This article is part 1 of a 3-part series:

Actions on SharePoint Online site collection

On the SharePoint Online side, some actions are available at the site level:

Create a security group

From the root site, click on “Create Group”.

The configuration page lets you provide the following information:

  • Name
  • About (optional)
  • Owner
  • Who can view the membership of the group? Group Members / Everyone
  • Who can edit the membership of the group? Group Owner / Group Members
  • Allow requests to join/leave this group? Yes / No

As in the web interface, the “Permission Selection” lets you select the permissions assigned to the group at the site level.

The preview screen recaps the changes that are going to be made on your site collection.

Click Finish to create the group, apply security and add members to the group in just one click!

Grant permissions

A quick function lets you grant permissions to a user, but it is strongly recommended to add users to an existing group rather than assign direct permissions.

Break role inheritance

As in other products, objects that have unique permissions are shown with a different icon.

We can of course restore permissions so that the object inherits the site permissions again.

Group management

From any object (site/sub site/document library/ list) you will find the following options:

  • Edit permissions, a group can have different permissions once the object has unique permissions.
  • Remove permissions, delete the permissions of this group on the selected object
  • Add Members, add new user/AD group to the selected SharePoint Group
  • Delete Group, remove group from the site
  • Edit Group Setting, go to group settings page.

User management

When you select a user from a group or directly from your root site, these are the interesting options:

  • Move to group, move the selected user to a SharePoint group. The user will lose all directly given permissions.
  • Remove user from group, Remove the selected user from the group.
  • Clone Permissions, Copy permissions and group memberships of the currently selected principal to a different one.
  • Copy to group, Copy user or AD group to SharePoint group.
  • Delete User, Delete the selected user from the site collection.

Conclusions

With all these features, admins won’t have any excuse for a SharePoint permission headache when working with both SharePoint Online site collections and Office 365 Groups.

Some best practices to remember when you design or redesign your permissions:

Best practices for SharePoint security design — as much as possible: 

  • Establish a clear hierarchy of permissions and inherited permissions
  • Arrange sites (webs) and sub-sites, and lists and libraries so they can share most permissions
  • Break permission inheritance as infrequently as possible
  • Assign permissions at the highest possible level
  • Minimize unique and fine-grained permissions
  • Avoid security design for large list/library in which all or most content must be uniquely secured (item-level)

Best practices for authorizing user access to SharePoint:

  • Do follow the principle of least privilege. Users should have only the permission levels they need to perform their assigned tasks.
  • Do limit the number of people in the Owners (Full Control) group.
  • Do consider using Active Directory (AD) groups for securing SharePoint resources across multiple site collections when a standard set of users require similar access.
  • Do reuse existing organizational role-based AD groups where feasible rather than creating new AD groups just for SharePoint.
  • Don’t assign permissions directly to individual users.  Instead add user as member of appropriate SharePoint group.
  • Don’t grant permissions (to some securable object) via assigning a permission-level directly to an individual user.  Instead, always grant individual user permissions by selecting a SharePoint group to add them into. Then, the user simply inherits the permission-level of their group membership.
  • Don’t assign permissions directly to AD groups. Instead add AD group as member of SharePoint group.
  • Don’t customize the default permission-levels. Instead create new custom permission-levels, if required.

(Src: https://blogs.technet.microsoft.com/marj/2015/07/05/best-practices-for-authorizing-user-access-to-sharepoint-sites-using-sharepoint-groupspermissionsinheritance/)
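
The best practices above can be checked against an export of role assignments. The following is an added example, not code from the tool or from the cited source. The record layout is an assumption: the "Scope", "UniquePerms" and "Assignments" keys are hypothetical, the data is constructed, and only the PrincipalType values (1 user, 4 security group, 8 SharePoint group) are SharePoint's own.

```python
# Added example: flag role assignments that go against the best practices above.
# Assumption: each record describes one securable object (site, library, list);
# objects that inherit permissions carry an empty "Assignments" list.

# SharePoint PrincipalType values
USER, SECURITY_GROUP, SHAREPOINT_GROUP = 1, 4, 8

# Constructed sample data (not from a real tenant).
SAMPLE = [
    {"Scope": "/sites/hr", "UniquePerms": True, "Assignments": [
        {"Member": {"Title": "HR Owners", "PrincipalType": 8}, "Roles": ["Full Control"]},
        {"Member": {"Title": "HR Members", "PrincipalType": 8}, "Roles": ["Edit"]},
    ]},
    {"Scope": "/sites/hr/Payroll", "UniquePerms": True, "Assignments": [
        {"Member": {"Title": "alice@contoso.example", "PrincipalType": 1}, "Roles": ["Full Control"]},
        {"Member": {"Title": "CONTOSO\\Finance", "PrincipalType": 4}, "Roles": ["Read"]},
    ]},
    {"Scope": "/sites/hr/Policies", "UniquePerms": False, "Assignments": []},
]

def audit(objects, root="/sites/hr"):
    """Return (scope, rule, principal, roles) tuples, one per finding."""
    findings = []
    for obj in objects:
        scope = obj["Scope"]
        # The root site always owns its permissions; only report breaks below it.
        if obj["UniquePerms"] and scope != root:
            findings.append((scope, "BROKEN_INHERITANCE", "", ()))
        for a in obj["Assignments"]:
            kind = a["Member"]["PrincipalType"]
            who, roles = a["Member"]["Title"], tuple(a["Roles"])
            if kind == USER:
                # "Don't assign permissions directly to individual users."
                findings.append((scope, "DIRECT_USER", who, roles))
            elif kind == SECURITY_GROUP:
                # "Don't assign permissions directly to AD groups."
                findings.append((scope, "DIRECT_AD_GROUP", who, roles))
    return findings

if __name__ == "__main__":
    for scope, rule, who, roles in audit(SAMPLE):
        print(f"{rule:20} {scope:20} {who:24} {', '.join(roles)}")
```

Each finding names the object to fix: move the principal into a SharePoint group, or restore inheritance where the break is not needed.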