Complete a SharePoint Access and Permission Review


Site Collection Administrators (SCA) can complete a manual access review of permissions and users on their site(s). There is no report generating tool in SharePoint — if you require a granular review of all permissions on a site, contact EASI SharePoint Support to generate a report using Sharegate. 

This review can be conducted as needed; it is recommended that it be done at least once per year. Site owners with higher risk content are encouraged to check access on a more frequent basis. 

How you conduct the review will depend on how you have implemented permissions. 

Before you begin 

Ensure a document library called Access Reviews has been created in your top-level site, with permissions restricted to site owners and SCAs only, so that the review documents cannot be modified by anyone else.

Create a blank Word document and name it Access_Review_yyyymmdd.docx. For this procedure you will be doing screen captures and saving them in Word. 

1. Review and verify Site Collection Administrators

Site collection administrators have full control over the entire site collection. They reside outside any SharePoint group and are added directly as individual accounts (an existing AD security group cannot be used). SCAs should be limited to 2-3 people.

Go to your site, select the gear icon > Site permissions > Advanced permissions settings > Site Collection Administrators

Adjust if necessary. Take a screenshot and save it to your Word document.

2. Review groups and membership 

Check your SharePoint groups and verify their membership.

Go to your site, select the gear icon > Site information > View all site settings > People and Groups > More….

A list of all the groups used within your site collection (including subsites where inheritance may be broken) will be displayed.


Validate that these are the groups you expect and that nothing looks unusual. Only groups should be listed here; there should be no individual users at this level. Take a screenshot and save it to your document. Then click on each group and review its membership:

Screenshot the membership of each group. Remove unauthorized users or members who may have left the team by checking off the boxes beside the users. Select Actions > Remove Users from Group.

3. Review access 

For each group identified in step 2, verify the permission level assigned to it. Within the People and Groups area, click on a group name, then select Settings > View Group Permissions.


This shows every permission the group holds across the site collection, including each location where inheritance has been broken. The less you break inheritance, the easier your access review will be.

For each group, verify that the URLs are appropriate and the permission levels are accurate. A separate URL appears wherever inheritance has been broken. In the example, the BI subsite and the Discussion board on the DM Hub subsite have unique permissions, which is why there are two separate line items. If you never break inheritance, only one URL should be listed.


Check that unique permissions are set only at the subsite or list level. Individual files should not be listed. In the example, a single file has its own permissions. This is not a best practice, because item-level permissions quickly become complex to manage.


In this case, you can fix it by going to the affected library and reviewing the item's permissions. In this example, there was no reason for that image to have separate permissions.

To clean it up, click into the library, right-click the item > Manage access > Advanced > Delete unique permissions to restore inheritance. 


Once cleaned up, re-open View Group Permissions: the report no longer lists the individual file.

Save this to your Access Reviews library. Screenshot the permissions for each group in your site collection, save them in a document named with the date of review, and upload it to your Access Reviews library.
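The checks in steps 1 to 3 are mechanical once the SCA list, group membership and the View Group Permissions rows have been transcribed, so they can be applied to the transcription rather than by eye. The script below is an added example and is not part of this page or of SharePoint; it runs over constructed data shaped like those three listings (the site URL, group names, user names and leaver list are all made up) and reports the findings a reviewer would act on: too many SCAs, a group nobody expected, a member who has left, an individual granted access at the site root, and a permission scoped to a single file. Limited Access rows are skipped because SharePoint assigns them automatically. The file-extension test is a heuristic assumption, not something SharePoint exposes.

```python
"""Checks a reviewer would apply in steps 1-3, run over a transcribed snapshot.

Added example, not part of the original page or of SharePoint itself. The data
below is constructed to look like the SCA list, the People and Groups listing
and the View Group Permissions rows; nothing in it is a real tenant.
"""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse
import posixpath

MAX_SCAS = 3  # page guidance: site collection administrators limited to 2-3 people

# Heuristic (assumption): these extensions mark an individual file, not a subsite, library or list.
FILE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".png", ".jpg", ".jpeg", ".txt"}


@dataclass
class PermissionRow:
    principal: str     # group or user name as shown in the listing
    url: str           # scope the permission applies to (site, subsite, list or item)
    level: str         # Full Control, Edit, Read, Limited Access, ...
    is_group: bool = True


@dataclass
class SiteSnapshot:
    site_url: str
    sca: List[str]                   # step 1: site collection administrators
    groups: Dict[str, List[str]]     # step 2: group name -> members
    expected_groups: Set[str]        # groups the owner knows should exist
    departed_users: Set[str]         # constructed leaver list to check membership against
    rows: List[PermissionRow]        # step 3: View Group Permissions rows


def looks_like_file(url: str) -> bool:
    """Heuristic: the last path segment carries a document or image extension."""
    path = urlparse(url).path.rstrip("/")
    return posixpath.splitext(path)[1].lower() in FILE_EXTENSIONS


def review(snap: SiteSnapshot) -> List[str]:
    """Return one finding per item the reviewer must act on."""
    findings: List[str] = []
    root = snap.site_url.rstrip("/")

    # Step 1: SCAs have full control everywhere; keep the list short.
    if len(snap.sca) > MAX_SCAS:
        findings.append(f"SCA: {len(snap.sca)} administrators listed, guidance is at most {MAX_SCAS}")

    # Step 2: only expected groups, and only current members in them.
    for name in sorted({r.principal for r in snap.rows if r.is_group} - snap.expected_groups):
        findings.append(f"GROUP: unexpected group '{name}' holds permissions")
    for name, members in snap.groups.items():
        for member in members:
            if member in snap.departed_users:
                findings.append(f"MEMBER: '{member}' in '{name}' has left; remove from group")
    # Individuals should not appear at the site level; access goes through groups.
    for r in snap.rows:
        if not r.is_group and r.url.rstrip("/") == root:
            findings.append(f"DIRECT: '{r.principal}' has {r.level} directly at the site root")

    # Step 3: unique permissions belong at subsite or list level, never on a single file.
    for r in snap.rows:
        if r.level == "Limited Access":
            continue  # assigned automatically by SharePoint, not something to act on here
        if looks_like_file(r.url):
            findings.append(f"ITEM: '{r.principal}' has {r.level} on file {r.url}; restore inheritance")
    return findings


def scopes_per_group(snap: SiteSnapshot) -> Dict[str, int]:
    """Distinct URLs per group, ignoring Limited Access; 1 means inheritance was never broken."""
    counts: Dict[str, Set[str]] = {}
    for r in snap.rows:
        if r.is_group and r.level != "Limited Access":
            counts.setdefault(r.principal, set()).add(r.url.rstrip("/"))
    return {g: len(urls) for g, urls in counts.items()}


ROOT = "https://contoso.example/sites/hub"  # constructed site collection URL
SAMPLE = SiteSnapshot(
    site_url=ROOT,
    sca=["alice@contoso.example", "bob@contoso.example", "carol@contoso.example", "dan@contoso.example"],
    groups={
        "Hub Owners": ["alice@contoso.example", "bob@contoso.example"],
        "Hub Members": ["erin@contoso.example", "frank@contoso.example"],
        "Hub Visitors": ["grace@contoso.example"],
    },
    expected_groups={"Hub Owners", "Hub Members", "Hub Visitors"},
    departed_users={"frank@contoso.example"},
    rows=[
        PermissionRow("Hub Owners", ROOT, "Full Control"),
        PermissionRow("Hub Members", ROOT, "Edit"),
        PermissionRow("Hub Members", ROOT + "/bi", "Edit"),                          # subsite with unique permissions: fine
        PermissionRow("Hub Visitors", ROOT, "Read"),
        PermissionRow("Hub Visitors", ROOT + "/dmhub/Lists/Discussion", "Read"),     # list level: fine
        PermissionRow("Legacy Project Team", ROOT + "/bi", "Edit"),                  # group nobody expected
        PermissionRow("erin@contoso.example", ROOT, "Contribute", is_group=False),   # individual at the root
        PermissionRow("Hub Visitors", ROOT + "/Shared Documents/logo.png", "Read"),  # item level: not best practice
        PermissionRow("Hub Visitors", ROOT + "/Shared Documents", "Limited Access"), # auto-assigned for logo.png
    ],
)

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
    print(scopes_per_group(SAMPLE))
```

Run as-is it prints five findings and the per-group scope counts; Hub Visitors shows three scopes (root, the discussion list and the single file), which drops to two once the file's unique permissions are deleted as described above. To use it on your own site, replace SAMPLE with what you transcribed from the three listings.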

What is Limited Access? 

While conducting your reviews, you may encounter a permission level called Limited Access.


The Limited Access permission level is different, as it is not a true permission level that you assign. It appears when permission inheritance is broken. This level is assigned when you provide access to a specific item. You cannot assign Limited Access directly to a user or group. Instead, when you assign, edit, or open permissions on a single item, SharePoint automatically assigns Limited Access to the other locations it requires, such as the site or library in which the item is located, so that the user can navigate to the item.

There is no easy way of telling why the unique permissions were granted, who set them up, which child objects they apply to, or whether they are still needed. This is another reason to avoid breaking inheritance on individual items. For more information, see limited access permission.