SharePoint Modern Team Site Template Permissions Work-Around

Further to my previous blog post on modern site permissions, we have come up with a work-around for the modern experience governance issue.

What was the issue?

The default permission level for Site / Group Members is Edit rights.

This lets every user in that group alter or delete every app on the site, because the Manage Lists permission is included by default in the Edit level.

The problem is compounded because Site Owners are adding people to the sites via Outlook and SharePoint.

Remember that a new site collection is created every time you create a new Planner, new Microsoft Team, or add a site by clicking the SharePoint link.

Every new modern site collection also adds the Office 365 group members as Site Collection Administrators, so don’t forget to go and remove those and put in the real SCAs.

Now go to Permission Levels under Advanced Permissions.

Then click on the Edit permission level and untick the Manage Lists option. Update the description at the top to remove the wording that says it can delete lists. If you want to, you can change the name too. I do it this way so I can see instantly that I have changed this site collection without having to drill into the individual levels to check.

The next issue is that Edit now has exactly the same rights as the Contribute level.

So what we do is change the Contribute level into a Contribute No Delete level, because it is a very common business requirement to allow people to add content but not delete it. We edit the default Contribute rights and remove the delete options.

Now both groups make more sense and our governance model is secured.

Site Owners can now add people to their hearts’ content and we don’t have to worry about them deleting entire apps.

Of course this means you need to do this manually on every single site collection. This is where our PowerShell dudes need to step in. They can write scripts to do this across the platform to fix the Edit rights and put in the right SCAs. The script would have to be run daily, however, if you have Microsoft Teams activated, because teams are created on demand across the business.
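As an added example (not the blog author's script), the following PnP PowerShell applies the three changes from this post to a list of site collections and is safe to re-run on a schedule. It assumes the PnP.PowerShell module is installed, that the account used can connect to each site, and that the site URLs and the SCA list are placeholders you replace with your own.

```powershell
# Added example, not part of the original post. Assumes PnP.PowerShell; the
# site URLs and admin addresses below are placeholders.
Import-Module PnP.PowerShell

$SiteUrls   = @("https://contoso.sharepoint.com/sites/team-a")   # placeholder sites
$RealAdmins = @("sca1@contoso.com", "sca2@contoso.com")          # placeholder SCAs

# Returns $true when the Edit level still carries Manage Lists (the governance gap).
function Test-EditCanManageLists {
    $edit  = Get-PnPRoleDefinition -Identity "Edit"
    $perms = Get-PnPProperty -ClientObject $edit -Property BasePermissions
    return $perms.Has([Microsoft.SharePoint.Client.PermissionKind]::ManageLists)
}

function Repair-SitePermissions {
    param([string]$Url)
    Connect-PnPOnline -Url $Url -Interactive

    # 1. Edit level: drop Manage Lists so Members can no longer delete apps,
    #    and fix the description so it no longer claims they can.
    if (Test-EditCanManageLists) {
        Set-PnPRoleDefinition -Identity "Edit" -Clear ManageLists `
            -Description "Can add, edit and update items and documents, but not delete lists."
        Write-Host "$Url : removed Manage Lists from Edit"
    }

    # 2. Contribute level: remove the delete rights and rename it, as in the post.
    #    Check for the renamed level first so a daily run does not fail.
    $noDelete = Get-PnPRoleDefinition | Where-Object { $_.Name -eq "Contribute No Delete" }
    if (-not $noDelete) {
        Set-PnPRoleDefinition -Identity "Contribute" -NewRoleName "Contribute No Delete" `
            -Clear DeleteListItems, DeleteVersions `
            -Description "Can add and edit content, but not delete it."
        Write-Host "$Url : Contribute is now Contribute No Delete"
    }

    # 3. Site Collection Administrators: remove anyone not on the approved list
    #    (the group members added automatically) and add the real SCAs.
    $current = Get-PnPSiteCollectionAdmin | Select-Object -ExpandProperty Email
    $extra   = $current | Where-Object { $_ -and ($RealAdmins -notcontains $_) }
    if ($extra) { Remove-PnPSiteCollectionAdmin -Owners $extra }
    Add-PnPSiteCollectionAdmin -Owners $RealAdmins
    Disconnect-PnPOnline
}

foreach ($url in $SiteUrls) { Repair-SitePermissions -Url $url }
```

Run it against the full list of modern site collections each day so that Teams and Planner sites created overnight are picked up; the Write-Host lines double as a log of which sites were out of policy.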

Next – get an alert when a new site collection is created!

5 comments

  1. Thank you … Thank you … Thank you … I have now changed the permissions on all my site collections and can breathe a little easier now.
