Dear user of our intranet

This morning I received your support ticket.

Many thanks for enclosing the complete email chain with all your colleagues. Apart from a good permissions puzzle, there is nothing I like more than going through a 40-message email chain, and finding the hidden clues between the “FYI” and “Can you help” forwards. I am really pleased that you have tried to get help from so many people before logging a call in our incident system, and it is heartwarming to see your colleagues’ empathy and desire to help.

From this wonderful meandering narrative I understand that “editing the Monthly Forecast in the Marketing site does not work”. That narrows down the possibilities, because only 938 of our approximately 15.000 sites have Marketing in the title, so it will save me going through 14.062 sites which are definitely not called Marketing.

Now of course I assume the Marketing site has “Marketing” in its title 🙂

From the company address book I see that you work in the Dairy division, which has 297 Marketing sites, so I can increase the odds even further.

Then it is only a matter of finding a Monthly Forecast document in one of these sites and checking which one does not work. That should not be too difficult: I did a Search and found 6274 hits on Monthly Forecast – it is a matter of checking URLs against the Marketing sites to see which are eligible.

I assume you wanted to edit a recent document so will start from the most recent.

In conclusion, I will check the cross of Dairy Marketing sites and Monthly Forecast docs from the last 2 months, and see which one of them “does not work”. Now of course there are many ways of “does not work”, but do not worry, I will check them all, from permissions to document library opening behavior, checkout, and workflows to corrupted documents.

I have planned about two weeks to go through this and I am quite looking forward to this challenging quest!

However, should you be in a sort of hurry, or have a deadline, please let me know. After all it is the 21st already and I can imagine you will need to update this document before the end of the month. Sending me the URL of the site, the name of the document and the document library/folder it lives in, as well as a description of what you were trying to do and what happened, possibly even with a screenshot of the error message, will reduce the quest to an hour or so. Of course this will rob me of the fun of exploring this all by myself, but I know that this is business-critical content so I can not be selfish.

Looking forward to your information,

Best regards,

The Helpdesk.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net


The Intranet Treasure Hunt

When we launched our new intranet at the beginning of 2017, we also set up a Treasure Hunt to make people familiar with the new look and feel and setup. After all, moving to SharePoint Online has been quite a large step from our old SharePoint 2007 environment.

Many intranet folks have talked about doing treasure hunts, but as far as I know nobody has ever explained what they have done in detail, so let me share our recipe.

The ingredients and preparation

  1. A News article to introduce the Treasure Hunt
  2. A News article with clues and a direction to the next place of the hunt
  3. More News articles or intranet pages with clues and directions – as many as you need
  4. Email account of our Founding Father
  5. Autoreply message from Founding Father
  6. Yammer message
  7. A page where people are instructed how to enter their solution
  8. A survey to collect the solutions
  9. The solution: in our case a sentence that people had to create with the clue words
  10. A thank-you page with information about the next steps
  11. Prizes

 The mechanics

A few days after launch, a News article (1) appeared on the new intranet homepage. It explained the treasure hunt and the mechanics. You were to look for clues to the next place and for words that were written in a certain way, e.g. <word>.
The words you would find during your search would form a sentence.

The first announcement about the Treasure Hunt

The first clue was to find the oldest News post on the intranet. As we had not migrated older News articles that was not so hard to find. The oldest post (2) turned out to be a post written by our Founding Father.  It was full of hope for the future and predicted with remarkable accuracy some inventions we would do later 🙂

It was easy to find the oldest News item!

Of course there was another <word> in his post. At the end he asked to send him an email asking for guidance. As his contact details were on the page (as is the case for all News items) (3) it could be done with the click of a button.

This is SharePoint News, slightly different than our own custom News setup, so I can not show you the Author button + email link (but I trust you will get it)

When you sent him the email you received an autoreply (5). He sent you to the “modern watering hole Yammer”, where we were to look for a post from one of our senior management about a certain topic.

The email message – I quite liked the “Eternity Leave” that our Comms people came up with 🙂

On Yammer, it was easy to look for that certain person (once you knew how to search) and the message (6) in question. Once again, it contained a <word> or two and a link to the next clue.

This Yammer message sent people to the new Policies & Procedures site, where you were asked to follow the IM page for later reference. (When will Yammer have a proper text editor?)

After sending you to a few other important new sites (with <words>) and asking you to follow those pages, the last link led to a page (7) which welcomed you to the Treasure hunt and asked you to

  1. Set your News preferences
  2. Make sure you had uploaded your profile picture
  3. Click on a link

The last part of the journey

The link led to a survey (8) with two questions:

  • Create a sentence (9) with the <words> you have found. The sentence was one of the company values, so not too hard to compose once you had the words.
  • Describe why you should get the prize. (That was an easy one for me: I said this treasure hunt would not have been possible without me – as I created the pages & survey).

The survey

After clicking Finish you would go to a thank-you page (10) with more information about the publication of the winners.

The Thank-you page – I like to use this with surveys

All in all, by doing the treasure hunt people have been exposed to:

  • Finding News
  • Setting their News preferences
  • Going to Yammer and finding a person’s conversations
  • A number of new sites with important company-wide information
  • Following sites
  • Adding a picture to your profile

This was a very simple setup, but of course you can extend it as you like.

(Disclaimer: I have replicated this on my own tenant in a schematic way. Our real Treasure Hunt looked much better and the texts were created by communication professionals)

BTW, Sadly I did not win any prize as I was part of the organizing committee 😦

The <words>  in my screenshots form a sentence as well…please add it to the comments if you have found it! (again, exclude <word>)

Image courtesy of Pong at FreeDigitalPhotos.net

350 intranet promotion videos!

Recently I passed the 350 mark in my collection of intranet and Yammer promotion videos. Time for another modest celebration!

New trends

More and more intranets are promoting a section for video content, so I guess this is a new trend.
Otherwise, “simplification” and “user feedback” still play an important role in every relaunch, and so they should 🙂 .
Also, more and more intranets (but not all!) are social, and “usable on all devices” is starting to be the norm, rather than the exception.

Of course my collection is meant for your information and amusement, but I occasionally hear that people are using it as a serious starting point for their own video. In general, I can suggest the following steps:

1. Check what related organizations have done

Use the filter and see what your industry peers are doing, and what their intranets look like, if the video shows that. Most selections contain a variety of styles (talking heads, animations, demos, stories, serious, funny, etc.) that may give you ideas about the sort of video you would like to create.

2. Determine your boundaries

Watch my list of rather extreme videos. Do you also want to create a full movie, a very silly video, have a hysterical voice-over, or would you rather stay on safer ground?

3. Watch metaphors for solving common business issues

If you are looking for metaphors of solving common business problems such as too many emails, or not knowing where the expertise is in your company, this selection may help you on your way.

4. When in doubt, create a demo

A well-made demo is always worth the investment, so if you have no other needs or wishes, a demo may be the best way moving forward.

  • you can show employees how to work with the intranet, reducing the need for extensive classroom or webinar training
  • you can show employees how they are supposed to work, if a new way of working is among your goals for the new intranet. In a demo video it can be done subtly and matter-of-fact.
  • it can be used for onboarding new employees for a long time after the launch
  • if you share it, we can see your intranet! 🙂

This is my selection of good demos.

I hope you can use these tips to create your own video. And please remember to put it online for others to enjoy!

It never ceases to amaze and delight me that so many people enjoy my videos. I even got sort of suggested for the Diamond Award of IntranetsNow 2017!

Treat!

And finally, to celebrate, I have a very special video: the one that was made to celebrate the launch of the new intranet of my former employer Sara Lee, in 2005. It has not been added to my collection yet – you saw it here first! It is “vintage”, so please ignore the bad quality 🙂

And then to think this all started as a whimsical blog post!

Image courtesy of vectorolie at FreeDigitalPhotos.net (“350” added by me)

7 steps to clean up unique permissions

In my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or library that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

List of documents (or items) that have unique permissions. Right-click “manage permissions” and open the link in a new tab.

e. Using Right-click > Open in new tab, click “manage permissions” for the topmost item. (If you just click “manage permissions”, you will have to start at a. again for the next document or list item.)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type will generally have “guestaccess” in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Link “Document 5” has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.
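
The hover check in this step can be run over saved page HTML instead. The Python sketch below is an added example, not part of the original post: it lists links whose file name is guestaccess.aspx (the marker in the URL shown above) so that they can be replaced. The sample HTML, the contoso.example host and the function name find_sharing_links are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: a saved page with Promoted Links (not a real site).
SAMPLE_BASE = "https://contoso.example/Team/Share/SitePages/Home.aspx"
SAMPLE_HTML = """
<div class="promoted-links">
  <a href="/Team/Share/_layouts/15/guestaccess.aspx?share=PLACEHOLDER">Document 5</a>
  <a href="https://contoso.example/Team/Share/Shared%20Documents/Document%206.docx">Document 6</a>
  <a href="../_layouts/15/GuestAccess.aspx?share=PLACEHOLDER">Budget <b>2017</b></a>
  <a href="https://contoso.example/Team/Share/SitePages/About-guestaccess.aspx">About guest access</a>
  <a name="top">No href here</a>
</div>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.flush_anchor()          # tolerate anchors that were never closed
            href = dict(attrs).get("href")
            if href:
                self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self.flush_anchor()

    def flush_anchor(self):
        if self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def find_sharing_links(html, base_url):
    """Return links on the page that point at guestaccess.aspx.

    Relative hrefs are resolved against base_url first. Only the last path
    segment is compared (case-insensitively), so a page that merely has
    "guestaccess" somewhere in its name is not reported.
    """
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    collector.flush_anchor()             # anchor still open at end of input
    findings = []
    for href, text in collector.links:
        absolute = urljoin(base_url, href)
        last_segment = urlsplit(absolute).path.rsplit("/", 1)[-1]
        if last_segment.lower() == "guestaccess.aspx":
            findings.append({"text": text, "url": absolute})
    return findings


if __name__ == "__main__":
    for finding in find_sharing_links(SAMPLE_HTML, SAMPLE_BASE):
        print(f"replace: {finding['text']!r} -> {finding['url']}")
```

Each reported link is a candidate for the “Restricted Link” replacement; the script only reads the HTML and changes nothing in the site.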

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Limiting unwanted sharing and unique permissions

In my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some measures that a tenant administrator, a site collection administrator and a site owner can take to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”.

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Sharing = scaring (part 2)

In my most recent post I focused on sharing documents and items by the Site owner, demonstrating that the Site owner him/herself can easily create lots of unique permissions by sharing folders, documents and items.

But what happens if another user of your team site shares? Can a Member or Visitor create unique permissions as well, and does the Site owner know what the Site members are doing?

Once again, we start out with a team site with the standard permission sets (Owner, Member with Edit permissions, Visitor with Read permissions) and no unique permissions.

Durian Grey is a Visitor and Mystery Guest is a Member. We also introduce Kimberley B, who has no access at present.

Sharing documents/items by a Member

Now, Mystery Guest shares as follows:

  1. Durian, Can View
  2. Kimberley, Can View
  3. Durian, Can Edit
  4. Kimberley, Can Edit

The following results are as expected:

  • Document 1 does not change permissions since Durian already has Read access to this site.
  • Documents 2, 3 and 4 get unique permissions after clicking the “Share” button in the Sharing screen.
  • The persons are added as individuals to the document
  • Documents 3 and 4 have the individual added with “Contribute” while Members in this site have “Edit” permissions. (and the Share option is called “Can Edit”) So, a new role is added.

The following results were a surprise for me:

  • The documents shared with Kimberley B generate an External Sharing Invitation (access request) but the Site owner does not get an email notification.
  • Kimberley B can only share the document with existing site members when she has View permissions, but she can share the document with ANYONE, including new externals, when she has Edit permissions.
  • When Kimberley B shares with another external user this creates an External Sharing Invitation for the new person.

Kimberley B can share the Edit permissions for this document with everyone, even though she has no permissions on site level. Scary!

 

Sharing documents/items by a Visitor

Durian shares document 5 with Mystery Guest. He can not select Can View or Can Edit. When he clicks “Share”, he sees a message that this request is being sent to the Site Owner but that does not happen; the message goes straight to Mystery Guest. She can access in her normal role and no unique permissions are created. Phew!

Durian then shares document 5 with Kimberley B.

A Visitor can share but always needs approval from the Site owner.

 

When he clicks “Share” the following things happen:

  • The Site owner receives the normal “someone wants to share” email, Durian gets a copy
  • An access request in Pending Requests appears. By default, the request is for Edit (not Contribute), as an individual. The Site Owner can not select one of the permissions groups, so has to give individual permissions. 😦
  • As soon as the Site owner selects a permissions set and hits Approve, the item has unique permissions.
  • Durian receives an email that the sharing request has been accepted.
  • Kimberley B receives an email that a document has been shared.
  • Kimberley B can share the document with only existing members or anyone, according to her permissions.

Sharing a site

Since Mystery Guest has found that Kimberley has no access, she shares the complete site with Kimberley. She is not a Site owner, so she can not select a permission set when she shares the site.

As soon as Mystery Guest clicks “Share”

  • Kimberley B receives an email.
  • She is added into the Members group (even without having accessed the site).

Uh…how does Kimberley B suddenly end up in this group?

 

Durian has the same thought.

  • He shares the site with Kimberley B.
  • His request is sent to the Site Owner and an Access Request is created.
  • The Site Owner goes to the Access Requests list and selects the Visitors group of the site and clicks Approve. (Members is the default, btw)
  • A confirmation email is sent to Kimberley B and Durian.

Now Durian wants to share the site with another external person, who has never been invited before. He can not do that.


What to think of this?

It is complicated!

Although a number of things are understandable, this can turn into a messy site:

  • Get a Link, Share and Access Requests can all very easily create unique permissions for documents (including pages), folders and list items.
  • Members can use Get a Link and Share, create unique permissions, and add new Members, without the Site owner knowing.
  • Visitors can do less and generally need approval from the Site owner; this is better for the Site owner’s overview, but can create a lot of work because of the approval requests.
  • External users can share your document with anyone, if they have Edit permissions.

Don’t panic!

Before you start panicking, please be aware that my tenant is almost out-of-the-box and all the sharing options are turned on by default.  Tenant admins can take measures to reduce the unlimited sharing Microsoft thinks we need.
I will share those measures with you next time.

I have also found a few differences with regards to users who are mentioned in my tenant (with and without license) and who are not. When I have recovered from my current identity crisis, juggling 4 accounts and 3 browsers, I will try to find out more. 🙂

Image courtesy of marcolm at FreeDigitalPhotos.net

Looking at myself all day in Office365

Long ago

Around 2005 I was involved with creating a new SharePoint-based intranet.

At that time we had “Knowledge Areas” on our old custom-built intranet. The Knowledge Areas contained information for a specific region, function, topic or country.
They were an early version of team sites, containing a combination of FrontPage Webs, “Document Cabinets” and Forums.
Each Knowledge Area had an owner, whose name was mentioned on the homepage.

The Knowledge Areas were to be replaced with SharePoint team sites. We wanted to brighten up the design of our new intranet and made a few prototypes to show the Knowledge Area managers.

They all went berserk.

How dared we propose to add their pictures to their name? They did not want to be on public display!
HR and privacy officers stampeded into our offices or called us with questions and concerns. We could not do such an unheard of thing without approvals from all kinds of senior officers!

Of course we had a company directory where all employees could find each other, search for expertise and create organigrams. Of course there was an option to add a picture, but few people did that. I often asked people why they walked on the company’s premises freely, without a paper bag on their head, yet were afraid to show their face to other employees. For some reason this did not have the desired effect 🙂

I have always liked seeing pictures of my colleagues, especially if they are not in my location. It helps to know what they look like, especially when you may meet them in another office or while travelling to other locations, which I did frequently in those days. But not everyone is an early adopter and some people would rather wait until they have seen that no harm befalls those who have shared their looks in the directory.

The only person with an acceptable excuse (in my book) was the Director for Mergers and Acquisitions. If you saw him in your location, you could bet that an acquisition or divestiture  was in the works, with all the speculations, gossip and general unrest that go with a big organizational change. So I understood that he did not want to become too well-known.

Recently

Since 2005 we have all gotten used to seeing our own and other people’s pictures in various places on the intranet: as a contact person for a team site, in permission settings, in the enterprise social network, etc. And now that Office365 uses People Cards, it is more and more important that your profile is up to date – with a picture to match.

BTW, if your people directory is lagging behind, these tactics may help.  And if you think your people directory is awesome, please take this test.

Now

With Office365  we have switched to the other side and suddenly I am looking at myself ALL DAY.
Not only do I see my face in the details pane in document libraries or list, in Delve, on Yammer, in Search results, but I am also displayed in the Office365 top bar.
A new Office365 profile “experience” has just been announced. I do not know yet if that exposes my face to myself even more 🙂
I find that a bit weird and disconcerting.  Does anyone else feel that this is a bit too much?

OK, it is a small picture on the top right, but still…

Narcissus image courtesy of franky242 at FreeDigitalPhotos.net