After all the recent permissions issues it was nice to get a Document Management case for a change.
The issue was: “Every time I edit a document and save it, it is checked out and we need to check it in again and add the metadata. We have not set mandatory check-out in this library – what is going wrong?”.
I put on my SharePoint Holmes paraphernalia and set out to solve yet another case. Or so I hoped 🙂
I looked at the recently edited document. Indeed, the document was checked out with the yellow box where the metadata should have been.
I checked the Library Settings. Set to modern view, to open documents in the Client application, indeed no check out required. The “Topic” field needed a value.
I uploaded another document and edited it without any issues – the document stayed checked in and retained the metadata. I edited the properties, no problem.
I selected the checked-out document to view the properties. I quickly scrolled down the details pane to see the metadata. Yes, no topic selected, as expected.
I Googled on the check-out issue as I had no clue what happened here.
The solutions all pointed to something with “metadata” so I selected the document again to have a closer look at the metadata, and hoped that permissions and edit history would provide some extra clues.
Someone called me on Skype so I left the details pane open without scrolling down.
When I came back from my call, the answer stared me in the face.
I had seen this “No preview” message before on a password-protected Excel file. The owner confirmed this.
After some searching I came across several posts describing this behaviour. A password-to-open encrypts the whole Office file, document properties included, so SharePoint can neither read the metadata back from the file nor write the column values into it after an edit; the save is left in the checked-out state with the required metadata missing. Hence, you have to re-add the metadata after each edit.
I discussed with the owner whether password protection was really needed as SharePoint has its own protection. As it turned out, the people who had the password were the same people who had access to the document and the document library, so she decided to remove the password.
I also checked what happens if this would have been a document library that opens documents in the Online version.
First, you get a warning message:
After editing in the client, you have the same result in the document library: the document is checked out and has missing metadata.
Another reason not to use password-protected documents in SharePoint!
Image courtesy of Simon Howden at FreeDigitalPhotos.net
Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment. Laughing is allowed; sharing your own bloopers is encouraged!
2. Deleting a group
Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only your site, you can safely delete it; if it has permissions to other sites, please talk to the owner(s) of the other site(s) first!
How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:
3. Removing a group from a site and forgetting its name
Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)
A good naming convention, as well as keeping some documentation or screenshots of your permissions setup, may help limit the damage. Another good idea is noting down each group’s MembershipGroupID, which is the number at the end of the group’s URL, e.g.
The 3 default groups of a site are created with consecutive numbers, so if you remove one of those you can probably find it by changing the MembershipGroupID at the end of the group URL. In the screenshot above, the Owners, Members and Visitors groups have numbers 164, 165 and 166, respectively.
4. Clicking on “manage parent” to edit permissions
You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.
5. Removing yourself from a group, site or library
This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back. I get about one call a week from someone who has locked themselves out.
6. Not clicking “Show Options” when you share something with “Everyone”
This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂
And (in my opinion) the most disastrous of them all:
7. Inheriting the permissions from the parent site
You click “Delete unique permissions” without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as those of the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! And even if someone is kind enough to create unique permissions again and give you back your access, all the original unique permissions are gone.
An example: this site has unique permissions.
This site has some content with different permissions
When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:
And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.
While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.
Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
Stop and think before you hit a button – if in doubt contact your help person.
Have you made any other permissions management mistakes? Do share!
In my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:
Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
This will lead to unexpected access denied messages and therefore Access requests.
Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.
So, how to take back control of your site after you have changed some of the settings?
Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.
1. Process pending Access requests
Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.
2. Remediate content with unique permissions
a. Go to Site settings > Site permissions and click on this link:
b. You will get a pop-up with all lists and libraries that have different permissions.
c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or library that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.
e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item. (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.
h. Repeat steps e, f and g for the next document or list item.
3. Remove individually added users from the site
a. Go to Site settings > Site permissions and click on this link:
b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
c. Remove any individual users so you are left with only the site groups.
4. Add the new users
Add the users that you noted down during steps 1, 2 and 3 to their respective groups.
5. Review the Members group
During the time that you had no restrictions, Members may have added other Members. Review your list of Members and change their roles or remove them where needed.
6. Replace any “breaking links” on your pages
Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type will generally have “guestaccess” in their link and they will cause unique permissions.
When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.
Replace every one of those links with the “Restricted Link” equivalent.
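The six steps above can be scripted, which matters when a library has hundreds of documents with unique permissions. The following PowerShell is an added example, not code from the original post. It assumes the PnP.PowerShell module (Connect-PnPOnline, Get-PnPList, Get-PnPListItem, Get-PnPProperty, Set-PnPListItemPermission), site owner rights on the site, and that sharing links show up in an item’s role assignments as principals whose login name starts with “SharingLinks.” (current SharePoint Online behaviour); $SiteUrl and the CSV path are placeholders. It reports every item, document and folder with unique permissions together with the individually added users (step 2f) and the number of sharing links on it (step 6), and only re-inherits (step 2g) when run with -Fix.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell; newer module
# versions need -ClientId on Connect-PnPOnline -Interactive. Run without -Fix first.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,          # placeholder, the site to clean up
    [string] $ReportPath = ".\unique-permissions.csv", # placeholder
    [switch] $Fix                                      # re-inherit (step 2g) only when set
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Lists and libraries with their own permissions are usually so by design (step 2c):
# they are only mentioned, but their items are still inspected.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object { -not $_.Hidden }

$report = foreach ($list in $lists) {
    if ($list.HasUniqueRoleAssignments) {
        Write-Warning "'$($list.Title)' has its own permissions (manage permissions); the list itself is left alone"
    }
    # The default query is recursive, so folders (FSObjType = 1) and their contents are included.
    $items = Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef", "FSObjType"
    foreach ($item in $items) {
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }

        # Step 2f: who was added directly? Step 6: how many sharing links point here?
        $users = @(); $links = 0
        foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
            $member = Get-PnPProperty -ClientObject $ra -Property Member
            if ($member.LoginName -like "SharingLinks.*") { $links++ }   # assumption: link groups are named like this
            elseif ($member.PrincipalType -eq "User")     { $users += $member.Title }
        }
        [pscustomobject]@{
            List         = $list.Title
            Kind         = if ($item["FSObjType"] -eq 1) { "Folder" } else { "Item" }
            Url          = $item["FileRef"]
            DirectUsers  = ($users -join "; ")   # note these down with their intended site group (step 4)
            SharingLinks = $links
            Fixed        = [bool]$Fix
        }
        if ($Fix) {
            # Step 2g: back to the list's permissions; the direct users and link groups go with it.
            Set-PnPListItemPermission -List $list -Identity $item.Id -InheritPermissions
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it once without -Fix, add the users in the DirectUsers column to the right site groups (step 4), then run it again with -Fix. Items in a list that is flagged as having its own permissions inherit from that list, not from the site, which is exactly what “Delete unique permissions” does in the browser as well.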
Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.
How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?
Image courtesy of artur84 at FreeDigitalPhotos.net
Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (= Contribute plus creating, editing and deleting lists and libraries).
Plus your site members can add practically anyone to your site without informing you.
Why am I making such a fuss?
Maintenance and support
Unique permissions create extra issues with access, and provide extra work for the Site owner.
You may also need more support, although your support team might like that 🙂
People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
Having lots of unique and individual permissions may slow down your site.
Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.
Fortunately, there are some things that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.
1. Disable anonymous access
Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.
Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.
2. Disable external sharing
While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.
This will give the following results, depending on whether the external user is already in your site collection or not.
3. Change Sharing settings in your site
This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.
This will mostly influence what a Site member can do.
You have four options:
3a. Both checked: I have done my experiments with this setting. You know what that does 🙂
3b. Top checked, bottom unchecked
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.
Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option
3c. Top unchecked, bottom checked:
Member=Visitor: Can share site and documents but needs approval from site owner
Get a Link:
Member=Visitor: Restricted Link
This option brings another message to your Site Permissions page:
3d. Both unchecked:
Same as 3c.
So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!
4. Remove access request email
If you cannot get access requests, you cannot break permissions when accepting them!
This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!
But…your visitors will get a nasty error message when they try to share a document or site, and when you combine this with option 3c or 3d, your members will experience that too.
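As an added example (not code from the original post), the settings behind options 1 to 4 can be read and changed from PnP.PowerShell instead of clicking through the admin centers. It assumes Get-PnPTenant, Set-PnPTenant and Set-PnPTenantSite (SharePoint administrator rights), Get-PnPWeb, Get-PnPProperty, Invoke-PnPQuery and Set-PnPRequestAccessEmails (site owner rights), and that the two check boxes on the Access Request Settings page correspond to the Web.MembersCanShare property (top box) and the Members group’s AllowMembersEditMembership property (bottom box); that mapping is my assumption. $AdminUrl and $SiteUrl are placeholders. Without -Apply it only prints the current values.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell; newer
# versions of Connect-PnPOnline -Interactive also need -ClientId of a registered app.
param(
    [Parameter(Mandatory)] [string] $AdminUrl,   # placeholder, e.g. https://contoso-admin.sharepoint.com
    [Parameter(Mandatory)] [string] $SiteUrl,    # placeholder, the site to lock down
    [switch] $Apply                              # without -Apply nothing is changed
)

# Options 1 and 2: anonymous ("no sign-in required") links and external sharing
# are tenant / site collection settings, so this part needs SharePoint admin rights.
Connect-PnPOnline -Url $AdminUrl -Interactive
$tenant = Get-PnPTenant
"Tenant sharing capability   : $($tenant.SharingCapability)"
"Tenant default link type    : $($tenant.DefaultSharingLinkType)"
if ($Apply) {
    # ExternalUserSharingOnly = external users still allowed, anonymous links gone;
    # Direct = the "Restricted link" (people with existing access) becomes the default.
    Set-PnPTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct
    # This site collection: no external sharing at all.
    Set-PnPTenantSite -Identity $SiteUrl -SharingCapability Disabled
}

# Options 3 and 4: the site's Access Request Settings; site owner rights suffice.
Connect-PnPOnline -Url $SiteUrl -Interactive
$web     = Get-PnPWeb -Includes MembersCanShare, RequestAccessEmail
$members = Get-PnPProperty -ClientObject $web -Property AssociatedMemberGroup
"Members can share            : $($web.MembersCanShare)"
"Members can add members      : $($members.AllowMembersEditMembership)"
"Access request e-mail        : '$($web.RequestAccessEmail)' (empty = requests disabled)"
if ($Apply) {
    $web.MembersCanShare                = $false   # top check box off: members share like visitors
    $members.AllowMembersEditMembership = $false   # bottom check box off: no self-service invites
    $members.Update()
    $web.Update()
    Invoke-PnPQuery
    Set-PnPRequestAccessEmails -Disabled           # option 4: no access requests at all
}
```

Print the values before and after on a test site first: the tenant-level lines affect every site collection, and option 4 (no access request e-mail) is the one your visitors will notice immediately.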
Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.
While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.
Image courtesy of winnond at FreeDigitalPhotos.net
What do you do when you receive a request for access to your SharePoint site? Accept it immediately (because you want to be done with it, or you feel a bit ashamed that you have excluded someone) or find out exactly what they want because there may be more to the request than meets the eye?
Yes, I thought so. 🙂
Let’s dig a bit deeper into Access Requests. There’s quite a lot you can do with them, including creating unique permissions. You know that I hate that!
Microsoft explains this in detail but of course they let you figure out all the implications by yourself. Or by me :-).
If your email address is in the Access Request Settings, you will receive access requests via email, and the requests will be replicated in the Site settings > Access Requests and Invitations page.
How does it work?
When you get the access request in your mail, you will see the link to the desired content. You can immediately click the “Accept” button from the email and give them Contribute permissions by default.
Yes, Contribute. That means they can edit the content.
Hmmm, perhaps clicking Accept immediately is not such a good idea after all. Perhaps Read-permissions are good enough. Or, if you have sent this link assuming they had access, it may be a good idea to give them access to the complete site.
Alternative: the Access Requests and Invitations page!
So, here comes the Access Requests and Invitations page to look at (and manage) the request.
You will see three categories: Pending requests, External user invitations and History.
Here again, you can click Approve or Decline, or check first what will happen if you click Approve. So, click the … next to the name of the requester. This pop up opens:
Here you see some more info:
What Office365 has decided about their permissions. In this case Office365 would add them as an individual to this document with Contribute permissions – most unpleasant!
You can click the drop down to select the Contributors or Visitors group for the site.
Who has asked access and what exactly for. Hover over the link to see the URL.
Date and time of the request
Email conversation with the person who requests access. You see I was busy writing this post, so the impatient Mystery Guest asked for permissions again 🙂
What would have happened…
If I had clicked Accept from the email or Approve from the Access Request page, this is what would have happened:
Exception: Site welcome page
There is one exception to this rule and that is when you send the link to the welcome page of the site. In that case the requester is added by default to the Members group. This also may be more than you want, though.
After approval, the request ends up under “Show History”. This gives a nice overview of everything that has happened in your site.
If you see a name very often, it may be an idea to give them access to the whole site.
When you receive an Access Request it may be better to spend some time figuring out the details, than to click Accept immediately. This will cost you some time now, but will save you time fixing unique permissions later (and dealing with even more access requests because too many inheritances are broken!).
Have you found any other “interesting” behavior of the Access Request?
As I am writing help materials for our new intranet I do not only have to think about “HOW do you do this” but also “WHY would you do this” and “How can you do this BEST, without spending too much time, adding maintenance or messing things up?”
With the migration of content to the new platform, many Site Owners need to rework their publishing pages. Generally these pages contain (clickable) header images, Promoted Links, Summary Links and links in the text.
On the old platform, when you want to grab the link to a document or image, you go to the library, right click on the name and select “Copy Shortcut” from the pop up. This is no longer available in SharePoint Online.
So, how does one get a link in SharePoint Online?
I have found 3 ways to link to a document, page or image:
In Summary Links as well as the Rich Text Editor on a page (Wiki page style), you can browse for the link to a document or image that lives in your site or site collection.
You can open the item and grab the URL from the address bar.
There is the new Get a Link option, which you will see when you select a document or image from a library, in the Action Bar (is that what it’s called?) and the pop up menu.
The users in my company are all accustomed to grabbing a link when they want to share a document via email or on Yammer, so I think this “Get a Link” will appeal to them.
However, at first glance I see 5 different options. What to select?
Let’s find out how this works!
Microsoft has already written about this but it is not very detailed.
So, I have created a brand new site in my own tenant. In this site I have uploaded 5 documents, each named after the action I will take.
I assume the file type is irrelevant so I have used a mix of Excel, Word and PowerPoint.
Please note I am the tenant admin, so I am not a normal Site Owner. Some things may work differently for a regular Site Owner with Full Control.
My tenant is almost out-of-the-box and external and anonymous sharing has been enabled on all site collections.
How to use Get a Link:
Select the document and click “Get a Link”
Select one of the 5 options
Click “Create” (if the link has already been created earlier you will immediately see “Copy”)
Click “Copy” and the link will be added to your clipboard
Paste wherever you need it.
You can remove a link if you no longer want to share. This means the link will be disabled if someone clicks on it.
For links with “no sign-in required” you can set an expiration date. This means the link will no longer work if someone clicks on it after the expiration date.
2. Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.
Yes, you may want to read this again:
Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.
I was a bit worried about the word “guest_access” that I saw appearing in 4 of the 5 links, so I decided to check the permissions of my site.
Microsoft mentions this in the small letters of their post, but it is easily overlooked.
4 of the 5 docs have broken permissions inheritance! The permissions have not changed yet, but the inheritance has broken. This may not appear to be a big deal now, but if you ever happen to add a new group or individual to your site, which is not unlikely, you will have to remember to give them access to these documents.
Do you seriously think any Site Owner will remember this? Or have the time for that?
More scary and inconvenient findings
As soon as someone clicks on a link they are added to the permissions of the document, regardless of their existing role in the site.
People in the Members group get all the options for “Get a Link” as well!
I have tested this in my work environment and it turns out Members can see and use the “view” and “edit” options so they can break the permission inheritance of documents without the Site Owner being aware!
You can only find out which links have been created by checking the options for each document. Click “remove” if you see that an unwanted link has already been created. Now go find out which of your links (In a text, in Summary Links etc.) used this link 😦
You can remove the link, but the permission inheritance is still broken.
You can only “delete unique permissions” per document, so you have to go to Site settings > Site permissions > Show items with different permissions > View Exceptions > Manage permissions > Delete unique permissions.
This is a tedious process.
I think this can turn into a serious issue. I have found that many Site Owners do not fully understand the consequences of broken permission inheritance, and do not understand the extra maintenance and support issues involved. I have tried to tell them NOT to break permission inheritance unless it is really needed, and to never do this on a document or item level.
And even if they know, it is a time-consuming job to reset the permissions.
Also, why all this complexity for just getting a link? I think only the “Restricted link” would be sufficient. Who would ever want to use the “edit” options when linking to an image? Why would you use the “Get a Link” option to share via email if there is also a “Share” option which sends an email? (and which, in some cases, asks permissions to the Site Owner first?)
What would I recommend if you need a link?
Use the “Insert > Link > From SharePoint” option to link to a document or image when working in the text editor of a page
Use the “Browse” option when creating Summary Links
Use “Get a Link > Restricted View” when you want to get a link otherwise. This respects the permissions of your library.
Instruct your site Members about the dangers of Get a Link and ask them to use the Restricted Link.
What are your experiences with the Get a Link functionality? Have you been able to reduce the scope and if yes, how? I would appreciate to hear and learn from you!
Kitten image courtesy of Top Photo Engineer at FreeDigitalPhotos.net. Text added by myself.
It is a really good list of why you should avoid folders on SharePoint.
My own planned post on this topic is now completely redundant 🙂 . But I would like to illustrate his point 4: why maintaining permissions on folders can be a nightmare.
What are the issues with folder permissions?
If you break permissions and add “Different permissions!” to the folder name, as I always suggest to do, the URL of the folder and all its documents changes. People who have this link in their Favorites and use it after the change will get an error. That is another reason why folders are a bad idea: links to the folder, its sub-folders and all documents in the hierarchy change when you change the name of the folder. Libraries and lists have a description field for that type of info, folders do not.
Broken permissions are not easily visible, so unless you add something to the folder name (causing issue 1), you will not know what permissions your folders have. The only way to find out is by opening each folder and checking its permissions. If you have a deep nest, you will have to start at the bottom of the hierarchy. Not a fun job 🙂
People often are in a hurry to give someone access, without thinking about a sustainable setup, or writing down what the permissions are exactly.
Having many folders with broken permissions, especially with individual permissions, may cause performance issues.
Now let us zoom in to one document library (the yellow block) in a site. What if it has 4 folders, 2 with inherited permissions (yellow) and 2 with broken permissions, each differently?
OK, this is getting complicated, right? Now what if one of the folders has 4 sub-folders with different broken permissions? And sub-sub-folders? Or if the folder and sub-folder inherit permissions from the site or the library, but the sub-sub-folder has broken permissions? The potential issues multiply with each sub-folder.
You can imagine that managing and supporting that kind of setup becomes a difficult task – if a new person enters the team, where do you have to add him or her? And where do you need to remove their predecessor?
In one of my next posts, I will share some examples where breaking permissions in folders has led to misunderstandings, problems, urgent phone calls and me having to spend lots of time on cleaning the mess that someone else had made 🙂 .
Image courtesy of Suat Eman / FreeDigitalPhotos.net