Solved

Hide/Display SharePoint site links from users via permissions

Posted on 2016-08-30
Last Modified: 2016-09-24
We are configuring SharePoint Online (SPO) and we are trying to hide site links from users if they do not have permissions for that site. As of now, SPO shows all site links to all users whether they have permissions for them or not. SPO will not allow users to access sites they do not have permissions for, which is good, but we simply have too many sites to present to all users all the time. How can we accomplish this task?

Thank you!
Question by:mbresit
20 Comments
 
LVL 14

Assisted Solution

by:SneekCo
SneekCo earned 500 total points
ID: 41776788
That functionality is built in and is dependable. A few points:

    Make sure you are not testing with your admin account or an account that has access to all sites. With that account you will see all sites you have access to, probably all of them.
    Test with a standard user account.
    If you are using a visitors group with all users as members, and that group is granted access on all sites, then the standard users will have all sites in their menu.
    If you have a group such as Style Library Readers and the all users account is a member of that group, then it is possible that all users will have all sites in their menu. (Depends upon the permission level granted that group.)
          0
           

          Author Comment

          by:mbresit
          ID: 41776810
          We are testing from a standard user account, so we know this isn't an admin issue. The Navigation Links for all Team Sites are still showing for our standard user account. Where can we find permissions that specifically control whether or not our user sees those Navigation Links for Team Sites that they do or do not have permissions for?

          In case it's helpful:

          Standard user has permissions for the Accounting Team Site but not the IT Team Site

          Standard user sees both Navigation Links from their home page but can only successfully gain access to the Accounting Team Site, since she is appropriately permed for that Team Site.

          What we're looking for is something akin to Access-Based Enumeration which we used on our 2012 R2 file servers.

          Thank you.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41776824
          There is a "check permission" control in the ribbon you can get to like this -

          Site Actions --> Site Permissions --> Check Permissions

          That is one way to determine the permissions of a user.
          0
           

          Author Comment

          by:mbresit
          ID: 41776836
          The permissions for the user are correct. They can successfully access Accounting but not IT, however Navigation Links for both Accounting and IT show on their home site. We want this user to only see the Navigation Links which they have permissions for, which in this case is Accounting.

          Thanks.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41776842
          Navigation is based on permissions, there is not a separate ACL for out of the box navigation. I am suggesting that although you see permissions as correct, keep in mind it can become tricky. Check again.
          I can tell you from experience it is more likely that human error is the problem and not computer error.
          0
           

          Author Comment

          by:mbresit
          ID: 41776871
          The Accounting Team Site shows only the Accountants Security Group

          The IT Team Site shows only the IT security Group

          Our standard user is a member of Accounting and not a member of IT, yet our standard user can see Navigation links for both Accounting and IT.

          Any other thoughts on where to check for mistakes or where we should be looking?

          Thanks,
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41776922
          There are other system groups within each site such as "Style Resource Readers", "Restricted Readers", "Approvers", "Hierarchy Managers", "Designers" and maybe some more. Your sites may not have any of these groups, but if they do, make sure your users are not part of one of the system groups which would give the user access to all sites, and then all sites would show in navigation. As mentioned, you can go to the site that the user is NOT supposed to have access to and use the "Check Permissions" tool to see if the user has some type of hidden access. This wouldn't be a mistake, but something that happens all the time.

          Good luck...
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41776925
          One last thing, and this is a very very long shot, but if for some reason the user is a site admin that would explain the access, but the user would not show up under the usual site permissions page.
          0
           

          Author Comment

          by:mbresit
          ID: 41786122
          After speaking to MS at length about this last week, following this exchange, they said what we asked above cannot be done. Subsites can be hidden from user view through permissions, but site collections cannot. That sounds crazy to me though, but from our own practical experience we can see that subsites do hide as expected and that site collections do not. Is anyone aware of how to make site collection links only show up for users who have permissions to that site collection?

          The subsite solution would work wonderfully for us if we had less than 1TB of data, but since there seems to be a hard 1TB limit for site collections, we feel forced to separate these out into various site collections. We are still struggling to figure a way to do this elegantly/seamlessly for our users. Presenting links to resources only to users that can connect to them.

          Thanks,
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41786151
          Users can only see Site Collections that they have access to, that they have some type of permissions for. Be it read only, limited access all the way to full control. Otherwise they will receive access denied when navigating to the site collection, and also they will not see a site collection in the top navigation bar unless the user has been granted access to the site collection.

          The exceptions would be if the navigation is not using standard SharePoint navigation controls. A hard coded link could of course be added to the page that would not be security trimmed. But that would not be SharePoint out of the box and would fall under the custom coding category.

          If what Microsoft is telling you is true, they have SharePoint set up incorrectly.

          Good luck...
          0
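
The comment above notes that hard-coded links are not security trimmed. The following is an added example, not code from this thread or from Microsoft, showing one way to trim such a list client-side by asking each site, as the signed-in user, whether it can be read. It assumes the SharePoint REST endpoint `/_api/web/title`, same-origin site URLs on a placeholder tenant (`contoso.sharepoint.com`), and that a refused request returns 401/403; `probeSite`, `trimLinks`, `SAMPLE_LINKS` and `sampleFetch` are hypothetical names.

```javascript
// Added example: trim hard-coded navigation links client-side.
// Hiding a link is presentation only; SharePoint still enforces access on the server.

// Ask one site, as the signed-in user, whether its web object can be read.
// fetchFn is injectable so the logic can be exercised without a tenant.
async function probeSite(siteUrl, fetchFn) {
  const endpoint = siteUrl.replace(/\/+$/, "") + "/_api/web/title";
  try {
    const res = await fetchFn(endpoint, {
      method: "GET",
      credentials: "include", // send the user's session cookies
      headers: { Accept: "application/json;odata=nometadata" },
    });
    if (res.ok) return "allowed";
    // Assumption: a site the user cannot read answers 401/403 (404 if it is gone).
    if ([401, 403, 404].includes(res.status)) return "denied";
    return "unknown"; // throttling (429), 5xx, and similar
  } catch (err) {
    return "unknown"; // network failure
  }
}

// Keep only links whose target the user can read. Fail closed: a link with an
// "unknown" verdict is hidden rather than shown.
async function trimLinks(links, fetchFn) {
  const results = await Promise.all(
    links.map(async (link) => ({ link, verdict: await probeSite(link.url, fetchFn) }))
  );
  return results.filter((r) => r.verdict === "allowed").map((r) => r.link);
}

// Constructed sample data: the two team sites from the thread on a placeholder tenant.
const SAMPLE_LINKS = [
  { title: "Accounting", url: "https://contoso.sharepoint.com/sites/accounting/" },
  { title: "IT", url: "https://contoso.sharepoint.com/sites/it" },
];

// Constructed stand-in for fetch: a user who is in Accounting but not in IT.
function sampleFetch(url) {
  const status = url.startsWith("https://contoso.sharepoint.com/sites/accounting/") ? 200 : 403;
  return Promise.resolve({ ok: status === 200, status });
}

// In a browser on the tenant, pass window.fetch.bind(window) instead of sampleFetch.
trimLinks(SAMPLE_LINKS, sampleFetch).then((visible) =>
  console.log(visible.map((l) => l.title)) // [ 'Accounting' ]
);
```

A trimmed menu only reduces clutter; the permissions on each site collection remain the actual access control, so they should still be reviewed with Check Permissions.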

           

          Author Comment

          by:mbresit
          ID: 41786167
          OK, we may be getting somewhere now then. I think we may have hard-coded the links accidentally, but I am going to check with our sys admin to be sure. If that is the case, we will remove the hard-coded links and do additional testing. More to come, thanks.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41786171
          Hope that helps... sorry, should have asked sooner about the hard coded stuff but thought it was just the out of the box navigation...

          Good luck...
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41789452
          Any luck?
          0
           

          Author Comment

          by:mbresit
          ID: 41789926
          Unfortunately, we only get the result we want with subsites. Subsites present to users with permissions only, but when trying to get the same result at the site collection or team site level, it shows all to everyone. Sadly, we've gotten no further on this.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41790025
          You may have already tried this -

          Go to the settings page of your SPO tenant. Click on Top Navigation Bar User Experience. You should see a table with some radio buttons that you can use to show or hide certain items from the top level navigation. Sites should be an option.

          Not sure if this will help you or something you can use, but hope so.

          Good luck...
          0
           

          Author Comment

          by:mbresit
          ID: 41790438
          We don't see site collections/team sites in the navigation bar in either case (show/hide are selected), and we only see them when they are hard-coded. As you mentioned, hard-coding presents a problem. So the current question is: How do we get site collections/team sites to show up at all in the nav bar without hard coding them?

          Thank you.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41800922
          Any luck?
          0
           

          Accepted Solution

          by:
          mbresit earned 0 total points
          ID: 41801465
          No. However, Microsoft literally just upped the 1TB limit per site collection to 25TB yesterday, so this solves the problem since we can now use subsites, which we have had no trouble with thus far. We do appreciate your efforts in trying to help resolve the issue.
          0
           
          LVL 14

          Expert Comment

          by:SneekCo
          ID: 41801502
          Glad you found a workaround...
          0
           

          Author Closing Comment

          by:mbresit
          ID: 41813580
          It's the best solution to the problem.
          0
