I was wondering if anyone could help me decide how best to implement SharePoint permissions for the site I'm working on. I am using SharePoint Classic on Office 365. It is an intranet site with different departments, which means that we have unique permissions at almost every level, or at least at the first level. An example structure of the site with the required permissions is as follows:
0-Home: Administrators (AD group); All Employees (AD group)
    1-Employees: Administrators (AD group); All Employees (AD group)
        2-HR: Administrators (AD group); HR Manager (AD group); HR Staff (AD group); Username1 (user); adhocemployee1 (user)
            3-Manager: Administrators (AD group); HR Manager (AD group)
            3-Employees: Administrators (AD group); HR Staff (AD group); All Employees (AD group)
        2-IT: Administrators (AD group); IT Staff (AD group)
    1-Non-Employees: Administrators (AD group); All Employees (AD group); All Non-Employees (AD group)
Here 0, 1, 2 and 3 are the different levels of subsites, where 0 is the top level and 3 is the third level of child site. Since the most important permission levels we will use are Read, Contribute and Full Control, I plan to create 3 SharePoint groups for each subsite: 3 for Employees, 3 for HR, and so on. I am not sure if this is the right approach. Would it be better to assign permissions to all users / AD groups individually rather than organising them into SharePoint groups? We also have library-level permissions assigned to users / AD groups, because users across our organisation access them. This makes it a bit complicated and difficult to manage the ad-hoc requests that repeatedly come in for access to specific subsites / libraries.
Permissions for the HR subsite:
HR Administrators (SharePoint group) -> Full Control -> members: Administrators (AD group)
HR Readers (SharePoint group) -> Read -> members: HR Manager (AD group); HR Staff (AD group)
HR Employees (SharePoint group) -> Contribute -> members: HR Manager (AD group); Username1 (user)
The other approach, which I am not inclined towards, is this:
HR Manager (AD group) -> Contribute
Username1 (user) -> Read
HR Staff (AD group) -> Read
Administrators (AD group) -> Full Control
adhocemployee1 (user) -> Read
I hope someone can tell me which approach suits my scenario better.
Thanks a lot!
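The three-groups-per-subsite model from the HR example above, written out as an added PnP PowerShell script (this is not code from the original post). It generalises the HR case to a table of subsites, so that an ad-hoc access request becomes a membership change in one SharePoint group rather than a new permission assignment. Assumed, and not from the post: the tenant and site URLs, the user UPNs, the Azure AD group object IDs, and the Owners / Members / Visitors naming. The cmdlet names are the current PnP.PowerShell ones; `Connect-PnPOnline -Interactive` needs a registered app in the tenant.

```powershell
# Added example, not part of the original post. Requires the PnP.PowerShell module.
# Builds one SharePoint group per permission level on each subsite, binds the
# permission level to the group, and adds AD groups / users as group members.

$tenantUrl = "https://contoso.sharepoint.com"          # assumed tenant URL

# Assumed: Azure AD (synced AD) security group display name -> object ID.
# SharePoint Online identifies such a group by the claim "c:0t.c|tenant|<object id>".
$adGroupIds = @{
    "Administrators" = "11111111-1111-1111-1111-111111111111"   # placeholder
    "HR Manager"     = "22222222-2222-2222-2222-222222222222"   # placeholder
    "HR Staff"       = "33333333-3333-3333-3333-333333333333"   # placeholder
}

# Permission level -> suffix for the SharePoint group name (SharePoint's own convention).
$groupSuffix = @{ "Full Control" = "Owners"; "Contribute" = "Members"; "Read" = "Visitors" }

# One entry per subsite. Contribute already includes Read, so a principal that
# contributes is listed once, under Contribute, rather than in both groups.
$plan = @(
    @{
        Web   = "/sites/intranet/employees/hr"                   # assumed server-relative URL
        Name  = "HR"
        Roles = @{
            "Full Control" = @("Administrators")
            "Contribute"   = @("HR Manager", "username1@contoso.com")
            "Read"         = @("HR Staff", "adhocemployee1@contoso.com")
        }
    }
)

function Resolve-LoginName([string]$principal) {
    # Users are given as UPNs; anything else must be a known AD group.
    if ($principal -like "*@*") { return "i:0#.f|membership|$principal" }
    if (-not $adGroupIds.ContainsKey($principal)) { throw "Unknown AD group: $principal" }
    return "c:0t.c|tenant|$($adGroupIds[$principal])"
}

function Set-SubsitePermissions($entry) {
    Connect-PnPOnline -Url ($tenantUrl + $entry.Web) -Interactive

    # Give the subsite its own permissions: do not copy the parent's role
    # assignments and do not touch the permissions of child webs.
    $web = Get-PnPWeb
    $web.BreakRoleInheritance($false, $false)
    Invoke-PnPQuery

    foreach ($role in $entry.Roles.Keys) {
        $groupName = "$($entry.Name) $($groupSuffix[$role])"     # e.g. "HR Visitors"
        $group = Get-PnPGroup -Identity $groupName -ErrorAction SilentlyContinue
        if (-not $group) {
            $group = New-PnPGroup -Title $groupName -Description "$role on $($entry.Name)"
        }
        # The permission level is assigned to the SharePoint group only ...
        Set-PnPGroupPermissions -Identity $groupName -AddRole $role
        # ... and AD groups / users are only ever members of that SharePoint group.
        foreach ($principal in $entry.Roles[$role]) {
            Add-PnPGroupMember -Group $groupName -LoginName (Resolve-LoginName $principal)
        }
    }
}

# Who effectively has what on the connected subsite: the list you need when
# answering "does X have access to the HR site?" or auditing a library.
function Get-SubsitePermissionReport {
    Get-PnPGroup | ForEach-Object {
        $g = $_
        Get-PnPGroupMember -Group $g | ForEach-Object {
            [pscustomobject]@{ Group = $g.Title; Member = $_.Title; LoginName = $_.LoginName }
        }
    }
}

$plan | ForEach-Object { Set-SubsitePermissions $_ }
Get-SubsitePermissionReport | Format-Table -AutoSize
```

Adding a second subsite is one more entry in `$plan`; granting an ad-hoc user Read on HR becomes a single `Add-PnPGroupMember` into "HR Visitors". Libraries that need their own permissions follow the same pattern with `Set-PnPList -BreakRoleInheritance` and `Set-PnPListPermission -Group ... -AddRole ...`, still pointing at the subsite's SharePoint groups rather than at individual users.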