Permissions in the modern SharePoint / Teams cloud continue to be a huge headache in most people’s lives. It’s understandable. There are 13 admin centres in Office 365 and 45 administrator roles; 4 different SharePoint templates and 4 additional permission levels; 3 different Teams templates; then add Office 365 groups into the mix. It’s a huge undertaking getting your head around it all.
Let’s start with the issue with edit rights. By default, everyone added as a member in Teams or SharePoint gets added to the site’s SharePoint Members group, which has the Edit permission level. And this is the issue: Edit is Contribute plus the Manage Lists permission, and Manage Lists allows creating and deleting lists and libraries, not just the items inside them.
In stand-alone SharePoint, you could have just changed the permission level for the Members group to Contribute with no issues. However, with Office 365 group-connected sites, you can’t. So you need to break permission inheritance on the library (or item) and set the rights there instead.
I stand by my viewpoint that this is a fundamental flaw in the permissions model. It started with SharePoint 2013 on premises and was only compounded by Office 365 groups. Microsoft refuse to acknowledge that this is an issue; I’ve tried many times. From a data governance and security perspective, this is an issue in my book. Try explaining to Security Officers and ISO auditors that all staff in Members groups have the right to delete entire libraries full of strategic company information in every single site collection (and that includes all the sites connected to Microsoft Teams). Fixing it is a manual exercise unless you have a PowerShell guru who can write and run scripts for you daily to fix this automatically on every SharePoint site collection. It is important to add this to your governance considerations when designing your intranet.
Now let’s talk about the home page of the modern SharePoint sites. It’s the big EDIT button on the home page that understandably freaks out a lot of people.
First you need to understand where the home page lives. Pages are stored inside the site in a document library called Site Pages. You can get to it from Site Contents, either via the Quick Launch on the left or via the Settings cog at the top right.
Both classic and modern pages are available from the New button in here, and you can switch between the default views. I tend to delete the “By Author” view, make the All Pages view the default and sort it alphabetically so pages are easier to find.
You can create new pages here in the ‘back end’, which people are highly unlikely to stumble into. Take the Pages link off the Quick Launch as well.
You can make any page the home page, so you can run themes on a monthly basis if you need to. You can also rename pages here. Leave the default “Home” page as it is, so you can always revert to it and know where you started. You may see page names with odd strings like 6742xR23f. That happens when you’ve created a page but didn’t click Save fast enough.
To stop people adding or editing pages, you need to change the permissions on library level. Go to Library Settings.
Or go directly from Site Contents.
And select the permissions link.
Click Stop Inheriting permissions and confirm the action.
You’ll see that the message now changes to say this library has unique permissions. The 3 default groups are still in there though. If you leave them like that, the permissions won’t change.
Now there are different ways you can do this, depending on who must do what and which AD/O365 groups you’ve got set up, but we’ll keep it simple for the sake of this blog. I’m going to delete all the groups and add one owner and everyone else as visitors.
Very important: if you are not a Site Collection Administrator and you delete the groups, you will lock yourself out of the library. Site Collection Administrators always retain access regardless of the unique permissions on a library; a Site Owner does not. So if you are NOT a Site Collection Administrator and only a Site Owner, add yourself as a Full Control user first! Then you can select the groups and delete them. To reiterate: if you leave the groups in, the library will say it has unique permissions, but it still has exactly the same permissions as the site it is on, because nothing has actually changed.
Then add everyone else with the Read permission level rather than sharing the whole library with them, and untick the email invitation so nobody receives a welcome email.
VERY IMPORTANT!!! Before you do anything else, click Browse on the ribbon and then Settings.
Now click List Name, Description and Navigation and write down what you just did in the description. This description box is critically important to good intranet management. Every single app must have a description that explains the settings in that app. You are NOT a good SharePoint person / Intranet Manager / Developer / Consultant if you are NOT doing this! It just causes chaos for whoever takes over your stuff when you go. Fill in the descriptions properly! *Rant over*.
Anyway, that’s that. Go back to your home page and the edit button is gone for all staff.
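As an added example that is not code from the original post, here is a PnP.PowerShell script that does the whole procedure above for every modern site collection at once: the kind of scheduled script the governance paragraph earlier says you need unless you fix each site by hand. It is my own approach, not Microsoft’s or the author’s: it grants rights to the site’s associated Owners/Members/Visitors groups instead of named users, and the tenant admin URL, client ID and description text are placeholders to replace with your own.

```powershell
<#
  Added example, not code from the original post. It applies the Site Pages
  lock-down described above to every modern site collection in a tenant using
  PnP.PowerShell, and reports any library that still inherits or still grants
  Edit. Assumptions (mine, not the page's): PnP.PowerShell is installed, the
  admin URL and client ID are placeholders for your tenant and app registration,
  and the signed-in account is a SharePoint Administrator, which makes it a
  Site Collection Administrator everywhere, so it cannot lock itself out.
#>
param(
    [string]$TenantAdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder
    [string]$ClientId       = "00000000-0000-0000-0000-000000000000",   # placeholder
    [switch]$ReportOnly                                                 # audit, change nothing
)

Import-Module PnP.PowerShell -ErrorAction Stop

# One row per principal with rights on the library: what an auditor will ask for.
function Get-LibraryPermissionReport {
    param([Parameter(Mandatory)] $List, [Parameter(Mandatory)] [string]$SiteUrl)
    $assignments = Get-PnPProperty -ClientObject $List -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Site      = $SiteUrl
            Principal = $ra.Member.Title
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

Connect-PnPOnline -Url $TenantAdminUrl -Interactive -ClientId $ClientId

# GROUP#0 is every Office 365 group-connected site, which includes every site
# behind a Team; SITEPAGEPUBLISHING#0 is a communication site. Both carry a
# modern Site Pages library.
$sites = Get-PnPTenantSite | Where-Object { $_.Template -in "GROUP#0", "SITEPAGEPUBLISHING#0" }

$report = foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId
    $list = Get-PnPList -Identity "Site Pages" -Includes HasUniqueRoleAssignments -ErrorAction SilentlyContinue
    if (-not $list) { Write-Warning "$($site.Url): no Site Pages library, skipped"; continue }
    $owners = Get-PnPGroup -AssociatedOwnerGroup

    if (-not $ReportOnly) {
        # Reset first so a re-run starts from a clean slate, then stop inheriting
        # WITHOUT copying the site's assignments. Copying is what the UI does and
        # is why "unique permissions" with the three default groups still in
        # place changes nothing.
        if ($list.HasUniqueRoleAssignments) { Set-PnPList -Identity $list -ResetRoleInheritance }
        Set-PnPList -Identity $list -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

        # Owners keep Full Control; members and visitors drop to Read. The post
        # adds one named owner and individual readers by hand; using the site's
        # own groups instead keeps the script tenant-agnostic and means new
        # Team members get Read automatically.
        Set-PnPListPermission -Identity $list -Group $owners -AddRole "Full Control"
        Set-PnPListPermission -Identity $list -Group (Get-PnPGroup -AssociatedMemberGroup)  -AddRole "Read"
        Set-PnPListPermission -Identity $list -Group (Get-PnPGroup -AssociatedVisitorGroup) -AddRole "Read"

        # The description the post insists on, so the next admin knows why.
        Set-PnPList -Identity $list -Description ("Unique permissions: Owners Full Control, " +
            "Members and Visitors Read. Set by script on $(Get-Date -Format s).")
    }

    # Re-read and flag both failure modes: still inheriting, or unique in name only.
    $list = Get-PnPList -Identity "Site Pages" -Includes HasUniqueRoleAssignments
    $rows = Get-LibraryPermissionReport -List $list -SiteUrl $site.Url
    if (-not $list.HasUniqueRoleAssignments) {
        Write-Warning "$($site.Url): Site Pages still inherits from the site"
    }
    $rows | Where-Object { $_.Principal -ne $owners.Title -and $_.Roles -match 'Edit|Contribute|Full Control' } |
        ForEach-Object { Write-Warning "$($site.Url): $($_.Principal) can still edit pages ($($_.Roles))" }
    $rows
}

$report | Format-Table -AutoSize
# $report | Export-Csv -NoTypeInformation -Path .\SitePagesPermissions.csv   # for the auditors
```

Run it with `-ReportOnly` first to see what every site currently looks like, then without it to apply the change; the warnings at the end are the check that matters, because a library can say “unique permissions” and still hand Edit to every member. Two caveats: `-ClearSubscopes` wipes any per-page unique permissions someone set by hand, and this only protects the Site Pages library. The Members group still has Edit, and therefore Manage Lists, on every other library in the site, which is the governance problem raised at the top of this post.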
Clean out all those default web parts on the home page and add your own.