SharePoint
Feedback by UserVoice

I suggest you ....

← Sites and Collaboration

Security-trim hub site association dropdown list

Currently if a site owner opens the Site Information flyout menu and opens the dropdown of Hub Sites available for association the user will see all Hub Sites in the tenant, even those the user has no permissions to view. This might reveal Hub Sites with confidential information (like R&D project names) the user otherwise would have never been able to see.

Thus, the dropdown list showing the Hub Sites should only the Hub Sites the current user has (at least) "view" permissions on.

17 votes
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Forgot password?
    Create a password
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    Eric Hindrichsen shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    4 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Forgot password?
      Create a password
      Signed in as (Sign out)
      Close
      Close
      Submitting...
      • Eric Hindrichsen commented  ·   ·  Flag as inappropriate

        Sorry for keeping you waiting. We tested scoping the hub site to a group, but still any site owner was able to see the hub site's name in the dropdown for associating hub sites.

      • AdminSharePoint Experiences Team (spexcustomerengagement@service.microsoft.com, Microsoft SharePoint) commented  ·   ·  Flag as inappropriate

        Thanks for the quick response as well. The guidance is for the O365 admin to set a security group for each hub that gets created instead of relying on the permissions of the hub site itself. For hubs that should only be visible to a set of people, they should scope that hub via a security group. Relying on the hub permissions could not be ideal as there are cases when a lot of folks have access to the hub site but shouldn't have access to associate their sites to it.

      • Eric Hindrichsen commented  ·   ·  Flag as inappropriate

        Thanks for the quick response! We tested the approach you mentioned: As expected I (as a site owner of a random modern team site) was not able to join my site to the Hub Site. But after clicking "Site Information" on my site I was still able to see the name if this Hub Site - although it should be hidden from me. This could potentially disclose confidential information (as the Hub Site could bear the name of a secret project) and it confuses site owners, because they can select the Hub Site for association and only after saving this change they will be sent to an "Access Denied" page.

        In a nutshell: The "Hub Site Association" dropdown should only show Hub Sites the current site owner is allowed to associate his site to.

      Sites and Collaboration: Hub Sites

      Feedback and Knowledge Base

      (thinking…)

      Powered by UserVoice
      SharePoint Tech Community

      UserVoice Terms of Service & Privacy Policy