One of the most complex aspects of running any organisation’s digital workspace is how to manage all the associated permissions and access to the different applications, documents and information within it. In a nutshell, this is sorting out who is able to see and also use every aspect of your digital workspace, including content. It’s also about defining how users can access apps and content, for example: can they edit or just read an item? The defined permissions relating to different tools can get very detailed, granular, and specific.
Before the dramatic improvement in digital workspace technologies of recent years, access and permissions were less of a problem, because an employee who should not necessarily have access to a particular application would not be able to find it, so they just would not access it. Now, with the introduction of feature-rich platforms like Microsoft 365 that come packed with a huge range of applications and include powerful search capabilities, employees can uncover vast numbers of documents and apps. This means permissions and access need to be far more tightly managed.
Why are permissions and access important?
Having a good approach to permissions and access across your digital workspace is critical for a number of reasons.
Security and privacy
Organisations take their legal and regulatory commitments to data security and privacy very seriously. Data breaches, the exposure of sensitive information to the wrong people, not meeting GDPR standards and so on, can lead to very serious reputational damage. Managing permissions and access can help to minimise the risk of issues relating to security and privacy.
Access to internal sensitive information
Some information is very sensitive and while it might not be a security risk, access to it needs to be restricted within an organisation.
Confidence and adoption
Many users are sensitive about sharing information and documents and who can see what they are working upon. If they are not confident that the right permissions and access to a document are not being applied, they may be reluctant to use the digital workspace, impacting overall confidence and adoption in your digital workspace tools.
Digital workspace governance
IT and digital workspace teams often need to apply some level of governance and control to a digital workspace, for example locking down the use of particular tools. This is a particular issue with Microsoft 365 where there is so much functionality, IT can simply not support everything, and therefore not all tools will be rolled out. Here, restricting access and holding a tight rein over permissions is sometimes required.
Individual application governance
Similarly, to ensure the good management of different tools, access restrictions on who has administrator-level access is important. For example, many organisations will want to control who has the ability to set central policies and settings relating to Microsoft Teams.
Findability and search
A powerful search is one of the advantages of the digital workspace. Permissions and access need to be correct in order for employees to find what they need to successfully carry out their roles and increase productivity.
The fluidity of access
Access to documents and applications across an organisation’s digital workspace can be fluid, with a high turnover of staff, contractors and temporary roles and even content shared with external third parties. With a complex and changing pattern of access, it is important to manage access and permissions to avoid the chance of any security risks.
Challenges around Microsoft 365 and SharePoint permissions
With so many organisations using Microsoft 365, many of the challenges around permissions and access in many digital workspaces are associated with this platform. The good news is that permissions with Microsoft 365 and SharePoint are very granular, flexible and specific, so you can match the complex pattern of permissions and access that even smaller and less complex organisations require. The less good news is that SharePoint permissions, Microsoft 365 groups and other related factors are a little bit complicated in places and because there is so much detail, it can take some time to understand.
There are multiple reasons for this. It’s partly because there are different tools where permissions can be set (SharePoint, Teams, Yammer, Microsoft 365 level etc.) as well as the ability to view items right down to the folder, document or page level. Also, because SharePoint document libraries get created across different tools (e.g. a Teams space and a Microsoft 365 group will also have an associated SharePoint library), SharePoint permissions are potentially complex.
It is also about the granularity of permissions that can then be applied; in SharePoint alone, there are ten default permission levels, and you can customise permission levels if you need to.
The world of groups and permissions across the Microsoft 365 platform and how to manage them is way too detailed for us to be able to go into here, but here’s a little bit of explanation if you’re new to this.
Understanding groups, admins, owners and more
At the heart of managing Microsoft 365 and SharePoint permissions is using groups. Basically, users can be added to groups and then you assign permissions at the group level. This is a much more sustainable way to manage SharePoint permissions or SharePoint Online permissions, as it would be impossible to add each individual to each SharePoint site that they need to have access too. Instead, you just need to add a person to a group and because that group already has permissions applied, the user gets access to the SharePoint sites.
It is a good idea to familiarise yourself with Microsoft 365 groups and the other groups that occur across the platform. Microsoft has some good resources to understand Microsoft 365 groups, including more detail for administrators. There is also a useful article that describes the differences between groups across the 365 platform, including security groups managed through Azure Active Directory that are likely to be important for determining “who can see what” on SharePoint.
It is also useful to start to understand the different administration roles related to Microsoft 365 (global admins, user admins and groups admins) and roles associated with a group (owners, members, guests) so you can understand who then has the ability to control permissions and add people to groups, at what level they can do this. Admins also have the ability to apply global settings that will determine the power of group owners to be able to invite users. For example, admins can determine whether external people from other organisations can be added to groups. This article on governance for Microsoft 365 Groups is a good place to start.
Managing SharePoint permissions
Getting your head around the world of SharePoint permissions is also important. Many people want to understand SharePoint permission levels and the permissions hierarchy, how these relate to Microsoft 365 groups, what permissions to apply across communication sites and team sites, and so on.
Again, Microsoft has some good resources here including a flagship article on permission levels in SharePoint and all about SharePoint groups too. There’s also “how to” information with a guide to how to create and edit permission levels.
Here the level of detail can feel almost overwhelming. However, it’s likely that most organisations may not need to lean in on the level of granularity that is possible; the ten default SharePoint permission levels from “Full control” to “View only” are all the options you have. It doesn’t mean that you’re necessarily going to be using them all.
When Microsoft 365 gets rolled out, users often have the ability to use OneDrive. Here it is important for users to understand who can view OneDrive documents and how they can share files with others. Having the wrong idea about OneDrive permissions can limit use of OneDrive because people are worried everyone can see their documents, but it can also mean they can accidentally share sensitive documents with people who should not have access.
Again, it’s worth creating resources that clearly explain:
- OneDrive access permissions and levels
- OneDrive sharing permissions and file permissions
- How to set permissions and share files.
With so much complexity in managing applications and document access and permissions across Microsoft 365, it is sometimes necessary to add an extra layer of control across your digital workspace. This is one of the advantages of using a tool like Workspace 365, where you not only can drive a more coordinated and high-quality user digital workspace experience for staff, but also add in necessary governance, including managing access.
Using Workspace 365 to manage app access
It is very simple to set who has access to a particular app accessed through Workspace 365. In the platform’s “App Store” feature, each individual app has settings. Here you can select the “Who has access” tab and define the groups (and even individuals if necessary) who have access. A tick box setting also allow you to set access to everyone by default.
However, for many digital workspace teams, particularly in larger organisations, this approach may be too simplistic. Therefore, Workspace 365 also has a powerful Conditional Access feature, that allows IT teams to set policies relating to individual app access based on different criteria, such as the device being used by the user, whether access is coming from outside the company network, the browser being used, the operating system and even IP addresses. You can even set how the app is shown to a user when there is no access, for example invisible or greyed out.
Conditional Access allows organisations to not only ensure IT security and privacy policies are adhered to, but also manage the complexity involved. For example, an app might not be allowed to be used in a particular country. Conditional Access also improves the user experience by helping to keep the digital workspace uncluttered and avoiding errors. For example, if you know an app isn’t going to work on a particular browser or device, you can restrict the access accordingly.
Group permissions to Workspace365 settings
In Workspace 365, there are also robust controls about who can control various aspects of each workspace. Permissions can be easily set for various different capabilities, including the ability to edit your own workspace, create apps in the app store, create and manage announcements and so on.
First, Workspace 365 allows you to manage the different user groups, and then allows you to apply different permissions to the groups across different capabilities. Permissions come at three levels – Allow, Not set and Deny.
This gives IT and digital workspace teams the ability to apply important governance to a digital workspace based on Workspace 365.
Getting started with managing permissions and access
Managing permissions and access is very important in your digital workspace and can get very detailed. We hope this article has helped you to get started and consider your options. If you’d like to understand how Workspace 365 can help you manage some of the complexity, then why not arrange a free demo?