
SharePoint Best Practice Guidance: Permissions Management

Permissions Management

1. Access Inheritance and how it works

SharePoint permissions operate based on inheritance. Top-level sites push permissions down to the objects and content of the site by default. Lists and libraries inherit permissions from the site, whereas folders (used very sparingly) inherit them from the list/library. Meanwhile, items and files inherit permissions from the list/library (or folders if applicable).

Different permissions can be applied to a list or library, folder, or item. By doing this you are breaking the inheritance of permissions from the site.

The best practice for permission management in SharePoint is to secure the largest object possible and to avoid granular permissions. Creating unique permissions for different objects increases the level of management that the SharePoint site will require.

2. How to best manage Permissions

If set in the wrong way, permissions can expose your documents through search results to more people than intended.

Here are some things to remember in order to protect SharePoint from unintended access:

  • Files in folders (if applicable) inherit their permissions from the folder
    • Unless you have shared this file with someone individually by using the “Share” option, only people who have access to the folder will have access to files in it
    • Folders, in turn, inherit their access from the document library
    • A library inherits permissions from the site
      • Keep the inheritance this way unless you have specific needs to restrict permissions
    • The site is at the top of the permission hierarchy. Permissions set here will drop down to all the items on that site.
      • There are three permission levels: “Site owners”, “Site members” and “Site Visitors”

3. Restricting Permissions on a Library

In specific scenarios, you may want to limit access to the library on the site. For example, when MDTs are in one team in MS Teams you may want specific libraries available to one specific team.

First, if your site has a library you want to limit access to, give it a name and description that clearly state its exceptional status.

For example, you can call it “Accrington Ward MDT (Clinical Nurse Specialists only)”. This will indicate to admins and members of the Accrington Ward MDT group that this library is visible to the Clinical Nurse Specialists only.

To limit permissions on the SharePoint library:

      1. Navigate to the library on that site and access the “Library settings” from the “Gear” menu
      2. Click on the “Permissions for this document library”
      3. Under the “Inheritance” section select “Stop Inheriting Permissions”
      4. Now in the “Grant” section you can select “Grant Permissions” to invite specific people to this library

Be sure to click “Show options” to make sure you are giving these staff members or groups the right level of access. “Read”, “Contribute”, or “Full Control” are the recommended options. Ignore the other permission options: they come from legacy SharePoint versions and are not relevant to what is intended here.

Once shared, you also want to remove groups and people that should not have access to the library.

Best Practice 1: Instead of going into the group and removing people in that group, remove the group itself.

Best Practice 2: Be sure you don’t remove the group you are a member of. Otherwise, you will lose access during the process of making this change. If this happens, ask the site collection administrator (or Local admin) to add you back to the site.

If you made a mistake and want to roll back permission changes, you can click “Delete unique permissions” while in the library settings and start over.

Best Practice 3: A decision was made to remove Microsoft’s native SharePoint “Everyone except external users” security group, which allows access to SharePoint content to everyone in the NHSmail tenant. This security group will be removed by Monday 22 July.

For information on available security groups on the NHSmail platform, please read the following NHSmail support site guidance: https://support.nhs.net/article-categories/security-group-management/
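
To review the result of the steps and best practices above, the following added example (not part of the original guidance and not NHSmail tooling) reports who is granted access at site level and on every library that has stopped inheriting, and flags grants to the “Everyone except external users” group. It assumes the PnP.PowerShell module, a session already connected to the site with Connect-PnPOnline, and English display names; the function and variable names are illustrative.

```powershell
# Added example. Assumes PnP.PowerShell and an existing Connect-PnPOnline
# session against the site being reviewed.

# Display name of the tenant-wide group named in Best Practice 3
# (assumption: English-language tenant).
$BroadGroup = 'Everyone except external users'

function Get-Grant {
    # Returns one row per principal that holds a grant on a site or library.
    param($Securable, [string]$Scope, [string]$Name)
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Load who the grant is for and which permission levels it carries.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Scope      = $Scope
            Name       = $Name
            Principal  = $ra.Member.Title
            Levels     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ', '
            BroadGroup = ($ra.Member.Title -eq $BroadGroup)
        }
    }
}

# The site is the top of the hierarchy: everything below inherits these grants.
$web    = Get-PnPWeb
$report = @(Get-Grant -Securable $web -Scope 'Site' -Name $web.Title)

# Document libraries only (BaseTemplate 101); hidden system lists are skipped.
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
foreach ($lib in $libraries) {
    # True once "Stop Inheriting Permissions" has been applied to the library.
    $unique = Get-PnPProperty -ClientObject $lib -Property HasUniqueRoleAssignments
    if ($unique) {
        $report += @(Get-Grant -Securable $lib -Scope 'Library (unique)' -Name $lib.Title)
    }
}

# Full picture first, then only the grants to the tenant-wide group.
$report | Sort-Object Scope, Name, Principal | Format-Table -AutoSize
$report | Where-Object BroadGroup | Format-Table Scope, Name, Levels -AutoSize
```

Libraries that do not appear under “Library (unique)” still inherit from the site, so the site-level rows describe their access as well.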

Last Reviewed Date 17/07/2024
Updated on 17/07/2024
