As you build your SharePoint Online Intranet portal and associate all the different sites to the Hub, you want to ensure a smooth user experience for your Hub Visitors. While associated sites inherit Hub Menu and branding, security is not inherited when you associate a site with the Hub. What that means is that if a user visits your Hub Site, they might get “access denied” when visiting an associated site (if the user does not have permission to access that site). However, we now have a new feature in Hub Sites that allows us to sync hub permissions to the associated sites. In this article, I would like to explain how it works, what happens behind the scenes when you enable it, and a few important nuances you must be aware of to avoid a governance nightmare.
What is a Hub Site
For you to understand the below feature, you must first understand what a Hub Site is. I explained the concept of Hub Sites and how to create them in great detail here.
What happens when you associate a site to the Hub
Just as stated in the above-mentioned article, the following major things occur when you associate a site with a Hub Site:
- Hub Navigation inheritance
- Hub Branding (theme) inheritance
- The site becomes part of the Hub Search Scope
There are a few other benefits of the Hub, but the major ones are listed above.
What happens to the site security when you associate a site to the Hub
One thing that does not get inherited from the Hub is security. So while the user might have access to the parent Hub site, the user might get an “access denied” message if they do not have access to the associated site.
Moreover, this concept is so important that we even got the Navigation Audience Targeting feature released some time ago just for that reason – to hide navigation menu links to sites that users do not have access to or should not see in the navigation.
How to sync Hub Permissions to the associated sites
- On a Parent Hub Site, click Gear Icon > Site Permissions
- Click on the Hub tab, turn the Sync hub permissions to associated sites toggle switch On, then add the security group that you would like to have read-only access to the Hub and ALL the associated sites
- Navigate to one of the associated sites and access its Site Permissions (Gear Icon > Site Permissions), then click on the Hub Tab up top. Enable the toggle switch to sync Hub permissions to this site (in other words, inherit that Visitors Group from the hub site)
What happens behind the scenes when you sync Hub permissions?
Let me now explain what happens when you enable Sync Hub Permissions to associated sites. Now, this is probably the most important part of this post. For us to see it, we need to go behind the scenes.
- On the Parent Hub Site, click Gear Icon > Site Permissions
- Click on Advanced permissions settings
- In addition to the three default security groups, you will now see a 4th SharePoint security group created called Hub Visitors with the Read permission level
- If you click inside of the group, you will notice the user or groups you added as Visitors when you enabled Hub permissions sync using the instructions above
- If you navigate to any of the associated sites now and go to their Advanced permissions settings, you will see the same Hub Visitors SharePoint security group appearing as an extra, 4th security group (assuming you synchronized Hub permissions to that site)
Why you need to be careful with Hub permissions sync
I usually try not to express personal opinions in my blog, leaving the features open to your own judgment and use cases. But in this case, I am tempted to express my two cents about this new feature. Personally, I can’t say I like it, and let me explain why.
- Confusing Site Security management: It is not obvious anymore from looking at site security who might or might not have access to the site. For example, when you look at the Site Permissions, you see the 3 regular security groups, and it might lead you to believe that there are no visitors unless you also check the Hub tab and its permissions inheritance there as well. Oy Vey!
- Deviations from a 3-group permissions model: Kind of related to the above, the whole idea of modern security relies on a simple 3-group security model – Owners/Members/Visitors. As I demonstrated above, it adds a 4th group (Hub Visitors) behind the scenes, making things complicated to manage and adding to the confusion.
- Defeats the purpose of flat IA: The whole idea of a flat IA is that each site is independent and can have its own identity, content, security. That’s exactly why we no longer have subsites – so there is no “accidental” security inheritance. It seems like it is kind of back to this model again.
- Hub Visitors Group left in place if disabled: When the Hub Owner disables Hub permissions sync at the Hub level – it leaves the Hub Visitors Group in the Hub site itself (though it removes it from the associated sites). This can lead to yet another confusion as to who has access to the Hub Site itself.
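One way to see who holds access through the Hub Visitors group on the hub and every associated site, including a group left behind on the hub after sync is disabled. This is an added example, not part of the original article. It assumes the PnP.PowerShell module is installed, that the account is a SharePoint administrator who can read permissions on each site, and that $HubUrl and $ClientId are placeholders you supply.

```powershell
# Added example: report where the "Hub Visitors" group exists and who is in it.
# Assumptions: PnP.PowerShell is installed; both parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $HubUrl,    # URL of the parent Hub Site
    [Parameter(Mandatory)] [string] $ClientId   # app registration used to sign in
)

$GroupTitle = 'Hub Visitors'   # group name as shown in Advanced permissions settings

function Get-HubVisitorsReport {
    param([string] $SiteUrl, [string] $Role)

    # Connect to the site being inspected; groups are per-site objects.
    Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId
    $group = Get-PnPGroup | Where-Object { $_.Title -eq $GroupTitle }

    if (-not $group) {
        # Sync is not enabled on this site (or the group was removed).
        return [pscustomobject]@{
            Site = $SiteUrl; Role = $Role; HasHubVisitors = $false; Members = ''
        }
    }

    # List every user or security group that reads this site via the hub.
    $members = Get-PnPGroupMember -Group $group | ForEach-Object { $_.LoginName }
    [pscustomobject]@{
        Site = $SiteUrl; Role = $Role; HasHubVisitors = $true
        Members = ($members -join '; ')
    }
}

# Enumerate the sites associated with the hub (requires tenant admin rights).
Connect-PnPOnline -Url $HubUrl -Interactive -ClientId $ClientId
$children = Get-PnPHubSiteChild -Identity $HubUrl

# Check the hub itself first, then each associated site.
$report = @(Get-HubVisitorsReport -SiteUrl $HubUrl -Role 'Hub')
foreach ($url in $children) {
    $report += Get-HubVisitorsReport -SiteUrl $url -Role 'Associated'
}

$report | Format-Table -AutoSize
```

A row with Role = Hub and HasHubVisitors = True while every associated site shows False matches the leftover-group case described in the last bullet.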