Security-trim hub site association dropdown list
Currently, if a site owner opens the Site Information flyout menu and opens the dropdown of Hub Sites available for association, the user will see all Hub Sites in the tenant, even those the user has no permissions to view. This might reveal Hub Sites with confidential information (like R&D project names) the user otherwise would have never been able to see.
Thus, the dropdown list showing the Hub Sites should only show the Hub Sites the current user has (at least) "view" permissions on.


We already support scoping hub sites through the use of mail enabled security groups. Instructions on how to set it up: https://docs.microsoft.com/en-us/sharepoint/create-hub-site?redirectSourcePath=%252farticle%252fcreates-a-hub-site-92bea781-15d8-4bda-805c-e441e2191ff3
Can you provide more details on what’s missing?
5 comments
-
Anonymous commented
This is an extension on the audience targeting/managed access concept that really should be available. It's essential in corporate scenarios.
-
Eric Hindrichsen commented
Sorry for keeping you waiting. We tested scoping the hub site to a group, but still any site owner was able to see the hub site's name in the dropdown for associating hub sites.
-
Thanks for the quick response as well. The guidance is for the O365 admin to set a security group for each hub that gets created instead of relying on the permissions of the hub site itself. For hubs that should only be visible to a set of people, they should scope that hub via a security group. Relying on the hub permissions could not be ideal as there are cases when a lot of folks have access to the hub site but shouldn't have access to associate their sites to it.
-
Eric Hindrichsen commented
Thanks for the quick response! We tested the approach you mentioned: As expected I (as a site owner of a random modern team site) was not able to join my site to the Hub Site. But after clicking "Site Information" on my site I was still able to see the name of this Hub Site - although it should be hidden from me. This could potentially disclose confidential information (as the Hub Site could bear the name of a secret project) and it confuses site owners, because they can select the Hub Site for association and only after saving this change they will be sent to an "Access Denied" page.
In a nutshell: The "Hub Site Association" dropdown should only show Hub Sites the current site owner is allowed to associate his site to.
-
Anonymous commented
Hubs/Hub sites MUST be Security Trimmed.