Office 365 – SharePoint Online ‘Sharer’ Beware

The short story:

Beware of using the ‘Share Site’ or ‘Share this site’ links in Office 365 – SharePoint Online without knowing exactly what it is doing: you are potentially granting users access to more content than you intend to. 

The longer explanation:

In my opinion, security is one of the most confusing things in SharePoint for users to manage.  This is both because the flexibility of its design leads to a confusing implementation and because most users aren’t properly trained on how SharePoint security works (yes, this should be handled through a governance policy). 

Because of this, a number of issues usually arise: users don’t have enough access or users have too much access.  Just this weekend I was chatting with someone who uses SharePoint in their organization and she described a conversation with their SharePoint contact who was giving her access to a site – or so she thought.  This is typical, irritating to users, and something that needs to be handled better in order to successfully accomplish user adoption.

The flip side of that problem is giving users too much access – more access than you are intending them to have.  Sometimes this isn’t a big deal, but it can be a serious issue, for example when competing clients can see each other’s content.  There are many examples of how this could turn out badly.

Well, in SharePoint Online, as part of Office 365, Microsoft has added a nice and easy way to grant users access to SharePoint by way of the ‘Share this site’ link.   Unfortunately, while this is a very easy way to grant users access, it will in many cases grant too much access unintentionally – not because it doesn’t work properly, but because it isn’t doing what most users will expect it to do.

First, a quick primer on SharePoint security:

  • SharePoint has a number of containers and entities, all of which can have security attached to them:  Site collections, sub sites, lists or libraries, folders (I’m not touching this topic in this article) and items.   
  • Security can be assigned directly to these containers and items by adding a user and defining the permissions they have.  Users can also be granted access through an Active Directory security group or a SharePoint security group. 
  • By default, security in SharePoint is inherited.  When you have security on a site collection and create a sub site, you can tell SharePoint to have the sub site inherit the permissions of the parent site collection.  People and groups will have the same permissions to view, add and update on the sub site content as they did on the site collection. 

There are lots of details to work through if you want to dig in, but those are the basics.  Now to the specific problem scenario. 

I have a SharePoint Online site collection and I want to create an area where I can collaborate with people outside my organization on a project.  To me, this translates into a sub site (or even better a site collection if possible) because I can isolate security at a whole site level, I can have a landing page for users, I can add additional lists later without having to change security, etc. So, I create my sub site. 

By default, my site has a document library which is all I really need for starters.  Now, I want to grant my external users access to the site – here comes the potential issue.  SharePoint Online has the ‘Share this site’ link right on the default page.  You can get to the same functionality by going through the Site Actions menu and selecting ‘Share Site’.  Both are shown below.


Either of these links will open up the following form:


Herein lies the potential for a security issue.  Now, the form does some nice things.  It allows you to add users to groups and then send them an email that will alert the user to the fact that they now have access and provides them a link to the site, list, etc. that you’ve just given them access to.  Where this form causes issues is by only allowing you to add them to the pre-existing ‘Visitors’ or ‘Members’ SharePoint security groups.  By adding users to the ‘Visitors’ or ‘Members’ groups, you are very likely granting them access to more than just the sub site. 

The Members and Visitors groups are default groups added to most SharePoint sites, and many site administrators allow these groups to be inherited by sub sites and lists as they are created.  Members are generally able to read almost everything and contribute to most lists and content; Visitors can read but not contribute.  If I were to add the external users that I want to collaborate with on one specific sub site to either of these groups, they would have access to much of the rest of my site collection as well – unless I had specifically locked down my other content by breaking inheritance and/or removing the Members and Visitors groups from my other sites and content, which most administrators and users do not do.

Suggested Approach:

The suggested approach to granting users access to only the sub site (or list) is to do it directly/explicitly rather than using the shortcut.

  • On the sub site, select Site Actions –> Site Settings


  • Select Site permissions


  • In the ribbon, select ‘Stop Inheriting Permissions’


  • Now, there are plenty of variations here, but we’re going to add a new group.  Even if I’m only adding a single person right now, it’s better to have a group in place in case you want to add others later with the same permissions.  The group will be visible throughout the site collection (trivia, but might actually be relevant if you have groups for partners, clients, etc. in the same site collection).  So select Create Group from the ribbon.


  • For simplicity’s sake in this example, give the group a name and select the permission level you’d like for the group.  I’m using ‘Contribute’.  Click Create.
  • From the Permissions page (where you land after creating or adding a group), click the name of your group.
  • You are listed as a member by default, but now you can also add other users who will all take on the permissions of the group.  More importantly, they will only have permissions in the sub site, rather than in other areas of your site collection that you might not want them to have access to.  Click New –> Add Users

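The same audit and remediation, as an added PnP.PowerShell example that is not part of the original post: it lists the external users already sitting in the site collection’s default Members and Visitors groups, shows which sub sites still inherit permissions (and therefore expose the same content), and then applies the suggested approach (stop inheriting, create a group with Contribute, add a user) to one sub site. The URLs, group name and user address are placeholders, and the PnP.PowerShell cmdlets stand in for the Site Actions UI the article uses; depending on how PnP is registered in your tenant, Connect-PnPOnline may also need a -ClientId.

```powershell
# Added example (not from the original post). Requires the PnP.PowerShell module.
# All URLs, names and addresses below are placeholders for your own tenant.

$siteCollectionUrl = "https://contoso.sharepoint.com/sites/projects"   # placeholder
$subSiteUrl        = "$siteCollectionUrl/partner-alpha"                # placeholder

# --- 1. Audit: who did 'Share Site' already put into the default groups? ---
Connect-PnPOnline -Url $siteCollectionUrl -Interactive

$defaultGroups = @((Get-PnPGroup -AssociatedMemberGroup), (Get-PnPGroup -AssociatedVisitorGroup))
foreach ($grp in $defaultGroups) {
    # Guest (external) accounts carry '#ext#' in their SharePoint login name
    $externals = Get-PnPGroupMember -Group $grp | Where-Object { $_.LoginName -like "*#ext#*" }
    foreach ($u in $externals) {
        "{0}: external member {1}" -f $grp.Title, $u.Email
    }
}

# Every sub site that still inherits gives those same groups the same access
foreach ($web in Get-PnPSubWeb -Recurse) {
    $unique = Get-PnPProperty -ClientObject $web -Property HasUniqueRoleAssignments
    "{0}  unique permissions: {1}" -f $web.Url, $unique
}

# --- 2. Remediate one sub site the way the article suggests ---
Connect-PnPOnline -Url $subSiteUrl -Interactive

# Stop inheriting; keep a copy of the parent's assignments, as the ribbon button does.
# Remove the copied Members/Visitors assignments afterwards if they should not apply here.
$web = Get-PnPWeb
$web.BreakRoleInheritance($true, $false)
Invoke-PnPQuery

# A dedicated group scoped to this sub site, with the 'Contribute' level the article picks
$group = New-PnPGroup -Title "Partner Alpha Contributors"           # placeholder name
Set-PnPGroupPermissions -Identity $group -AddRole "Contribute"
Add-PnPGroupMember -Group $group -LoginName "alex@partner.example"  # placeholder address
```

Re-running the audit section afterwards should show the sub site with unique permissions and no new entries in the site collection’s Members or Visitors groups.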

SharePoint security and permissions have many options.  Be aware of what you are doing when adding users, groups and managing their permissions in order to maintain the security you need and want. 

2 comments

  1. NOTE: There are TWO STEPS not listed here which are necessary to make this work as the article suggests. I found the article very useful for my situation and pretty sound advice, I was just stumped afterwards and it took me 2 (maybe 3) minutes to sort out. Anyways, here is what I did:

    1. When you are in the Group Permissions page for the group you just created, DO NOT click New -> Add Users, but INSTEAD click Settings -> Make Default Group. This makes your newly created group the default group that will APPEAR as a choice in the NEXT step. DO NOT click New -> Add Users, as when you type in the external user’s e-mail address you will get an error that it cannot be found in SharePoint (this is logical, because you have not added them to your SharePoint account).

    2. Now go to your “Ribbon” up top for the sub-site and click Site Actions -> Share Site. Your newly created group should appear as the label for the second choice (previously labeled “Members” or “[Name of Your Main Site] Members”). In this second choice, type in the external user’s e-mail address to share the site as you are normally used to doing. This adds the user to the new group you created (once they “Accept” the invitation).
