Last updated 2020-03-03

Microsoft 365 is Microsoft’s cloud-based offering of a number of services, including SharePoint Online. Boston University’s Information Services & Technology (IS&T) maintains a tenant in Office 365, through which it offers departments, research groups, and others the opportunity to request and manage their own SharePoint site collections. Boston University’s Microsoft 365 Security Policy defines the types of information that may be stored in Microsoft 365/SharePoint Online. The basis for that policy begins with our agreements with Microsoft regarding security in their data centers, some of which is described in the Microsoft Trust Center, but that security must be preserved and extended through the awareness, choices, and actions of each local site collection administrator. This page is intended to introduce local site collection administrators to concepts and settings you can use to preserve the security of your site collection. You’ll find a list of pointers to more information at the end.

Sharing options that can be set by IS&T, upon request, for each site collection

By default, new site collections created for departments, research groups, etc., are set to disallow sharing outside of BU. This optimizes security by guarding against accidental external sharing. The site collection administrator can request that the sharing options be changed to any of the three levels at any time. We recommend that you do not request external sharing to be enabled unless and until you need and plan to use it. Note that changing from an option that allows external sharing to a more restrictive option will cause disruption for people outside of BU with whom content has been shared. The three options that can be set for each site collection are shown below.

O365 Sharing Outside Your Company Options

Permissions controlled by the site collection administrator

The site collection administrator controls access to content within the site collection. While access can be controlled at various levels, e.g., the site collection, a subsite, a document library or list, or even a folder or single document, security is most easily and successfully maintained when sharing and permissions are kept as simple and clear as possible. In general, maintaining permissions at the site collection or subsite level is highly recommended: easy to understand and to maintain. Site collections should be designed so that all content in a given area, e.g., a subsite, has the same access requirements.

We strongly recommend that you use groups to control access in SharePoint. Rather than assigning permissions to individuals, assign permissions to groups and then add people to the group that provides the desired access. By default, SharePoint commonly defines three groups:

  • Owners usually have Full Control over a container, e.g., a site collection or a subsite
  • Members usually have Edit permissions
  • Visitors usually have Read Only permissions

These permission levels are set by commonly followed convention, but you can modify them if you need to, and you can set up additional groups for special requirements. If you are used to permissions in SharePoint 2007, you will recall that Members had “Contribute” permissions. The SharePoint Online default is to give Members “Edit” permissions. “Edit” permissions provide more capability than “Contribute;” e.g., anyone with “Edit” permissions can create, modify, and delete Lists and Document Libraries. This enhances collaboration capabilities, but if you prefer to limit these capabilities at any level, you can always change the permissions for Members to “Contribute.”

Sharing options controlled by the site collection administrator

The site collection administrator can also choose who can request access to a site or share a site with others by controlling the Access Requests Settings, show below. You can reach these settings by choosing “Site settings” from the dropdown menu under the gear (upper right), then choosing “Site permissions” from the “Users and Permissions” group, then choosing “Access Request Settings” from the “Permissions” tab of the Ribbon.

O365 Access Requests Settings

By default, new site collections allow Members to share the site and allow requests for access. You should familiarize yourself with these options and ensure that they are configured to suit your needs. Note that any time you create a new subsite with unique permissions, that subsite will probably be created with all these options enabled, so be sure to set them as you desire. Having these options enabled provides convenience and may be appropriate in some situations, but this convenience can reduce security by allowing sharing of content without the oversight of the site collection administrator.

References