We would like to set up a Document Library in a SharePoint Online site with different members, visitors and owners than the Site the Document Library will be created in. It works very well (we have different populations for visitors [read] and “members” [edit]) but we can’t prevent parent Site Owners from having ~Full Control access to the Library even if they do not have explicit Full Control permission on (are not owners of) the Library. Please note: these owners are NOT Site Collection Administrators (which, we know, cannot be denied access to a library). Thanks, Pierre
Apologies. Yes, what I was talking about is Site Collection Admins and not the owners.
Yes, whenever you create a modern site or an O365 group or team, an email id is generated for it. This email id is something similar to a security group, and this id gets added as the site collection administrator. What you have done is the right approach as of now. But it’s strange that the person who creates the group is not made the administrator.
I received responses on other platforms and they are worth sharing here:
We are actually using Modern SharePoint Online and the interface to manage members of a site (a so-called “Team Site”) is tricky… Referring to the two pictures below, here is how it seems to work:
As we can see in the right picture, users (members), existing or added, are assigned to the Member or Owner “group”, but the behaviour is quite surprising:
- When selecting “Member”, the user is supposedly added to the group “<Site Name> – Members” (created automatically at Site [collection] creation time), and this can indeed be confirmed by doing a Permissions Check for that user, which shows something like “Edit – Given through the “<Site Name> – Members” group”. However, if you look at this Group itself and its members, you won’t see the user, which is weird and misleading. The actual membership status and the displayed membership status are different 🙁
- When selecting “Owner”, it is worse: it may silently and invisibly add the user to the “<Site Name> – Owners” group, but it adds it to the “Site Collection Administrators” (or equivalent). However, again, you can’t see it looking at the members of the Group “<Site Name> – Owners” (also automatically created at Site creation time) AND, also, looking at “Site Collection Administrators” you won’t see the user there either.
The problem is that you MAY NOT deny Site Collection Administrators access to a library hosted in the site, but you MAY restrict the access rights of Site Owners. So if you expected, by selecting “Owner” in the Group membership pane shown above, to make the user “Owner” and not “Site Collection Administrator”… you have to work around it!
Work around:
- List explicitly the Site Collection Administrators in the permission settings of the site collection, to avoid confusion with this special Group membership administration pane which is, apparently, far from perfect at this stage.
- Make users “Members” on this pane and place the ones you want explicitly in the “<Site Name> – Owners” group, so that they really are “Site Owners” without automatically being “Site Collection Administrators” as well!
It is not perfect, and more tests may be required to fully understand what’s happening behind the scenes, but these are the root causes of the issue I was describing and also the way we solved it.
Regards, Pierre
Sorry, I explained this badly: I created the site and was indeed in the Site Collection Administrators; that was not the point.
What was strange, though, is that later I enrolled other colleagues whom I made owners (using the new Modern panel to do so). I did NOT explicitly make them Site Collection Administrators; I expected them to be just Site Owners, without being administrators (we want to be able to have some restricted-access components on our SharePoint which Site Owners, but not Site Collection Administrators, would not have access to). The fact is that it appeared that, even if not visible in the Site Collection Administrators list, they actually were made Administrators, i.e. in the special Modern SP365 user enrollment panel, Owner = Site Collection Administrator, which is misleading.
Thanks – regards, Pierre
Site owners will have access to all the document libraries even if you have managed permissions at library level and removed owners from there.
Not quite.
What you say is true for Site Collection Administrators, but if you are a “Site Owner” and NOT a “Site Collection Administrator” then you can be denied access to a component (e.g. a Document Library) by breaking the rights inheritance and not giving specific rights to these original Site Owners.
In the meantime, I have identified a specific issue that happens with Modern SharePoint Online / Office 365, as “Site Owners” are apparently made Site Collection Administrators automatically (even if you can’t see that in the SharePoint interface). However, if you make them “Members” in the special Modern Team Site SharePoint Office 365 pane and manually place these users in the “Owners” group, they are no longer “Site Collection Administrators” yet remain “Site Owners”… in that case, I am able to deny them access to lower-level components.
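The workaround Pierre describes (list the real Site Collection Administrators, keep colleagues as “Members” in the modern pane, add them explicitly to the “<Site Name> – Owners” SharePoint group, then break inheritance on the restricted library) can be scripted and, more importantly, verified. The following is an added example, not code from the thread or from Microsoft; it uses the PnP.PowerShell module and assumes a group-connected modern team site. The site URL, user, library name and the Graph permissions needed for the group cmdlets are assumptions. On group-connected sites the Microsoft 365 group’s owners are granted Site Collection Administrator through a single claim-based principal (the group id with an `_o` suffix), which is why the classic Site Collection Administrators page never lists those people by name; the script shows that claim so you can see where the hidden admin right comes from.

```powershell
# Added example (not from the original thread). Requires the PnP.PowerShell module
# and an account allowed to administer the site and the Microsoft 365 group.
# All values below are placeholders (assumptions), not data from the thread.
$siteUrl = "https://contoso.sharepoint.com/sites/Finance"   # assumed site
$user    = "alice@contoso.com"                              # assumed colleague
$library = "Board Papers"                                   # assumed restricted library

Connect-PnPOnline -Url $siteUrl -Interactive

# 1. Who is really a Site Collection Administrator? On a group-connected site the
#    group owners show up as one claim whose LoginName ends in "_o", not as people.
Write-Host "Effective Site Collection Administrators:"
Get-PnPSiteCollectionAdmin | Select-Object Title, LoginName | Format-Table -AutoSize

# 2. Demote the colleague from Microsoft 365 group owner to group member. This is
#    what picking "Member" instead of "Owner" in the modern membership pane does,
#    and it is what removes the hidden site-collection-admin grant.
$groupId = (Get-PnPSite -Includes GroupId).GroupId
$owners  = Get-PnPMicrosoft365GroupOwner -Identity $groupId
if ($owners.UserPrincipalName -contains $user) {
    Remove-PnPMicrosoft365GroupOwner -Identity $groupId -Users $user
}
Add-PnPMicrosoft365GroupMember -Identity $groupId -Users $user

# 3. Make the colleague a genuine SharePoint "Site Owner" by adding them to the
#    site's associated owners group ("<Site Name> Owners") explicitly.
$spOwners = Get-PnPGroup -AssociatedOwnerGroup
Add-PnPGroupMember -Group $spOwners -LoginName $user

# 4. Restrict the library: break inheritance without copying the site's role
#    assignments, clear any sub-scopes, and grant only the site members group.
Set-PnPList -Identity $library -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes
$spMembers = Get-PnPGroup -AssociatedMemberGroup
Set-PnPListPermission -Identity $library -Group $spMembers -AddRole "Edit"

# 5. Verify. The colleague must no longer be a site collection admin (neither
#    directly nor via the group owners claim) and must hold no role on the library.
$adminLogins = (Get-PnPSiteCollectionAdmin).LoginName
$stillAdmin  = [bool]($adminLogins -match [regex]::Escape($user))

$list = Get-PnPList -Identity $library
$ras  = Get-PnPProperty -ClientObject $list -Property RoleAssignments
$listPrincipals = foreach ($ra in $ras) {
    (Get-PnPProperty -ClientObject $ra -Property Member).LoginName
}
$hasListRole = [bool]($listPrincipals -match [regex]::Escape($user))

Write-Host ("{0}: site collection admin = {1}; direct role on '{2}' = {3}" -f `
    $user, $stillAdmin, $library, $hasListRole)
if ($stillAdmin) {
    Write-Warning "$user is still a Site Collection Administrator; library permissions cannot exclude them."
}
```

Run it once after applying the workaround and again whenever someone uses the modern pane to promote a colleague: the only condition under which library-level permissions can actually exclude a Site Owner is that the final check reports both values as False, and the `_o` claim in step 1 is the thing to watch, because any user re-added as a group “Owner” silently inherits admin through it.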