Tuesday, July 30, 2024

Security in Teams and SharePoint


IT in our organization is still very much the Wild Wild West, and most users have no idea how to manage things that are typically handled by IT in larger organizations. In an effort to help keep the peace, and educate folks a bit, I occasionally post a few thoughts towards best practices to help folks along.

This is one such thing. Lately, I have noticed folks just handing out site/team ownership without any thought towards what they are doing. People who should not have access to certain things suddenly have sweeping access.

This is by no means all-encompassing.  It is only meant as a basic outline to help most users in a default SharePoint Online / Teams environment.

================

It is super easy to make another user an “Owner” of your Team or SharePoint so they have the access they need to do whatever they need to do at the time. It is also a little dangerous.

Did you know that in doing so, you give that person the right to do whatever they want inside of your Team / SharePoint?

This includes …
· Delete your Team or SharePoint.
· Add any users they want to your Teams/SharePoint, even as an Owner.
· Access any document.
· Share any document (even externally).
· Change any document.
· Delete any document.
· View HIPAA protected information.
· Share HIPAA protected information.

The same security controls are not in place for Teams / SharePoint as those for the File Server (also known as the G drive or H drive or whatever letter is assigned to your drive).

Access Security is the sole responsibility of the Owners of the Teams / SharePoint.

Fortunately, Access Security is extremely easy to maintain.
  • Do not make anyone an “Owner,” unless you really want them to have that authority.
  • Do not make anyone a “Member” that is outside of your working Teams.
  • Add a “Visitor,” if someone needs access to everything in your Teams / SharePoint.
  • Share a document and/or folder, if that is all a person really needs access to.

How do I do this?

  1. In SharePoint,
    1. Click the gear in the top right of the page
    2. Choose “Site Permissions”
    3. Click “Add members”
      1. “Add members to group” will add a site Member
      2. “Share Site Only” will add a site Visitor
  2. In Teams,
    1. Only a Member may be added here.
    2. Click the ellipsis ( . . . ) next to the Teams name
      1. Choose “Add Member”
    3. “Guests” can be added, but that is a whole other story.

Through these same menus in SharePoint, you can remove an “Owner” or “Member” that should no longer be there. In Teams, choose “Manage Team” from the ellipsis menu next to the Teams name.


Overview: Site governance, permission, and sharing for site owners - Microsoft Support
  • Owner
    • Full Control
      • Manage Site Permissions, Settings, Appearance, as well as Add, Edit, and Delete any documents or Site contents.
  • Member
    • Contributor
      • Edit site content, as well as add, edit, and delete documents.
  • Visitor
    • Read Only Viewer
      • Can see most content but cannot edit or delete.
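
To find where ownership has been handed out too freely, someone with admin rights can list the Owners of each Team and flag the ones that need a second look. This is an added example, not part of the original post; the function name Get-OwnerReview, the owner threshold, and the sample rows are assumptions, and the commented section uses cmdlets from the MicrosoftTeams PowerShell module.

```powershell
# Added example; Get-OwnerReview, the threshold and the sample rows are assumptions.
function Get-OwnerReview {
    param(
        [Parameter(Mandatory)] [object[]] $Membership,  # rows with Team, User, Role
        [int] $MaxOwners = 3                            # assumed local policy, not a Microsoft limit
    )
    foreach ($team in ($Membership | Group-Object -Property Team)) {
        # Every Owner has Full Control, so each one is listed by name for review.
        $owners = @($team.Group | Where-Object { $_.Role -eq 'Owner' })
        $finding = if ($owners.Count -eq 0) {
            'No owner assigned'
        } elseif ($owners.Count -gt $MaxOwners) {
            "More than $MaxOwners owners"
        } else {
            'OK'
        }
        [pscustomobject]@{
            Team       = $team.Name
            OwnerCount = $owners.Count
            Owners     = ($owners | ForEach-Object { $_.User }) -join '; '
            Finding    = $finding
        }
    }
}

# Constructed sample rows (not real teams or users).
$sample = @(
    [pscustomobject]@{ Team = 'Billing'; User = 'alice@example.org'; Role = 'Owner'  }
    [pscustomobject]@{ Team = 'Billing'; User = 'bob@example.org';   Role = 'Owner'  }
    [pscustomobject]@{ Team = 'Billing'; User = 'carol@example.org'; Role = 'Owner'  }
    [pscustomobject]@{ Team = 'Billing'; User = 'dave@example.org';  Role = 'Member' }
    [pscustomobject]@{ Team = 'Intake';  User = 'erin@example.org';  Role = 'Owner'  }
    [pscustomobject]@{ Team = 'Intake';  User = 'frank@example.org'; Role = 'Member' }
)
Get-OwnerReview -Membership $sample -MaxOwners 2 | Format-Table -AutoSize

# Against a live tenant (requires the MicrosoftTeams module and an admin sign-in):
# Connect-MicrosoftTeams
# $live = Get-Team | ForEach-Object {
#     $t = $_
#     Get-TeamUser -GroupId $t.GroupId | ForEach-Object {
#         [pscustomobject]@{ Team = $t.DisplayName; User = $_.User; Role = $_.Role }
#     }
# }
# Get-OwnerReview -Membership $live
```

With the sample rows and a threshold of 2, Billing is flagged for having three Owners and Intake is reported as OK.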
