Configure Manage Permissions services to define the Manage Permissions service request template for business users. You can choose to allow business users to manage SharePoint groups and manage permissions.
To create or manage services, click Service in the Request Management group within Settings.
On the page for creating or editing a Manage Permissions service, configure the following settings.
For information about common service settings that exist in all types of services, refer to Common Service Settings.
Scope – Expand the tree to select your desired containers or site collections. Business users can submit requests for this service to manage permissions of SharePoint objects (from the site collection level down to the folder/document/item level) within the selected scope.
You can also choose to Use SharePoint Online context to automatically populate the service request scope. Select this checkbox to retrieve and use the SharePoint Online context in the service request scope. For requests triggered from the Site Information Card app part, the URL of the site where the Site Information Card resides will be retrieved. The site URL will be automatically used as the request scope. Choose one of the following options:
Allow Business User to Edit the URL – The site URL will be automatically filled into the text box, and the requester can edit it.
Show as Read-Only to Business User – The site URL will be displayed as read-only, and the requester cannot edit it.
Hide from Business User – The site URL will be hidden from the requester.
People Picker Filter Profile – Select a people picker filter profile if you want to limit the users or groups that requesters can specify when they:
Add SharePoint group owner and members
Grant permissions to users or groups
You can create a people picker filter profile in the modern Cloud Governance admin center > Management > Profiles & templates. For details, refer to Configure People Picker Filter Profiles.
User/Group Scope – Choose how you want to allow requesters to manage users’ and/or groups’ permissions on specific SharePoint objects within the selected scope above. Select one of the following options from the drop-down list:
Users and Groups – Allows requesters to manage permissions of users and Microsoft Entra groups.
Only Users – Only allows requesters to manage permissions of users.
Only Groups – Only allows requesters to manage permissions of Microsoft Entra groups.
Then, choose one of the following options to define the scope of the users and/or groups whose permissions can be managed:
Allow any user/group – Choose this option to allow business users to manage permissions of any user or any Microsoft Entra group.
Allow any user – Choose this option to allow business users to manage permissions of any user.
Allow peers and direct or indirect reports – Choose this option to allow business users to manage permissions of users managed by the requester and users with the same title as the requester.
Allow direct or indirect reports – Choose this option to allow business users to manage permissions of users managed by the requester.
If you select Users and Groups or Only Groups, you can also choose whether to Show members of Microsoft Entra groups. If you enable this option, requesters can see members of Microsoft Entra groups in the request form.
Permissions to Exclude – Choose whether to Exclude specified permissions levels from the request page. With this option enabled, select your desired permission levels by selecting the corresponding checkboxes. When business users grant or edit permissions or create SharePoint groups, the selected permission levels will not be available to business users.
You can also choose to Hide the objects with the excluded permissions. With this option enabled, the users, Microsoft Entra groups, or SharePoint groups that hold an excluded permission level on the request scope will not be shown in the request form.
Note: The displayed permission levels are retrieved from Settings > SharePoint Permission Level Management. If you have custom permission levels, add the permission levels in SharePoint Permission Level Management first.
SharePoint Group Management Options – Choose how you want to allow requesters to manage SharePoint groups. You can enable the following options:
Create SharePoint group
Delete SharePoint group
Manage SharePoint group settings
Manage SharePoint group members
If you select the Create SharePoint group and/or Manage SharePoint group settings checkboxes, complete the following settings:
Group owner – Enter one of the following roles to be assigned as the group owner. By default, the $Requester role is specified as the group owner.
$Requester
$Manager of requester
$Primary site collection contact
$Secondary site collection contact
$Primary site collection administrator
$Primary site contact
$Secondary site contact
Choose whether to allow business users to configure this field in the request form. Choose from the following:
Assign by IT Admin – The user role specified in this service will be assigned as the group owner of the SharePoint group. Select either Show as Read-Only to Business User or Hide from Business User.
Assign by Business User – Allows business users to assign a user or group as the SharePoint group owner when they submit requests for this service.
Who can view the membership of the group – Choose Group members or All users to be allowed to view the membership of the group.
Who can edit the membership of the group – Choose Group owner or Group members to be allowed to edit the membership of the group.
Choose to apply your options for Who can view the membership of the group and Who can edit the membership of the group to requests for this service, or allow business users to configure these settings when submitting requests for this service. Choose from the following:
Assign by IT Admin – The options you selected here will be applied to requests for this service. Select either Show as Read-Only to Business User or Hide from Business User.
Assign by Business User – Allows business users to select the options when submitting requests for this service.
Allow users to request for joining or leaving the group – Choose whether to allow users to request to join or leave the group within SharePoint. Choose Yes or No.
Automatically accept requests – If you chose Yes above to allow users to request for joining or leaving the group, you must choose whether to allow those requests to be accepted automatically. Choose Yes or No.
Send membership requests to the following email address – If you chose No above to not allow requests to be accepted automatically, enter an email address used to receive membership requests in the text box.
Choose whether to apply your options for Allow users to request for joining or leaving the group, Automatically accept requests, and Send membership requests to the following email address to requests for this service. Choose from the following:
Assign by IT Admin – The options you selected here will be applied to requests for this service. Select either Show as Read-Only to Business User or Hide from Business User.
Assign by Business User – Allows business users to select the options when they submit requests for this service.
If you select the Manage SharePoint group members option, choose whether to Send welcome email to new members. With the option selected, select an email template from the drop-down list that will be used to send the notification email.
Permission Management Options – Choose how you want to allow business users to manage permissions. You can enable the following options:
Grant permissions – Select this option to allow business users to grant permissions to users, SharePoint groups, Microsoft Entra groups, or Microsoft 365 Groups.
Edit permissions – Select this option to allow business users to edit permissions of users, SharePoint groups, Microsoft Entra groups, or Microsoft 365 Groups.
Remove permissions – Select this option to allow business users to remove permissions from users, SharePoint groups, Microsoft Entra groups, or Microsoft 365 Groups.
Stop inheriting permissions – Select this option to allow business users to break permission inheritance for the request scope.
Delete unique permissions – Select this option to allow business users to delete the unique permissions from the request scope and inherit permissions from its parent.
If you select the Grant permissions checkbox, you must choose one of the following permission types:
Permanent permissions – The permissions will be granted to the selected users/groups permanently.
Temporary permissions – The permissions will be granted to the selected users/groups temporarily.
Choose whether to allow business users to select the permission type in the request form. Choose from the following:
Assign by IT Admin – The Permanent permissions or Temporary permissions option selected here will be applied to requests for this service.
Assign by Business User – Allows business users to select Permanent permissions or Temporary permissions.
If you choose the Temporary permissions option, you can further configure the Temporary permissions settings:
Specify the default duration – Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list.
If Temporary permissions is assigned by the IT administrator, you can choose one of the following options:
Allow business users to specify the duration – When submitting requests for this service, business users can enter their desired permission duration, regardless of the default duration. You must set the maximum permission duration. Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list.
Business users can only request with the default duration – When submitting requests for this service, the default duration is mandatory and business users cannot change the permission duration.
If Temporary permissions is assigned by the business users, you can set the maximum permission duration. Enable The permission cannot be granted longer than, then enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list.
Notify the person who was granted the permissions about permission expiration – Select this checkbox and define the time that the person will be notified in advance. Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list. Then, select an email template that will be used to send the notification email.
Allow requesters to assign the site collection administrator role – With this option enabled, requesters can assign the site collection administrator role to users when they grant temporary permissions in the request form.
Whether you choose Permanent permissions or Temporary permissions, you can enable Send welcome email to the new users and then select a method to configure the welcome email:
Select an email template – The welcome email will be sent from your selected email template.
Customize the welcome email – Enter the Subject and Personal message in the corresponding text boxes to customize the welcome email.
You can choose whether to allow business users to configure this field in the request form and choose from the following:
Assign by IT Admin – The Send welcome email to the new users settings configured in this service will be applied to requests for this service. Select either Show as Read-Only to Business User or Hide from Business User.
Assign by Business User – Allows business users to configure the settings when they submit requests for this service.
When you have finished configuring settings for this service, choose one of the following options:
Click the arrow on the left-hand side to go to the previous steps to review and modify your configurations.
Click Save to save all of the configurations and return to the Service Management page.
Click Save and Activate to save all of the configurations and activate this service, which allows users to submit requests for this service.
Click Cancel to return to the Service Management page without saving any configurations.