Introduction
DeliverPoint is a SharePoint permissions reporting and management tool that is used to report and manage permissions across Sites, Lists, Folders & Items that you have the rights to report and manage permissions on
DeliverPoint offers many advantages over the SharePoint Online Out-of-the-Box permission reports including:
- Easy to understand permissions reports across single or multiple Sites, Lists, Folders and Items.
- Report and Manage Sharing links across multiple scopes
- Exporting of Permission Reports
- Account Management operations such as Transfer, Copy, Delete, Grant, and Revoke Permissions across multiple Sites, Lists, Folders, and Items.
- Permissions Summary (Overview reports for Sites)
- Scheduled Permission Reports
- Usage Reporting
- Permission Report Templates
The permission reports and permission operations run with your (current logged on user) rights, meaning that if you have the right in SharePoint to run permissions reports on a specific site, list, or item, then you will also be able to do so using DeliverPoint. Such rights are usually possible since you (current user) would be an Owner of one or more sites.
Permission reports including Discover Permissions and Sharing Link reports can be run contextually, meaning that from within the Site, List, and across folders & items, DeliverPoint permission reports can be run from within the site, list, or again multiple folders and items.
If you are a Site Owner or Site Collection Administrator for one or many Sites/Site Collections, you can also report and manage permissions across multiple Sites or Site Collections within one operation.
Within this getting started guide, you will learn how to use each of the features on offer within DeliverPoint.
Contextual Permission Reporting
Contextual Permissions Reporting can be performed from within a SharePoint Site, List or across single or multiple files & folders. If you are a Site Owner, you’ll be able to access some of the many permissions reports using the DeliverPoint menu icon in the top right hand corner of your site. The icon will only display for users with Full Control to the site. List or Library permission reports can be accessed from the Command Bar, and Folder/Item permission reports can be accessed using the elipses on each item.
Navigating DeliverPoint Contextually
Contextual Site Scoped Reports will be available in the top right corner of your SharePoint Site as shown in the below image. The Site Scoped Menu provides the following:
- DeliverPoint – opens the main DeliverPoint Application defaulting to the current site as the scope for reports and operations
- Discover Permissions – Runs the Discover Permissions Report for the current site only.
- Sharing Links – Shows List & Item Sharing Links within the scope of the current site.
- Permissions Summary – Displays a summary of the current sites permissions including how many sub sites exist with unique permissions, the number of unique files and folders, and the number of Sharing Links.
Contextual List or Library permission options can be found on the command bar within a list or library as shown below. Note, that the options available are:
- DeliverPoint– Open the main DeliverPoint application with the selected list or library as the scope for the reports and operations.
- Discover Permissions – Discover who has permissions to the list or library.
- Sharing Links – Discover the sharing links that exist within the list or library.
By selecting multiple list items, folders, or files, you can click the ellipses on any selected item, and then choose one of the three DeliverPoint options below:
- DeliverPoint – Opens the main DeliverPoint application with the selected items as the scope for any reports or operations.
- Discover Permissions – Opens the Discover Permissions report for the selected items.
- Sharing Links – Displays the sharing links for the selected items.
In the next section, we will explore each of these reports and how to use them.
Discover Site Permissions
The Discover Site Permissions Report will show a list of users who have permissions to the site. The report will not include other objects within the site such as Lists, Libraries, Folders & Items. However, a complete permission report to include everything within the site is available (See Advanced Permission Reports).
The Discover Permissions report displays the users in order of the permissions that they receive. E.g. Full Control, Edit, and Read. However, you can change the Sort order on any column by clicking the downward arrow next to each column.
The User Name column displays the end user including guest users. The guest user name will be in italics. You can also hover over the users avatar to see the people card which will in turn display the account information for the user. The far right column (Permissions Via) shows how the permission was assigned. You can expand each row from the permissioned via column to see how the permission was assigned to the user. Note that this will include Direct Permissions, SharePoint Groups, Microsoft 365 Groups, and Active Directory Security Groups. It is possible that a user may have duplicate permissions since they may have been assigned permissions with multiple methods. E.g. via a SharePoint Group, and via an Active Directory Security Group.
The Permission Report can be exported using Actions -> Export Report.
Discover List Permissions
The Discover Permissions report can also be run against a SharePoint list or Library from the command bar. When the Discover Permissions report is run at this scope, it will again show the users with permissions to the list/library, the permission level, and how the permissions were assigned.
In the far left column, you will see the name of the list or library. If the name is faded, it is an indication that the list or library inherits permissions from its parent e.g. The Site. If it is in full colour, then the list or library has Unique Permissions (Broken Permission Inheritance).
Discover Item & Folder Permissions
Within a SharePoint list or library, you can select multiple items and then click the ellipses to access the discover permissions report.
The report will run with the scope of all selected items. Notice in the below screenshot that the ‘Management Accounts’ folder is faded, whereas the ‘Financial Planning’ folder is in full colour. This indicates that Financial Planning contains unique permissions.
Sharing Links Reporting within Sites, Lists, and Items
The Sharing links report can be run at Site Scope, List or Library Scope, and also Item(s) scope by selecting multiple items. The report will show all lists or items within the scope that have Sharing Links. You can see who shared the link, when the link was shared, the type of sharing link, the permission granted, and the members who have access to the link. You can then select a Sharing link to remove it if required. Note that removing a Sharing Link, will remove that link for all users who have access to it.
Permissions Summary
The Permissions Summary report can be accessed at SharePoint Site level using the DeliverPoint menu in the top right-hand corner of your SharePoint Site.
Note: If you don’t see the DeliverPoint menu, it is likely that you do not have Full Control permissions to the current site.
The Permissions Summary report is an ideal report to get an overall understanding of the permissions within the SharePoint Site. From the Permissions Summary report, you can drill into some of the other reports such as Sharing Links, and Discover Permissions.
Once you click the Permissions Summary menu item, you will have the opportunity to refine the settings of the report before it runs. The options that you can select include:
- Show Unique Objects Count – Includes the number of ‘Objects’ (Subsites, Lists, and Items with broken permission inheritance)
- Show Top Scopes With Most Unique Objects – The scope is a container of other objects. E.g. A Site is a container of lists, and a list is a container of items. This option will display the scope (container) with the most contained objects with broken permission inheritance.
- Show Sharing Links Count – The number of Sharing links within the Site.
- Show Top Scopes With Most Sharing Links- The scope is a container of other objects. E.g. A Site is a container of lists, and a list is a container of items. This option will include within the report, the scope with the most amount of Sharing Links.
- Show Objects With Empty Role Assignments – This option includes objects such as Subsites, lists, and items that do not have any permissions configured. This could be the case if the last remaining person, or group with permissions was removed.
- Show Top Scopes With Most Unused Sites/Files – This option shows the top scopes such as a Site or a List that contains the most objects that have not been accessed/visited.
Once you have clicked Generate, the report will run as shown below:
The arrow icon next to each reported item will open the associated report. Below is a list of reports that will open for each summary item:
- Total Unique Sites – The link will display the Sites with unique permissions
- Total Unique Lists – The link will display the Lists with unique permissions
- Total Unique Items – The link will display the items with unique permissions.
- Total Sharing Links – Will display the sharing links for each list or item with sharing links.
The below example, shows the Sharing Link opened as a new tab from clicking the icon next to the Total Sharing Links.
Exporting Permissions Reports
Each of the permission reports within DeliverPoint can be exported as a CSV file, and opened within Microsoft Excel. Exporting the permission reports is useful if you would like an offline copy for further analysis, or to share as a audit report with other permission auditors.
You may export the report by clicking Actions -> Export Report from within any of the DeliverPoint reports.
Contextual Permissions Management
DeliverPoint provides multiple actions that you can use to manage permissions within a SharePoint Site or across multiple sites, and across multiple lists, folders, and items. Everyday occurrences such as new people joining your team, users leaving the organization, users requiring temporary escalated permissions, or users covering each others roles, can be frustrating to manage using native SharePoint. With DeliverPoint, you can perform actions such as Copy Permissions, Transfer Permissions, Delete Permissions, Grant Permissions, and Revoke Permissions. Each of these actions are described briefly below:
- Copy Permissions – Copy the permissions of one user to another within the scope of a SharePoint Site, List, or Item. The Source user retains their permissions, but the target user gains the permissions that the source user was assigned.
- Transfer Permissions – Transfer the permissions from one user to another within the scope of a SharePoint Site, List, or Item. The Source user loses their permissions, but the target user gains the permissions that the source user was assigned.
- Delete Permissions – Deletes all permissions for the selected scope from the user.
- Grant Permissions – Grants permissions either directly or through group membership on the selected scope.
- Revoke Permissions – Remove a specific permissions level from a specific user.
The Permissions Management Actions can be performed from the reports such as Discover Permissions by selecting a row containing the user that you wish to perform the action upon. The scope that the action will perform against is also taken from the context of the selected item.
After selecting the row within a report and choosing the desired action, the Action options page will be displayed where you can refine the options prior to running the job. The options are explained below:
- Process Subsites – When you perform a permission change, you can select whether you would like any subsites with unique permissions to also be affected by the changes.
- Process Lists – When you perform a permission change, you can select whether you would like any list with unique permissions to also be affected by the changes.
- Process List/Folder Items - When you perform a permission change, you can select whether you would like any list items, documents, and folders with unique permissions to also be affected by the changes.
- Force Break Permissions – If the source account contains permissions on a Site or other object that inherits permissions, DeliverPoint can break the permission inheritance in order to carry out the permission change. This option should be used with caution.
- Support Rollback– When you are performing an Action such as Transfer Permissions or Copy Permissions, you may want to make sure that you can reverse the job. Checking the ‘Support Rollback’ will record the actions taken so that they can be reversed in the Jobs view. This feature is useful as a ‘safety net’ but also could be used if you need to make temporary permission changes, such as when a user is on vacation.
- Modify SharePoint Groups – Checking ‘Modify SharePoint Groups’ will change the SharePoint Group membership if the Source account is a member of a specific SharePoint Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the SharePoint Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the SharePoint Group, and the target account will be added as a member.
- Modify Microsoft 365 Groups - Checking ‘Modify Microsoft 365 Groups’ will change the Microsoft 365 Group membership if the Source account is a member of a specific Microsoft 365 Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the Microsoft 365 Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the Microsoft 365 Group, and the target account will be added as a member.
- Stop After Error – There are several circumstances that could lead to an error when permission changes are occurring over large scopes. The logged in user may not have permission themselves to make changes to some of the objects in scope, an object may be corrupt, or may have been delete after the action was triggered. The ‘Stop After Error’ check box will instruct DeliverPoint to continue processing ignoring the object that caused the error.
Copy Permissions
The Copy Permissions is an action that can be triggered directly from within a Discover Permissions report, and is very useful when you have recruited a new member for your team. If there is an existing person with the permissions that are needed for the new member, you can copy permissions from that existing user to the new user.
An ideal way to do this is at the Discover Site Permissions report. Select the account that you wish to copy permissions from, and then choose Actions -> Copy Permissions as shown below. You will then have the opportunity to set the refinements as described on the previous page.
Tip: Checking ‘Process Subsites’, ‘Process Lists’, and ‘Process List/Folder Items’ will copy permissions on everything from this site down from the source account to the target account. Including ‘Modify SharePoint Groups’ and ‘Modify Microsoft 365 Groups’ will ensure that the new user has the required group membership. Checking ‘Support Rollback’ will allow you to reverse the Copy Permissions if you need to.
Transfer Permissions
The Transfer Permissions is an action that can be triggered directly from within a Discover Permissions report, and is very useful if you have someone leaving your team, and that persons role is being replaced by a new user.
An ideal way to do this is at the Discover Site Permissions report. Select the account that you wish to transfer permissions from, and then choose Actions -> Transfer Permissions as shown below. You will then have the opportunity to set the refinements as described on the previous page.
Tip: Checking ‘Process Subsites’, ‘Process Lists’, and ‘Process List/Folder Items’ will Transfer permissions on everything from this site down from the source account to the target account. Including ‘Modify SharePoint Groups’ and ‘Modify Microsoft 365 Groups’ will ensure that the new user has the required group membership. Checking ‘Support Rollback’ will allow you to reverse the Copy Permissions if you need to.
Delete Permissions
The ‘Delete Permissions’ operation will delete all permissions for the selected user account. Depending on the options that you select, this action can delete direct permissions, SharePoint Group memberships, and Microsoft 365 Group memberships.
Below are some typical scenarios to consider when deleting permissions:
Scenario: The user has left the department and should no longer have any permissions to anything within the site.
The users role will be replaced: If the users role is being replaced, use Transfer Permissions and optionally check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, ‘Support Rollback’, ‘Modify SharePoint Groups’, ‘Modify Microsoft 365 Groups’ to remove permissions from the current site and everything beneath the current site in the hierarchy. Then Refresh or Re-Run the Discover Permissions to see if any permissions remain through Active Directory Group membership. If so, your Active Directory Administrator can remove the user from the Active Directory Groups.
The users role will not be replaced: Run Delete Permissions, and optionally check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, ‘Support Rollback’, ‘Modify SharePoint Groups’, ‘Modify Microsoft 365 Groups’ to remove permissions from the current site and everything beneath the current site in the hierarchy. Then Refresh or Re-Run the Discover Permissions to see if any permissions remain through Active Directory Group membership. If so, your Active Directory Administrator can remove the user from the Active Directory Groups.
Scenario: The user has many direct permissions (permissions assigned directly and not through groups) and I wish to clean up these direct permissions.
Run the Delete Permissions action, and check ‘Process Subsites’, ‘Process Lists’, ‘Process List Folder Items’, and ‘Support Rollback’. Do not check ‘Modify SharePoint Groups’, or ‘Modify Microsoft 365 Groups’.
Scenario: The user has multiple permission levels assigned to them. They should only have Edit or Read, but I’ve noticed they have other permissions such as Design, Full Control which they don’t need.
Use Revoke Permissions, and specify the permission levels that you wish to remove. See the Revoke Permissions section.
Grant Permissions
DeliverPoint provides you with the ability to Grant Permissions at Site, List/Library, or Folder/Item level using the Grant Permissions Action. An advantage to using DeliverPoint to grant permissions is that you can grant permissions to multiple Folders, Items, in one action. You may also grant permissions to subsites, lists, libraries, and items that have unique permissions within the scope of the current site by setting the refinements to include Process Subsites, Process Lists, and Process List/Folder Items.
When you are granting permissions, you can either grant permission levels to a User Account or Group Account directly, or grant permissions by making a User Account or Microsoft 365 Group Account a member of a SharePoint Group.
The preference is usually to make a user a member of a group, and for the group to be assigned the permission level. However, if you need to grant permissions to a user directly to a Site, List or Item, you can using the Grant Permissions Action.
To Grant Permissions to a user account with direct permissions:
- Select the desired user account from the ‘Grant Permissions To’ field.
- Select the Permission Level from the Roles field.
- Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
- As a good practice, check the option to Support Rollback.
To Grant Permissions to a Microsoft 365 Group:
- Select the desired Microsoft 365 Group account from the ‘Grant Permissions To’ field.
- Select the Permission Level from the Roles field.
- Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
- As a good practice, check the option to Support Rollback.
To Grant Permissions to a user account via a Group account:
- Select the desired user account from the ‘Grant Permissions To’ field.
- Search and select the desired group from the Groups field.
- Optionally set your refinements such as Process Subsites, Process Lists, Process List/Folder Items.
- As a good practice, check the option to Support Rollback.
Revoke Permissions
Unlike the ‘Delete Permissions’ Action, you can use the ‘Revoke Permissions’ Action to remove just some of the permissions assigned to a user or group, whereas the ‘Delete Permissions’ Action will remove all permissions.
In the below screenshot, you can see that Demo User7 has been granted Full Control, Design, and Edit permissions. We only want Demo User7 to have the Edit permissions role. Therefore, we can use Revoke to remove Full Control and Design, and leave the user with Edit permissions only.
To remove the Full Control and Design permissions:
- Choose Revoke Permissions
- Select Demo User7 in the Revoke Permissions From field.
- Select the permissions that you wish to remove using the Roles field.
- Click Run.
After successfully running this action, the Demo User7 will be left with Edit permissions only.
Breaking & Inheriting Permissions
When you run a ‘Discover Permissions’ report against a SharePoint Site, SharePoint List, Folders or Items, you will see the name of the object on the far left hand side of the report. If the name appears dimmed, the object inherits permissions and therefore you would not be able to make any permission changes on that object without breaking the permission inheritance first. If the object name is in full colour, the object will have unique permissions.
When using DeliverPoint, you may see some objects that have unique permissions when they shouldn’t. Using DeliverPoint, you can select these objects, and then choose to Re-Inherit the permissions from the parent object.
Alternatively, you may wish to grant permissions specifically to one object, but that object inherits permissions. Therefore, your can also break the permission inheritance using DeliverPoint.
After selecting any row for that given object in the Discover Permissions report, choose Actions -> Permissions Management -> Break Permissions/Inherit Permissions. Before committing to the Action, you will be able to choose whether you process List/Folder Items that may appear as sub items, or just this specific object. Additionally, you will be able to Support Rollback to undo this Action should you need to.
Reporting Permissions Across Multiple Scopes
Within the previous sections, we focused on the Contextual Permission Reporting and Permission Management actions. Within this section, we will focus on reporting permissions centrally across multiple sites or site collection within your environment.
Despite DeliverPoint displaying the full treeview for your Microsoft 365 SharePoint environment, changes to permissions, and access to content is still determined by your (logged in users) permissions to each object.
To access DeliverPoint centrally, you can either navigate to DeliverPoint from any Site that you have Full Control to using the top right hand DeliverPoint menu, or you can add DeliverPoint as a web part on any SharePoint page.
Once you have accessed the main DeliverPoint page, you can click the ‘Show Treeview’ option which will allow you to select multiple scopes from the treeview.
Accessing DeliverPoint from the Shortcut Menu
- Navigate to a page that you have Full Control to.
- Click the DeliverPoint Menu in the top right corner of the page.
- Click DeliverPoint.
Adding DeliverPoint as a Web Part
- Create a new page within your SharePoint Site by clicking the cog icon in the top right corner of your SharePoint site, and choose ‘Add a Page’.
- Provide the Page a Title such as ‘My Permissions Reporting & Management Page’
- Click the + icon to add a web part.
- Select the DeliverPoint web part.
Adding DeliverPoint as a Personal App in Microsoft Teams
- Within Microsoft Teams, click the ellipses on the left hand navigation bar.
- Type DeliverPoint
- Click on DeliverPoint.
Note: If DeliverPoint does not display for you, it maybe that the App has not been syned to Teams from the SharePoint App Catalog.
Regardless as to which method has been used to access DeliverPoint, the application will act the same from this point forwards.
Using the Tree View
When you enter DeliverPoint, the scope will automatically be set to the Site that you navigated from. All of the reports on the reports menu, and the actions under the actions menu will run against this scope unless the scope is changes using the Tree View.
By clicking ‘Show Tree View’, you will be able to see all of the Site Collections within the Microsoft 365 Tenant. Whatever you select from this tree view, will become the scope for the reports and actions.
The Tree View will default to Tenant View. The Tenant view will display all Site Collections in alphabetical order with the exception of the first site collection. The first site collection is the current Site Collection. The Tenant View will display all site collections include classic site collections, modern sites, Teams, and Microsoft 365 Groups. Each type of site collection is depicted by its icon which is also explained in the Legend.
Using the View menu, you can change your treeview to ‘Classic Sites View’, Hub Sites View, Teams View, or Accounts View.
- Tenant View – Displays all Site Collections regardless of type.
- Classic Site Collections – Displays classic site collections including root site and subsites.
- Hub Sites View – Displays each Hub and their Associated Sites within the hierarchy.
- Teams View – Displays all Teams and their Private Channels
- Accounts View – Enables you to search on a user for user centric reports.
To change the scope of you reports or actions, you can select site collections, sites, and lists or libraries. When performing a report or an action with these scopes selected, the reports and actions will run against the selected scope. Note that a scope includes sub sites, lists, and items beneath that site/site collection within the hierarchy.
When you expand the Site Collections within the treeview, you will see the sites, sub sites, lists, and libraries within the site collection. Some of the subsites, lists, and libraries will have a dimmed icon, whereas others will have a full colour icon. The sites or lists/libraries with a full colour icon have unique permissions, whilst those with a dimmed icon inherit permissions. In the below screenshot, you will see the highlighted objects that contain unique permissions.
Advanced Permission Reports
From within the main DeliverPoint page, you will be able to run Advanced permission reports such as Discover Permissions (Advanced), and Sharing Links (Advanced). The Advanced Reports enable you to run the report against multiple scopes, but also child objects of the selected scopes that contain either inherited or unique permissions.
Discover Permissions (Advanced)
The Discover Permissions (Advanced) will provide you with filter options prior to the report running, and also settings to refine the output of the report.
The following configuration will display a Discover Permissions report on the selected site, and everything as a child object that contains unique permissions, but won’t include people with Read permissions only within the report.
The report contains a section for Sites, Lists, and Items that can be expanded and collapsed.
A useful version of this report is to filter purely on external users.
Sharing Links (Advanced)
The Sharing Links report can also be prefiltered and run against multiple scopes. When running the Sharing Links (Advanced), you can optionally include Sub Sites, and Hide List Sharing Links or Item Sharing Links.
Filter options include the ability to filter on the Sharing Type, Who the Sharing Link was created by, whether Editing is allowed etc.
The Report will include any lists or items with a Sharing Link within the selected scopes.
By selecting each row, you can remove any Sharing Links.
Unique Objects
The Unique Objects Report provides you with a list of Sites, Lists/Libraries, Folders/Items that have unique permissions within the selected scope. You can refine these options by including or excluding Subsites, Lists/Libraries, or Folders/Items from the report.
Once the report has run, you can select a row such as a Site or an Item that you wish to investigate. The Row that you selected becomes the new scope for new reports or actions such as the Discover Permissions report.
Unique Permissions
The Unique Permissions report is account centric, and allows you to focus on a user accounts assigned permissions and group memberships within a specific scope. The scope can either be ‘Current Site Collection’ and triggered from the Accounts View, or it can span multiple site collections from the other treeviews.
Included in the Unique Permissions Report is:
- Account Membership – Active Directory Security Groups, Microsoft 365 Groups, and SharePoint Groups that the selected user is a member of.
- Unique Site Permissions – The Sites that the user has been assigned permissions to, either directly, or through group membership.
- Unique List Permissions - The Lists that the user has been assigned permissions to, either directly, or through group membership.
- Unique Item Permissions - The Items that the user has been assigned permissions to, either directly, or through group membership.
It is possible to select a row within the unique permissions report, and to modify the permissions selected using actions such as Copy, Transfer, Delete, Revoke permissions. It is important to note, that we do not make changes to Active Directory Security Groups via DeliverPoint. Therefore, after removing permissions, you may want to refresh the report to see what permissions remain through Active Directory Security Group membership. You can then request that the user be removed from such groups from your Active Directory Administrator.
Run the Unique Permissions Report from the Account Centric Treeview
- From the View Menu in DeliverPoint, select ‘Accounts View’
- Search for the user name that you wish to report against.
- Select the user account from the results
- Choose Reports -> Unique Permissions
- The report will run against the current site collection as the scope.
Run the Unique Permissions Report from the Tenant View, Classic Sites View, Hub Sites View, or Teams View.
- From a view other than Account Centric View.
- Select the Site Collections, or Sites that you wish to run a report against from the treeview
- Choose Reports -> Unique Permissions
- Enter the name of the person that you wish to report against.
- Click Generate
The report contains three columns:
- Group/Account – The Group or Account that was used to assign the permission. E.g. If the permission was assigned to an individual person directly, the Group/Account column will contain the persons name. If the permission was assigned to a group that the user is a member of, the Group/Account column will show the Group Name.
- Site Collection/Site/List/Item – The URL to the object in question.
- Permissions – The permission assigned for the person or group on the object.
To make changes from the report, select the row that you wish to change, and then choose Actions -> Account Management ->
Owned Site Collections
The ‘Owned Site Collections’ is a report that will show every Site Collection that you (Current User) are an owner of. To report or manage permissions on one or more of the site collections, select the row(s) by clicking in the left hand margin. You can now report on the site collection using the Reports menu and your desired report.
Discover Usage
Discover Usage is a great report to run from the ‘My Owned Site Collections’ view, but can be run from any scope. The report demonstrates how many visits your Sites, and Files receive within a specified time span. This helps you determine how to get more engagement with your sites, and files, how to refine permissions to gain more visits, or highlights which sites you could retire.
After choosing Reports -> Discover Usage, you can optionally select the following:
- Include Sites – Includes all sites within the selected scope
- Include Files – Includes all files within the selected scope
- Include Usage by Users – Shows the unique visit count by user
- Start Date – Number of days or Date that you wish to start the report from. E.g. -182 is from 182 days ago.
- End Date – Number of days or Date to include up to within your report.
Once the report has generated, you will see the following (depending on the options you selected):
- Unused Objects – Sites or Files that have not been used in the given timeframe.
- Most Used Objects – The Sites or Files used the most in the given timeframe.
- Objects Used by Most Users – The Objects used by the most amount of unique users.
By selecting a row, you can produce a Permissions report on any of the objects.
Dead Accounts
The Dead account view can be run on a site collection(s) that you are a Site Collection Administrator for. The report will include all users that are assigned permissions somewhere in the Site Collection(s), but their Active Directory Account is either deleted or disabled. Such users do not pose a security threat since they cannot authenticate. However, the user will still be displayed as having permissions until the account is removed.
Note: Removing the account does not remove the history such as Last Modified or CreatedBy, but does remove permissions assigned to the selected user.
To remove an accounts permissions, select the row, and click ‘Remove Dead Accounts’
Unlicensed Users
The unlicensed users report will show each site collection where a user without a SharePoint license is permissioned. The user may be unlicensed as the user account is no longer in use.
Per site collection, you can select the user, and choose ‘Remove Unlicensed User’.
External Users
The External User report will show all external/guest users who are assigned permissions within the selected scope. Moving your mouse over the guest users avatar will display a people card allowing you to determine in more detail who the user is.
If you wish to remove the external user, select the row, and choose ‘Remove External User’.
Report Templates
Each report in DeliverPoint can be saved as a template. Saving a report as a template helps users who are Site Owners or Site Collection Administrators to quickly and easily reproduce a report on demand without the need to select scopes or set filters.
To save a report as a template
- From within any generated report, choose Actions -> Save as Template
- Provide a name for your template such as: Sales Site(s) Permissions Report
- Optionally check ‘Is Shared’ to allow other Site Owners or Site Collection Administrators to see and run the report.
To run a saved template
- Choose Reports -> Report Templates
- Select the saved report template that you wish to run.
- Click Generate.
To modify a saved template
- Click the (i) symbol next to the report that you wish to modify.
- The Side panel will display with the saved settings.
- From the Side Panel, you can change the report scope to include or exclude site(s), modify the Template Name, Refine the options and filters for the report template.
To clone a saved template
If you wish to have a similar report on a different site, or the same site with slightly different parameters or filters, you can clone an existing report template, and then modify it:
- Select an existing saved template, and click ‘Clone’
- Click the (i) for the new template, and modify it as you desire.
Managing Permissions Across Multiple Scopes
In addition to running permission reports across multiple Sites/Site Collections, you can perform bulk permission changes such as Copy Permissions, Transfer Permissions, Delete Permissions, Revoke Permissions, and Grant Permissions. You can also perform changes to the permission inheritance, or clone permission sets between objects.
In this section, we will explore the Account Management Actions which includes Copy, Transfer, Delete, Grant, and Revoke permissions, as well as the Permissions Management actions such as Clone Permissions and Permission Inheritance options.
To run an action across multiple scopes, select from the treeview the Site Collections, Sites, or Lists that you would like to perform the action against.
Account Management
The following Account Management Actions are available under the Actions Menu after a scope has been selected:
- Copy Permissions – Copy permissions from an existing account to a target account. This is a useful action to perform when onboarding a user. The Source account will retain their permissions when running the Copy Action. *Refinements apply
- Transfer Permissions - Transfer permissions from an existing account to a target account. This is a useful action to perform when a user is being replaced. The Source account will lose their permissions when running the transfer Action. *Refinements apply
- Delete Permissions – Delete Permissions will remove all assigned permissions to the selected scope. *Refinements apply
- Grant Permissions – Will allow you to grant permissions to objects with unique permissions within the selected scope. *Refinements apply
- Revoke Permissions – Will remove specific permission(s) from a selected user such as Remove Full Control but leave Edit. *Refinements apply
Refinements:
- Process Subsites – When you perform a permission change, you can select whether you would like any subsites with unique permissions to also be affected by the changes.
- Process Lists – When you perform a permission change, you can select whether you would like any list with unique permissions to also be affected by the changes.
- Process List/Folder Items - When you perform a permission change, you can select whether you would like any list items, documents, and folders with unique permissions to also be affected by the changes.
- Force Break Permissions – If the source account contains permissions on a Site or other object that inherits permissions, DeliverPoint can break the permission inheritance in order to carry out the permission change. This option should be used with caution.
- Support Rollback – When you are performing an Action such as Transfer Permissions or Copy Permissions, you may want to make sure that you can reverse the job. Checking the ‘Support Rollback’ will record the actions taken so that they can be reversed in the Jobs view. This feature is useful as a ‘safety net’ but also could be used if you need to make temporary permission changes, such as when a user is on vacation.
- Modify SharePoint Groups – Checking ‘Modify SharePoint Groups’ will change the SharePoint Group membership if the Source account is a member of a specific SharePoint Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the SharePoint Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the SharePoint Group, and the target account will be added as a member.
- Modify Microsoft 365 Groups - Checking ‘Modify Microsoft 365 Groups’ will change the Microsoft 365 Group membership if the Source account is a member of a specific Microsoft 365 Group that is in scope for the action, and the target account isn’t a member of the same group. If Copy Permissions is the action, then the target account will become a member of the Microsoft 365 Group, and the source account will remain a member of the same group. If the action is a Transfer Permissions action, the source account will be removed from the Microsoft 365 Group, and the target account will be added as a member.
- Stop After Error – There are several circumstances that could lead to an error when permission changes are occurring over large scopes. The logged in user may not have permission themselves to make changes to some of the objects in scope, an object may be corrupt, or may have been delete after the action was triggered. The ‘Stop After Error’ check box will instruct DeliverPoint to continue processing ignoring the object that caused the error.
Permissions Management
Permissions Management Actions in DeliverPoint include:
- Copy Object Permissions – The Copy Object Permissions allows you to copy the entire permissions from one Site to another object(s), A List to another object(s), or an item to another object(s). Examples include Copy the entire permissions from Site A to Site B and Site C or from Site A to Documents in Site B.
- Break Permissions – Stop Inheriting Permissions on the selected Objects
- Inherit Permissions – Reset Permission Inheritance on the selected Objects.
Copy Object Permissions
To Copy Object Permissions, select the scope that you are copying the permission set from. Then choose Actions, Permissions Management, Copy Object Permissions. You can then select the Target Site(s)/List(s), or Target Item(s).
Note: The same refinements can be applied as to those for the Account Management Actions.
Breaking or Inheriting Permissions
To break permission inheritance, select the objects that you wish to break permission inheritance on, and then choose Actions -> Permissions Management -> Break Permissions. You can choose the following refinements:
- Support Rollback – Have the ability to under the action from the Jobs view.
- Stop After Error – Stop processing the action if an error occurs.
To inherit permissions, select the objects that you wish to inherit permissions on, and then choose Actions -> Permissions Management -> Inherit Permissions. You can choose the following refinements:
- Process Subsites – Re-inherit permissions on subsites within the scope that has unique permissions.
- Process Lists – Re-inherit permissions on Lists within the scope that has unique permissions.
- Process List/Folder Items – Re-inherit permissions on items within the scope that has unique permissions.
- Support Rollback – Have the ability to under the action from the Jobs view.
- Stop After Error – Stop processing the action if an error occurs.
Managing Jobs
Actions that have executed on the scope that you have selected will be displayed within the jobs view. You will be able to determine the type of job, the description of the job the status, whether or not rollback is supported, and the time the job was created and who by.
You can filter the list of jobs on any column, and also define the date range in which your wish to view jobs from.
Roll Back Permissions
If you wish to rollback a job, and Rollback was enabled at the time of performing the job, you can select the row that you wish to rollback, and click Rollback.
Scheduling Reports
If ‘Scheduling’ is enabled for DeliverPoint within your tenant, you will be able to Schedule Discover Permissions, Sharing Links, and Unique Permission Reports.
Most of the reports are better performed on demand and in realtime since you get up-to-date information, and the report is presented to you within a formatted page. However, if you want to run a permission report on a very large scope, and the report is likely to take a long time to produce, the report can be scheduled. The output of the report is a File. Therefore, you must specify a document library that will be the container for the reports.
To Schedule a report:
- Choose Schedule, and then the report that you wish to schedule.
- Provide the URL for the Document Library as shown in the screenshot below.
- Choose the frequency for your report.
You can view the Scheduled Reports by clicking Schedule -> Scheduled Reports. The report contains the following columns:
- Id – The Scheduled Report Identifier
- Type – Type of Report which is either Discover Permissions, Unique Permissions, or Sharing Links.
- Scope – The scope selected for the report
- Status – Either Pending, Processing, or Completed.
- Scheduled – The date the report is scheduled to run next
- Frequency – How often the report will run.
- Report – The link to the report.
Adding DeliverPoint as a Web Part
Rather than accessing DeliverPoint from the Sites shortcut menu, you can add DeliverPoint as a web part on any modern SharePoint page. To do so, make sure that the page is in edit mode, and then click the + icon to add a web part. Select DeliverPoint, and then Publish your page. DeliverPoint can now be accessed from a determined URL.
DeliverPoint withing Microsoft Teams
If your Tenant Administrator has deployed DeliverPoint to Microsoft Teams, you will be able to add DeliverPoint as a Personal App within your Microsoft Teams environment. To do so, Click the ellipses of the left hand navigation bar. Then search for DeliverPoint. Click DeliverPoint to make DeliverPoint available.
You can now access DeliverPoint within Microsoft Teams from the Personal App view on the left hand navigation bar.