編輯

共用方式為


Planning Permissions with Group-based SharePoint Sites... when you're used to Regular SharePoint Permissions

Note

This is an open-source article with the community providing support for it. For official Microsoft content, see Microsoft 365 documentation.

Basic Idea

When you're a Site Owner of a SharePoint Site Collection, you should ask yourself - Is this SharePoint site collection associated with a modern Office 365 Group?

If it is associated with a Group, the permission model you're used to is going to be different. You can easily confuse users and expose content in a way they don't want to if you try and apply and manipulate traditional SharePoint permissions in a Group site.

A Cautionary Tale: As Site Owner, you may want to discourage other Owners of the Group Site not to use the traditional Designer/Contributor/Reader SharePoint Levels. This can lead to a support nightmare.

The Story So Far

As a SharePoint Site Owner, you should already be familiar with these permissions concepts:

This has been the model for On-Premises SharePoint Site Collections for some time.

Where things are different with Office 365 Group-generated SharePoint Sites

It's hard not to spawn a SharePoint Site Collection when using the new Modern Office 365 tools like Teams, Planner, and Outlook. Make a new Team, and you get a Site Collection. Membership, by default, is synced across these tools.

Here's the breakdown

Traditional SharePoint Site Site Spawned from O365 Group Shared with Teams, Planner, Outlook, etc
Owners Owners No
Members Members Yes
Designers n/a No
Contributors n/a No
Visitors n/a No
Custom level n/a No

It is still possible to create a Modern SharePoint Site that isn't part of a group, and in that case you get the usual permission levels.

Best Practices

  • If you're adding users to a traditional SharePoint site, add them using the Gear Icon and Site Permissions link.
  • If you're adding users to a Group-spawned SharePoint Site Collection - who need to participate in Teams, Planner, Outlook - add them with the Members link in the SharePoint Group Site, or add them in Teams, Planner, or Outlook.
  • Don't add them in both places.
  • Remember: In an Office 365 Group, a Member added to the associated Team, Planner, or Outlook instance is a Member in the SharePoint site. The benefits of tool integration only works if your access is the same across the suite
  • A Visitor really isn't a thing with a Group-spawned SharePoint Site - unless you add them into the SharePoint-generated 'Visitor' group via the Site Permissions link.
  • A Member in a Group-spawned Site SharePoint has considerable power. That mission critical document library with beautifully crafted Views and Workflow? Someone adding Planner Tasks can easily delete this library.

Terminology

Product names overlap a little, so here are some stories describing common scenarios:

My team needed to collaborate, so I signed into Teams and made a Team. That also generated a Group SharePoint site, and a Planner Board! When I add a user to the Team, they have access all over.

I had to add some read-only users to my legacy SharePoint Online Site. I went to Site Permissions and added them to the existing Microsoft Entra Visitors Group. I didn't see a link that said 'Members' on the screen.

My boss told me to own our group's Planner board, so my IT department made me an Owner of this Office 365 Group! I can now add users to a SharePoint Group Site! And delete Planner Boards.

Further Reading


Principal author: Patrick M Doran