Site Types and Permissions (aka The Problem with Maggie)

Article Updated: Feb. 28, 2019

Introduction

In this article, I am hoping to demystify permissions in modern SharePoint sites. I will talk about the differences between the permissions on Communication sites (and other non O365 group-connected sites) and Modern Team sites. I’ll also outline how some of the functionality around the permissions framework changes based on the type of site you are using.

For some background, check out my articles on default groups and modifying the membership of the default groups.

Permissions for Sites that are not Connected to an O365 Group

In this section, I am referring to Communication sites and non-Office 365 Group connected Team sites. The default groups and settings of these sites are created in much the same way that they have been created since SharePoint 2013. The rest of this section will use a Communication site in the examples but the same should hold true for non-group-connected Team sites.

Note: non-Office 365 Group connected Team sites are created when a self-serve user doesn’t have access to create an O365 Group and can also be created in the recently updated SharePoint Administration interface.

Default Groups

For information on the default groups, see my articles on default groups and modifying the membership of the default groups.

Changing Default Group Permissions

Changing the default group permissions can only be done from the Advanced Permissions Page

Location: Gear > Site Permissions > Advanced permissions settings

If you change the default group permissions (select the group's checkbox > Ribbon > Edit User Permissions) to anything other than the defaults, you will lose the ability to use the permissions panel to modify site permissions.

Screenshot: Members group changed to Contribute.

Screenshot: the permissions panel no longer shows groups.

Permissions for Sites that are Connected to an O365 Group

In this section, I am referring to Office 365 Group-connected Team sites. As with the non-group-connected sites, the default SharePoint groups of these sites are created in much the same way that they have been created since SharePoint 2013. The difference with these sites is that an Office 365 Group is deployed to the site as well.

How O365 Groups Appear in the default Groups

The advanced permissions page is basically the classic Site Settings > Site Permissions page. From here you can see the default groups that have been created:

There are three important things to note here:

1. The Owners and Visitors groups are empty, but the Members group will contain a group called <Name of O365 Group> Members. This is somewhat confusing because the site and the group generally have the same name, so you may end up with something like My Team Site Members > My Team Site Members. This is meant to tell you that all members of the O365 group are Members of the site.

2. The permission levels for the default groups cannot be changed. This is different from the non-group-connected sites.

3. The site collection administrators will show <Name of O365 Group> Owners. Much like the members group, this is somewhat confusing because the site and the group generally have the same name, so you may think that the SharePoint Owners group is in the Site Collection Admin box. This is meant to tell you that all owners of the O365 group are Site Collection Administrators of the site.

Note: Do not remove the Owners group from this box. It is not possible to add it back without going to the SharePoint Admin interface.

If you need to restore the group, from the New SharePoint Admin center, select Active sites, select the site, and show the details panel. This message should be displayed at the top:

Click the Add the group owners as admins link.

Site Permissions Panel

The permissions panel is slightly different from the non-group-connected sites. The initial state of the panel shows an Invite People button, the three default groups, and a link to the advanced permissions page.

The Site Owners group will be “populated” with <O365 Group Name> Owners (this isn’t a direct correlation to the SharePoint Owners group, as that group is empty, and these users are site collection administrators), and the Site Members group will be populated with <O365 Group Name> Members.

Members in the O365 Group

Users in the O365 Members group will have Edit permissions to the site. This means that they can add and delete site objects such as lists, libraries, site pages, and news articles. They are also able to modify existing structures such as adding/removing/modifying columns for a list (or library), and adding/removing/modifying a view, or adding/removing/modifying site pages and news articles.

I will be writing about ways to overcome some of these challenges in a future article.

Owners in the O365 Group

Even though the permissions panel seems to indicate that users in the O365 Owners group have full control permissions, users in the O365 Owners group will in fact have site collection administrator permissions to the site. The main difference between a user that has Full Control, and a user that has site collection administrator privileges, is that nothing can be hidden from a site collection admin. If a library is created on a site and all the permissions on that library are removed, the only users that can see that library are the site collection administrators (i.e. users with Full Control permissions will not see it).

Question: Why is it important to understand that O365 group owners are site collection administrators?

Answer: Maggie.

The Problem with Maggie

It is fairly common practice for teams (e.g. the Finance department in a company) to assign the Owner role to the head of the team (e.g. the director of Finance) AND “the most technical person” on the team (e.g. Maggie, a junior Finance employee who is “really technically savvy”; no really, she helps everyone, and she even knows Power BI).

The problem occurs when the director creates a folder, removes all access to it (except for herself) and then uploads all the employee performance reviews to the “secure” folder.

But since Maggie is an Owner (and a Site Collection Admin), nothing can be hidden from her. It may even show up in her Delve screen.

All this to say: “Think hard about who ends up in the O365 Owners group”. If you require complete lockdown of certain assets it’s probably time to think about creating another Team Site with fewer members.

Adding Users to SharePoint Groups instead of the O365 Group

If you add users directly to the default groups or the additional groups you may have added, they will not have access to other O365 group resources such as calendars, conversations, the related Team, and any related plans in Planner.
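The two risks described above (O365 group owners are site collection administrators from whom nothing can be hidden, and users added directly to SharePoint groups silently miss out on the rest of the group's resources) are both things an administrator can check for rather than discover after the fact. The script below is an added example, not code from the original article; it uses the SharePoint Online Management Shell and Exchange Online PowerShell cmdlets (Connect-SPOService, Get-SPOSite, Get-SPOUser, Get-SPOSiteGroup, Connect-ExchangeOnline, Get-UnifiedGroupLinks). The tenant admin URL and site URL are placeholders, and it assumes the caller is a SharePoint and Exchange administrator.

```powershell
# Added example (not from the article). Audits one modern site for the two
# permission issues discussed above. Placeholders: tenant and site URLs.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",        # placeholder tenant admin URL
    [string]$SiteUrl  = "https://contoso.sharepoint.com/sites/Finance"  # placeholder site URL
)

Connect-SPOService -Url $AdminUrl
Connect-ExchangeOnline -ShowBanner:$false

$site = Get-SPOSite -Identity $SiteUrl
$isGroupConnected = $site.GroupId -and ($site.GroupId -ne [Guid]::Empty)

# 1. Site collection administrators. On a group-connected site this list is the
#    O365 Owners group: nothing in the site can be hidden from these people, so
#    every name here should be someone you are comfortable seeing everything.
$admins = Get-SPOUser -Site $SiteUrl -Limit All | Where-Object { $_.IsSiteAdmin }
Write-Host "Site collection administrators of $SiteUrl (nothing can be hidden from them):"
$admins | Select-Object DisplayName, LoginName | Format-Table -AutoSize

if (-not $isGroupConnected) {
    Write-Warning "Site is not connected to an Office 365 Group; the O365 group checks below are skipped."
    return
}

# 2. Expand the O365 group so SharePoint-side membership can be compared with it.
#    Get-UnifiedGroupLinks accepts the group's directory object id as Identity.
$groupId      = $site.GroupId.ToString()
$groupOwners  = Get-UnifiedGroupLinks -Identity $groupId -LinkType Owners
$groupMembers = Get-UnifiedGroupLinks -Identity $groupId -LinkType Members
$groupPeople  = @($groupOwners + $groupMembers |
                  ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() } |
                  Sort-Object -Unique)

Write-Host "O365 group owners (these are the site collection administrators above):"
$groupOwners | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize

# 3. Users added directly to SharePoint groups rather than to the O365 group.
#    Such users get site access only; no calendar, conversations, Team or Planner.
#    Assumption: individual (non-group) accounts carry the claim prefix below,
#    with the user's e-mail address after the last '|'.
$userClaimPrefix = "i:0#.f|membership|"
$direct = foreach ($g in Get-SPOSiteGroup -Site $SiteUrl) {
    $users = Get-SPOUser -Site $SiteUrl -Group $g.Title -Limit All |
             Where-Object { $_.LoginName.StartsWith($userClaimPrefix) }
    foreach ($u in $users) {
        $email = $u.LoginName.Substring($userClaimPrefix.Length).ToLowerInvariant()
        if ($groupPeople -notcontains $email) {
            [pscustomobject]@{
                SharePointGroup = $g.Title
                User            = $u.DisplayName
                Email           = $email
                Note            = "Direct SharePoint membership only; not in the O365 group"
            }
        }
    }
}

if ($direct) {
    Write-Host "Users with SharePoint-only access (will not see the group's other resources):"
    $direct | Format-Table -AutoSize
} else {
    Write-Host "No users were found in SharePoint groups outside the O365 group."
}
```

Run it per site while reviewing a new Team site, or loop it over Get-SPOSite -Template GROUP#0 output to sweep a tenant. The first table is the one to read with Maggie in mind: anyone listed there can see every library in the site regardless of what has been "locked down" at the folder level.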

Additional Groups

Additional groups are groups that can be added to any site type. They are created by an owner or administrator and are additional to the default groups that are provisioned when the site is created.

These groups will have their own permission level and can have different members from the O365 Members and Owners group.

Note: Adding additional groups can only be done in the advanced permissions page, and they will not appear in the new permissions panel. You will be required to use the advanced permissions page to manage them.

The steps to add an additional group from the advanced permissions page are outlined in this article from Microsoft Docs.

Example

Screenshot: an additional group from the Advanced Permissions page.

Note that the additional group pictured above is not available in the panel.

Conclusion

Non-group-connected sites are straightforward for those of us that are familiar with traditional SharePoint permissions. Microsoft have just added a new interface on top of the default groups.

Group-connected sites are the biggest change from traditional SharePoint permissions. On one hand, the group interface provides a simple-to-use, modern looking interface with nearly everything a basic team would need for permissions. I do wish the O365 groups were a bit more granular in their permission level classifications, but I understand that the groups were made to be used in more than just SharePoint. I also feel like things have changed over time (I swear that you could change the permission levels for default groups at one point) and that the interface is getting better all the time.

It does feel like Microsoft is pushing the Edit permission level. Most companies that I have worked with have insisted that Edit is just too much like Full Control, and that their users will mess up their sites. It’s very possible that MS has data that says something like, “if you lock people down to contribute permissions, they have bad experiences”. Maybe the contribute permission level is one of the contributing factors (see what I did there… Mark Kashman would be proud) to the “I hate SharePoint” / “SharePoint sucks” comments I have heard over the years.

So, I’m trying to live with the Edit permission for now. I still have clients that want it to be set to Contribute, and I’m sure others are in the same situation. I do plan on writing an article about Edit vs. Contribute soon.

Lastly, remember Maggie and be careful with the O365 Owners group. You can’t hide content from them on their Team site. That said, try to live with the out-of-the-box settings before getting fancy with permissions. Sometimes the easiest answer is a new site with a separate set of users.

Author: Mike Hatheway

I'm a husband, father of twins, and a digital transformation consultant specializing in Office 365. Generally focused on SharePoint, PowerApps, Flow, Teams, and PowerBI. I hold several Microsoft certifications including MCSD: App Builder and MCSE: Data Management and Analytics. I work at Bulletproof Solutions.
