Article Updated: June 26, 2019
Hub sites are a newer concept in SharePoint that use a central site to tie together SharePoint sites into a hub and spoke model. They provide common branding and navigation, assist with aggregation and rollup, and help to scope search.
When I introduce the concept of the hub and spoke site model to a client, I generally get a standard question:
“If this is the replacement for subsites, then how do the hub site permissions work on the spoke sites?”
As I have stated above, the answer is simple, “They don’t.”
I was not in the room when the engineers at Microsoft developed the hub and spoke model, but I can guess that the conversation went something like, “SharePoint permissions are confusing, how can we address that? Maybe we just simplify them by removing the complexity?”.
From my experience with SharePoint permissions, I can say this:
Regular people do not understand SharePoint permissions.
Even some seasoned SharePoint professionals don’t fully understand SharePoint permissions.Mike Hatheway
So How Should We Manage Permissions in Hub and Spoke?
There is no silver bullet here. I’ll pull out the ol’ “It depends” line that consultants love to throw around. That said, there is a pattern I have been following that seems to help. This pattern seems to work best when the hub based is around units or functions.
I have been promoting hub models that contain at least one Team site. I call this team site the “Main Team Site”. It is created as the main place for the team (unit or function) to collaborate. It also comes with a handy O365 security group.
Along with this, I also promote attaching other Team sites (e.g. subsets of the main team), non-group connected Team Sites, Communication sites, and even classic sites (just give them a modern homepage).
The result is something like this:
From this example, we end up with two O365 groups:
- HR Team
- HR Managers
And we have four other sites that have default SharePoint group permissions.
The bonus is that we can use these O365 groups to define permissions on the hub (and other sites).
So maybe the HR Managers will be the owners of the entire Hub. If that’s the case, we can use the O365 group created on the managers team site in the Owners group for the hub site. And maybe the entire HR Team needs to be able to post news articles and create pages on the hub. Then we can just add the HR Team O365 group to the members group on the hub site.
In the end, we might end up with something like this:
- HR Hub Owners
- HR Managers Members (O365 Group)
- HR Hub Members
- HR Team Members (O365 Group)
- HR Hub Visitors
- Everyone except external users (built in-group)
We can reuse these groups on any site. Even Team sites. We can easily add the O365 groups to the SharePoint groups on Team sites. Maybe we want the HR Manages site to be a place where the HR Managers create content, but the rest of the HR Team should be able to view that content. We simply add the HR Team O365 group to the Visitors group on the HR Managers team site.
When you define an O365 Group, you can assign Owners and Members (and Guests) to that group. However, we can’t use these “sub-permission groupings” from the O365 Groups elsewhere in SharePoint. E.g. We can’t say that we want the owners of the HR Hub to be the owners of the HR Managers O365 group.
The hub and spoke model really isn’t about permissions at all, but with some planning, you can get some re-use out of the groups you put in place.
Thanks for this! We’re building this model out right now and I was pulling my hair trying to figure out the model of how we should deploy hub sites. Microsoft does not make this easy it all. Hub site permissions should just cascade, but they don’t. Frustrating–just one of many frustrating things with SharePoint.
thank you very much for the explanation!! Do you know where I can define the Hub-Owners, Hub-Visitors and members?
Thanks a lot in advance and kind regards,
Great Post! Keep it up!!!
Thank You ! Would you know if there any way to accomplish centralized security in the new sharepoint 365 or do we need to create the same user 6 times if they should only have access to 6 out of 10 hubs ? Not finding a simple way to centralize with the new sharepoint structure.
The only way to (that I know of) centralize this is to take advantage of m365 groups and Security groups.
Once you have the group’s, use these groups inside the SharePoint groups for the sites.
Then you are managing users in central groups.