Manage SharePoint Permissions

Your SharePoint Security should be a primary concern!

In this video, Office 365 MVP Benjamin Niaulin demonstrates how Sharegate can be used to manage SharePoint Users and their permissions in order to enforce security on both SharePoint and Office 365.


As always, if you're the person in charge of the SharePoint environment, whether it's On-Premises or in Office 365, you want to make sure that you stay in control of whoever has access to what, and don't grant the wrong permissions to the wrong people. How do you do this?

In SharePoint, it's quite complicated, right? You can do something by site collection, and even then, it's hard to stay in control of who has access to what. It gets even harder when you're in Office 365, and then introduces external users, groups, and all this kind of stuff. So that's why, with Sharegate, we've invested a lot in security management. The way that it works is you put Sharegate on your desktop, and start exploring and managing security right from the central location. Let me show you how that works.

Manage SharePoint Permissions with Sharegate

I'm going to click on Explorer which is the default tab of Sharegate. There, I'm going to see all of my environments, whether they're On-Premises or on Office 365. Of course, I can click on the plus sign and add as many environments as I desire.

Once that's done, I'm going to be able to explore by clicking and drilling down to see all the different sites and site collections. I can continue to explore, looking at all the lists and libraries, site settings, what are the site collection features activated, what are the site content types, the groups available, what are the lists and libraries available, who has access to them, and something that we're going to see of course, the content types, there are tons and tons.

Every time I highlight something, the Sharegate Explorer panel is going to show me, on the right hand side, the general information on this and the security information, or the security management features, available. Under "General", I'm going to see all the descriptions, all the properties, when was it created, when was it modified, what is the size, who are the owners, how many subsites. Running out of breath. There are so many things I can see right from here.

SharePoint Security Through Permissions

But what about security? What about those permissions? If you click on "Security" tab on the Explorer for a particular object you've selected. And don't forget, you can also select multiple objects at the same time so that you can run bulk actions on them.

Once you've selected an object, you'll see that, here, you'll get tons of information such as: Is custom permissions enable? Are anonymous access available? Who has access to it? Click on the "Permissions" link and "View All", and you can see who has access, and how they have access. You can also see who are the administrators, who are the owners; and, if there are any external users, you'll see them here at the bottom. Who are the external users for this site collection, or for this library? You get the idea.

At the top here, this is where security management comes together in Sharegate. We give you tons of options that will allow you keep control over your different environments, whether it's one by one, or if you select multiple together, you'll see them grouped here as well.

You'll have a couple of options. The first one is "Add Permissions", that goes along with the "Remove Permissions", of course. And this follows the best practice; with our use of experience, we know that generally speaking, we want to add users or active directory groups in SharePoint Groups as much as we can.

It's easier for management, and it's generally recommended. Here, because I've selected the group site collection in the previous screen, you see that the target is automatically selected. If I go back using the breadcrumb at the top, and selected multiple site collections, and click on the same "Add Permissions", I'll see that they're all selected here, and all their groups are available and shown below. This will make it a lot easier...

To find a user, say Alex Darrow, the famous Alex Darrow from my demos, I'm going to select this person and add them here and click on Select. Now, I can filter because I know I want to add Alex Darrow to all of the members group in my different site collections. So I start typing "member", and I can see all of the different groups that have the word member in there. Select them all, "Apply" or "Add Explicit Permissions".

I don't recommend that because I've selected a user. If you've selected an active directory group, you could add explicit permissions to that. The options are there, and Sharegate allows you to do that. Click on "Apply", and now, Alex Darrow has been added to the members group of these four site collections. Pretty cool.

Now, if I go back to the explorer, there's also "Remove Permissions". So it's the same principle. You have all of the targets selected, you choose a user, say Alex Darrow, select the person, and "Remove Permissions". Now, I can put the same things from all of the groups or, once again, filter and remove Alex Darrow from same members group that I had just added in bulk.

Manage SharePoint Groups Permissions

Now, think about that for a second. You're in your environment, right? You're in your Office 365. You're in your SharePoint On-Premises. It's going out of control. There are multiple sites, multiple site collections. People are breaking inheritance everywhere. You have this library that's different than the other. And you have a new person that comes into the organization, or you want to add someone, or remove them from specific groups. How are you going to do this? That's where this comes in. The same tool that allows you to migrate, to run reports, will also allow you to run this kind of security management feature here.

So I can continue on and click on Explorer. Let's ungroup all of them. I can also "Copy User Permissions". So there, I can select one source user, select a destination user, and it's going to copy the group membership, go to child objects, or even go to content. And Sharegate is going to go for the target selected, it's going to go and apply the permissions from one user to another. I think I did this last week when somebody joined the organization here at Sharegate, and I wanted to give the same permissions as someone else in the department that I wanted to. It took me three clicks and a couple of minutes, and we were all set in that entire environment. That's what I need. I need simple solutions for big problems.

If I go back once again to the Explorer, another one will be to "Check Permissions". I mean, it's pretty straightforward. It's what the name says it does. You give it a target, selected in the previous screen, you choose a user, and see what you want to check permissions on, how you want. You want to check them on lists and libraries only, sites only, sites and list and libraries, content? That's what all of these checkboxes are. Only custom permissions, only explicit, only limited, and you choose them. You can combine them, as well. That's what the "Check Permissions" does. And, of course, afterwards, you can export them into Excel, and give them.

And I'll give an example of a customer of ours, who were using SharePoint and had the Sharegate, said somebody in the Finance Department wanted to know who had access. Or, how did John have access to the entire site collections? Simple clicks, gave them the report, and they knew exactly what was going on in their environment, on their content, lists and libraries, and sites and site collections.

So we have the "Clean Limited Access", of course. "Clean Limited Access" is what? Well, SharePoint adds automatically limited access to almost every different object. So, for example, if you want to understand that a little bit more, if you have a document library or folder, and everything above it has custom permissions, the folder above it, the library above it, and the site above it, what SharePoint does is automatically grant limited access so that a person that has to have access to a document below the library can pass through. It's like going through a corridor and needing to open all the doors to get to the last one.

Limited access, though, does not get removed once you remove the permissions granted at the destination. So if you want to keep a healthy environment, clean and well organized, Sharegate cleans the limited access, and removes only the ones that are no longer needed.

You also have the "External Sharing Report". That is a God-send if you're in Office 365. Office 365 has introduced a way to invite people from outside of your organization to participate in your SharePoint environment, in your groups very soon, and everywhere else such as OneDrive for Business.

Now, we've had this problem right here at Sharegate. I granted access to two external users for one document in our team site, but someone else had added the "Everyone" group for the entire site as contributors. So by granting two external users access, because of that other action, everyone had access. They had access to everything in my team site. That is extremely dangerous. That's why we actually build this feature, learning from our own experiences. So you can click on "External Sharing Report", and you'll know everything that's been shared with external users.

Saving what I think the best for last is our "Permissions Matrix Report". We've been asked to do this for months now. You select something at the source, you press on the button, and you get a beautiful table report on who has access to what you selected, and how they have access. You can even export that into Excel. If you want, you can even expand the groups, including active directory groups, to see the users inside of them, and how they have access to them.

Honestly, if you wanted to stay in control of your SharePoint or Office 365, OneDrive for Business environment, look no further.

Read video transcript