The SharePoint document collaboration tool has many features to control who can access parts of a site and who can grant permissions.
Our advice is to setup the smallest and simplest set of permissions.
Complicated permissions can be hard to manage. You might accidentally share documents with people who should not have access. This could include people who do not even have access to the SharePoint site.
We have some tips on how to ensure your SharePoint site permissions are set up correctly.
Always have at least 2 Site Owners
SharePoint sites must always have at least 2 site owners. The site owners not only have full control over the site, but they are the people responsible for the site’s contents and permissions.
Multiple people can be assigned the Site Owner role.
Think about your permissions settings before moving any files
Review your data and think about what groups of people need to access what files and folders. This is especially important if you are migrating existing data from another source. The permissions and hierarchy that are in use in the existing system may not be appropriate to the way SharePoint works.
We recommend that you keep your permissions and data hierarchy as simple as possible.
Do not nest SharePoint sites
Microsoft no longer recommends the nesting of sites. If you have a group of related sites, the recommendation is to use a Hub Site to link a group of SharePoint sites together.
Read Microsoft’s best practices on SharePoint sites.
Only use SharePoint groups that have been created by Toolkit
With SharePoint, you can either use groups created and managed by Toolkit, or you can create and manage groups within SharePoint. Toolkit gives authorised users local administration access to Blue and Azure Active Directories and Exchange Online to create distribution lists, manage groups and shared mailboxes.
We recommend that you only use groups that are created and managed by Toolkit.
Your local IT staff will be able to set up new groups in Toolkit. We have information on how to manage groups with Toolkit for them to refer to.
Follow the naming convention for groups
We recommend that you adopt a naming convention for groups to make it easier to identify their intended function. Consider including the site name in the group name. You could also use the prefix "spo" to indicate that the group has been created for SharePoint Online. For example, “spo-<SITE_NAME>-<FUNCTION>”.
Here are some example group names:
- spo-social-fantasy-football
- spo-admin-recruitment
You can nest groups but do not go overboard with this.
Do not set permissions at the folder or file level in a Document Library
A document Library is the place in SharePoint that you can use to upload, store and collaborate on files
We recommend that you only set permissions at the root of a Document Library.
We do not encourage the practice of setting permissions or restrictions at the folder or file level within a Document Library. If you have groups of documents that need different permissions, consider either a separate Document Library or even a separate SharePoint site entirely.
Restrict site sharing permissions
By default, SharePoint allows any member of the site to share files and folders. People could mistakenly share a file that was not intended for wider access.
We recommend that only site owners can share folders and files.
See the instructions on how to restrict sharing permissions.
Do not break inheritance on any of your files or folders
In SharePoint, there is a feature called “Breaking Inheritance”.
We do not advise use of this feature.
Incorrect use of this feature can cut you off from part of the site. You can also break the site and lock users out who need to access the data.
Do not use the OneDrive client to sync a SharePoint site
You can use the OneDrive client to sync the contents of a SharePoint site to your local computer.
We do not advise use of this feature.
We have seen data loss issues with this set up.