Because SharePoint has a different permissions model than Jive, you need to understand the permissions of Jive places in order to correctly set up SharePoint-side permission groups.
CAUTION:
After you set up your Jive and SharePoint connection according to the
permissions recommendations described here, be careful about making changes made to permissions
outside the automatic provisioning of the system. You should also block regular users from being
able to modify the shared permissions of files within Jive-associated document libraries.
When you connect SharePoint to Jive, you're connecting a site collection to a place. Jive has three types of places that can be linked to a SharePoint site: groups (sometimes called social groups, to distinguish them from permission groups), spaces, and projects. Groups have a different permissions model from spaces and projects.
Jive Space and Project Permissions
Access to Jive spaces and projects is governed by associating it with a Jive permission group (not to be confused with a social groups, which is a Jive place)There are three types of permission groups in Jive. A single Jive instance may contain all three kinds of permission groups.
- A custom permissions group configured in Jive.
- A custom permissions group provisioned from LDAP or another directory server.
- The built-in Jive groups Everyone and All Registered Users. Everyone includes all users in Jive: All Registered Users excludes external and anonymous users.
Note: Spaces and projects exist in a hierarchy
and are subject to permissions that are set in the Jive admin console: spaces and projects
inherit their permissions from any space that contains them. For example, if people belonging to
the All Registered Users permissions group in Jive have access to a space, they also have access
to any subspaces and projects located in that space, unless a permissions override is created. If
you create a Jive project or space linked to SharePoint, you may want to make sure it is a
restricted space. A project that inherits permissions from an unrestricted space could grant
access to every member of the community.
On the SharePoint side, each site created on the Jive side is provisioned with the following three SharePoint permission groups:
- [site name] Jive Contributor Users
- [site name] Jive Full Control Users
- [site name] Jive Read Users
- For places that grant access to custom permissions groups created in Jive, each member of the Jive permission group is assigned to Jive Contributor Users or Jive Read Users according to whether their rights to the space are read/write or read/only rights. The user who created the space is assigned to the Jive Full Control Users group for the linked SharePoint site.
- For Jive places that grant access to LDAP-provisioned permission groups, it is assumed that SharePoint is integrated with LDAP and can directly access the same permissions for each user. These permissions are then used to assign rights to the linked SharePoint site.
- For Jive places that grant access to the built-in Jive permissions groups Everyone or All Registered Users (note that this is the default behavior in Jive when creating a space), Jive grants access to the Everyone principal in SharePoint. This principal can be mapped using the Office 365 Integration add-on settings during the Jive-side setup. If the principal is NOT specified in this setup, it will be identical to the default SharePoint Everyone principal. If you need the number of users with access to Jive content to be smaller than the total number of SharePoint users defined in the default Everyone principal, you should map the Everyone principal to a smaller group during add-on setup. For more information about how to do this, see Setting Up the Office 365 Integration Add-On.
Jive Group Permissions
Jive groups, also known as social groups, do not exist in a hierarchy or inherit permissions from anywhere else in the community. Instead, access is controlled by the type of group and by group membership. The following table shows who can access the four group types.
Implications of Groups for SharePoint Permissions
- When a restricted (Members Only, Private, or Secret) group is created, users have rights to the content on the SharePoint side according to their Jive-side group membership.
- By default, only people who are members of (or are following) an Open group will have access to content on the SharePoint side. Until users join or are added to the group, Open group content is not visible on the SharePoint side. If this does not reflect your security model, you have the option when configuring the Office 365 add-on to identify the Everyone principal. Specifying the Everyone principal defines the list of users who have read-write access to Open group content.
- Members of the SharePoint Online Full Control Users group have full rights to all SharePoint-connected places in the Jive community and can also delete content on either side of the integration. Jive group membership does not affect their permissions to content on the SharePoint side.
| Jive Group Type | SharePoint Full Control Users | SharePoint Contributor Users | SharePoint Read Users |
|---|---|---|---|
| Open | Group Creator | Everyone* | |
| Members Only | Jive Admins**, Group Creator | All group members | Everyone* |
| Private | Jive Admins, Group Creator | All group members | |
| Secret | Jive Admins, Group Creator | All group members |
**Requires the Full Control principal in SharePoint to be mapped in the add-on settings during Jive-side setup.