OVERVIEW
This article describes how you can use SFU Groups to automate membership and permissions on your SharePoint site.
WHAT I SHOULD KNOW
WHERE TO FIND MY SITES' SPO SECURITY GROUPS
Every SharePoint Online (SPO) site has three security groups available on SFU Groups:
- resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-members
- resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-owners
- resource:app:ADSFU:AzureGroups:SPO:spo-<sitename>-visitors
These should be accessible by site owners on SFU Groups (groups.sfu.ca) under Manage Your Groups > Security Groups.
Note: If you are a site owner and you don't have access to the Security Groups linked to your site on SFU Groups, request UPDATE and READ access to these groups by sending a support ticket using SharePoint - Ask a Question.
Note: By default, adding members to or removing members from your security groups on SFU Groups will not do anything. Site Owners will need to set up the syncing. See Setup Sync Connection for instructions.
MEMBERSHIP SYNCING AND MICROSOFT SECURITY GROUPS
About every hour, a membership sync will happen between each of your SFU Groups Security Groups and its linked Microsoft Security Group. These Microsoft Security Groups are named:
- spo-<sitename>-members
- spo-<sitename>-owners
- spo-<sitename>-visitors
These Microsoft Security Groups can then be used in various places in Microsoft 365 at SFU. In this context, they are used to manage permissions on your SharePoint Online site.
For an architectural diagram on the syncing:
Please note the following syncing behaviours:
HOW TO ADD AUTOMATION
For standard SFU Groups users:
Those who are not Grouper Admins will need to contact their local IT support staff for assistance with setting up automation. You may refer them to this page on how to add automation to your SPO site.
Once you are given a reference group with your specified automation needs from your local IT support staff (e.g., ref:dept:its:dto:my-site-group), you will need to add this group as a member to your SPO Security Group.
Visit SFU Groups Add or Remove Members for instructions on how to add a member to an SFU Group.
Visit Where to find my Sites' Security Group if you don't know where to find your SPO Security Group.
For technical group managers (Grouper Admins):
Grouper Admins are those who have access to the full-weight Grouper application (grouper.its.sfu.ca).
To add automation to SPO site membership or permissions, it is generally recommended to add a basis group as a member to the security groups for your site. Which basis group you should add depends on who should be synced to the SPO site. Basis groups are usually auto-populated, with group membership data coming from a system of record. This means that once your SPO site permissions are set up with a basis group, onboarding and offboarding will be automated.
For a more defined group, you may want to use composite groups to create filters or conditions to narrow down a particular basis group or multiple basis groups.
If you are setting up automation on behalf of a user, create a reference group with the appropriate basis group / automation based on the user's needs. Then, give the user READ permissions to the reference group and provide them with the reference group's full path. This will allow the user to add the reference group as a member to their SPO Security Group on SFU Groups (groups.sfu.ca).
An example of the final result can be:
- resource:app:ADSFU:AzureGroups:SPO:spo-digital-transformation-office-members (which is managed by Site Owner)
  - contains ref:dept:its:dto:my-site-group (which is managed by Local IT)
    - contains basis:dept:12345 (automatically includes any SFU staff from a specified unit/dept. based on HR data)
Visit Technical Documentation for Grouper for more information about Grouper.
SETUP SYNC CONNECTION
To set up your Microsoft Security Groups on your SPO site for a sync connection:
- On your SharePoint Online site, select Site Access near the top-right corner.
- Enter the name of the Microsoft Security Group for your SPO site: spo-<sitename>-members, spo-<sitename>-owners or spo-<sitename>-visitors.
- Select the Microsoft Security Group you wish to add.
- Apply the proper permissions to the group: Edit for site member permissions, Full Control for site owner permissions or Read for visitor permissions.
- Select Share.
- Confirm that the Security Group has been added. You may want to ask a member of the Security Group to try accessing your site.
Note: If you have recently made membership changes to the security group from SFU Groups, please wait an hour for the sync to finish.