SharePoint

Security-trim hub site association dropdown list

Currently, if a site owner opens the Site Information flyout menu and opens the dropdown of Hub Sites available for association, the user will see all Hub Sites in the tenant, even those the user has no permissions to view. This might reveal Hub Sites with confidential information (like R&D project names) the user otherwise would have never been able to see.

Thus, the dropdown list showing the Hub Sites should only show the Hub Sites the current user has (at least) "view" permissions on.

22 votes

Eric Hindrichsen shared this idea

4 comments

  • Eric Hindrichsen commented

    Sorry for keeping you waiting. We tested scoping the hub site to a group, but still any site owner was able to see the hub site's name in the dropdown for associating hub sites.

  • [Admin] SharePoint UserVoice Admin (SharePoint UserVoice Admin, Microsoft SharePoint) commented

    Thanks for the quick response as well. The guidance is for the O365 admin to set a security group for each hub that gets created instead of relying on the permissions of the hub site itself. For hubs that should only be visible to a set of people, they should scope that hub via a security group. Relying on the hub permissions could not be ideal as there are cases when a lot of folks have access to the hub site but shouldn't have access to associate their sites to it.

  • Eric Hindrichsen commented

    Thanks for the quick response! We tested the approach you mentioned: As expected, I (as a site owner of a random modern team site) was not able to join my site to the Hub Site. But after clicking "Site Information" on my site I was still able to see the name of this Hub Site - although it should be hidden from me. This could potentially disclose confidential information (as the Hub Site could bear the name of a secret project) and it confuses site owners, because they can select the Hub Site for association and only after saving this change they will be sent to an "Access Denied" page.

    In a nutshell: The "Hub Site Association" dropdown should only show Hub Sites the current site owner is allowed to associate his site to.
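
The admin guidance in this thread (scope each hub to a security group), shown as an added example that is not part of the thread or Microsoft's own code: it finds hubs that no group is scoped to and shows the grant for one hub. It assumes the SharePoint Online Management Shell and that hub objects expose a `Permissions` list; the `contoso` tenant, hub names and group address are placeholders. As reported in the comments above, this restricts who can associate a site but did not hide the hub's name from the dropdown.

```powershell
# Added example. Get-UnscopedHub is a hypothetical helper, not a built-in cmdlet.
# Assumption: each hub object carries a Permissions property listing the
# principals allowed to associate sites; an empty list means the hub is unscoped.
function Get-UnscopedHub {
    param([Parameter(Mandatory)][object[]]$Hub)
    # Null or empty Permissions evaluates to $false in PowerShell.
    $Hub | Where-Object { -not $_.Permissions }
}

# Constructed sample shaped like Get-SPOHubSite output (placeholder values).
$sampleHubs = @(
    [pscustomobject]@{
        Title       = 'Intranet'
        SiteUrl     = 'https://contoso.sharepoint.com/sites/intranet'
        Permissions = @()
    }
    [pscustomobject]@{
        Title       = 'RnD-Hub'
        SiteUrl     = 'https://contoso.sharepoint.com/sites/rnd-hub'
        Permissions = @('rnd-hub-owners@contoso.onmicrosoft.com')
    }
)

# Lists only 'Intranet': the hub that any site owner could still associate to.
Get-UnscopedHub -Hub $sampleHubs | Select-Object Title, SiteUrl

# Against a real tenant (run as SharePoint admin):
# Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
# Get-UnscopedHub -Hub (Get-SPOHubSite) | Select-Object Title, SiteUrl
#
# Scope one hub to its own security group, as the admin comment recommends:
# Grant-SPOHubSiteRights -Identity 'https://contoso.sharepoint.com/sites/intranet' `
#     -Principals 'intranet-hub-owners@contoso.onmicrosoft.com' -Rights Join
```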
