.
We are also working on a plan to make sure the Yammer channel keeps being active when everyone will be in the “business as usual” mode again.
I will also have to adjust the e-learning on a regular basis.
It has been quite an interesting project to create all this, but it is strange to be doing that while there are so many materials already available on the internet. It feels as if I am reinventing wheels, which I hate!
Have you created learning materials yourself or have you borrowed with pride?
Multiple choice image courtesy of Becris at FreeDigitalPhotos.net
About once a month I get a panicky phone call about “an important document that has suddenly disappeared”. Quite often SharePoint or even myself are blamed for this.
The reality is always different, of course: a user of the library has deleted the document, but who has done it is impossible to find out (for the Site Owner) and many people do not know how they can restore deleted documents.
I am therefore very happy with the new Document Library experience in SharePoint Online, where the “details pane” tells you what has happened in the library. (And even with each document!)
From now on, you can see who has deleted or modified a document by clicking he little “ï” icon on top right of your library to see what has happened.
Let me show you how this works with a few common scenarios that may lead people to think their document has been deleted.
This is a library in the “All Documents” view.
1. The document has been deleted.
Deleting a document shows up in the pane.
Oh dear, you can see who has deleted the document! 🙂
I am always the bad guy in my one-person tenant, but please note everyone’s actions are visible to everyone in a more “normal” environment!
If you see this message, contact the person who has deleted the document and ask him/her to restore it. The Recycle Bin still only shows the items you have deleted.
If you restore the document from the Recycle Bin, the details pane will show you this:
2. The properties of the document have been changed.
This may move the document to a different view, and may lead people to think the document has been deleted. (Depending on the views in your library)
I have a view for “Video”. It contains 3 files.
If I change the Topic property for one document, this is what happens:
The document moves out of this view
The details pane shows this message:
“Edited” can mean various things, but in any case you will know that someone has done something to this document, and it was not a deletion.
3. The name of the document has been changed.
This will leave the document where it is, but people may no longer recognize it and may think it has been deleted.
This is what the details pane shows when you change the file name:
Interestingly, you will see two actions mentioned:
“Edited” the old name
“Renamed or Moved” the new name
This will tell you where to look, and again shows you the file has not been deleted.
4. The document has been moved to a folder.
This will move the document out of the view, so people may think it has been deleted.
In this case, nothing new shows up in the details pane for your library.
However, if you open a folder and click on the details pane icon, you will see an action:
This means you will have to go to each folder and check if the document has been moved there. That is another reason to use metadata rather than folders to group your documents into meaningful clusters.:-)
I always suggest to create a “Monitor” view that shows all documents, sorted on “modified descending”, without folders, to keep track of latest changes.
If you move the document back to the “All Documents” view, you will see it mentioned in the details pane of the document library again as “renamed or moved”.
Good to know:
If you edit the content of the document, it will also show as “edited”.
When you select a document and open the details pane, you can also see and edit the document properties, see the document history, and a lot more, but that is not the scope of this post. (December 2016: I wrote this post about that)
All changes will remain visible for at least 2 months, but I do not yet know if there is a limit on time or number of actions.
If the same person performs a number of actions, they will be grouped as “<person name> made edits”. You can click the arrow to see them all:
I think this is very useful functionality to help any Site Owner. It will make the Site Owner less dependent of their site collection admin.
“Edited” and “renamed or moved” may mean various things, but they at least indicate that a document has changed, but not been deleted.
What do you think of the details pane? Has it helped you?
Image courtesy of imagerymajestic at FreeDigitalPhotos.net
Title inspired by the movie “Bad Santa” with Billy-Bob Thornton.