We are now at the point where RTO (Return to Office) policies are in full swing. The concept of a hybrid work environment is the new norm for businesses around the world. One of the things that many non-IT professionals now find themselves having to deal with is understanding how SharePoint Online security works. You do not want to accidentally let everyone in your company see a document that should be for your Senior Leadership's eyes only. It is recommended to use the share feature built into SharePoint/OneDrive primarily, but in some cases, it may not be the correct solution. This post is to help you understand (at least a little bit better) how SharePoint Online security works and how to make changes that you understand.

High Level SharePoint Security Understanding

Each SharePoint site has its own security schema: one created by Microsoft Teams, Viva Engage (f.k.a. Yammer), or M365 Planner, or the standard security schema of a standalone classic SharePoint site. Each site has three primary security groups on creation that you should know, along with the permissions they are given (see Table 1). When the site is first created, every part of the site has the same security: every library, list, page, and item inherits the security of the site.

| SharePoint Security Group | Permissions Initially Given |
| --- | --- |
| <team name> Owners | Full Control Permissions |
| <team name> Members | Contributor Permissions |
| <team name> Visitors | Read Only Permissions |

Table 1

When a business case requires you to share the site, library, list, or item with everyone in the organization, you can use the group Everyone except external users. Be cautious with this group, as it allows all employees in your tenant to view/contribute to every object that falls under the level at which you give the permission (see Image 1). If you give permission at the site level, every other square within the Site square also gets the same permissions. Use this image to understand how giving permission to a SharePoint object at one level can also unlock many other areas for one person or everyone in your tenant: everything inside the object you give permission to also gets the same permissions. Be cautious when breaking inheritance as it will make your job maintaining the security schema more difficult by N + 1 (N = number of inheritance breaks).


Image 1
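
The inheritance behaviour described above, modelled as an added example (not code from Microsoft or from this post). The Securable class, the site tree, and the short group names are hypothetical sample data. It goes one step past the text: breaking inheritance copies the parent's current permissions, so removing a grant at the site later does not remove it from the object that stopped inheriting.

```python
# Added illustration: simplified model of SharePoint permission inheritance (constructed data).
EVERYONE = "Everyone except external users"

class Securable:
    """A site, library, folder or item; inherits unless inheritance is broken."""
    def __init__(self, name, parent=None, grants=None):
        self.name, self.parent, self.children = name, parent, []
        # Only the root (the site) starts with its own grants; the rest inherit.
        self.grants = dict(grants or {}) if parent is None else None
        if parent is not None:
            parent.children.append(self)

    def effective(self):
        """Grants of the nearest object, walking upward, with its own permissions."""
        node = self
        while node.grants is None:
            node = node.parent
        return node.grants

    def break_inheritance(self):
        """Stop inheriting: the current permissions are copied, then managed here."""
        if self.grants is None:
            self.grants = dict(self.effective())

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

def exposed_to(root, principal):
    """Names of every object the principal can reach, at any level."""
    return [n.name for n in root.walk() if principal in n.effective()]

def unique_scopes(root):
    """Permission sets to maintain: the site plus one per inheritance break."""
    return sum(1 for n in root.walk() if n.grants is not None)

def demo():
    site = Securable("Site", grants={"Owners": "Full Control",
                                     "Members": "Contributor", "Visitors": "Read Only"})
    docs = Securable("Documents", site)
    board = Securable("Board Papers", docs)
    Securable("Strategy.docx", board)
    Securable("Announcements", site)
    site.grants[EVERYONE] = "Read Only"      # granted once, at the site level
    before = exposed_to(site, EVERYONE)      # reaches every object under the site
    board.break_inheritance()                # folder keeps its own copy of the grant
    del site.grants[EVERYONE]                # cleanup performed at the site only
    return before, exposed_to(site, EVERYONE), unique_scopes(site)
```

Calling demo() shows the grant reaching all five objects, then surviving on Board Papers and Strategy.docx after the site-level cleanup, with two permission sets left to maintain.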

How to Add/Remove a User to SharePoint Site Directly

If you want to add/remove people from a Microsoft Team, do so through Microsoft Teams. These instructions are specific to adding/removing users who interact with just your SharePoint site, whether it is based on a Microsoft Team or is a classic SharePoint site. Getting to the appropriate page depends on whether you are on a Modern Team Site or a Classic site. I will provide instructions for both.

  1. Go to Advanced Site Permissions.
    1. On a Modern Site (i.e., Microsoft Teams SharePoint site, Communication site)
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 2)
        Gear found in top right of SharePoint Online
        Image 2
      2. In the drop-down menu, select “Site Permissions.”  If you do not see this, you may not have the right permission to go further.
      3. At the bottom of the slide-out panel, click the Advanced permissions settings link (See Image 3)
        Advanced Permissions Setting Link
        Image 3
    2. On a Classic Site
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 4)
        Gear found in top right of SharePoint Online
        Image 4
      2. In the drop-down menu, select “Site Settings.” If you do not see this, you may not have the right permission to go further.
      3. Under the Users and Permissions group, select Site Permissions (See Image 5)
        Site permissions link
        Image 5
  2. Click on the appropriate Group you want to add the individual(s) to. (Note: It is good to have 2-3 owners)
  3. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 6)
    Share pop up to give permissions
    Image 6
  4. Once selected, decide if you want to send an email to the individual(s) you are sharing the site with; if not, click Show options and uncheck the email checkbox.
  5. Click the Share button.

How to Add/Remove Users to a List or Library

Giving a user(s) access to a list or library should be done using the Share button when possible. These instructions are used to give direct access to the list or library instead. Getting to the appropriate page depends on whether you are on a Modern Team Site or a Classic site. I will provide instructions for both.

  1. Go to List/Library Settings
    1. On a Modern List/Library (i.e., Microsoft Teams SharePoint site, Communication site)
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 7)

        Gear found in top right of SharePoint Online
        Image 7

      2. Select List/Library Settings in the flyout menu.
    2. On a Classic List/Library
      1. Click on the List/Library Tab in the top left of the page (See Image 8 #1)
      2. Click on List/Library Settings button to the far right of the ribbon (See Image 8 #2)
        Image of a list or library ribbon in SPO.
        Image 8
  2. Under Permissions and Management -> Click Permissions for this document library (See Image 9)

    Image 9
  3. Click the Stop Inheriting Permissions button in the ribbon at the top of the page (See Image 10)

    List or Library ribbon button to break inheritance.
    Image 10

  4. Click on the appropriate Group link you want to add the individual(s) to.
  5. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 11)
    Share pop up to give permissions
    Image 11
  6. Once selected, decide if you want to send an email to the individual(s) you are sharing with; if not, click Show options and uncheck the email checkbox.
  7. Click the Share button.

How to Add/Remove Users to a Folder, Document, Item

Giving a user(s) access to a folder, document, or item should be done using the Share button when possible. These instructions are used to give direct access to a folder, document, or item instead. Getting to the appropriate page depends on whether you are on a Modern Team Site or a Classic site. I will provide instructions for both.

  1. In a Modern Library/List
    1. Select the folder, document, or item you want to give direct permission to (See Image 12)
      Image of a document selected in a SPO doc library.
      Image 12
    2. Click the ellipses (…) just to the right of the document/item Name/Title
    3. Click Manage Access in the drop-down menu (See Image 13)
      Manage Access choice in pop down menu.
      Image 13
    4. In the Manage Access popup window, click the ellipses (…) in the upper right corner and select Advanced Settings. (See Image 14)
      Advanced Settings button in drop-down pop-up menu in SPO.
      Image 14
  2. In a Classic List/Library
    1. Select the folder, document, or item you want to give direct permission to (See Image 15)
      Document selected in Classic SPO doc library.
      Image 15
    2. Click the ellipses (…) just to the right of the document/item Name/Title
    3. Click Share in the bottom left corner of the popup (See Image 16)
      Pop-Up menu from ellipses in SPO doc library.
      Image 16
    4. Another popup will appear; on the left, click the Shared with button (See Image 17)
      Classic SPO doc library Share pop-up to get to advanced settings.
      Image 17
    5. Click Advanced in the bottom right corner of the popup window.
  3. Click the Stop Inheriting Permissions button in the ribbon at the top of the page (See Image 18)

    List or Library ribbon button to break inheritance.
    Image 18

  4. Click on the appropriate Group to which you want to add the individual(s) who should see the document.
  5. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 19)
    Share pop up to give permissions
    Image 19
  6. Once selected, decide if you want to send an email to the individual(s) you are sharing with; if not, click Show options and uncheck the email checkbox.
  7. Click the Share button.
