Office 365 SharePoint Permission Issues

  • Question

  • I created 4 sub sites. The sub sites are being linked from the top site via navigation except that the 4 links are getting audiences so that only certain folks see the links.

    The audiences are based upon SharePoint groups that are generated in Office 365 active directory. The audiences have compiled and folks can now see the links.

    The SharePoint groups were used to assign read permission to the 4 sub sites. The SP groups were also used to assign contribute permission to the sub sites web parts.

    The issue: when members of the SP groups accessed the sub sites, they were informed that they did not have permission and the site allowed them to request it. I tried adding the group to the auto generated “sub site visitors” groups, under permissions, and this did not assign read permission. I had to add each member individually to the sub site visitors group in order for them to get access. I then gave that group contribute permission under the web parts.

    I have been using Office 365 active directory, SharePoint groups to assign permissions since back in the on premises 2007 days. Has something changed? Might this be a bug? I know the rest of the site collection is working fine using SP groups to assign access and web part permissions.

    How do I get around having to add folks individually to the auto generated groups?

    Monday, July 15, 2019 5:24 PM

Answers

  • I figured out what happened with the groups and it's not a problem with the system as much as with a user trying to be efficient. Let me explain:

    We have one main site and four sub sites. The main site has some people in it. Those people are also members of the four sub sites. Each sub site gets a handful of extra people that are members of that sub site only.

    When the network administrator created the audiences based upon the groups, he first put the members of the top site in their own group and then the sub site extra members in the sub site groups. He then nested the groups such that everyone would be part of the correct group. I then used the sub site groups to assign access to the sub sites. I did not know that the sub site groups did not contain the full set of members. Nesting worked when I created the audiences, but not for permissions. Since the sub site groups had only a fraction of the total members, only those in the group got access.

    I will have to get him to fix the groups.

    Can someone explain why the nesting SharePoint groups worked for creating audiences but not for permissions?



    Monday, July 22, 2019 6:35 PM

All replies

  • Hi, RCDA,

    According to your description, I assume the sub-sites break the permission inheritance and have their unique permission settings. Then you assign the SP groups read permissions in the 4 sub sites. In the site permission page, please do a permission check on the groups with issues.

    The issue you have is that the users in the SP group will not get access to the site when you grant the permission to the SP group directly or add the O365 group to the subsite visitors group; you have to give the users permission directly by adding group members one by one. Please set me right if there are misunderstandings.

    "I tried adding the group to the auto generated “sub site visitors” groups, under permissions, and this did not assign read permission." 

    What group are you adding? The AD group or the SP group? Does the process of adding users/groups to the subsite visitors group only work for individual users instead of any groups?

    I constructed several tests with O365 groups and they got the read permission correctly. More detailed permission setting information will be helpful in reproducing your issue on my end.

    Best Regards

    Jerry


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Tuesday, July 16, 2019 2:55 AM
  • Yes, these 4 sub sites do not get permissions from parent sites. I did this because only a few folks will be using them and it's a pain to remove all the extra people that don't get access.

    I had the network administrator create the corresponding groups in Active Directory and that created the SharePoint groups upon sync with Office 365. I then added the SharePoint groups to the sites and gave the group read permission. They did not get access. I then tried adding the SP group to the site visitors group since it is created and given read permission at site creation. The folks did not get access to the site.  I then had to add the members individually to the visitors group in order for them to get access.

    This is the first time I've ever used the auto generated permission groups. Usually I add the SP group to the site and give it permission directly. I know that the members are in the SP group because I used the SP group to create audiences. I then checked the audience members and as expected the member list is correct.

    Tuesday, July 16, 2019 12:49 PM
  • Hi, RCDA,

    I assume the groups made this way:

    1. Create the Group in local AD

    2. Sync the local AD group to Azure AD

    3. Create a SharePoint group that contains the AD group.

    I cannot reproduce your issue on my end. The best approach I can think of is removing the SP group from the user information list and recreating a new SP group for further tests. It seems that the SP group is not correctly recognized.

    Best Regards

    Jerry



    Thursday, July 18, 2019 9:46 AM
  • That sounds like a good idea and I would do that but the SP groups are correctly recognized as far as being the basis for audiences. And if I delete the groups and recreate them, then the audiences will compile with no members. I can't have that. At the moment, I've got the permissions working as expected.

    If I have the network admin delete the SP groups and recreate them by syncing Local AD groups with Azure AD, will that mess with my audiences? I'm thinking that when the groups are deleted, the audience settings will lose the rule which includes folks that are a member of the deleted SP group. When the groups are recreated, I would have to add the rule back in order for members of the SP Groups to rejoin the audiences. Right? I'm guessing that this is kind of like when I delete a document and the link to it in navigation disappears.

    I don't want the folks that have access to the sub sites to lose access because the links that show based upon audience membership disappear. The main concern is that Microsoft only compiles audiences once a week and if I screw things up, it takes a week to get it right. It's not like when our site was on premises and we could compile whenever we wanted/needed to.

    Thursday, July 18, 2019 12:59 PM
  • Hi, RCDA,

    You are right, deleting the existing SP groups will cause a mess. So for testing, keep the old SP groups and create new groups in the same way for troubleshooting.

    Best Regards

    Jerry



    Friday, July 19, 2019 9:21 AM
  • I will talk to my network admin and have him create a new SP group with different members in order to see if I can figure out what is going on.
    Friday, July 19, 2019 12:35 PM
  • I had my network admin create a new group with a test account in it. I gave the group permission the way I did the other SP groups and then when I logged in as the test account, the test account had access to the site as expected. I'm now stumped as to why the earlier 4 groups wouldn't have access.
    Monday, July 22, 2019 1:00 PM
  • Hi, RCDA,

    As I am not very clear about the actual nesting structure on your end, it is a bit hard for me to figure out why audiences work while the permission groups do not.

    Per my knowledge, it will be better not to use nested groups for permission levels. It will always cause a mess and be hard to troubleshoot. Just create a few more separate groups so that you have a clear structure. It will not cause much work in your audience settings while the permission groups will be much easier to handle.

    Best Regards

    Jerry



    Thursday, July 25, 2019 1:38 AM
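
The membership gap described in the answer can be checked before a group is used to grant access. The following is an added example, not code from the thread or from Microsoft: it works on a constructed, offline group map (the layout, all group and user names, the `group:` prefix and both function names are assumptions, since the thread does not give the real structure) and reports, per group, which expected users are missing from the direct members and from the nested expansion.

```powershell
# Constructed sample data; all group and user names are hypothetical.
# Key = group name, value = direct members. "group:<name>" marks a nested group.
$Groups = @{
    'TopSite-Members'   = @('alice', 'bob')
    'SubSiteA-Extras'   = @('carol')
    # Group that nests the other two (the kind an audience rule could point at).
    'SubSiteA-Audience' = @('group:TopSite-Members', 'group:SubSiteA-Extras')
}

function Get-ExpandedMember {
    # Emits every user reachable from $Name through nested groups.
    param(
        [Parameter(Mandatory)][hashtable]$Groups,
        [Parameter(Mandatory)][string]$Name,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    if (-not $Seen.Add($Name)) { return }            # already visited: cycle guard
    if (-not $Groups.ContainsKey($Name)) {
        Write-Warning "Group '$Name' is not in the export"
        return
    }
    foreach ($member in $Groups[$Name]) {
        if ($member -like 'group:*') {
            Get-ExpandedMember -Groups $Groups -Name $member.Substring(6) -Seen $Seen
        } else {
            $member
        }
    }
}

function Test-GroupCoverage {
    # Compares who a group covers directly and after expansion with the expected roster.
    param([hashtable]$Groups, [string]$Name, [string[]]$Expected)
    $direct   = @($Groups[$Name] | Where-Object { $_ -and $_ -notlike 'group:*' })
    $expanded = @(Get-ExpandedMember -Groups $Groups -Name $Name | Sort-Object -Unique)
    [pscustomobject]@{
        Group           = $Name
        DirectUsers     = $direct -join ', '
        ExpandedUsers   = $expanded -join ', '
        MissingDirect   = @($Expected | Where-Object { $_ -notin $direct }) -join ', '
        MissingExpanded = @($Expected | Where-Object { $_ -notin $expanded }) -join ', '
    }
}

$roster = 'alice', 'bob', 'carol'   # who should reach sub site A (constructed)
'SubSiteA-Extras', 'SubSiteA-Audience' |
    ForEach-Object { Test-GroupCoverage -Groups $Groups -Name $_ -Expected $roster } |
    Format-List
```

A non-empty `MissingExpanded` means the group itself lacks those users however nesting is resolved; a non-empty `MissingDirect` with an empty `MissingExpanded` means access for those users depends entirely on the nested groups being expanded.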