BG Beter Geregeld ICT
Microsoft 365 & Entra ID · 2 min read · 05 November 2025

SharePoint permissions: why they spiral out of control and how to tame them

SharePoint is where SMBs suffer the most unintentional data leaks: folders visible to "everyone in the company" when they were meant to stay internal. Here are the mental models you need.

SharePoint permissions are layered — what applies at site level differs from what applies at library, folder, or individual file level. That layering is both its strength and the reason things go wrong.

The 3 layers

  1. Site level: who has access to the site at all. Three roles: Owner, Member, Visitor.
  2. Library/list level: custom permissions per document library.
  3. Item level: individual files or folders with their own permissions.

Why things spiral out of control

  • People click "Anyone with the link" in the Share dialog. That creates an anonymous link.
  • "Everyone in your organisation" sounds internal — but in some configurations it includes guests.
  • Broken inheritance: item-level exceptions to inherited permissions that nobody keeps track of.
  • Orphaned permissions: someone has left but their permissions are still in place.

Hygiene

  • Set the default sharing to "only people you specify". Reserve "Anyone with the link" for explicit requests.
  • Review every quarter: sites with > 50 members. Still relevant?
  • Check for inherited-permission exceptions: "View permissions" → "Advanced".
  • Consider DLP policies for sensitive file types (payslips, contracts).
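
The first two hygiene items can be checked from the SharePoint Online Management Shell. The script below is an added example, not part of the original article; it is read-only, and the tenant URL and the variable names are placeholders chosen for illustration.

```powershell
# Added example: read-only audit with the SharePoint Online Management Shell
# (module Microsoft.Online.SharePoint.PowerShell), run as a SharePoint admin.
$AdminUrl        = 'https://contoso-admin.sharepoint.com'  # placeholder tenant
$MemberThreshold = 50                                      # threshold from the review item above

Connect-SPOService -Url $AdminUrl

# 1. Tenant defaults: which link type does the Share dialog preselect?
$tenant = Get-SPOTenant
$tenant | Format-List SharingCapability, DefaultSharingLinkType, ShowEveryoneClaim

if ($tenant.DefaultSharingLinkType -ne 'Direct') {
    # 'Direct' = specific people; 'Internal' = people in the organisation;
    # 'AnonymousAccess' = anyone with the link.
    Write-Warning "Default link type is '$($tenant.DefaultSharingLinkType)', not 'Direct'."
}
if ($tenant.ShowEveryoneClaim) {
    # The 'Everyone' claim also covers guests who have accepted an invitation.
    Write-Warning "'Everyone' is offered in the people picker and includes guests."
}

# 2. Per site: are anonymous links allowed, and how many users does it have?
$report = foreach ($site in Get-SPOSite -Limit All) {
    $userCount = $null
    try {
        # Counts every user known to the site (an approximation of "members").
        $userCount = @(Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop).Count
    } catch {
        # Typically access denied: the admin is not a site collection admin here.
        Write-Verbose "Could not read users of $($site.Url): $_"
    }
    $anonymous = $site.SharingCapability -eq 'ExternalUserAndGuestSharing'
    [pscustomobject]@{
        Url               = $site.Url
        SharingCapability = $site.SharingCapability
        AnonymousLinks    = $anonymous
        UserCount         = $userCount
        NeedsReview       = $anonymous -or ($userCount -gt $MemberThreshold)
    }
}

# Sites to put on the quarterly review list, largest first.
$report | Where-Object NeedsReview |
    Sort-Object UserCount -Descending |
    Format-Table -AutoSize
```

Nothing is changed by this script. Changing the default is a separate, deliberate step: `Set-SPOTenant -DefaultSharingLinkType Direct`.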

Retention + permissions

Retention policies determine how long something is kept. Permissions determine who can see it. The two are independent — a document that must be retained under policy but is visible to everyone is still a leak. See retention policies.

See also: OneDrive sharing policy, M365 pillar.

Topics

#m365 #sharepoint #permissions #data-leaks

Full guide: Microsoft 365 governance for SMBs — pragmatic, not perfectionist

This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the complete picture.