Ever tried figuring out SharePoint permissions?
It's like trying to decode the Da Vinci Code, but with more frustration and less Tom Hanks. You think you've got everything locked down, but next thing you know, your nosy spouse has access to all your wild and crazy pics from that one wild and crazy night.
Yikes! (I'm not saying it happened to me)
Let me break down SharePoint permissions for you real quick. Now, it might not be as easy as grabbing a Lolly from a toddler, but trust me, it's a piece of cake once you get the hang of it. And I'm not kidding around!
Alrighty, let's dive into the world of SharePoint permissions! First up, we'll break down the nitty-gritty of how everything fits together. Then, we'll explore the connection between Microsoft 365 groups and Active Directory, and how they impact the way modern team sites and communication sites work. After that, we'll walk through a few real-life situations to help you put all the pieces together. And last but not least, we'll give you the heads up on some of the common pitfalls to avoid. So grab a coffee and get ready for a wild ride!
First and foremost, let's kick off by understanding the critical components that work together in harmony to make SharePoint permissions function effectively:
a. SharePoint permission levels
b. SharePoint groups
c. SharePoint objects
Alright, so picture this: SharePoint permission levels are like a bouncer at a fancy club. They decide who gets in and who gets left out in the cold. These levels are made up of a bunch of individual permissions, kind of like a puzzle where each piece has its own unique place in the grand scheme of things. These permissions fall into categories like List Permissions, Site Permissions, and Personal Permissions. Think of it like the different flavours of ice cream at the parlour, each with their own distinct taste!
Let's break it down even further, shall we? The standard permission levels within SharePoint are like different kinds of keys that unlock various doors. Here's what you can expect:
Full control - This is the key that opens every single door, no matter where it leads. It's like having the master key to the entire site.
Design - This key lets you get into some pretty exclusive areas, like the VIP lounge at the club. You can add, update, delete, and customize things, but it's an old-school key that's only used in Classic sites.
Edit - This key is like a backstage pass that gets you access to the inner workings of the site. You can add, edit, and delete lists, and even make changes to list items and documents.
Contribute - This key lets you in the door, but not much farther. You can view, add, update, and delete list items and documents, but that's about it.
Read - This key is like looking through the window of a cool party you're not invited to. You can peek inside and see what's going on, but you can't touch anything.
But wait, there's more! Not all these keys are always in use. For example, in a standard modern team site, only Full Control and Edit keys are handed out by default. It's like they're guarding the really good stuff with extra security!
Ah, yes, the groups! Think of them like different squads within the club scene. They're the ones that get VIP treatment and exclusive access to certain areas. In SharePoint, we've got three default groups that come with every site, and they are:
Site owners - These are the big bosses of the site, the ones who call the shots and have full control over everything. They're like the club promoters who can get you into the hottest parties.
Site members - These are the regulars, the ones who have access to most areas and can do a lot of the heavy lifting when it comes to creating and managing content. They're like the party-goers who always show up and know their way around.
Site visitors - These are the outsiders, the ones who are just there to check things out and don't have much access to anything. They're like the people walking by the club and peering inside, wondering what's going on.
Now, how these groups are used can vary depending on whether it's a team or communication site, but we'll get to that later. Just like different clubs have different crowds, each SharePoint site has its own unique vibe and usage patterns!
SharePoint has a bunch of different things you can create called objects. Think of them like Legos, but for your website. Here are the main ones:
Sites - These are like the foundation of SharePoint. They're where everything starts and where everything comes together.
Libraries - These are collections of files or documents, and there are a few different types of them. You can think of them like bookshelves, but for your files.
Lists - These are like Excel spreadsheets, but on your website. You can use them for all sorts of things, like keeping track of tasks or contacts.
Folders - These are like folders on your computer, but within your website. You can use them to organize your files and documents into smaller groups.
Items - These are the individual files, pages, images, or other types of content that you'll be storing in libraries, lists, or folders. They're like the puzzle pieces that make up your website.
To sum up SharePoint permissions in a nutshell: you either give a group or a user permission to access something on SharePoint or you don't. Simple as that!
Of course, there are different variations of this, like giving someone permission to edit but not delete, or allowing someone to view but not download, and so on. But the fundamental principle stays the same throughout.
Except for one little thing worth calling out: Site collection administrators are the site's big bosses, and they always have full control, no matter what you try to do. It's like they have a special superpower that nobody else has, so don't mess with them!
When you grant permissions to a SharePoint object, those permissions apply to all of its children by default. But you can stop this inheritance and apply unique permissions to the object.
For example, imagine you have a folder called "Secrets" with a file called "Plans" inside. If you stop the inheritance of permissions at the "Secrets" level, you can give the folder permissions that differ from the rest of the library. Any changes made to the folder's permissions will still flow down to "Plans", because the file keeps inheriting from its folder; only once you stop inheritance on the file as well can you change the file's permissions, and those changes apply to the file alone and never back up to the folder.
However, you should be careful when stopping permission inheritance because it can lead to confusion and accidental exposure of sensitive information. It's important to plan thoroughly before making any changes. Nonetheless, uninherited permissions can be useful in scenarios where you need to display and hide information with increasing sensitivity as you drill into a structure.
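As an added example (not from the original post), here is a PnP PowerShell audit that walks a library and lists every folder or file where inheritance was stopped, together with who holds which permission level on it. It assumes the PnP.PowerShell module and placeholder site and library names; depending on your module version, Connect-PnPOnline may also need a -ClientId for an app registration of your own.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell and that the
# site URL and library name below are placeholders you replace.
Connect-PnPOnline -Url "https://TENANT.sharepoint.com/sites/SITE" -Interactive

$libraryName = "Documents"   # placeholder: the library to audit

# Pull every file and folder; FSObjType 1 = folder, 0 = file
$items = Get-PnPListItem -List $libraryName -PageSize 500 -Fields "FileRef","FSObjType"

$report = foreach ($item in $items) {
    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if (-not $item.HasUniqueRoleAssignments) { continue }   # still inherits, nothing to report

    # Load who holds what on this object
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Path      = $item["FileRef"]
            Type      = if ($item["FSObjType"] -eq 1) { "Folder" } else { "File" }
            Principal = $ra.Member.Title
            # Access granted through the Share button shows up as a "SharingLinks.*" principal
            LoginName = $ra.Member.LoginName
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
```

Every row is a place where "Secrets"-style unique permissions exist, so an empty report means the whole library still inherits from the site.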
Have you ever been part of a team project and found it difficult to share access to multiple services like email, chat, and project planning tools? It's like trying to solve a Rubik's cube blindfolded - frustrating and downright impossible!
Well, fear not, my friend, because Microsoft 365 groups are here to save the day! These groups are like the Avengers of the 365 suite, bringing together different services and making it easy for owners to add or remove people from the group. Think of it like a magic spell that grants access to Microsoft Teams, SharePoint sites, Planner, and more - all with just a few clicks.
So, the next time you're working on a team project, just remember that Microsoft 365 groups are the superhero team you never knew you needed. Say goodbye to juggling unique object- or file-level permissions to keep everyone on the same page, and say hello to seamless collaboration and productivity!
In the world of SharePoint (think of it as a digital clubhouse), a Microsoft 365 group is like a VIP pass to a modern team site. It lets the owners of the group easily add and remove members using a fancy membership panel.
So, how did these members even get here?
When a modern team site is created, three things happen:
a. The site itself is created (like building a new clubhouse).
b. A linked Microsoft 365 group is created (like a VIP club that only some people get to be a part of).
c. The Microsoft 365 group's owners and members are added to the site's SharePoint groups (like assigning specific rooms for the VIP club members to hang out in).
Here's where everyone is placed:
a. Group owners are put in the SharePoint site owners group (like giving them the keys to the clubhouse).
b. Group owners are also put in the Site collection administrators group (like being the mayor of the digital town).
c. Group members are put in the SharePoint site members group (like being part of the VIP club's guest list).
d. The SharePoint site visitors group stays empty (like a dance floor that everyone can access).
When owners use the membership panel to change someone's role from member to owner, they're changing their membership status in the Microsoft 365 group. This means they'll have access to other Microsoft 365 services and resources connected to the group (like getting access to the VIP club's secret after-party).
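Here is an added example (not from the original post) that checks the placement described above on a group-connected team site: each associated SharePoint group should contain only the Microsoft 365 group's claim, and anything else was added directly and will never show in the membership panel. It assumes PnP.PowerShell, a placeholder site URL, and the claim format SharePoint Online uses to represent a group's owners and members inside its own groups.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell and a placeholder site URL.
Connect-PnPOnline -Url "https://TENANT.sharepoint.com/sites/SITE" -Interactive

$site = Get-PnPSite -Includes GroupId
if ($site.GroupId -eq [guid]::Empty) { throw "Not a group-connected team site" }

# SharePoint Online stores the M365 group in its own groups as a single claim:
# members as the claim below, owners as the same claim suffixed with "_o".
$membersClaim = "c:0o.c|federateddirectoryclaimprovider|$($site.GroupId)"
$ownersClaim  = "${membersClaim}_o"
# A public team site also carries "Everyone except external users" in Site members
$everyoneButExternal = "c:0-.f|rolemanager|spo-grid-all-users/"

$expected = @{
    Owners   = @($ownersClaim)
    Members  = @($membersClaim)
    Visitors = @()              # empty on a freshly created team site
}
$groups = @{
    Owners   = Get-PnPGroup -AssociatedOwnerGroup
    Members  = Get-PnPGroup -AssociatedMemberGroup
    Visitors = Get-PnPGroup -AssociatedVisitorGroup
}

foreach ($role in "Owners", "Members", "Visitors") {
    $actual = @(Get-PnPGroupMember -Group $groups[$role] | ForEach-Object LoginName)
    # Anything beyond the expected claim was added directly and bypasses the membership panel
    $extra = $actual | Where-Object {
        $expected[$role] -notcontains $_ -and -not $_.StartsWith($everyoneButExternal)
    }
    $missing = $expected[$role] | Where-Object { $actual -notcontains $_ }
    [pscustomobject]@{
        Role    = $role
        Group   = $groups[$role].Title
        Extra   = $extra -join "; "
        Missing = $missing -join "; "
    }
}

# Group owners also land in Site collection administrators; list them to spot hand-added extras
Get-PnPSiteCollectionAdmin | Select-Object Title, LoginName
```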
In the previous section, we learned how to manage who can access a modern SharePoint team site using the membership panel. But what about communication sites? They work differently and don't use Microsoft 365 groups to manage permissions. Instead, we add groups and users directly to the site's SharePoint groups.
Here's what this means:
Communication sites don't have a membership panel, so it's not as easy to add or remove people. We also can't quickly see how many members a site has.
To give someone access to a communication site as an owner or member, we need to add them to one of the SharePoint groups using the Site settings > Site permissions menu.
When we create a communication site, we're automatically added to the Site Collection Administrators and Site Owners groups. However, the Site members and Site visitors groups are empty, and we need to add people to them before others can access the site.
Communication sites are meant to be updated by a small group of people who publish information for others to view. To accomplish this, we need to add people to the Site members and Site visitors groups.
For example, imagine we're creating a communication site for a company. The site owners would be the company executives, and they would add employees to the Site members group so that they could access information on the site. The Site visitors group would be for customers or vendors who need to view information, like upcoming events or product information. To give them access, the company executives would add them to the Site visitors group.
So, although communication sites are different from team sites in how we manage permissions, we can still ensure the right people have access to the site by following a few simple steps.
Let's talk about how permissions work on a SharePoint site depending on its privacy settings:
If a site is set to private, only members of the connected Microsoft 365 group can access it. These members are added to the Site members group, as we discussed earlier.
On the other hand, if a site is set to public, things work a bit differently. In addition to the members of the M365 group, all internal users on the tenant (everyone except external users) are also added to the Site members group. This means that anyone in the organization can access and edit the contents of the site.
However, it's important to note that being added to the Site members group doesn't automatically grant access to the Microsoft 365 group's resources. It simply allows people to add themselves (or others) to the group as members if they wish to access those resources. Once they've been added to the group, they can access its resources as well.
For example, imagine that your company has a SharePoint site called "BJP Public Site". If this site is set to public, all internal users in your organization can access it by default. This means that everyone can collaborate and work on the site's content. However, they won't have access to the resources connected to the M365 group until they've been added to the group by someone who already has access.
Problem of individuals using share button to share the files
How to disable individual Sharing
In a perfect world, managing access to a team site would be straightforward, with a well-organized set of owners and members. However, in reality, things are constantly changing, including people and requirements.
One of the challenges of team sites is that they are highly collaborative, and it's easy for group members to share content outside the group unintentionally. This means that the contents of a site may become accessible to people who were not intended to have access.
As owners, we can limit this risk by adjusting the sharing capabilities of group members. This can be done by navigating to Site settings > Site permissions > Change how members can share, and selecting an appropriate sharing setting that meets the site's requirements.
Creating a SharePoint team site can be done in two ways:
By creating a new team or private channel within a team.
By using the standard Create site button on the SharePoint landing page.
But wait, there's more! Some organizations like to spice things up with intricate scenarios like:
a. Using team sites as publishing or communication sites by adding Everyone except external users to the Site visitors group. It's like inviting the whole neighbourhood over to your house party, but you better be careful not to share too much sensitive information in the living room. It's best to keep public and private stuff in separate containers, but if you're feeling adventurous, go ahead and mix it up.
b. Using Microsoft 365 groups to manage visitor access instead of editing access. This involves moving the M365 group from the Site members group to the Site visitors group and managing editing access by directly adding individual AD users into the Site members group. It's like hiring a bouncer for your party, except the bouncer can't control who goes into the other rooms. A security group (dynamic security groups work well) is a better fit for managing a large group of visitors because you can limit the group's access to other group-connected services in a more granular way than in SharePoint.
SharePoint permissions can be a tricky business, but don't worry - even the pros make mistakes sometimes! Here are some common blunders to watch out for:
Giving someone ownership of the group without realizing they now own everything connected to it. That's like giving your dog the keys to your house and car. You may never see them again.
Having too many group owners is like having too many cooks in the kitchen. It's chaos, and nobody knows who's in charge.
Having only one group owner is like playing a game of Jenga with one hand tied behind your back. It may seem stable at first, but one false move and everything comes crashing down.
Using AD groups everywhere may seem like a good idea, but it's like putting all your eggs in one basket. Sure, you may have less to manage, but if something goes wrong, you're in for a scramble.
Adding someone directly to the SharePoint site members group is like hitching a ride on a rocket ship. Sure, it's exciting at first, but when the rocket takes off without you, you're left stranded in space.
Forgetting to limit external sharing is like leaving your front door wide open. Sure, your friends and family can come and go as they please, but so can anyone else - including that pesky neighbour who always borrows your lawnmower and never returns it.
Remember, these mistakes are easy to make, but with a little care and attention, you can avoid them and keep your SharePoint site running smoothly!
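As an added example (not from the original post), this script reviews the two sharing settings covered earlier, "Change how members can share" and the site's external sharing level, reports whether they are loose, and tightens them only when run with -Fix. It assumes PnP.PowerShell, a SharePoint administrator account, placeholder tenant and site names, and that ExistingExternalUserSharingOnly is an acceptable target level for your site (Disabled is the strictest).

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell, a SharePoint
# administrator account and placeholder tenant/site names; newer module versions also
# require -ClientId for an app registration of your own on Connect-PnPOnline.
param([switch]$Fix)

$siteUrl  = "https://TENANT.sharepoint.com/sites/SITE"   # placeholder
$adminUrl = "https://TENANT-admin.sharepoint.com"         # placeholder
$targetExternal = "ExistingExternalUserSharingOnly"       # pick the level your site needs

# 1. External sharing is a tenant-site property, read through the admin connection
$admin = Connect-PnPOnline -Url $adminUrl -Interactive -ReturnConnection
$tenantSite = Get-PnPTenantSite -Identity $siteUrl -Connection $admin
Write-Host "External sharing : $($tenantSite.SharingCapability)"

# 2. "Change how members can share" is a property of the site's root web
Connect-PnPOnline -Url $siteUrl -Interactive
$web = Get-PnPWeb -Includes MembersCanShare
Write-Host "Members can share: $($web.MembersCanShare)"

# Weak = guests can be invited freely, or members can share the site itself
$weak = ($tenantSite.SharingCapability -eq "ExternalUserAndGuestSharing") -or $web.MembersCanShare
if (-not $weak) { Write-Host "Sharing settings already restricted"; return }
if (-not $Fix)  { Write-Host "Weak settings found; re-run with -Fix to tighten them"; return }

# Corrected settings: only owners share the site, and only already-invited externals keep access
Set-PnPWeb -MembersCanShare:$false
Set-PnPTenantSite -Identity $siteUrl -SharingCapability $targetExternal -Connection $admin
Write-Host "Sharing settings tightened on $siteUrl"
```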
First Published on March 21st, 2023