SharePoint - Automating Membership with SFU Groups

OVERVIEW

This article describes how you can use SFU Groups to automate membership and permissions on your SharePoint site.

 

WHAT I SHOULD KNOW

WHERE TO FIND MY SITES' SECURITY GROUPS

Every SharePoint site has three security groups available on SFU Groups:

  • resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-members
  • resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-owners
  • resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-visitors

These should be accessible by site owners on SFU Groups (groups.sfu.ca) under Manage Your Groups > Security Groups.


If you are a site owner and you don't have access to the Security Groups linked to your site on SFU Groups, request UPDATE and READ access to these groups by sending a support ticket using SharePoint - Ask a Question.

 

MEMBERSHIP SYNCING AND MICROSOFT SECURITY GROUPS

About every hour, a membership sync happens between each of your SFU Groups Security Groups and its linked Microsoft Security Group. These Microsoft Security Groups are named:

  • spo-<sitename>-members
  • spo-<sitename>-owners
  • spo-<sitename>-visitors

These Microsoft Security Groups can then be used in various places in Microsoft 365 at SFU. In this context, they are used to manage permissions on your SharePoint site.

For an architectural diagram on the syncing:


Please note the following syncing behaviours:

 

HOW TO ADD AUTOMATION

For standard SFU Groups users:

Those who are not Grouper Admins will need to contact their local IT support staff for assistance with setting up automation. You may refer them to this page on how to add automation to your SharePoint site.

Once you are given a reference group with your specified automation needs from your local IT support staff (e.g., ref:dept:its:dto:my-site-group), you will need to add this group as a member to your SharePoint Security Group.

Visit SFU Groups Add or Remove Members for instructions on how to add a member to an SFU Group.
Visit Where to find my Sites' Security Group if you don't know where to find your SharePoint Security Group.

For technical group managers (Grouper Admins):

Grouper Admins are those who have access to the full-weight Grouper application (grouper.its.sfu.ca).

To add automation to SharePoint site membership or permissions, it is generally recommended to add a basis group as a member of the security groups for your site. Which basis group you should add depends on who should be synced to the SharePoint site. Basis groups are usually auto-populated with membership data coming from a system of record, which means that once a basis group is set up, onboarding to and offboarding from your SharePoint site permissions is automated.

For a more defined group, you may want to use composite groups to create filters or conditions to narrow down a particular basis group or multiple basis groups.

If you are setting up automation on behalf of a user, create a reference group with the appropriate basis group / automation based on the user's needs. Then, provide the user READ permissions to the reference group and the reference group (full path). This will allow the user to add the reference group as a member to their SharePoint Security Group on SFU Groups (groups.sfu.ca).

An example of the final result can be:

  • resource:app:ADSFU:AzureGroups:SPO:spo-digital-transformation-office-members (which is managed by Site Owner)
    • contains ref:dept:its:dto:my-site-group (which is managed by Local IT)
      • contains basis:dept:12345 (automatically includes any SFU staff from a specified unit/dept. based on HR data)

Visit Technical Documentation for Grouper for more information about Grouper.
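
The nesting shown in the example above determines who ends up with access, so it is worth reviewing before relying on it. The following sketch is an added example, not SFU's or Grouper's own code: it derives the group names for a site, flattens nested membership to show which chain of groups grants each person access, and compares the result with a snapshot of the synced Microsoft Security Group. The user IDs, the snapshot and the function names are constructed for illustration, and every group is assumed to appear as a key in the membership table.

```python
# Added example over constructed data; not SFU's or Grouper's code.
SPO_STEM = "resource:app:ADSFU:AzureGroups:SPO:"
# Permission level the article assigns to each role's Microsoft Security Group.
ROLE_PERMISSION = {"members": "Edit", "owners": "Full Control", "visitors": "Read"}

def site_groups(sitename):
    """Map each role to (SFU Groups path, Microsoft group name, permission)."""
    return {role: (f"{SPO_STEM}spo-{sitename}-{role}", f"spo-{sitename}-{role}", perm)
            for role, perm in ROLE_PERMISSION.items()}

def effective_members(group, direct, path=()):
    """Flatten nested groups; return {user: chain of groups granting access}."""
    if group in path:          # nesting cycle: stop instead of recursing forever
        return {}
    found = {}
    for member in direct.get(group, ()):
        if member in direct:   # member is itself a group: descend into it
            nested = effective_members(member, direct, path + (group,))
            for user, chain in nested.items():
                found.setdefault(user, chain)
        else:                  # assumption: anything not a key is a person
            found.setdefault(member, path + (group,))
    return found

def sync_drift(expected_users, synced_users):
    """Users the next hourly sync should add to / remove from the Microsoft group."""
    expected, synced = set(expected_users), set(synced_users)
    return sorted(expected - synced), sorted(synced - expected)

# Constructed sample mirroring the article's example; user IDs are made up.
DIRECT = {
    SPO_STEM + "spo-digital-transformation-office-members":
        ["ref:dept:its:dto:my-site-group", "guest1"],
    "ref:dept:its:dto:my-site-group": ["basis:dept:12345"],
    "basis:dept:12345": ["alice", "bob"],
}
SYNCED = ["alice", "carol", "guest1"]   # constructed Microsoft group snapshot

if __name__ == "__main__":
    path, ms_name, perm = site_groups("digital-transformation-office")["members"]
    who = effective_members(path, DIRECT)
    for user, chain in sorted(who.items()):
        print(f"{user}: {perm} via {' > '.join(chain)}")
    print(ms_name, "pending add/remove:", sync_drift(who, SYNCED))
```

A user in the "remove" list has left the source groups but is still in the Microsoft Security Group, so they keep site access until the next sync completes.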

 

SETUP SYNC CONNECTION

To set up a sync connection by adding your Microsoft Security Groups to your SharePoint site:

  1. On your SharePoint site, select Site Access near the top-right corner.
  2. Enter the name of the Microsoft Security Group for your SharePoint site: spo-<sitename>-members, spo-<sitename>-owners or spo-<sitename>-visitors.
  3. Select the Microsoft Security Group you wish to add.
  4. Apply the proper permissions to the group: Edit for site member permissions, Full Control for site owner permissions or Read for visitor permissions.
  5. Select Share.
  6. Confirm that the Security Group has been added. You may want to ask a member of the Security Group to try accessing your site.
     Note: If you have recently made membership changes to the security group from SFU Groups, please wait an hour for the sync to finish.

 

For a list of available resources, visit SharePoint - How-To Guides. For questions, see our SharePoint - FAQs.
