Permission inheritance and sharing - what a mess

  • Question

  • Hello, I have the current scenario: I have a lot of team sites with the following configuration:

    - default permissions for team members (owners - members - visitors)

    - permission granted at site level or doclibrary level to users/groups (management wants to have access to all content)

    - sharing features enabled

    Now, let's imagine that a user shares a document or a folder with someone (not using the "people with existing access" sharing). This breaks the inheritance on the tree starting from this object. If later I grant another user/group permission at site level or doclibrary level, this user/group will not get access to the folder shared and to the tree below.

    This is so bad. I cannot believe SharePoint acts in this way. Am I missing something? Disabling sharing capabilities is not an option (it's in SharePoint's nature) but in the meantime the governance will be a nightmare. I NEED to remediate it in some way. How? Potentially I can schedule a script that finds objects with broken inheritance and adds father's permissions, but it will increase the fragmentation. Or, I can cover that single case running that script only when someone is added at top level (site or library). Any advice?

    Monday, October 21, 2019 11:44 AM

All replies

  • Hi,

    It’s true that when you perform sharing in SharePoint, you create unique permissions for the shared document, item or list. It will only break the permission inheritance for the shared ones.

    This is the default behavior of SharePoint and will not cause any security issue as long as you don't delete any of the default SharePoint groups.

    One effective way to avoid breaking permission inheritance is to manage users via groups. Users need “Manage permissions” permission to share documents and grant permission to other users. If you want to restrict users’ sharing behavior, you can create a group with a custom permission level and deselect “Manage permissions” for them.

    You can also reset permission inheritance and delete unique permissions for a single item or all items with PowerShell commands in SharePoint Server 2019.

    Please refer to the links below for detailed information.

    Understanding permission levels in SharePoint.

    https://docs.microsoft.com/en-us/sharepoint/understanding-permission-levels#permission-levels-and-sharepoint-groups

    Delete Unique Permissions (Reset Broken Inheritance) in SharePoint 2013 using PowerShell.

    Please note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    Best regards,

    Chelsea Wu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Tuesday, October 22, 2019 2:56 AM
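
The scenario in the question (a grant made at library level that never reaches a shared folder) can be measured before deciding how to remediate. The following is an added example, not part of the thread or of any Microsoft script: a read-only audit for an on-premises farm that lists every folder or item with unique permissions and the library-level principals it does not carry. The site URL and the function name `Get-GrantedPrincipal` are placeholders chosen for illustration.

```powershell
# Added example: read-only audit, modifies nothing.
# Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl = 'https://sharepoint.example.com/sites/team'   # placeholder URL, not from the thread

function Get-GrantedPrincipal {
    param($Securable)
    # Names of principals holding at least one role other than Limited Access
    # (SPRoleType 'Guest'), which SharePoint adds on parents when a child is shared.
    foreach ($ra in $Securable.RoleAssignments) {
        $real = @($ra.RoleDefinitionBindings | Where-Object { $_.Type -ne 'Guest' })
        if ($real.Count -gt 0) { $ra.Member.Name }
    }
}

$web = Get-SPWeb -Identity $webUrl
try {
    foreach ($list in @($web.Lists | Where-Object { -not $_.Hidden })) {
        # Effective principals on the library (its own scope, or the site's if it inherits)
        $libraryPrincipals = @(Get-GrantedPrincipal $list)
        # Folders and items/files are separate collections in the server object model.
        foreach ($item in @($list.Folders) + @($list.Items)) {
            if (-not $item.HasUniqueRoleAssignments) { continue }
            $own     = @(Get-GrantedPrincipal $item)
            $missing = @($libraryPrincipals | Where-Object { $_ -notin $own })
            [pscustomobject]@{
                Library          = $list.Title
                Url              = $item.Url
                MissingFromScope = $missing -join '; '
            }
        }
    }
}
finally {
    $web.Dispose()
}
```

The comparison is against the library only, so a folder that sits under another uniquely permissioned folder is still measured against the library's principals; on very large libraries, enumerating `Items` is slow and is better run off-hours.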
  • Hi,

    I'm checking in on how this issue is going.

    Please remember to update this thread if you have any progress.

    Thank you for your understanding.

    Best regards,

    Chelsea Wu



    Thursday, October 24, 2019 1:12 AM