One of the most frequent concerns/questions users have about security in SharePoint is whether or not the files you store in Office 365 ecosystem are safe and secure and can’t accidentally be accessed by curious colleagues or discovered by accident by those who do not need to see them. Security, in my opinion, is one of the core strengths of SharePoint (if configured correctly, of course). So with this post, I would like to explain how you, as a user, can set security for files in SharePoint and be rest assured that your documents are safe and sound.
Below, you will find a list of all possible options/locations where you can set security for files in SharePoint. No matter which option you choose, one thing to keep in mind is that content access and search are permission-driven. That means that content will not be visible, searchable, or accessible by anyone who does not have permission to access it. I documented this concept in one of my previous posts.
Option 1: Unique permissions on a SharePoint site
You can easily secure your files by storing them on any SharePoint site and making sure, the site has unique security settings. The content that is stored on a site (all document libraries, other web parts) inherit permissions from that site. Setting security at the site level is considered the best practice in SharePoint. Make sure to follow this step by step guide to set unique security on a site.
Option 2: Unique permissions on a Document Library
There might be a situation when you need to store files on a SharePoint site (say project site) but have unique security for a handful of those files. If this is the case, you might want to create an extra document library and then break the permissions inheritance of that library. In such case, the site as a whole will be accessible by all who need to have access to it, yet, the document library will have unique privileges in terms of security. Follow these steps to set unique permissions for a document library.
- Navigate to the document library you want to set unique permissions for (Gear Icon > Library Settings)
- In the middle of the screen click on Permissions for this document library
- Note that it will state that by default the library inherits permissions fro the parent (Site in our case). This makes sense.
- What we need to do is break that inheritance so we can set out own. Click Stop Inheriting Permissions
- Click OK when you get a warning message
- It will now state that This library has unique permissions – exactly what we wanted
- Next, you can adjust permissions for this particular library. Say, for example, I do not want my team members and visitors to see or access this library. Just Site Owners should see it. So, what you can do, is remove those groups from this library. Don’t worry, whatever you do here only impacts the library, not the whole site.
- Likewise, you can add specific users if you wish by clicking on Grant Permissions button. So in the end, your library might have unique access that looks like this:
Option 3: Unique permissions on a folder
You can go one step further and break the inheritance at the folder level, thus only having one or few folders with unique security, while the library itself will inherit security from the site. The process is very similar to above; we are just going little more granular in terms of where in the chain we are breaking inheritance.
- Check the checkbox next to the folder you want to hide, then click the “i” icon, then Manage Access
- You can tweak access right in the pop-up that appears, but if you opt for more “advanced” way of setting up security for a folder, click on Advanced
- From there, you will see a now-familiar screen that will allow you to set granular permissions for a folder. By default, folder inherits permissions from the parent (Document Library in our case). By breaking inheritance and removing/adding groups and users (just follow Steps 4-8 in option Option 3 above), you can set unique permissions for your folder and hide it from other users.
By the way, I also recorded a video on how to set unique permissions for a folder, check it out!
Option 4: Unique permissions on a file
Yes, we can go one level further and set unique permissions at a file level. This option is great if you have 1-2 files that require unique access from the rest of the site.
Option 5: OneDrive
If your head is spinning after reading all the previous options – maybe setting up unique permissions is not for you. In this case, you can just store your sensitive content in your own OneDrive account. By default, it is private, until you share and you can easily control who you are sharing with from within your OneDrive (works the same way as sharing from SharePoint). To learn more about sharing from OneDrive, check out this post. Of course, one thing to keep in mind is that OneDrive is tied to your user ID, so if you win a lottery tomorrow and decide not to show up at work, your files are going to be deleted with the account, leaving your jealous co-workers without those important files that should have been in SharePoint, to begin with.
Option 6: Password protection on files
The last available option that exists has nothing to do with SharePoint or OneDrive. It is something that is part of some MS Office file types (Word, Excel). The functionality I am talking about is, of course, the file password protection.
While this option will save you from messing around with SharePoint and OneDrive sharing, I don’t really like one as this requires users to remember yet another password. Multiply that by the number of files, and you get the idea. I had many times set passwords for my own files, only to forget them a few days later. And you will not be able to recover that content, if you forget one, so be careful! And by the way, if you create passwords for your files, you will not be able to open them in the browser in SharePoint, using Office Online. Check out this post to learn more about this and other limitations.
I recommend either Option 1 or 2. Both are scalable and allow you to store many files and folders with unique security. Once you start messing around with the unique folder or file security, it becomes an administrative nightmare for you to manage. I don’t like the OneDrive option because OneDrive is your own account. And individual file protection forces you to remember many one-time passwords. So yes, stay at the site/document library level in terms of security and stay out of trouble!