Question

I'm trying to wrap my head around the Site Policies and the Site Closure and Deletion in SharePoint Online for non-Self Service created sites. It seems like it is nice in theory but looks like it is easily bypassed.

As an SCA (and global admin in O365), I can go in and create the policies. No problem. I can then assign the policy to the site. Since this Closure and Deletion is under Site Administration, anyone listed in the owner group can simply remove the policy in place by setting it to No Site Policy.

We want to be able to use this feature to enforce retention, but this seems like a gaping security hole. What if any workarounds are out there? Remote CSOM on timers to check and set it every day if it is not found?

This seems to be reinforced here.
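The scheduled check-and-reapply the question floats, as an added example that is not code from the question or answer: a PnP PowerShell script (its cmdlets wrap the CSOM ProjectPolicy API) that records which policy each site collection currently has and re-applies the expected one when an owner has switched it to No Site Policy. The site URLs, policy name and log path are placeholders, and it assumes Get-PnPSitePolicy returns nothing when no policy is applied.

```powershell
# Added example: daily drift check for the Site Closure and Deletion policy.
# Requires PnP PowerShell. URLs, policy name and log path are placeholders.
$expectedPolicy = 'Retain 5 Years Then Delete'            # placeholder policy name
$sites = @(
    'https://contoso.sharepoint.com/sites/ProjectA',       # placeholder URLs
    'https://contoso.sharepoint.com/sites/ProjectB'
)
$logPath  = 'C:\Logs\SitePolicyDrift.csv'                  # placeholder path
$remediate = $true                                         # $false = report only

$results = foreach ($url in $sites) {
    try {
        # For an unattended scheduled task replace -Interactive with app-only
        # auth (-ClientId/-Tenant/-CertificatePath) so no owner can dismiss the prompt.
        Connect-PnPOnline -Url $url -Interactive
        $current = Get-PnPSitePolicy                       # assumed $null when none applied
        $found = if ($current) { $current.Name } else { '(none)' }

        if ($found -eq $expectedPolicy) {
            $action = 'OK'
        } elseif ($remediate) {
            # Only re-apply when the policy is actually published to this site
            $available = Get-PnPSitePolicy -AllAvailable | Select-Object -ExpandProperty Name
            if ($available -contains $expectedPolicy) {
                Set-PnPSitePolicy -Name $expectedPolicy
                $action = 'REAPPLIED'
            } else {
                $action = 'POLICY NOT AVAILABLE AT SITE'
            }
        } else {
            $action = 'DRIFT DETECTED'
        }
    } catch {
        $found  = '(error)'
        $action = "ERROR: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        Site      = $url
        Expected  = $expectedPolicy
        Found     = $found
        Action    = $action
    }
}

# Append every run to the log; anything other than OK is the detection signal
$results | Export-Csv -Path $logPath -NoTypeInformation -Append
$results | Where-Object Action -ne 'OK' | Format-Table -AutoSize
```

The script restores the policy only at each run, so the CSV is what tells you which site and which day an owner cleared it; it does not technically stop an owner from doing so again in between.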


Solution

By default, Site Owners have Full Control of Site Administration, which is the same on SharePoint Server as SharePoint Online. Being a member of Site Owner means the user is trusted and has the knowledge and ability to create, read, update and delete Site Policies which should be used in Site Closure and Deletion. If you trust the user to be in the Site Owner group, then this shouldn’t be a problem and you can create a company policy for how Site Policies and Site Closure and Deletion are supposed to be used. That doesn’t create a technical restriction for changing the Site Policy themselves, but they violate company policy if they do. That should keep trusted users from changing policies by themselves.

If you want a technical restriction, you need to create a Custom Security Group without Full Control of Site Administration, but that will effectively stop them from other actions as well.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange