top of page

Best Practices to Avoid SharePoint "Spaghetti" Permissions

Access to information is both an asset and a risk. Oversharing is one of the largest risks to private information, especially in the era of AI tools like Copilot. Having a well-defined and maintainable permission model is a big key to success in SharePoint Online, but having a well-defined permission model also has its challenges. Below are some key thoughts and best practices you should consider regarding your Microsoft 365 permissions models as they relate to the documents you store in SharePoint Online:


Basic Permissions Through Microsoft 365 Groups

One way to assign permissions is through the standard Microsoft 365 groups created alongside your Modern (Teams-Enabled) Site. With every new site, the following groups are created:


  • Site Admin: True administrator-level control of the SharePoint site and all its assets.

  • Owner: Admin level control of the Group, including to SharePoint, Teams, and other applications.

  • Member: Read/Write permission to all content in the Group, but no admin access.

  • Visitor: Read-Only access to all content in the Group.


The easiest way, by far, to control permissions is to define a Site structure that resembles working groups within your organization, allowing you to assign naturally-defined groups of users to each of the roles above. By sticking with a strictly out-of-the-box model, it will be much simpler to govern permissions across your Sites.


One thing to note is that the 'Owner' level of access gives people the ability to change the membership of groups, fundamentally giving them the permission to modify who has access to the Site / Team. This privilege should come with training and with express expectations of acceptable use.


Enhancing permissions beyond the basic groups

If you feel the need to get more granular and provide more specific permissions, SharePoint offers you the ability to change two key things about the permission model:

  • Breaking inheritance and giving objects (libraries, docsets, folders, documents, etc.) unique permissions.

  • Creating custom permission levels that provide different sets of privileges to assigned users.


When breaking inheritance, you are multiplying exponentially the amount of maintenance you will need to do in order to maintain security. If you feel the need to do this, our strong recommendation is to only break inheritance at the Library level. Any lower, and you will run a high risk of making your permissions unmanageable.


Custom permission levels are more forgiving, although our strong recommendation is to make them common across all of your sites in order to maintain consistency and reduce confusion on different levels of access.


Generally, it is important whenever you are departing from standard permissions models to document the changes in detail, so your administrators will have reference to the changes in the future. It's also pivotal to test your access model with these changes because there may be unintended consequences of these custom models.


With a custom permission structure, you may want to consider a third-party permissions management tool to help more granularly control the permissions you have put in place.


Sharing Links

Being able to quickly collaborate on documents is an extremely valuable part of SharePoint Online. Sharing links help to enable this, but at a higher level, Sharing Links allow people in the 'Owner' or 'Member' category for a document to quickly modify permissions and grant case-by-case access (read or write) to a document.


While you can restrict people's ability to share documents within your company, we recommend leaving this option open to your people and training them on the proper use of the tool. We also recommend setting the default sharing behaviour to 'People I Choose' to prevent oversharing. There are a lot of valuable use cases for this functionality and restricting it will be a negative to overall experience.


Cleaning up errant links can be a bit of a mess, but problem number one is identifying where these links exist. A reporting tool built into the SharePoint Advanced Management module can provide you with a list of links that you will need to remediate. From this report, you can request your users take action to clean up loose ends.


Sharing Externally

One benefit of SharePoint being a cloud tool is that you are technically able to share with anyone with an email address. For those security-minded folks, this is actually a big risk in the hands of the average user, both from a purposeful misuse and an accidental misuse perspective.


While it would be over-restrictive to turn off external sharing, our recommendation is to highly limit this functionality, only providing the privilege of external sharing to a select few users who have undergone additional training. With this restriction in place, you will likely achieve your protection goals while preserving collaboration capabilities.


Actions that a user can take on a document can also be controlled via Sensitivity Labels and/or DLP policies, and hence, it would be valuable to explore these two features of Purview as you develop and evaluate approaches to protecting your data.


bottom of page