
SharePoint permissions guidelines

Many companies struggle to set correct permissions on SharePoint sites, subsites, libraries, lists and pages, and even more so in SharePoint Online, which is constantly updated with new features. Some of these features are built on Office 365 groups (I have written earlier posts on what Office 365 groups are), and that adds a lot of design work for users and administrators. It is not like setting permissions on old file-based server shares. Below I share my experiences and hints on SharePoint permissions. Sharing is caring!

1. Do not break inheritance

SharePoint stores its content in SQL Server (this also holds for SharePoint Online); what many forget is that a document library is rows in a database, not a folder on a file share. By default everything below a Site Collection, that is subsites, document libraries, folders and documents, inherits the permissions you set on the site collection. You can give a subsite and its components such as libraries, lists and pages their own permissions, but to do so you have to break inheritance and then maintain those permissions yourself. In my experience this creates many hours of work and a real risk of setting the wrong permissions, because every broken scope has to be reviewed on its own.

I recommend not breaking inheritance at all: use another Site Collection, or in the worst case a subsite with unique permissions. If a group of people needs unique permissions, I strongly recommend using Office 365 groups. With a group you also get a SharePoint Site Collection, nowadays even a full team site; the URL of an Office 365 group site has the form https://xxx.sharepoint.com/sites/groupname.

2. Do not use personal permissions, use AD groups

Another common mistake is to grant permissions directly to individual users; I have done it myself a couple of times, and every time it was because it was unclear which groups of users actually existed. The way to avoid user-based permissions is planning, planning and planning! The best practice for granting permissions on SharePoint Site Collections is to use AD groups. Yes, you do have an AD (Active Directory) in Office 365: it is called Azure AD (today Microsoft Entra ID) and can be managed by any admin of the Office 365 tenant. Use AD groups wherever you can: create an AD group for SharePoint admins, and even an AD group named CEO (a company can actually change its CEO, and then only the group membership changes, not the permissions).
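The two rules above (do not break inheritance, do not grant to individual users) are easy to state and hard to verify by clicking through the UI. The following script is an added example, not code from the original post or from Microsoft: it walks one site collection with the PnP.PowerShell module and reports every web or list that has broken inheritance, and every role assignment whose member is a single user rather than a group. The PnP.PowerShell module, the site URL, the CSV path and the group object id in the remediation comment are assumptions and placeholders.

```powershell
# Added example, not code from the original post: audit one site collection for
# the two anti-patterns above, broken inheritance and permissions granted to
# individual users instead of groups. Assumes the PnP.PowerShell module is
# installed and that the site URL below is a placeholder for your own.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Path, [string]$Issue, [string]$Principal = '', [string]$Roles = '')
    $findings.Add([pscustomobject]@{ Path = $Path; Issue = $Issue; Principal = $Principal; Roles = $Roles })
}

function Test-Scope {
    # $Securable is a CSOM Web or List; both expose the same permission API.
    param($Securable, [string]$Path)

    # Anti-pattern 1: this object no longer inherits from its parent.
    if (Get-PnPProperty -ClientObject $Securable -Property HasUniqueRoleAssignments) {
        Add-Finding -Path $Path -Issue 'BrokenInheritance'
    }

    # Anti-pattern 2: a role assignment whose member is a single user rather than
    # an Azure AD security group or a SharePoint group.
    foreach ($ra in (Get-PnPProperty -ClientObject $Securable -Property RoleAssignments)) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($ra.Member.PrincipalType -eq 'User') {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            Add-Finding -Path $Path -Issue 'DirectUser' -Principal $ra.Member.LoginName -Roles $roles
        }
    }
}

# Walk the root web, every subweb and every non-hidden list or library.
$root = Get-PnPWeb
$webs = @($root) + @(Get-PnPSubWeb -Recurse)
foreach ($web in $webs) {
    Test-Scope -Securable $web -Path $web.ServerRelativeUrl
    $lists = Get-PnPProperty -ClientObject $web -Property Lists
    foreach ($list in ($lists | Where-Object { -not $_.Hidden })) {
        Test-Scope -Securable $list -Path "$($web.ServerRelativeUrl)/$($list.Title)"
    }
}

$findings | Sort-Object Issue, Path | Format-Table -AutoSize
$findings | Export-Csv -Path ".\permission-audit.csv" -NoTypeInformation

# Remediation is a manual decision, but the shape of it is: grant the role to an
# Azure AD security group (claim format c:0t.c|tenant|<group object id>, placeholder
# id below) and then remove it from the individual user.
# Set-PnPWebPermission -User "c:0t.c|tenant|00000000-0000-0000-0000-000000000000" -AddRole "Contribute"
# Set-PnPWebPermission -User "i:0#.f|membership|alice@contoso.com" -RemoveRole "Contribute"
```

The script deliberately stops at the list level; folders and individual items with unique permissions are found the same way with Get-PnPListItem and a Get-PnPProperty call for HasUniqueRoleAssignments on each item, but on large libraries that is a long-running job and should be scheduled rather than run interactively. Recent versions of PnP.PowerShell also require a -ClientId of your own app registration on Connect-PnPOnline.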

3. Avoid external sharing to anonymous users

In Office 365 it is far too easy to share any document outside of the organisation, so I recommend that you plan for sharing when you set up your SharePoint permission plan. If you configure a Site Collection for fully open sharing, any user with permission to share can do it, and it is now even built into Outlook when a user shares a file stored in SharePoint. Use separate Site Collections for sharing. The worst thing that can happen is that company secrets are revealed to your competitors, or to the media if you are a public company; if you have investors or are traded on a stock exchange, a quarterly or annual report leaked ahead of time would be a nightmare. This is also extremely important for documents containing PII (Personally Identifiable Information): with the upcoming GDPR a leak can cost you revenue, resources and reputation.
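Sharing settings exist at two levels, tenant and site collection, and a site can never be more permissive than the tenant. The script below is an added example, not code from the original post or from Microsoft; it uses the SharePoint Online Management Shell to set a restrictive tenant baseline and then open guest sharing only on site collections created for that purpose. The tenant name "contoso" and the /sites/ext-* naming convention for sharing sites are placeholders.

```powershell
# Added example, not code from the original post: restrictive tenant baseline for
# external sharing, with sharing enabled only on dedicated site collections.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" and the
# /sites/ext-* convention are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Weak posture (a fully open tenant): anyone with share rights can create anonymous
# "Anyone" links on every site, and that is the default link type offered.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -DefaultSharingLinkType AnonymousAccess

# Corrected tenant baseline: external recipients must authenticate as guests,
# anonymous links are impossible anywhere, and new links default to people
# inside the organisation.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal

# Site level: turn external sharing off everywhere except the sites created for it.
Get-SPOSite -Limit All |
    Where-Object { $_.Url -notlike "https://contoso.sharepoint.com/sites/ext-*" } |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability Disabled }

# The dedicated sharing site keeps guest sharing. Because the tenant caps the site,
# asking for ExternalUserAndGuestSharing here would still behave as
# ExternalUserSharingOnly.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ext-investors" -SharingCapability ExternalUserSharingOnly

# Recurring check worth scheduling: which sites still allow sharing outside the organisation?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Two caveats a practitioner will hit: Get-SPOSite without -IncludePersonalSite does not return users' OneDrive sites, which carry their own sharing capability, and changing the tenant setting does not revoke links that were created while a more open setting was in force, so the recurring check is the part that actually keeps the estate honest.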

4. Make use of IRM to protect sensitive information stored in SharePoint

If you do need to share documents, I strongly recommend using IRM (Information Rights Management), which is part of SharePoint Online if you have at least an E3 subscription (I recommend E3 even for micro-companies). If you do not have E3 you can still get IRM by adding the EMS (Enterprise Mobility + Security) suite, which bundles Azure AD Premium with the Azure Rights Management service that IRM depends on (the components can also be purchased separately, which I do not recommend).

With IRM you control how documents from SharePoint are consumed: being able to block users from printing, editing or forwarding documents is a good feature for keeping control of the stored information.
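IRM is switched on per document library, after the tenant has been connected to the rights management service. The block below is an added example, not code from the original post or from Microsoft: it enables IRM on one library with PnP.PowerShell, blocks printing, scripts and unprotected copies, and reads the settings back. The site URL, library name and policy texts are placeholders, and it assumes IRM has already been enabled for the tenant in the SharePoint admin center.

```powershell
# Added example, not code from the original post: protect one document library
# with IRM using PnP.PowerShell. Assumes the tenant already has IRM enabled in
# the SharePoint admin center (Settings > Information Rights Management) and
# that the site URL, library name and policy texts are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/boardroom" -Interactive

$irm = @{
    List              = "Quarterly reports"
    Enable            = $true
    AllowPrint        = $false   # viewers cannot print the protected document
    AllowScript       = $false   # no macros or scripts may run in protected copies
    AllowWriteCopy    = $false   # no "save as" to an unprotected file
    PolicyTitle       = "Board material - confidential"
    PolicyDescription = "Protected by IRM. Do not forward outside the board."
}
Set-PnPListInformationRightsManagement @irm

# Read back what is actually in force on the library.
Get-PnPListInformationRightsManagement -List "Quarterly reports"
```

The caveat that matters operationally: IRM protection is applied to a file when it is downloaded from the library, so copies that users synced or downloaded before you enabled IRM stay unprotected, and only Office formats and PDF get the protection at all. Enable IRM before the sensitive content arrives, not after.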

5. Train your end users in handling security

You can set up as many technical security features as you like, but you cannot control user behaviour; the most important security investment a company can make is training its users to be security aware. This is not a one-time task you do when you start using SharePoint or any other collaboration tool, and with SharePoint Online you need to train users even more often: during the past year many new features have been added, such as the ability to share Office 365 groups outside of the organisation.


SharePoint Online and Office 365 form an open platform that improves every week, month and year, so staying in control of the information your users store is an ongoing task. The admin center reports and audit logs are extremely important to browse through regularly.

This post is not a complete set of guidelines for SharePoint permissions; in my opinion it covers the most important lessons when planning permissions in SharePoint Online.