In my most recent post I focused on sharing documents and items by the Site owner, demonstrating that the Site owner him/herself can easily create lots of unique permissions by sharing folders, documents and items.
But what happens if a another user of your team site shares? Can a Member or Visitor create unique permissions as well, and does the Site owner know what the Site members are doing?
Once again, we start out with a team site with the standard permission sets (Owner, Member with Edit permissions, Visitor with Read permissions) and no unique permissions.
Durian Grey is a Visitor and Mystery Guest is a Member. We also introduce Kimberley B, who has no access at present.
Sharing documents/items by a Member
Now, Mystery Guest shares as follows:
- Durian, Can View
- Kimberley, Can View
- Durian, Can Edit
- Kimberley, Can Edit
The following results are as expected:
- Document 1 does not change permissions since Durian already has Read access to this site.
- Documents 2, 3 and 4 get unique permissions after clicking the “Share” button in the Sharing screen.
- The persons are added as individuals to the document
- Documents 3 and 4 have the individual added with “Contribute” while Members in this site have “Edit” permissions. (and the Share option is called “Can Edit”) So, a new role is added.
These following results were a surprise for me:
- The documents shared with Kimberley B generate an External Sharing Invitation (access request) but the Site owner does not get an email notification.
- Kimberley B can only share the document with existing site members when she has View permissions. but she can share the document with ANYONE, including new externals, when she has Edit permissions.
- When Kimberley B shares with another external user this creates an External Sharing Invitation for the new person.
Sharing documents/items by a Visitor
Durian shares document 5 with Mystery Guest. He can not select Can View or Can Edit. When he clicks “Share”, he sees a message that this request is being sent to the Site Owner but that does not happen; the message goes straight to Mystery Guest. She can access in her normal role and no unique permissions are created. Phew!
Durian then shares document 5 with Kimberly B.
When he clicks “Share” the following things happen:
- The Site owner receives the normal “someone wants to share” email, Durian gets a copy
- An access request in Pending Requests appears. By default, the request is for Edit (not Contribute), as an individual. The Site Owner can not select one of the permissions groups, so has to give individual permissions. 😦
- As soon as the Site owner selects a permissions set and hits Approve, the item has unique permissions.
- Durian receives an email that the sharing request has been accepted.
- Kimberley B receives an email that a document has been shared.
- Kimberley B can share the document with only existing members or anyone, according to her permissions.
Sharing a site
Since Mystery Guest has found that Kimberley has no access, she shares the complete site with Kimberley. She is not a Site owner, so she can not select a permission set when she shares the site.
As soon as Mystery Guest clicks “Share”
- Kimberley B receives an email.
- She is added into the Members group (even without having accessed the site).
Durian has the same thought.
- He shares the site with Kimberley B.
- His request is sent to the Site Owner and an Access Request is created.
- The Site Owner goes to the Access Requests list and selects the Visitors group of the site and clicks Approve. (Members is the default, btw)
- A confirmation email is sent to Kimberley B and Durian.
Now Durian wants to share the site with another external person, who has never been invited before. He can not do that.
What to think of this?
It is complicated!
Although a number of things are understandable this can turn into a messy site:
- Get a Link, Share and Access Requests can all very easily create unique permissions for documents (including pages), folders and list items.
- Members can use Get a Link and Share, create unique permissions, and add new Members, without the Site owner knowing.
- Visitors can do less and generally need approval from the Site owner; this is better for the Site owner’s overview, but can create a lot of work because of the approval requests.
- External users can share your document with anyone, if they have Edit permissions.
Before you start panicking, please be aware that my tenant is almost out-of-the-box and all the sharing options are turned on by default. Tenant admins can take measures to reduce the unlimited sharing Microsoft thinks we need.
I will share those measures with you next time.
I have also found a few differences with regards to users who are mentioned in my tenant (with and without license) and who are not. When I have recovered from my current identity crisis, juggling 4 accounts and 3 browsers, I will try to find out more. 🙂
Image courtesy of marcolm at FreeDigitalPhotos.net