Let the right one in (your SharePoint site)

AccessRequest-KnockerWhat do you do when you receive a request for access to your SharePoint site? Accept it immediately (because you want to be done with it, or you feel a bit ashamed that you have excluded someone) or find out exactly what they want because there may be more to the request than meets the eye?

Yes, I thought so. 🙂

Let’s dig a bit deeper into Access Requests. There’s quite a lot you can do with them, including creating unique permissions. You know that I hate that!

Microsoft explains this in detail  but of course they  they let you figure out all the implications by yourself. Or by me :-).

If your email address is in the Access Request Settings, you will receive access requests via email, and the requests will be replicated in the Site settings > Access Requests and Invitations page.

AccesRequests-Link
If you do not see “Access requests and invitations”, you have not received a request yet.

How does it work?

When you get the access request in your mail, you will see the link to the desired content. You can immediately click the “Accept” button from the email and give them Contribute permissions by default.

Access Requests-request
At the bottom you see the link to the document.

Yes, Contribute. That means they can edit the content.

Hmmm, perhaps clicking Accept immediately is not such a good idea after all. Perhaps Read-permissions are good enough. Or, if you have sent this link assuming they had access, it may be a good idea to give them access to the complete site.

Alternative: the Access Requests and Invitations page!

So, here comes the Access Requests and Invitations page to look at (and manage) the request.

You will see three categories: Pending requests, External user invitations and History.

Access requests - page
The page where you can take a closer look at the access request.

Here again, you can click Approve or Decline, or check first what will happen if you click Approve. So, click the … next to the name of the requester. This pop up opens:

Access Requests-open.GIF
“Bewerken”  means “Contribute”, sorry, the language settings in my tenant are a bit out of my control.

Here you see some more info:

  • What Office365 has decided about their permissions. In this case Office365 would add them as an individual to this document with Contribute permissions – most unpleasant!
    You can click the drop down to select the Contributors or Visitors group for the site.
  • Who has asked access and what exactly for. Hover over the link to see the URL.
  • Date and time of the request
  • Approval state
  • Email conversation with the person who requests access. You see I was busy writing this post, so the impatient Mystery Guest asked for permissions again 🙂

What would have happened…

If I had clicked Accept from the email or Approve from the Access Request page, this is what would have happened:

Access request - acceptwithoutchanges
You see Mystery Guest now has unique permissions and is added as an individual with Contribute permissions.

Exception: Site welcome page

There is one exception to this rule and that is when you send the link to the welcome page of the site. In that case the requester is added by default to the Members group. This also may be more than you want, though.

Access requests-sharesite
If you share the site root or welcome page, the person is by default added to the Members group.

History

After approval, the request ends up under “Show History”. This gives a nice overview of everything that has happened in your site.
If you see a name very often, it may be an idea to give them access to the whole site.

Access Request - history
The Access Request history in this site. I may need to make this Mystery Guest a permanent member 🙂

Recommendation

When you receive an Access Request it may be better to spend some time figuring out the details, than to click Accept immediately. This will cost you some time now, but will save you time fixing unique permissions later (and dealing with even more access requests because too many inheritances are broken!).

Have you found any other “interesting” behavior of the Access Request?

Title based on the movie “Let the right one in“.

Image courtesy of cbenjasuwan at FreeDigitalPhotos.net

The SharePoint survey lifecycle

survey-headerThe other day someone asked me if I could help him set up a SharePoint survey. He wanted to use our nice new intranet and did not even mention the word “Surveymonkey” 🙂

I do not have much time for individual support at the moment so I thought I’d find him some help from the internet.  I found a good article from Microsoft about creating a survey but it stopped at the creation of the survey list. All the other blogs that I found on the topic touched very briefly on other settings at most. The best one I found also included a good number of benefits and examples of how to use surveys,

In my experience most problems occur because people think a survey is ready-for-use once the questions and answers have been set up. However, there are a lot of things you have to think about, so I still had to write the complete manual myself.

What will I cover in this post?

This will be a long read, so let me inform you of the topics I will cover:

  1. Determine your needs
  2. Find a site
  3. Create questions
  4. Give your audience correct permissions
  5. Decide on “show names”
  6. Decide on one or multiple entries per person
  7. Visibility of entries
  8. Welcome page and thank you page
  9. Testing your survey
  10. Launching your survey
  11. Monitoring results
  12. Gathering and analyzing results
  13. Deactivating the survey
  14. Deleting the survey

So, here goes!

1. Determine your needs

It makes a difference if you use your survey for a fun purpose (who will win the World Football Cup?), for a neutral business purpose (to collect suggestions for a new product), or for a serious and possibly even sensitive purpose. (How do you feel about this company? What were your experiences with this project?). For the latter, you will need more thinking, more questions, more careful wording and stricter settings than for the first example.
This is beyond this post’s scope, but this article may be a good starting point.
Update April 4, 2017: And as serendipity would have it, just after I published this blog this Tweet appeared in my timeline:

2. Find a site

A SharePoint survey is a list in a SharePoint site, so you need to have a site. You also need to be a site owner since it is very likely you will be fiddling with permissions and need to monitor responses. If you have one, you may need to consider the survey audience. Is your confidential project site a good place for a survey for all employees? Is your open site a good place for a very sensitive survey for senior management only about an upcoming divestiture? It can be done, but it may be more difficult to set up and manage than if your site has an audience that sort of matches the audience of your survey.
In some cases it is better to have a special site for this purpose.

If you do not have a site, and you are on Office365, an Excel survey may be an option. I have no experience with this, and I do not know if the information below is relevant for this.

3. Create questions and answers

First of all, plan your survey. Microsoft has some help for that, including an overview of the types of questions and answers.
Secondly, create the survey, add questions and answers and change some settings.
Please be aware that you will be unable to export a Likert scale (rating scale) question/answer to Excel for further analysis.

This is what a survey will look like:

Survey-homepage
This is what you see when you access a survey from the Site Contents page. Consider it your “survey homepage” and it is the starting point for many actions.

4. Give your audience correct permissions

Many people expect that a survey is automatically  set up to receive responses from everyone, but this is a normal SharePoint list with normal SharePoint behavior. So, in most cases you will need to give your audience Contribute permissions to the survey.

If you do not give them Read access to the site, be aware that they can only access the survey via the direct link to the survey and they can not enter the site.

5. Decide on “show names”

This is a setting that you will find in “Advanced Settings” when you create the survey, or afterwards in Settings > Survey Settings > List name, description and navigation.
The default is “Yes”. If you select “No”, all names of people will be replaced with ***.
This is not really anonymous because a Site Owner will be able to switch that at will, making all names visible again. During a survey it may make sense to have the names replaced, and only make them visible when you export the results, but this is also depending on your choices for point 7.

Survey-settings1
You can decide to show names, or ***; and also to allow one or more responses

6. Decide on one or multiple entries per person

The default is “No” and in most cases that makes perfect sense.
If your survey collects information such as ideas or suggestions, it can be useful to set this to “Yes” so people can add multiple suggestions.
This setting can also be found in “Advanced Settings” when you create the survey, or afterwards in Settings > Survey Settings > List name, description and navigation.
Please note that most people get into a right panic when they want to enter a survey twice and get the error message. If they read the message, it is perfectly clear, but who reads an error message? 🙂
It may be good to tell them they can enter once only, or multiple times.

survey-error
This message will be shown when you want to respond twice to a survey when you can only enter once. Looks perfectly clear to me! 🙂

7. Visibility of entries

Do you want everyone to see each others responses? This can be a good idea if use your survey for logging issues, so people can see which issues have been submitted already. But for a survey asking for opinions about the company strategy you may want to limit visibility.
Go to your survey, click Settings > Survey Settings > Advanced Settings.

Set the first radio button to “Read responses that were created by the user”.

This way, people will only see their own item. They will still see the total number of items in Site Contents, but they will not able to see anything else.
Also check out the options below about Create and Edit access. By default people will be able to edit only their own responses. In some cases it may be good that they can edit all responses, but to be honest I have never come across the need for this settings.
Never select None because this also means that a user can not add anything, which is rather odd for a survey.

survey-responsesvisible
These are the default settings for a survey. Often it is better to select ” read responses that were created by the user”  so people only see their own items.

8. Welcome page and thank you page (optional)

I often add a page with some more information about the survey and a nice button or text which leads you to the entry form upon click. After submitting their entry, people can be led to a Thank You page, thanking them for their contribution and informing them about e.g. when the results will be published or the prize will be drawn.
The default return page is the ‘survey homepage” (screenshot above).

It is easy to create as follows:

  • Create a page and add welcome text and a link or button to the survey
  • Create a page with a thank-you-and-these-are-the-next-steps-message. Copy the link of this page to Notepad or a Word document.
  • Click “Respond to this survey” on your survey and copy the link into Notepad or a Word document. Delete all text after Source=
  • Add the URL of your thank-you-page after Source=
  • On the welcome page, add the new link to the link or button

Please be aware that your audience needs Read access to both pages, so if you have a confidential site where the audience is much larger than the site’s regular audience, I would not go this way, since it will either mean setting item level permissions (and you know I do not like unique permissions) on those pages OR a lot of error messages 🙂

survey-welcomepage
Example of a welcome page. I have used a Web Part Page for this. When I click on “Enter the survey” I will go to the page below.
survey-survey
This is my survey. When clicking on “Finish” I will  go to the page below.
survey-thankyoupage
Example of a Thank-You page. I have used a Site Page for this; strangely enough it takes my Office365 theme instead of my Site theme.

9. Testing your survey

I have created many surveys, but even I test everyone of them before they go live.  Ask one or two people, preferably from the target audience (again, depending on purpose and audience and complexity), to go through the complete process and respond to your survey. Do they understand the questions and answers? Have you missed anything obvious, or are some things redundant? Does everything work from a technical/functional perspective?

10. Launching your survey

You can inform your audience in different ways, depending on urgency, topic and audience.
If your survey needs to be executed in a certain timeframe, you will probably send a link in an email or post it as a news item.

If you have a long-term survey, you can add the web part to a (home)page, add the link as a Promoted Link, a Summary Link or in the navigation, so all users of your site are reminded on a regular basis to give their feedback.

You can use

  • the link to the survey (people will need to click “Respond to this survey”)
  • the link that you get when you click “Respond to this survey”
  • the combined link that takes people to the Thank-you page after “Finish” as in item 8 (you skip the Welcome page)
  • the link to the Welcome page as in item 8

11. Monitoring results

During the time the survey is active, you may want to keep track of the number of replies you get.  You can set an alert to keep track of new submissions, or look in Site Contents on a regular basis.
When you are on the Site Contents page, clicking on the survey and then on “Show graphical summary”  will show you an overview of the results;  clicking “View all Responses” will show you who has completed the survey and their individual contributions.
Those two options are only available for the site owner.

survey-graphical summary
Example of the Graphical Summary. Q1 is a Choice-question, Q2 is a Rating Scale.
survey-individual responses
An “individual response” . Clicking on the … will show you what I entered

12. Gathering and analyzing results

When you need a status update, or when the survey is over, you can either look at the graphical summary, or export the results into an Excel file for further analysis.
Click Actions > Export to spreadsheet.

Again, please be aware you can only make screenshots of any questions that need a response on a rating/Likert scale. These questions and answers can not be exported.

13. Deactivating the survey

Once the survey is over and you are working on the results, conclusions and next steps, you will want to stop people from making new entries. You can do this by changing the permissions from Contribute to Read and/or deleting the unique permissions, or by removing the audience from your survey or site altogether.

14. Deleting the survey

Once you have exported or captured the results and determined next steps, your survey project is completed and you can delete the survey.
Go to your survey > Settings > Survey settings > Delete this survey.

If you have used a welcome and thank-you page, you can delete those as well.

That’s it, folks!

As I said, this has become quite a long post, but I just wanted to take you through the complete process. There’s more to a survey than just creating some questions and answers!

For your next survey project, I would appreciate it if you would follow these steps and let me know if this has been sufficient information to do it yourself, or if I have overlooked something. (and if yes, what)

Good luck!

Image courtesy of fantasista at FreeDigitalPhotos.net

Get a Link – Get a Break!

getalink-brokenchocolate2As I am writing help materials for our new intranet I do not only have to think about “HOW do you do this” but also “WHY would you do this” and “How can you do this BEST, without spending too much time, adding maintenance or messing things up?”

With the migration of content to the new platform, many Site Owners need to rework their publishing pages. Generally these pages contain (clickable) header images, Promoted Links, Summary Links and links in the text.

On the old platform, when you want to grab the link to a document or image, you go to the library, right click on the name and select “Copy Shortcut” from the pop up. This is no longer available in SharePoint Online.

So, how does one get a link in SharePoint Online?

I have found 3 ways to link to a document, page or image:

  1. In Summary Links as well as the Rich Text Editor on a page (Wiki page style), you can browse for the link to a document or image that lives in your site or site collection.
    getalink-insertlink
    Insert > Link > From SharePoint will allow you to browse the libraries and lists in your site and link to the desired content.

    getalink-summarylinks
    When creating Summary Links you can browse for the content in your site.
  2. You can open the item and grab the URL from the address bar.
  3. There is the new Get a Link option, which you will see when you select a document or image from a library, in the Action Bar (is that what it’s called?) and the pop up menu.
    getalink-actionbar
    The Action Bar shows the Get a Link option when you select an item

    getalink-actionbar-gif-popup
    When you click the … behind an item name, you will see this in the pop up

The users in my company are all accustomed to grabbing a link when they want to share a document via email or on Yammer, so I think this “Get a Link” will appeal to them.

However, at first glance I see 5 different options. What to select?

getalink-options
5 options to Get a Link? Please note that the “no sign-in required” options can be disabled by the tenant administrator. This allows you to share links with anyone, in and outside of your company.

Let’s find out how this works!

Microsoft has already written about this but it is not very detailed.
So, I have created a brand new site in my own tenant. In this site I have uploaded 5 documents, each named after the action I will take.

getalink-documents

I assume the file type is irrelevant so I have used a mix of Excel, Word and PowerPoint.

Please note I am the tenant admin, so I am not a normal Site Owner. Some things may work differently for a regular Site Owner with Full Control.

My tenant is almost out-of-the-box and external and anonymous sharing has been enabled on all site collections.

How to use Get a Link:

  1. Select the document and click “Get a Link”
  2. Select one of the 5 options
  3. Click “Create” (if the link has already been created earlier you will immediately see “copy”
  4. Click “Copy” and the link will be added to your clipboard
  5. Paste wherever you need it.

You can remove a link if you longer want to share. This means the link will be disabled if someone clicks on it.

For links with “no sign-in required” you can set an expiration date. This means the link will no longer work if someone clicks on it after the expiration date.

getalink-expirationdate
For “anonymous sharing” you can set an expiration time.

Results

  1. The links look as follows:

Restricted link:

https://company.com/Sharing/Shared%20Documents/GetLink-RestrictedLink.pptx?d=wa1065f209e79474cb70b1d349a3d5c1c

View Link – account required:

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=g5GzCR4X%2bSQeQkoUVxhvy6ObgkIgAOAwWPxUubf%2bNlY%3d&docid=2_061f40460a0bb4a509b5f126109e2f28e&rev=1

View Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=0d7dc303b58164d169fe1e15c05981740&authkey=Acc4tb7-2Nb5GYqUQPj4Oy0

Edit Link – account required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=OygCzI%2f3Nkr8YKUhpYNPucCNr3H7x4zTfJowLrST0lI%3d&docid=2_17f6bad80545a42428c32907a3503e6f4&rev=1

Edit Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=11bf22e7919224e2987caf7ea39f9f4f5&authkey=AReBJ-AIIrhwFnuFeCqR1e

2. Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

getalink-what
Pardon my French, but what did you just write there?

Yes, you may want to read this again:

Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

I was a bit worried about the word “guest_access” that I saw appearing in 4 of the 5 links, so I decided to check the permissions of my site.
Microsoft mentions this in the small letters of their post, but it is easily overlooked.

You know you can now see immediately if you have items with different permissions in your site. That is very convenient. Normally, only the Microfeed has different permissions, but now my Documents have too!

getalink-brokenpermissions
The document library has “exceptions”. That means: some items have different permissions.
getalink-4outof5
Only the “Restricted Link” does not break permission inheritance!

4 of the 5 docs have broken permissions inheritance! The permissions have not changed yet, but the inheritance has broken. This may not appear to be a big deal now, but if you ever happen to add a new group or individual to your site, which is not unlikely, you will have to remember to give them access to these documents.
Do you seriously think any Site Owner will remember this? Or have the time for that?

More scary and inconvenient findings

  • As soon as someone clicks on a link they are added to the permissions of the document, regardless of their existing role in the site.
getalink-added-after-clicking
I am the tenant admin, and have Full Control of this site, yet I am added as soon as I click the link.
  • People in the Members group get all the options for “Get a Link” as well!
    I have tested this in my work environment and it turns out Members can see and use the “view” and “edit” options so they can break the permission inheritance of documents without the Site Owner being aware!
  • You can only find out which links have been created by checking the options for each document. Click “remove” if you see that an unwanted link has already been created. Now go find out which of your links (In a text, in Summary Links etc.) used this link 😦
  • You can remove the link, but the permission inheritance is still broken.
  • You can only “delete unique permissions”  per document, so you have to go to Site settings > Site permissions > Show items with different permissions > View Exceptions > Manage permissions > Delete unique permissions.
    This is a tedious process.

I think this can turn into a serious issue. I have found that many Site Owners do not fully understand the consequences of broken permission inheritance, and do not understand the extra maintenance and support issues involved. I have tried to tell them NOT to break permission inheritance unless it is really needed, and to never do this on a document or item level.
And even if they know, it is a time-consuming job to reset the permissions.

Also, why all this complexity for just getting a link? I think only the “Restricted link” would be sufficient. Who would ever want to use the “edit” options when linking to an image? Why would you use the “Get a Link” option to share via email if there is also a “Share” option which sends an email? (and which, in some cases, asks permissions to the Site Owner first?)

What would I recommend if you need a link?

  • Use the “Insert > Link > From SharePoint” option to link to a document or image when working in the text editor of a page
  • Use the “Browse” option when creating Summary Links
  • Use “Get a Link > Restricted View” when you want to get a link otherwise. This respects the permissions of your library.
  • Instruct your site Members about the dangers of Get a Link and ask them to use the Restricted Link.

What are your experiences with the Get a Link functionality? Have you been able to reduce the scope and if yes, how? I would appreciate to hear and learn from you!

Kitten image courtesy of Top Photo Engineer at FreeDigitalPhotos.net. Text added by myself.

Congratulations! You have inherited a teamsite!

TeamSiteinheritanceThere have been many organizational changes in my company recently and many sites have changed hands, not always with a proper handover.

A new “heiress” approached me and asked if I could help with getting her started in her sites. She is now managing all sites for her business, and although she is not responsible for all content, she is the go-between for her business and my team. She has managed a site before, so she knows her way around SharePoint, but not on this scale.

Since I get this type of request quite often, I thought I’d note down the actions we took, so I do not have to reinvent the wheel next time. It may help others as well.

Step 1: the Site Collection Admin provides information

  1. Provide her with a list of all the sites and Owners for her business.
  2. Adjust people in the top Owners permissions group to the new situation.
    Since Owners never own their own group in our setup, they can not add any new people in that role. It has to be done by a group that is more senior in the site collection; generally the Business Owner of the site collection or the IM team.
  3. Check to which sites this Owners group has access, and make sure that this group has access to all sites in this business.
    This helps with getting an overview of the content, and will enable her to provide support where needed.

    BevOwners
    Checking to which items this group has access.
  4. Check ownership of the Owners groups in all relevant subsites and change ownership where needed to the top Owners group.
    Group Ownership
    Group Ownership settings

    That way they have control over the Owner groups in the subsites.

  5. Send screenshots of the “Site Contents” of every site to the new owner, so she can compare what the SCA sees (everything) and what she sees.
    There may be list and libraries that have not been shared with the Owner and that can lead to problems.

Step 2: The new Site Owner checks and adjusts content and permissions

  1. Open every site and check permissions. Is the Owner a group? Are there many individual permissions? Do you see “Limited Access”? That may mean that document libraries or lists have broken permissions. (=different from the rest of the site)
    Note the sites with apparent complications and investigate and ask your IM team for help if you do not understand something.
  2. Open each list and library and check permissions. If they have broken permissions, check if this is necessary for this content.
    If you see no reason to have broken permissions, inherit permissions again.
    If it is necessary to have different permissions, adjust permissions where needed and add “different permissions” to the description of the list or library.
    This will make it easier to support – if people report an Access Denied you can see immediately why this may occur.
  3. Follow the instructions in “12 things to do in your teamsite after organizational change”

It was a lot of work, but doing this upfront helped her understand the content and setup she had inherited. She now feels more confident.

What else you do to help your new site owners get started?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Where have all permissions gone?

Permissions-imageSometimes people tell me that “permissions to their site have just disappeared”. They always sound angry as if SharePoint is to blame.
But permissions do not disappear by themselves, unless there is a major issue in the SharePoint setup, and I would have heard about it had that been the case.

Whether you like it or not, in most cases it is a result of human action. However there are more human actions that can mess up site permissions than you may think.

So here’s a list:

1. Could someone else have done it?

You may not be the only one managing permissions. And if there are no other people with Full Control on your site permissions level, there may be people with Full Control in lists or libraries, as in this case:

What a library with broken permissions looks like.
In this library  permissions are different from the rest of the site and there is an additional person with Full Control in the library. (“Volledig beheer” is Dutch for “Full Control”. My site has some weird language settings)

Also check people with Manage Hierarchy, because they can do that as well.
There may even be some specific permission levels which have “manage site permissions” in their role.
Additionally, there are site collection and system admins who, in theory, have the power to make changes. They should never edit permissions unless explicitly requested by the Site Owner and only when the Site Owner can not do it, such as restoring access if a Site Owner has accidentally removed him- or herself from a site.

2. Does your site have inherited permissions?

I once experienced an issue with a few sites with inherited permissions and different Site Owners. When one person removed a number of people from her site the other sites suddenly had “Access Denied” messages all over the place.  Ofcourse, she had switched to the parent site without noticing.
Fortunately, in Office365 it is hard to miss the information about inherited permissions.

This site has inherited permissions
It is hard to miss that this website inherits permissions.


3. Have you removed people with “Limited Access” from the site?

“Limited access” is a tricky thing.
It is a result of broken permissions elsewhere in the site, but it does not tell you where it occurs (in older versions of SharePoint) and which set of permissions this person or group has exactly.

You, as a Site Owner, should know that, but when you have taken over a site, or if there are several people with Full Control, you may not always realize. The only way (in older versions of SharePoint) to find out is to go through each and every library or list (In the ribbon: Library > Library Settings > Permissions for this library)
You may even have folders and sub folders with different permissions, and you will have to go through those as well to find out what permissions which folder has. 😦

To make matters worse, “Limited Access” in a site may also mean nothing, as I have explained in my earlier post.

If you think that all that “Limited Access” looks messy, you may be tempted to remove them. But that will  remove the special permissions they have! Wendy Neal has found out the hard way.

Since writing my earlier post I found that Nathalie Jard has written a very good post about Limited Access.

4. Has someone deleted a site with permission groups that you have re-used in your site?

When you create a subsite that does not inherit permissions, by default 3 groups will be created and added to your site. You can reuse these groups in other sites.
But…if you delete the original site, those 3 groups will be deleted with the site. So people in those groups will no longer have access to the other sites!

Deleting groups when you delete the site.
If you delete a site, you will delete the groups that were created for it.

Now, before I delete a site, I check if the groups have any permissions elsewhere, as follows:

Site Actions > Site Settings > Site Permissions > Click on group > Settings > View Group Permissions.

Check if group has permissions for other content
How to check if a group has permissions for other content
This group only has permissions for this site.
Fortunately this group only has access to this site and not to others.

If they have, I strip the site of all content, remove additional permissions and add a warning to the description not to delete this site.

5. Has someone deleted a permission group that you used in your site?

Someone can also delete a permission group without deleting the complete site, and without checking if that group has access to other sites or content. Always check, as under 4.

So, these are a few reasons why your site permissions may appear to have disappeared “without reason”.
If you want to lower the risk of strange things happening to your site, please read my post on good practices when breaking permissions.

Have you ever found another reason why permissions “disappeared”?

Post title inspired by folksong “Where have all the flowers gone” by Peter, Paul & Mary.

Image courtesy of iosphere at FreeDigitalPhotos.net

No more limited visibility of “Limited Access”!

Permissions-mynewbestfriendProviding support for permissions issues, especially broken permissions within a site, is a big chunk of my daily work. That is why I wrote a series of posts on (broken) Permissions .

It is very hard to see if a site has different permissions for certain lists or libraries and many people do not know how it works, where to look or what to do about it.

An indication is the occurrence of people or groups with “Limited Access”. In general it means there are different permissions on certain lists or libraries in your site, but it does not tell you where, nor which permissions they have. You have to go to each document library and list, and sometimes even to folders, subfolders and documents, to see if any permissions have been broken. That is: in older versions of SharePoint.

But having people or groups with “Limited Access” in your site may also mean nothing. If you have created a subsite from a site that has users with “Limited Access”, and you have inherited permissions during creation, those users will be inherited while not having any special access to content in the subsite.

So the whole “Limited Access” is a tricky thing.

Now when I was researching something for a new post, I ventured into my Office365’s Site Permissions for the first time. I never do that, because I am the only person in my environment. There I saw something that I have wanted for ages.

The Site Owner can now easily see which lists and libraries have different permissions!!!

Time for a happy dance!!!

In this document library I have broken permissions.

What a library with broken permissions looks like.
In this case, permissions are different from the rest of the site and there is additional person with Full Control in the library. (“Volledig beheer” is Dutch for “Full Control”. My site has some weird language settings)

If I look at the Site Permissions I see this:

See which elements have different permissions and which users have limited access.
You can see which elements in the site have different permissions AND which users have “Limited Access”!

That yellow bar is my new best friend:

Informative bar on Site Permissions page

It says 4 things:

  • There are items with different permissions and I can get an overview what they are. This is the overview:
Items with different permissions
These are the items with different permissions.
  • It explains what Limited Access is.
  • There are people with Limited Access and I can see who they are.
Site permissions including people with limited access
Showing people with “Limited Access” and an explanation of what it means. (“Beperkte toegang” is Dutch for “Limited access”)
  • The site has different permissions from its parent. This information is also available on older versions.

Perhaps this has been in Office365 forever, but I saw this for the first time. This  will save my Site Owners and myself tons of puzzling when we start working with O365!

Site Permissions Breaking Good

BreakingGoodIn my earlier posts, so nicely combined by Veronique Palmer, I tried to visualize how SharePoint permissions work, and show and tell you what can go wrong when you break permissions. So how can you, as a site owner, prevent issues with site permissions?

Do not break permissions if there is no real need

  • Stick to default permissions (= the same permissions throughout your site) where possible.
  • Challenge any request to break permissions within your site. Your manager may ask the question, but (s)he may not realize what the consequences are: extra work for you, in maintaining an extra set of permissions, and coming to the rescue when someone has been locked out. And if they do not mind your extra work, but it still does not make sense to you to deviate from default,  ask them to read an earlier post: Frankly my dear, they’re just not that into your content.
  • If you do not know how permissions work, or you do not feel comfortable with it, stick to default. Perhaps a subsite for this content is a better option.

If you break permissions, take these precautions

  • Use and re-use groups where possible. It saves time in maintenance, and will give fewer errors than adding people as individuals. This picture may remind you why:
Adding an indivudal to a site with broken permissions.
When you add an individual or group to the site, they do not automaticaly get access to all content. Permissions have been broken.
  • Always add a description to your library or list as a reminder that the permissions are different. Just mentioning the fact is enough, but you can also specify who has access.
    I have also seen an * behind the library name, but that will only work if your team knows what this means.
Document Library with permissions details in description
Document Library with permissions details in description
  • If you have many broken permissions in your site, document the setup and store this in your site. You may think you will remember, but the reality is that you will quickly forget. This format would work:
This is a good way to remember (and hand over) the permissions for your site.
This is a good way to remember (and hand over) the permissions for your site.

Do you have any tips to share on how to avoid problems with permissions?

Image courtesy of Kamnuan / FreeDigitalPhotos.net