7 SharePoint permissions bloopers


The other day I came across an interesting tweet:

Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this out of routine, or out of ignorance.
Here they are, for your learning and enjoyment.  Laughing is allowed; sharing your own bloopers is encouraged!

2. Deleting a group

Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check which content the group has access to. If that is only your site, you can safely delete it; if it has permissions to other sites, please talk to the owner(s) of the other site(s) first!

How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:

In this case the group only has access to one site, so it can safely be deleted if needed.

3. Removing a group from a site and forgetting its name

Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)

A good naming convention, as well as keeping some documentation or screenshots of your permissions setup, may help limit the damage. Another good idea is noting the MembershipGroupId of each group. It can be found at the end of the group’s URL, e.g.

…/Share/_layouts/15/people.aspx?MembershipGroupId=165

The 3 default groups of a site are created with consecutive numbers, so if you remove one of those you can probably find it by changing the MembershipGroupId at the end of the group URL. In the screenshot above, the Owners, Members and Visitors groups have numbers 164, 165 and 166, respectively.

4. Clicking on “manage parent” to edit permissions

You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.

5. Removing yourself from a group, site or library

This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back.  I get about one call a week from someone who has locked themselves out.

6. Not clicking “Show Options” when you share something with “Everyone”

Do click that “show options” link on the bottom of the Share screen!

This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂

And (in my opinion) the most disastrous of them all:

7. Inheriting the permissions from the parent site

You click “Delete unique permissions” without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! And even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.

An example: this site has unique permissions.

If you see “This Web Site” you are at site level!

This site has some content with different permissions


When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:


And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.

No content with unique permissions after inheriting permissions from the parent site.

While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.

General recommendations

  • Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
  • Stop and think before you hit a button – if in doubt contact your help person.

Have you made any other permissions management mistakes? Do share!


7 steps to clean up unique permissions

In my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or library that shows it. You will see all documents (including pages and images) or list items that have unique permissions.

List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type will generally have “guestaccess” in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Link “Document 5” has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Limiting unwanted sharing and unique permissions

In my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some things that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”.

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Let the right one in (your SharePoint site)

What do you do when you receive a request for access to your SharePoint site? Accept it immediately (because you want to be done with it, or you feel a bit ashamed that you have excluded someone) or find out exactly what they want because there may be more to the request than meets the eye?

Yes, I thought so. 🙂

Let’s dig a bit deeper into Access Requests. There’s quite a lot you can do with them, including creating unique permissions. You know that I hate that!

Microsoft explains this in detail but of course they let you figure out all the implications by yourself. Or by me :-).

If your email address is in the Access Request Settings, you will receive access requests via email, and the requests will be replicated in the Site settings > Access Requests and Invitations page.

If you do not see “Access requests and invitations”, you have not received a request yet.

How does it work?

When you get the access request in your mail, you will see the link to the desired content. You can immediately click the “Accept” button from the email and give them Contribute permissions by default.

At the bottom you see the link to the document.

Yes, Contribute. That means they can edit the content.

Hmmm, perhaps clicking Accept immediately is not such a good idea after all. Perhaps Read-permissions are good enough. Or, if you have sent this link assuming they had access, it may be a good idea to give them access to the complete site.

Alternative: the Access Requests and Invitations page!

So, here comes the Access Requests and Invitations page to look at (and manage) the request.

You will see three categories: Pending requests, External user invitations and History.

The page where you can take a closer look at the access request.

Here again, you can click Approve or Decline, or check first what will happen if you click Approve. So, click the … next to the name of the requester. This pop up opens:

“Bewerken”  means “Contribute”, sorry, the language settings in my tenant are a bit out of my control.

Here you see some more info:

  • What Office365 has decided about their permissions. In this case Office365 would add them as an individual to this document with Contribute permissions – most unpleasant!
    You can click the drop down to select the Contributors or Visitors group for the site.
  • Who has asked for access and what exactly for. Hover over the link to see the URL.
  • Date and time of the request
  • Approval state
  • Email conversation with the person who requests access. You see I was busy writing this post, so the impatient Mystery Guest asked for permissions again 🙂

What would have happened…

If I had clicked Accept from the email or Approve from the Access Request page, this is what would have happened:

You see Mystery Guest now has unique permissions and is added as an individual with Contribute permissions.

Exception: Site welcome page

There is one exception to this rule and that is when you send the link to the welcome page of the site. In that case the requester is added by default to the Members group. This also may be more than you want, though.

If you share the site root or welcome page, the person is by default added to the Members group.

History

After approval, the request ends up under “Show History”. This gives a nice overview of everything that has happened in your site.
If you see a name very often, it may be an idea to give them access to the whole site.

The Access Request history in this site. I may need to make this Mystery Guest a permanent member 🙂

Recommendation

When you receive an Access Request it may be better to spend some time figuring out the details, than to click Accept immediately. This will cost you some time now, but will save you time fixing unique permissions later (and dealing with even more access requests because too many inheritances are broken!).

Have you found any other “interesting” behavior of the Access Request?

Title based on the movie “Let the right one in“.

Image courtesy of cbenjasuwan at FreeDigitalPhotos.net

Get a Link – Get a Break!

As I am writing help materials for our new intranet I do not only have to think about “HOW do you do this” but also “WHY would you do this” and “How can you do this BEST, without spending too much time, adding maintenance or messing things up?”

With the migration of content to the new platform, many Site Owners need to rework their publishing pages. Generally these pages contain (clickable) header images, Promoted Links, Summary Links and links in the text.

On the old platform, when you want to grab the link to a document or image, you go to the library, right click on the name and select “Copy Shortcut” from the pop up. This is no longer available in SharePoint Online.

So, how does one get a link in SharePoint Online?

I have found 3 ways to link to a document, page or image:

  1. In Summary Links as well as the Rich Text Editor on a page (Wiki page style), you can browse for the link to a document or image that lives in your site or site collection.
    Insert > Link > From SharePoint will allow you to browse the libraries and lists in your site and link to the desired content.

    When creating Summary Links you can browse for the content in your site.
  2. You can open the item and grab the URL from the address bar.
  3. There is the new Get a Link option, which you will see when you select a document or image from a library, in the Action Bar (is that what it’s called?) and the pop up menu.
    The Action Bar shows the Get a Link option when you select an item

    When you click the … behind an item name, you will see this in the pop up

The users in my company are all accustomed to grabbing a link when they want to share a document via email or on Yammer, so I think this “Get a Link” will appeal to them.

However, at first glance I see 5 different options. What to select?

5 options to Get a Link? Please note that the “no sign-in required” options can be disabled by the tenant administrator. These options allow you to share links with anyone, inside and outside of your company.

Let’s find out how this works!

Microsoft has already written about this but it is not very detailed.
So, I have created a brand new site in my own tenant. In this site I have uploaded 5 documents, each named after the action I will take.


I assume the file type is irrelevant so I have used a mix of Excel, Word and PowerPoint.

Please note I am the tenant admin, so I am not a normal Site Owner. Some things may work differently for a regular Site Owner with Full Control.

My tenant is almost out-of-the-box and external and anonymous sharing has been enabled on all site collections.

How to use Get a Link:

  1. Select the document and click “Get a Link”
  2. Select one of the 5 options
  3. Click “Create” (if the link has already been created earlier you will immediately see “Copy”)
  4. Click “Copy” and the link will be added to your clipboard
  5. Paste wherever you need it.

You can remove a link if you no longer want to share. This means the link will no longer work when someone clicks on it.

For links with “no sign-in required” you can set an expiration date. This means the link will no longer work if someone clicks on it after the expiration date.

For “anonymous sharing” you can set an expiration time.

Results

  1. The links look as follows:

Restricted link:

https://company.com/Sharing/Shared%20Documents/GetLink-RestrictedLink.pptx?d=wa1065f209e79474cb70b1d349a3d5c1c

View Link – account required:

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=g5GzCR4X%2bSQeQkoUVxhvy6ObgkIgAOAwWPxUubf%2bNlY%3d&docid=2_061f40460a0bb4a509b5f126109e2f28e&rev=1

View Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=0d7dc303b58164d169fe1e15c05981740&authkey=Acc4tb7-2Nb5GYqUQPj4Oy0

Edit Link – account required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=OygCzI%2f3Nkr8YKUhpYNPucCNr3H7x4zTfJowLrST0lI%3d&docid=2_17f6bad80545a42428c32907a3503e6f4&rev=1

Edit Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=11bf22e7919224e2987caf7ea39f9f4f5&authkey=AReBJ-AIIrhwFnuFeCqR1e

2. Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

Pardon my French, but what did you just write there?

Yes, you may want to read this again:

Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

I was a bit worried about the word “guest_access” that I saw appearing in 4 of the 5 links, so I decided to check the permissions of my site.
Microsoft mentions this in the small letters of their post, but it is easily overlooked.

You know you can now see immediately if you have items with different permissions in your site. That is very convenient. Normally, only the Microfeed has different permissions, but now my Documents have too!

The document library has “exceptions”. That means: some items have different permissions.
Only the “Restricted Link” does not break permission inheritance!

4 of the 5 docs have broken permissions inheritance! The permissions have not changed yet, but the inheritance has broken. This may not appear to be a big deal now, but if you ever happen to add a new group or individual to your site, which is not unlikely, you will have to remember to give them access to these documents.
Do you seriously think any Site Owner will remember this? Or have the time for that?
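The link formats listed above, and the “hover over every link” check in step 6 of the cleanup post, can be automated. The following is an added example, not part of the original post: it assumes the only distinguishing marks are the ones visible in the five sample URLs (the guestaccess.aspx page, and the authkey or guestaccesstoken parameter), and the sample page HTML is constructed with placeholder tokens. The URL alone does not reveal whether a guest link is a View or an Edit link.

```javascript
// Added example: audit page links for SharePoint guest-access sharing URLs.
// Patterns are taken from the five link types listed above; the sample HTML
// is constructed and its tokens are placeholders.

const GUEST_PAGE = /\/_layouts\/15\/guestaccess\.aspx$/i;

// Pull href values out of page HTML and undo the &amp; escaping that
// markup applies to query strings (otherwise "authkey" is parsed as "amp;authkey").
function extractHrefs(html) {
  const hrefs = [];
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push((m[1] ?? m[2]).replace(/&amp;/gi, "&"));
  }
  return hrefs;
}

// Classify one link. Relative links are resolved against `base`.
function classifyLink(href, base = "https://company.com/") {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return { href, kind: "unparseable" };
  }
  if (!GUEST_PAGE.test(url.pathname)) {
    return { href, kind: "not-guest-link" }; // e.g. a Restricted Link or a plain URL
  }
  if (url.searchParams.has("authkey")) {
    return { href, kind: "guest-no-sign-in" }; // anonymous View/Edit link
  }
  if (url.searchParams.has("guestaccesstoken")) {
    return { href, kind: "guest-account-required" };
  }
  return { href, kind: "guest-other" };
}

// Return only the links that were created with a View or Edit option,
// i.e. the ones that broke permission inheritance on their target.
function auditPage(html, base) {
  return extractHrefs(html)
    .map((h) => classifyLink(h, base))
    .filter((r) => r.kind.startsWith("guest-"));
}

// Constructed sample page with one link of each family.
const samplePage = `
<a href="/Sharing/Shared%20Documents/GetLink-RestrictedLink.pptx?d=PLACEHOLDER">Restricted</a>
<a href="https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=PLACEHOLDER&amp;docid=PLACEHOLDER&amp;rev=1">Account required</a>
<a href='https://company.com/Sharing/_layouts/15/GuestAccess.aspx?docid=PLACEHOLDER&amp;authkey=PLACEHOLDER'>No sign-in</a>
`;

for (const finding of auditPage(samplePage)) {
  console.log(finding.kind, "->", finding.href);
}
```

Each link reported here is a candidate for replacement with its Restricted Link equivalent, followed by “Delete unique permissions” on the target document.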

More scary and inconvenient findings

  • As soon as someone clicks on a link they are added to the permissions of the document, regardless of their existing role in the site.
I am the tenant admin, and have Full Control of this site, yet I am added as soon as I click the link.
  • People in the Members group get all the options for “Get a Link” as well!
    I have tested this in my work environment and it turns out Members can see and use the “view” and “edit” options so they can break the permission inheritance of documents without the Site Owner being aware!
  • You can only find out which links have been created by checking the options for each document. Click “remove” if you see that an unwanted link has already been created. Now go find out which of your links (In a text, in Summary Links etc.) used this link 😦
  • You can remove the link, but the permission inheritance is still broken.
  • You can only “delete unique permissions”  per document, so you have to go to Site settings > Site permissions > Show items with different permissions > View Exceptions > Manage permissions > Delete unique permissions.
    This is a tedious process.

I think this can turn into a serious issue. I have found that many Site Owners do not fully understand the consequences of broken permission inheritance, and do not understand the extra maintenance and support issues involved. I have tried to tell them NOT to break permission inheritance unless it is really needed, and to never do this on a document or item level.
And even if they know, it is a time-consuming job to reset the permissions.

Also, why all this complexity for just getting a link? I think only the “Restricted link” would be sufficient. Who would ever want to use the “edit” options when linking to an image? Why would you use the “Get a Link” option to share via email if there is also a “Share” option which sends an email? (and which, in some cases, asks permissions to the Site Owner first?)

What would I recommend if you need a link?

  • Use the “Insert > Link > From SharePoint” option to link to a document or image when working in the text editor of a page
  • Use the “Browse” option when creating Summary Links
  • Use “Get a Link > Restricted View” when you want to get a link otherwise. This respects the permissions of your library.
  • Instruct your site Members about the dangers of Get a Link and ask them to use the Restricted Link.

What are your experiences with the Get a Link functionality? Have you been able to reduce the scope and if yes, how? I would appreciate hearing and learning from you!

Kitten image courtesy of Top Photo Engineer at FreeDigitalPhotos.net. Text added by myself.

Site Permissions Breaking Bad, episode 3

The Folders.

Now and then you read a blog post that makes you think: “I wish I had written that”. Veronique Palmer has done it often, Dan Adams has done it a few times, and now I have found

Gregory Zelfond’s “12 reasons folders in SharePoint are a bad idea”.

It is a really good list of why you should avoid folders on SharePoint.

My own planned post on this topic is now completely redundant 🙂 . But I would like to illustrate his point 4: why maintaining permissions on folders can be a nightmare.

What are the issues with folder permissions?

  1. If you break permissions and add “Different permissions!” to the folder name, as I always suggest to do, the URL of the folder and all its documents changes. People who have this link in their Favorites and use it after the change, will get an error.
    That is another reason why folders are a bad idea: Links to folder, sub-folders and all documents in the hierarchy change when you change the name of the folder.
    Libraries and lists have a description field for that type of info, folders have not.
  2. Broken permissions are not easily visible, so unless you add something to the folder name (causing issue 1), you will not know what permissions your folders have. The only way to find out is by going to each folder and finding out. If you have a deep nest, you will have to start at the bottom of the hierarchy. Not a fun job 🙂
  3. People often are in a hurry to give someone access, without thinking about a sustainable setup, or writing down what the permissions are exactly.
  4. Having many folders with broken permissions, especially with individual permissions, may cause performance issues.

 Time for an illustration!

We have already seen the default permission setup, and what happens if you break permissions for one library. Here they are again:

This is the default permission setup of a site – the site and all lists and libraries have exactly the same permissions.
One library has different permissions, and Visitors no longer see or have access to the library.

Now let us zoom in to one document library (the yellow block) in a site. What if it has 4 folders, 2 with inherited permissions (yellow) and 2 with broken permissions, each differently?

This is a site with one document library with folders. The individual users are also in the Visitors group, so they have access to the site.

OK, this is getting complicated, right? Now what if one of the folders has 4 sub-folders with different broken permissions? And sub-sub-folders? Or if the folder and sub-folder inherit permissions from the site or the library, but the sub-sub-folder has broken permissions?  The potential issues multiply with each sub-folder.
You can imagine that managing and supporting that kind of setup becomes a difficult task – if a new person enters the team, where do you have to add him or her? And where do you need to remove their predecessor?

In one of my next posts, I will share some examples where breaking permissions in folders has led to misunderstandings, problems, urgent phone calls and me having to spend lots of time on cleaning the mess that someone else had made 🙂 .

Image courtesy of Suat Eman / FreeDigitalPhotos.net

Site Permissions Breaking Bad, episode 2

The Invisible Library.

Some time ago, a Team Site Owner asked me if I could help her move some content from one site to another. Since she had Full Control in both sites, she had the right to ask and I helped her transfer some large libraries and lists.

I then asked her what to do with the rest of the content. There was another library with a large number of documents in there, and the usual array of semi-empty Calendars, Task Lists etc.

She said she did not need anything else and that the site could be removed after some time. So we agreed that I would add a message to the site’s homepage, informing people of the new location for the content, and the date when the site would be removed.

At the agreed date I removed the site.

Several months later…

…another person from that department asked me about a certain library that he could not find anymore. He sent me the link and I saw it was the large library in the site I had deleted…

It was too late for a restore so the content was lost. Of course we all felt devastated, and I made a short analysis of what had gone wrong. As with most major accidents, it was a combination of several mistakes.

What had happened?

  • One content owner had removed all other people with Full Control from the library, and made it accessible for himself and a few other people only. So, the other people with Full Control did not see the library anymore, including the person I had worked with.
  • They used only the direct link to the library to check the documents. They never went via the homepage, so they never saw the message that the site was about to be deleted.
  • There was no message in the description of the library, so I had no reason to assume that there were any different permissions in that library.

What have we learned?

  1. Never remove the Owners/Full Control group from a library. The Owners should be able to manage their site properly. If they do not see all their content, they may make incorrect assumptions.
  2. Add information about different permissions to the description field of the list or library.
  3. Ask the SharePoint administrator for a screenshot of the “View site content” page before you decide to delete a site. The administrator sees all content, and you can compare that with what you see.

This was the situation:

Library where Site Owners have been removed.
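The inheritance behaviour behind both this incident and the folder illustration in episode 3 can be modelled in a few lines. This is an added example, not part of the original posts: the inventory is constructed, and all object and group names in it are hypothetical. It reports where a group added at site level does not arrive, and which content the Owners group cannot see.

```javascript
// Added example: a small model of SharePoint permission inheritance.
// The inventory is constructed; object and group names are hypothetical.
// unique === null means "inherits from parent"; otherwise inheritance is
// broken and the object carries its own access list.
const inventory = [
  { path: "/site", parent: null,
    unique: { Owners: "Full Control", Members: "Edit", Visitors: "Read" } },
  { path: "/site/Documents", parent: "/site", unique: null },
  { path: "/site/Documents/Folder 1", parent: "/site/Documents", unique: null },
  { path: "/site/Documents/Folder 2", parent: "/site/Documents", unique: null },
  { path: "/site/Documents/Folder 3", parent: "/site/Documents",
    unique: { Owners: "Full Control", Members: "Edit", "user.a": "Read" } },
  { path: "/site/Documents/Folder 3/Sub", parent: "/site/Documents/Folder 3",
    unique: null },
  { path: "/site/Documents/Folder 4", parent: "/site/Documents",
    unique: { Owners: "Full Control", "user.b": "Contribute" } },
  // The "invisible library": Owners removed, one person left in control.
  { path: "/site/Archive", parent: "/site",
    unique: { "user.c": "Full Control" } },
];

function indexByPath(objects) {
  return new Map(objects.map((o) => [o.path, o]));
}

// Walk up the tree to the nearest object that holds its own access list.
function scopeOf(index, path) {
  const visited = new Set();
  let node = index.get(path);
  while (node && node.unique === null) {
    if (visited.has(node.path)) throw new Error(`parent cycle at ${node.path}`);
    visited.add(node.path);
    node = node.parent === null ? undefined : index.get(node.parent);
  }
  if (!node) throw new Error(`no permission scope found for ${path}`);
  return node;
}

const holds = (acl, principal) =>
  Object.prototype.hasOwnProperty.call(acl, principal);

// Every object the principal cannot reach, with the scope that decides it.
function unreachableFor(objects, principal) {
  const index = indexByPath(objects);
  return objects
    .map((o) => ({ path: o.path, scope: scopeOf(index, o.path).path }))
    .filter((r) => !holds(index.get(r.scope).unique, principal));
}

// The distinct places where the principal has to be added by hand.
function scopesToFix(objects, principal) {
  return [...new Set(unreachableFor(objects, principal).map((r) => r.scope))];
}

// Adding a group "to the site" only changes the site's own access list.
function grantAtSite(objects, principal, level) {
  return objects.map((o) =>
    o.parent === null
      ? { ...o, unique: { ...o.unique, [principal]: level } }
      : o);
}

const afterGrant = grantAtSite(inventory, "Project Team", "Read");
console.log("Project Team still missing at:", scopesToFix(afterGrant, "Project Team"));
console.log("Hidden from Owners:", scopesToFix(inventory, "Owners"));
```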

As always, your comments, suggestions and shared experiences are welcome!

Image courtesy of artur84 / FreeDigitalPhotos.net