Group-Level VIEW ONLY Permissions
While I'd like to see some more granular permissions in general, I would like to see at a minimum a VIEW ONLY option assigned to users in a Group / Plan.
Right now everyone is a contributor and everyone can do everything, but there are lots of situations where we want to give situational awareness to certain users, but not let them edit group documents, or potentially delete things (not out of malice, but just unawareness).
You already get at least the basic Viewer/Contributor model on most other services, like SharePoint team sites, Yammer groups, almost all of the project management tools, etc.
you can do this in SharePoint today (i.e. put all members into Read Only permission bucket)
Face it everyone, the whole office365 groups thing was a rushed feature, poorly thought out. The idea that all people involved in a project are going to be allowed to have the same permissions to to all data within the project is nonsensical in many many environments.
Add to that the different security models of the different apps (e.g., SharePoint with it's own internal groups and users) and the issue is just getting worse.
My users are already making a hash of this - realisticly we'll probably have to move ownership back to IT... which is kinda backwards from the intent eh?
The idea of creating a 'collection' of some kind, which grouped synergistic apps together was sound, but perhaps that should have been separate to the existing azureAD groups, and allowed existing groups to be used for permissions.
Perhaps even a set of standard groups (files r/o, files r/w, cal r/o, cal r/w) created with each parent team ( which maybe could have been something more like an ou? ), and a clear mechanism for owners to create new special case groups.
Why is it assumed that anyone that has access to a Group needs write access !! For governance, audit, or internal informational purposes a read/view only access ensures that those that that just need to read do not delete/edit/or generally mess things up by mistake. Not all our users are technically minded, nor do they have to be. Collaboration has more than one definition !!
Try this instead = This does not work completely as expected. For instance, If we move all members to Read only permission (Visitors group) on Public Office 365 groups. technically , Read only users in Public Office 365 group can elevate permission by adding themselves as Member by clicking "Add Members" button.
Try this instead = B.S. In a SharePoint Communication site you can have visitors but with a SharePoint Team site associated with an Office 365 group you cannot, it's either full member, owner or guest (external to the org). It would be great to have visitor (internal to the org and read-only) access for all things Office 365 Group including the SharePoint Team site and associated Planner board.
Tom Castiglia commented
The "Try this instead" won't work if in cases where users need to access Group resources (e.g. a Planner Plan) in addition to SharePoint content. A user who is on the SharePoint Visitors group as well as a member of the associated O365 group will still end up with Edit permissions.
This is possible in SharePoint, how about other apps like planner and teams. We're wanting to use Planner to publicise department projects but wouldn't want anyone other than selected staff to be able to modify the items or buckets.
The same for teams, we'd like read-only channels (replies would be acceptable) for things such as company announcements.
Nathalie Schiltz commented
I fully agree with Phentrin comment. O365/Yammer group members should have "contribute" (and not edit) permission in the sharepoint group site by default. This will be mandatory when e.g. all Yammer uploaded content will be stored on the sharepoint group site.
The "manual" workaround proposed by Admin does not fly, we cannot ask all group admins to change sharepoint permission settings to assign proper permission to group members, please make it automatic and easy for group owners, thanks!
This is really a must have feature for Governance perspective.
Users are creating lot of Groups, and every members have permissions to Edit the Home Page of the SharePoint Online Modern Site.
It would be great to let them only Add content on the Documents Library but not modified SitesPages.
Bastian Diederich commented
We would be really interested in read only permissions due to our internal governance. Is there any update on this topic or can we only use the workaround in SharePoint?
This topic has been dead for over a year. We really need the ability to at least designate some group members as being "read-only". Can anyone at Microsoft help us to do this more efficiently?
As proposed by Admin here in 28 April, 2017, if go with that solution, user will need to work in two different places (O365 Group and SharePoint Group) to grant permission. This give confusion and not user friendly approach. If O365 Group shall be the future membership service to manage permission across different resources in Office 365, the Read permission shall be made available at O365 Group level. The owner of the O365 Group shall only need to manage the permission at one place. If there are more granular permission required for specific document library or subsite in a Team Site, then user can continue use the SharePoint Group to do granular permission setup. The default resources like Team Site, Teams, PowerBI, Planner etc that belong to a O365 Group shall have Full Control, Edit and Read these three different permission as minimum. Really hope this can be considered by Microsoft.
Mary Ann Kowalczyk commented
Is the functionality to set files Read Only for Yammer set up yet? Will it ever be set up this way or will we always have to use SharePoint. Even in Teams we cannot do this unless we set up a subsite. My company is moving towards Teams and Yammer sites... but we have to use SharePoint to have read only files. Why can't this be available for Teams and Yammer too?
Jesús Achaerandio commented
For SharePoint Online, The permission level change for a group include only three (Edit, Read and Full Control) and is not covering all the possible levels.
Carlos Miyares IV commented
1) Log into your SharePoint site library
2) Click the gear in the top right corner
3) Click Site Permissions
4) Under Site members click the word "edit"
5) Enable Read This should allow the members of the Group Read only permission.
Ben Patrick commented
Ability to have a Read Only/Comment only function for Yammer and Planner. I'd like to use Yammer as an online noticeboard for the company and use Planner as a holiday and events calendar. Problem is everyone can edit planner and post in Yammer. Want the ability to lock the Planner and the uploading documents/creating posts to a select few people (admins), then everyone else can only comment on posts if its a public group, or only members can if it's a private group
Samuel Lockett commented
Below are the steps I used to set these permissions for read/write group and read only group.
-=:Setup Read Only Access for O365 Groups:=-
1. Setup a security group like TestGroupROG
2. Create regular O365 Group and add members that can read/write
3. Go into the group's Documents -> Click on the Gear -> Site Permissions -> Advanced Sharepoint Permissions
Note: You can go straight to the permissions through this link by changing the Group Name: https://domain.sharepoint.com/sites/TestGroup/_layouts/15/user.aspx
4. Click Grant Permissions -> (You will see Invite people) Type in name of person or group you want to have read only permissions -> Click "More Options"
Select the permission level [Read] and click Share
I am sure this would be a breeze with powershell if you need multiple groups.
New-MsolGroup -DisplayName “Test Security Group”
Rob U. commented
Hi, could someone confirm at MS confirm where you are with this please? There is a very real need for more granular permissions on Office 365 groups
Patrick Smalley commented
Where is this at? In 2016 you guys were working on it...
We could really use this management of groups.
Although I get the idea of collaboration, a Group owner should be able to at the very least, control what GUEST users can do simply and easily - in particular, to set them read-only. It's just common sense.
I get the idea is to allow quick collaboration but there are so many scenarios where read-only is going to be desired (presenting HR docs to staff as one example). I would ask is Microsoft trying to move away from traditional (classic) team sites? If so then having more granular ability to control permissions is going to be important to meet various use cases.