When using out-of-the-box SharePoint Online and SharePoint On-premises as an extranet, a common source of confusion and privacy issues is the difficult-to-control nature of the software's sharing features.
Here is an example, with a detailed explanation below it:
Explanation of scenario and problem:
In the example shown above, Brenda Mason of AdventureWorks has created a contract document for a customer, XYZ Corp. She has used SharePoint Online’s sharing feature to share the document with Milo Weaver, her contact at XYZ Corp, who is an external user to AdventureWorks.
When Milo receives the invitation to view and edit the document, he notices that he has the ability to share the document with others. With some clicking of buttons and links, he also can get to a view that shows a list of everyone the document has already been shared with.
With much dismay, Milo discovers that the document has also been shared with someone at a company with a domain of @premierpointsolutions.com – who he doesn’t even know! His trust in AdventureWorks and Brenda is shaken, even though AdventureWorks may have had a legitimate business reason to share the contract with another party. What AdventureWorks needs is an external sharing system that offers much better privacy.
ExCM Extranet Online Solution to Problem
Now let’s look at the approach and a few of the features that ExCM Extranet Online uses to stop confusion and privacy problems like this from happening:
- In an ExCM Extranet Online site, neither internal users nor external users will ever see any of SharePoint’s native “Share” or “Shared With” features – these UI elements have been completely removed from the interface.
- An owner of an ExCM Extranet Online site (by default the Requestor of the site) will have access to a site administration page with links to specialized “Request” workflows that can be used to submit a request to share the site with one or more internal users and/or invite an external user to register for the site. Only site owners, who must be internal users, have access to this page.
- When a site owner submits a request to share a site with another internal user and/or invites an external user to register, he or she is not responsible for specifying the permissions. All permissions are applied to the site automatically based on your company’s pre-defined security policies that are stored in the system. This eliminates the chance that a site owner will make a permissions-related mistake, and ensures that the company’s security policies are uniformly applied.
- The only time an internal user will see a SharePoint “People Picker” control is when submitting certain types of requests on the “Extranet Requests” site, such as a request to share a site with another internal user (as shown in a screenshot above). Because the Extranet Requests site is only accessible by internal users, this eliminates any privacy issues that might occur if an external user were able to access the People Picker.