Introduction
This article provides step-by-step instructions to configure a SharePoint Online (SPO) site with custom permissions that specifically address the use cases listed below. If the use cases presented here do not apply to your scenario, additional information can be found in the following KB article, How to work in Microsoft 365 (M365) with sensitive or highly sensitive data.
Use Case Specifics
- Students/Personnel who need to view and edit files, but cannot be allowed to delete them
- Students/Personnel who are required to sync files with their local machine for analysis and modification using the OneDrive Sync Client. This assumes that local machines are compliant with all applicable policies, regulations, and procedures.
- Students/Personnel who are required to check files in and out to avoid accidentally overwriting each other’s work
- SPO site owners are the only personnel permitted to share files
Instructions
If you are using or intend to use Microsoft Teams for collaboration to benefit from chat and online meeting capabilities, then, for the use cases listed above, we recommend that you create a separate SharePoint site to act solely as a file repository. Applying some of the configurations identified in this article to your Teams SharePoint site could cause your Team to malfunction.
Creating a new SPO site
To provision a department-owned and department-managed SharePoint site, request the item at SharePoint Site Collection.
- Request a SharePoint site at Departmental Team, SharePoint Site, or M365 Group (vt.edu).
- Select the Team site type
Creating a custom SPO permission for students/personnel
This configuration will allow you to define permissions for students/personnel who will need the ability to view and edit files, but not be allowed to delete them.
In this section, we will complete three configuration steps:
- Create a new permission level with edit but without deletion
- Create a new group and assign the new permission level to that group
- Set our new group as the default group for new members to the SPO site
Create a new permission level with edit capability but without deletion capability
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click the Gear icon in the top right.
- Select the Site permissions menu item.
- Select the Advanced permissions settings menu item.
- Select the Permission Levels menu item from the top toolbar.
- Select the Edit list item.
- Scroll to the bottom and click the Copy Permission Level button.
- Enter "Edit No Deletion" or a descriptive name of your choice into the Name: text box.
- Uncheck the Delete Items and Delete Versions checkboxes.
- Click the Create button at the bottom of the screen.
Create a new group and assign the new permission level
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click the Gear Icon in the top right.
- Click the Site Permissions menu item.
- Select the Advanced permissions settings menu item.
- Click on the Create Group menu item in the toolbar at the top.
- Enter the text "Edit No Deletion" or a descriptive name of your choice into the Name: text box. It is recommended that the name match the permission level, so that the owner can easily see which permissions a group grants when assigning a new member to it.
- At the bottom of the page, select the permission level you created earlier, which in this screenshot is named "Edit No Deletion".
- Click the Create button.
Set our new group as the default group for new members to the SPO site
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click the Gear icon in the top right.
- Select the Site permissions menu item.
- Select the Advanced permissions settings menu item.
- Select the link of the new group you just created.
- Click the Settings menu item at the top of the screen.
- Click the Make Default Group item.
From now on, add new members of the site to this group to give them edit ability with no deletion ability. Because it is the default group, new members will automatically be added to it.
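The three steps above can also be scripted and then verified by reading the settings back from the site. This is an added example, not part of the original article; it assumes the PnP.PowerShell module, site-owner rights, and an English-language site where the built-in level is named "Edit". The site URL and client ID are placeholders.

```powershell
# Added example. Assumes the PnP.PowerShell module and site-owner rights.
# $SiteUrl and $ClientId are placeholders, not values from this article.
$SiteUrl  = 'https://contoso.sharepoint.com/sites/FileRepository'
$ClientId = '<entra-app-client-id>'
$Name     = 'Edit No Deletion'   # used for both the level and the group

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# 1. Copy the built-in Edit level without Delete Items / Delete Versions.
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $Name)) {
    Add-PnPRoleDefinition -RoleName $Name -Clone 'Edit' `
        -Exclude DeleteListItems, DeleteVersions | Out-Null
}

# 2. Create the group and assign it the new permission level.
if (-not (Get-PnPGroup | Where-Object Title -eq $Name)) {
    New-PnPGroup -Title $Name | Out-Null
}
Set-PnPGroupPermissions -Identity $Name -AddRole $Name

# 3. Make the group the site's default members group.
Set-PnPGroup -Identity $Name -SetAssociatedGroup Members

# Verification: re-read the settings instead of trusting the calls above.
$role = Get-PnPRoleDefinition -Identity $Name
# PowerShell converts each string to the PermissionKind enum for Has().
$leaked = 'DeleteListItems', 'DeleteVersions' | Where-Object {
    $role.BasePermissions.Has($_)
}
$granted = (Get-PnPGroupPermissions -Identity $Name).Name
$extra   = $granted | Where-Object { $_ -ne $Name }
$default = (Get-PnPGroup -AssociatedMemberGroup).Title

if ($leaked)  { Write-Warning "Level still grants: $($leaked -join ', ')" }
if ($extra)   { Write-Warning "Group also holds: $($extra -join ', ')" }
if ($default -ne $Name) { Write-Warning "Default members group is '$default'" }
if (-not $leaked -and -not $extra -and $default -eq $Name) {
    Write-Output "'$Name' is configured as described."
}
```

The verification half can be rerun on its own after any later permission change, since a group that also holds the original Edit level would regain delete rights.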
Syncing files with local machines using the OneDrive Sync Client
Before continuing, make sure the OneDrive Sync Client is running on the local machine and working with OneDrive; syncing will not work without it.
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click on the Documents menu item in the Navigation menu. This will bring you to your document library.
- Select the Sync item in the toolbar.
- Select the Sync now link.
Checking files in and out to avoid accidentally overwriting others’ work
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click on the Documents menu item in the Navigation menu. This will bring you to your document library.
- Click the Gear icon at the top right.
- Click the Library settings link.
- Select the Version Settings link.
- Select the Yes radio button under the Require documents to be checked out before they can be edited? setting.
- Click the OK button.
Limiting file sharing to the SPO site owners only
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click on the Gear icon in the top right.
- Click on the Site permissions link.
- Click on the Change how members can share link.
- Select the Only site owners can share files, folders, and the site radio button.
- Click the Save button.
Marking files for deletion
If members of your site who cannot delete files still need a way to mark documents for deletion, you can use the following approach, called “Enterprise Keywords”.
Activating Enterprise Keywords
To activate Enterprise Keywords for your SPO site, do the following:
- From Microsoft 365 Online, select the SharePoint App.
- Go to your SharePoint site.
- Click on the Documents menu item in the Navigation menu.
- From the Document Library screen, select the Gear icon in the toolbar on the top right of the screen.
- Click the Library Settings link.
- Select the Enterprise Metadata and Keywords Settings option.
- Check the Add an Enterprise Keywords column to this list and enable Keyword synchronization box.
- Click the OK button.
- Click on the Documents menu item in the Navigation menu to get back to the top of the document library.
- Select the All Documents drop down.
- Select the Edit current view menu option.
- Find and check the Enterprise Keywords box.
- Click the OK button.
Marking an item for deletion
- Click the Edit in Grid View item in the document library with nothing else selected.
- Once the page refreshes, click the cell in the "Enterprise Keywords" column next to the item you want to mark for deletion.
- Type the agreed-upon keyword to indicate deletion, such as “delete”.
- Click the Exit quick edit menu item to save the keyword.
Searching for marked items
- Give the site a little time to learn the keyword; it needs to re-index your site on this keyword.
- If you just type the keyword into the search box, it will return all tagged results as well as files that contain the word. However, if you specify the column, it will only return your tagged results. For example, “[Enterprise Keywords]:delete” will only return the files and folders you tagged with that keyword in that column.