This page covers:
We also recommend that you read our page about how to monitor your SharePoint permissions. This gives some suggestions about how to make sure you are only sharing files with people you have
User groups in SharePoint
SharePoint Online has 2 main default sharing groups:
Site owners have 'Full control' over the site and are responsible for its administration and access. It's advisable to have at least two site owners.
Site members have 'Edit' ability over the site to create share and edit the site, and documents within.
Site visitors is a less-used group, which grants read access only.
One key difference between owners and members is that while both by default can grant access and share, only owners are able to remove access. This can be further restricted so that only owners can share access – see below.
Adding and removing member access
To quickly add and manage members, select the member's icon to the top right of the SharePoint Site:
This brings up the 'Group membership' panel, where new members can be added, and current members can be seen and their access edited or removed:
Most management of a SharePoint Online site can be done here. You can add or remove people, or promote them to 'Owner' or demote them to 'Member' as required.
Site permissions
You can access some further permission settings by selecting the settings cog at the top right of the SharePoint Site, and selecting 'Site permissions':
This opens up a 'Permissions' panel:
By default, the only two groups that will show are 'owners' and 'members', which is expected.
Important: It's possible for a site to be shared with everyone who has a University Office 365 account. You may be tempted to use the system option "Everyone except external users". We would advise against this as this would include people in the University who are not staff, students or visitors. Instead, we recommend using the group "azure-users-cam-upn". (This group includes everyone in the University Office365 tenancy who has a username in the format <crsid>@cam.ac.uk, it does not include Guest or Alumni accounts.)
Site owners should ensure that "Everyone except external users" is not present on their site if the site is intended to be private.
Site sharing permissions
Site owners can further lock down the SharePoint site so that only owners can grant access, rather than both owners and members, by selecting the 'Site Sharing' link in the 'Permissions' window:
This opens a panel to change the following options:
Site owners can choose the most appropriate settings for their site's purposes. The most locked-down setting would be for "Only site owners can share files, folders, and the site".
Owners of private sites for sharing within a team may also wish to turn off the "Allow access requests" feature.
Advanced permissions settings
Most site owners will not need to access the "Advanced permissions settings" link, but you can use it if you're confident and familiar with doing so:
