Understand permissions in Microsoft Storage

In Microsoft Storage, permissions can be granted in two ways:

  • Folder-level permissions: When a user has access to a folder via folder-level permissions, those items will appear in the user's Microsoft OneDrive at IU under "Shared".
  • Team-level permissions: When a user has access to a folder via team-level permissions, those items will appear in the team within Microsoft Teams at IU, and they may also appear in OneDrive under "Shared Libraries".

Microsoft uses additive permissions; as a result, if users are granted permissions at both the folder level and the team level, managing permissions becomes more difficult. For example:

  • If users have access to a folder because they are members of a team, and if they also have folder-level permissions to the same folder, removing access for those users at the folder level does not remove their access to the folder, because they still have team-level access permissions.
  • If users have access to a folder because they are members of a team, and if they also have folder-level permissions to the same folder, removing access for those users at the team level does not remove their access to the folder, because they still have folder-level access permissions.

To remove access to a folder for a user who has both folder-level and team-level permissions, you must remove the permissions at both levels. It can be easy to forget that a user has access to a folder based on their permissions at both the folder level and the team level, especially since team membership and folder-level permissions are managed in different places.

As a result, it is easier to choose to use either folder-level permissions or team-level permissions for a user rather than using both types of permissions to manage that user's access.
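
The additive behavior described above, shown as an added example (it is not part of the original Knowledge Base document and does not call any Microsoft API). It models one team with constructed data, lists the users who hold access to a folder at both levels, and shows which access path survives a single-level removal. The class, function, user, and folder names are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    """Constructed model of one team; all names here are hypothetical."""
    members: set                      # users with team-level access
    public_folders: set               # folders stored in the team's public channels
    folder_grants: dict = field(default_factory=dict)  # folder -> users with a folder-level grant

def access_paths(team, user, folder):
    """Every level through which `user` reaches `folder`; permissions are additive."""
    paths = set()
    if user in team.members and folder in team.public_folders:
        paths.add("team")
    if user in team.folder_grants.get(folder, set()):
        paths.add("folder")
    return paths

def dual_grants(team):
    """(folder, user) pairs held at both levels: a single-level removal leaves access in place."""
    return sorted(
        (folder, user)
        for folder, users in team.folder_grants.items()
        for user in users
        if access_paths(team, user, folder) == {"team", "folder"}
    )

def revoke(team, user, folder, level):
    """Remove access at one level and return the paths that still grant access."""
    if level == "folder":
        team.folder_grants.get(folder, set()).discard(user)
    elif level == "team":
        team.members.discard(user)    # team removal affects every public folder
    else:
        raise ValueError(f"unknown level: {level}")
    return access_paths(team, user, folder)

def sample_team():
    """Constructed sample data, not taken from any real tenant."""
    return Team(
        members={"alice", "bob"},
        public_folders={"Budgets", "Reports"},
        folder_grants={"Budgets": {"alice", "carol"}, "Reports": {"bob"}},
    )

if __name__ == "__main__":
    team = sample_team()
    print("held at both levels:", dual_grants(team))
    print("after folder-level removal:", revoke(team, "alice", "Budgets", "folder"))
    print("after team-level removal:", revoke(team, "alice", "Budgets", "team"))
```

An empty result from `revoke` is the only state in which the user no longer has access to the folder.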

Microsoft and UITS recommend that permissions be managed at the team level whenever possible.

When you grant users team-level permissions, those users have access to all the folders and files stored in that team's public channels. If certain members of the team need access to specific files, and others on the team should not have access, create a private channel and store the files in that private channel.

Note:
There is a limit of 30 private channels per team.

If you need to limit file access to groups of people who are not part of a larger team, you can create multiple teams to manage your files.

Items migrated from Box via SkySync have folder-level permissions. If items were migrated from Box manually, the team owner chose the permission settings when items were moved into Microsoft Teams.

For more on managing permissions, see:

This is document bgol in the Knowledge Base.
Last modified on 2021-04-27 10:51:21.