Atlas provides a number of different workspace templates to meet different sets of requirements. When managing permissions for a particular workspace you should first understand which type of workspace it is. If you are unsure, you can always use the Workspace type filter in ConneX to determine it. If you are still unsure, please contact your Implementation Manager, Customer Success Agent or support team.
In this article:
- Permissions Best Practice
- Managing Atlas Workspaces
- Communication workspaces
- Knowledge Workspaces (SharePoint)
- Knowledge Workspaces (Teams) / (Group)
- Collaboration workspaces
- Dynamic Group Membership
Permissions Best Practice
In the past, permissions best practice has always been to use Entra ID Groups rather than granting permissions to individual users, which allows those permissions to be managed via other processes that are already in place, such as your IT team adding new users joining the organisation to Entra ID Groups for their Department or Office Location.
However, with the rise of Microsoft Teams and its integration into M365 workspaces, this advice has changed, because Microsoft 365 Groups and Microsoft Teams do not currently support Entra ID groups and require that users be granted permissions as individuals.
We expect Microsoft to support Entra ID groups for these workloads at some time in the future, but we do not have any visibility of when this might happen.
Managing Atlas Workspaces
In terms of Atlas workspaces, this means that Communications workspace permissions can be controlled entirely through Entra ID groups, but Knowledge and Collaboration workspaces cannot. Only the Visitors to Knowledge and Collaboration workspaces can be managed using Entra ID groups, while their Members and Owners must be controlled using individuals. In the following diagram this is represented using blue for the permission levels that cannot be controlled using Entra ID groups, and green for those that can:
Granting Visitor Access
If you want to give all users inside your organisation Visitor access to a specific workspace of any type, you can add the Everyone except external users group (or an Entra ID group of your choice) to the relevant SharePoint Visitors group to provide that access.
Note: If you create a Public Communications workspace then the Everyone except external users group will automatically be added to the Visitors for the workspace, so you don't need to add it.
All internal users in your organisation are part of the Everyone except external users group automatically, and no Guest or External users will be included, but you may want to use a different group if you need to restrict access further.
To do this, go to the workspace, then go to the top right settings menu and click on Site permissions:
To add Users or Groups to the workspace, click the Share site button, then find the User or Group you need using the search box. Once you choose a User or Group check that they have the Read permission level in the dropdown. Generally, we recommend unchecking the Send email box to avoid confusing users, but if you want to send the email you can customise the message:
Finally click Add at the bottom of the panel to add the permissions:
Breaking Inheritance
In general, we do not recommend breaking the permissions inheritance unless there is a good reason to do so, but it is supported by both SharePoint and Atlas. If you need this flexibility to restrict access to specific lists, libraries or individual folders or items in a workspace, follow the instructions found here: Checking permissions and breaking permissions inheritance
Communication workspaces
Communications workspaces are often made visible to the entire organisation via the Everyone except external users group as explained above, which automatically grants your internal users access to view the workspace and its content. However, managing the Members and Owners will be specific to the requirements for your organisation.
Permissions management for Communications workspaces can be done via the SharePoint permissions screens or via ConneX.
SharePoint permissions
To get started, navigate to the workspace whose permissions you want to manage, then go to the top right settings menu and click on Site permissions:
This will open a panel on the right side of the page. You can expand each permission level here to see the current Owners, Members and Visitors:
To add Users or Groups to the workspace, click the Share site button, then find the User or Group you need using the search box. Once you choose a User or Group you can click the dropdown to choose their permission level (Read, Edit or Full Control).
In most cases we recommend unchecking the Send email option to avoid confusing users, but if you want to send an email to the users you're adding, you can type a message to those users in the box.
When you're ready, click the Add button at the bottom of the panel to add the chosen User or Group with the selected permission level. If you made any mistakes you can click Cancel and start again.
ConneX permissions
To manage permissions via ConneX, find your workspace in ConneX, then choose the Edit option from the ellipsis in the top right of the card. Add or remove Users or Groups in the different permission levels in the Workspace security section as you wish, then click View summary and verify that the new permissions are correct. Click Apply changes to submit them and ConneX will edit the workspace permissions for you.
For an example of editing a workspace via ConneX please see: Edit a workspace with ConneX
Knowledge Workspaces (SharePoint)
Knowledge workspaces based on the Knowledge Workspace (SharePoint) template can be managed in the same way as Communications Workspaces as explained in the previous section. The rest of this section refers to the difference when managing all other Knowledge workspaces.
Knowledge Workspace (Teams) / (Group)
Knowledge Workspaces based on Microsoft 365 Groups or Microsoft Teams need to be managed in a different way as of Atlas 3.X. The Microsoft workloads behind the workspaces only support management via individuals and if you add Entra ID groups in the Members and/or Owners groups they will be "expanded" into the individuals in that group at that time.
This means that the reference to the Entra ID group is not maintained, and any users added to the group later will not be automatically given access to the workspace.
It is important to be aware of this point as you may need to have a process in place to ensure that new users are given permissions to the correct workspaces.
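One way to implement the check this calls for, as an added example that is not Atlas or ConneX code: the script compares current Entra ID group membership with a workspace's individual Members and reports users who joined a group after the expansion, plus users who are no longer in any source group but still hold access. It assumes both lists have been exported to CSV with a userPrincipalName column; the function names, column name and sample users are constructed for illustration.

```python
import csv
import io

def load_upns(csv_text, column="userPrincipalName"):
    """Return the set of normalised UPNs from a CSV export (column name is an assumption)."""
    upns = set()
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        upn = (row.get(column) or "").strip().lower()  # UPNs compare case-insensitively
        if upn:
            upns.add(upn)
    return upns

def membership_drift(group_csvs, workspace_csv, exempt=()):
    """Compare current source-group members with a workspace's individual Members.

    missing: in a source group now but not a workspace Member (joined after expansion).
    stale:   workspace Member who is no longer in any source group.
    exempt:  users granted access individually on purpose; never reported as stale.
    """
    expected = set()
    for text in group_csvs:
        expected |= load_upns(text)
    actual = load_upns(workspace_csv)
    allowed = {u.strip().lower() for u in exempt}
    return {
        "missing": sorted(expected - actual),
        "stale": sorted(actual - expected - allowed),
    }

# Constructed sample exports (not real users or groups).
FINANCE_GROUP = """userPrincipalName,displayName
alice@contoso.example,Alice
Bob@contoso.example,Bob
dana@contoso.example,Dana
"""
LONDON_GROUP = "userPrincipalName,displayName\nerin@contoso.example,Erin\n"
WORKSPACE_MEMBERS = """userPrincipalName,displayName
alice@contoso.example,Alice
bob@contoso.example,Bob
carol@contoso.example,Carol
frank@contoso.example,Frank
"""

if __name__ == "__main__":
    report = membership_drift([FINANCE_GROUP, LONDON_GROUP], WORKSPACE_MEMBERS,
                              exempt=["frank@contoso.example"])
    for kind, users in report.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Users listed as missing need to be added to the workspace as individuals; users listed as stale should be reviewed before removal, since they may have been granted access for a reason not recorded in the exempt list.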
Use ConneX to manage permissions
The best way to manage permissions for these workspaces is using ConneX. To manage permissions via ConneX, find your workspace in ConneX, then choose the Edit option from the ellipsis in the top right of the card. Add or remove Users from the different permission levels in the Workspace security section as you wish, then click View summary and verify that the new permissions are correct. Click Apply changes to submit them and ConneX will edit the workspace permissions for you.
For an example of editing a workspace via ConneX please see: Edit a workspace with ConneX
To give Visitor permissions you can still use Groups; please see the section above, Granting Visitor Access.
Collaboration workspaces
Collaboration workspaces are based on Microsoft Teams, so the permissions for these workspaces should always be managed directly from Microsoft Teams.
As an Owner of the Team, go to Microsoft Teams, find your Team, then click the ellipsis (...) next to it and choose Manage team. To add members, click Add member in the top right and search for users or groups to add. To change the permissions for a user or group (between Member and Owner), click the dropdown next to their Role and choose the one you want to give them.
Dynamic Group Membership
It is possible to configure dynamic groups with particular rules for automated permissions management and improved governance, for membership (edit rights) only. We currently recommend this as a great way to set up and manage edit permissions to workspaces where an Azure Active Directory user attribute can be leveraged, such as office, department, manager, extension, etc.
For detailed information about dynamic group memberships, please see our article here.