Unique permissions for Restricted/Confidential Data
1. Why do we need “Unique Permissions”?
- ISDM Policy provides that “restricted” or “confidential” data are intended for use only by specific groups of authorised personnel within the University and its business partners.
Data Stewards shall assign permissions on a need-to-know basis and create/manage these specific groups.
- By default, permissions in the DDAS organisation structure are inherited from the parent folders, which may give access to Data Users who have no need for it.
2. Steps in managing “Unique Permissions”
- Create new SharePoint group
- Create specific folder
- Stop inheritance
- Assign access rights to the specific folder
- Remove the unnecessary access rights
3. Create new SharePoint group
3.1 Log in to the DDAS SharePoint site. Click the “gear wheel” icon and then “Site settings”.
3.2 In “Site Settings” page, select “People and groups”.
3.3 Select “Groups” and then “New”.
3.4 Fill in the following information to create the new group.
- Name: SharePoint group name
- About me: description of the SharePoint group
- Group owner (who can add/remove membership): group owner’s email address
- Who can view the membership of the group? Suggested value: Group Members
- Who can edit the membership of the group? Suggested value: Group Owner
- Allow requests to join/leave this group? Suggested value: No
- Keep other default values (all unchecked) for “Choose the permission level group members get on this site …”.
- Press button “Create” to create the new SharePoint group.
3.5 You may now add members to the newly created SharePoint group, e.g. “DS-Operator” in the following example.
Enter the members by their HKU Portal IDs. You may leave “Send an email invitation” unchecked.
Press “Share” when you have finished entering the members.
4. Create specific folder
4.1 Log in to DDAS and open your document library and the corresponding folder, e.g. “https://isdm.workspace.hku.hk/sites/XXXX/SL1/confidential”, where “XXXX” is the department abbreviation code.
4.2 Select the tab “FILES” and press button “New Folder”.
4.3 Input the name of specific folder, e.g. “Test-folder”, and then press “Save”.
4.4 The new folder will be created, e.g. “Test-folder”.
5. Stop inheritance
5.1 For the newly created folder, e.g. “Test-folder”, press “…” -> “…” -> “Shared with”.
5.2 Press “Advanced” when the dialogue box is shown.
5.3 Press button “Stop Inheriting Permissions”.
5.4 At this point the newly created folder, e.g. “Test-folder” above, is using unique permissions. You may continue with the next section.
If for any reason you want to return to inherited permissions, press the button “Delete unique permissions” to revert to the default setting. Note that this discards every permission assigned to the folder in sections 6 and 7 and re-applies the parent folder’s permissions.
6. Assign access rights to the specific folder
6.1 Press “Grant Permissions”.
6.2 Assign corresponding rights to the newly created SharePoint group, e.g. “DS-Operator”.
Press “Show options” and uncheck “Send an email invitation”.
Suggested permission level:
- Data Owner/Steward: Full control
- Data Custodian: Edit
- Data User: Contribute
7. Remove the unnecessary access rights
7.1 Select the groups whose permissions are unnecessary for this folder, e.g. “CG1” and “UG1”.
7.2 Press “Remove User Permissions” and then “OK” if you are sure you want to remove the SharePoint group permissions. Do not remove the group that holds Full Control for the Data Owner/Steward, or you will lose the ability to manage the folder.
7.3 The resulting unique permissions will be displayed. Verify that the assigned permissions are correct, i.e. only the intended groups remain and each has the expected permission level. Entries shown as “Limited Access” on the parent folders and the library are added by SharePoint automatically so that members can navigate to the folder; leave them in place.
The assignment of unique permissions has now been completed. Please note that files or sub-folders created in the above folder will inherit the newly created unique permissions, and that Site Collection Administrators retain access to the folder regardless of these settings.
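The five steps above, scripted with PnP PowerShell so that a Data Steward can apply and then verify unique permissions repeatably. This is an added example and not part of the ITS guide; it assumes the PnP PowerShell module is installed, that the account used can sign in to the site with credentials, and that the site URL (“XXXX”), library “SL1”, folder, group, owner and member logins below are placeholders to be replaced with real values.

```powershell
<#
  Added example (not from the ITS guide): sections 3-7 of the procedure as a script.
  ASSUMPTIONS: PnP PowerShell is installed; all URLs, names and logins are placeholders.
#>
param(
    [string]   $SiteUrl        = "https://isdm.workspace.hku.hk/sites/XXXX",
    [string]   $Library        = "SL1",                 # document library
    [string]   $ParentFolder   = "confidential",        # folder under the library
    [string]   $FolderName     = "Test-folder",         # folder that gets unique permissions
    [string]   $GroupName      = "DS-Operator",
    [string]   $GroupOwner     = "steward@hku.hk",      # placeholder login of the Data Steward
    [string[]] $Members        = @("operator1@hku.hk"), # placeholder member logins
    [string]   $RoleForGroup   = "Edit",                # section 6: Data Custodian level
    [string[]] $GroupsToRemove = @("CG1", "UG1")        # section 7: inherited groups to drop
)

Connect-PnPOnline -Url $SiteUrl -Credentials (Get-Credential)

# Section 3: create the SharePoint group (reused if it already exists) and add members.
# Join/leave requests and member-edit rights stay disabled (cmdlet defaults); only members
# can view the membership, matching the suggested values in 3.4.
$group = Get-PnPGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-PnPGroup -Title $GroupName -Description "Unique permissions for $FolderName" `
        -Owner $GroupOwner -OnlyAllowMembersViewMembership
}
foreach ($login in $Members) { Add-PnPGroupMember -Group $GroupName -LoginName $login }

# Section 4: create the folder inside the library and fetch its list item.
Add-PnPFolder -Name $FolderName -Folder "$Library/$ParentFolder" -ErrorAction SilentlyContinue | Out-Null
$folderUrl = "$Library/$ParentFolder/$FolderName"
$item = (Get-PnPFolder -Url $folderUrl -Includes ListItemAllFields).ListItemAllFields

# Section 5: stop inheriting. copyRoleAssignments=$true keeps the inherited entries, exactly
# as "Stop Inheriting Permissions" does in the UI, so nobody is locked out before section 7.
$item.BreakRoleInheritance($true, $false)
Invoke-PnPQuery

# Section 6: grant the new group its permission level on the folder.
Set-PnPListItemPermission -List $Library -Identity $item -Group $GroupName -AddRole $RoleForGroup

# Section 7: remove the inherited groups that have no need for this folder.
$item = Get-PnPListItem -List $Library -Id $item.Id
Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
foreach ($name in $GroupsToRemove) {
    $principal = Get-PnPGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $principal) { Write-Warning "Group '$name' not found, skipping"; continue }
    try {
        $item.RoleAssignments.GetByPrincipal($principal).DeleteObject()
        Invoke-PnPQuery
    } catch {
        Write-Warning "Group '$name' had no permission entry on $FolderName"
    }
}

# Step 7.3 check: confirm inheritance is broken and list who can reach the folder now.
$item = Get-PnPListItem -List $Library -Id $item.Id
Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
if (-not $item.HasUniqueRoleAssignments) { throw "$FolderName is still inheriting permissions" }
foreach ($ra in $item.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-40} {1}" -f $ra.Member.Title, $roles
}
```

The final loop prints the same table the UI shows in step 7.3; compare it against the suggested levels in section 6 and make sure the Data Owner/Steward group with Full Control is still present before signing off. Run the script with `-WhatIf`-style care: it makes real permission changes, so test on a throwaway folder first.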
Data and Security Team, ITS, 8 May 2018.