Accounts and permissions required to manage MetaShare

MetaShare activation, configuration and administration could all be done by the same user-account but our recommendation is to use 3 different accounts. MetaShare’s activation and administration are normally done by system accounts. MetaShare configuration can however be done by several users with different privileges.

Activation of MetaShare

  1. The account that activates MetaShare must be a Global Administrator in a Microsoft 365 tenant.
  2. Observe that a Global Administrative account does not have, by definition, access-rights to all sites/workspaces and their documents. Such an account can however always grant itself permissions to any site/workspace. Click here to get instructions for the activation of MetaShare.

Configuration of MetaShare

  1. After MetaShare has been activated, you can configure/manage MetaShare with a normal Microsoft 365 user-account. Click here to see how to configure MetaShare.
  2. To be able to access and configure MetaShare, these privileges need to be assigned:
    1. Access to SharePoint’s root-site
      To be able to access MetaShare, all users need a minimum of “read” permissions on SharePoint’s root-site, https://[tenant’s-name]
    2. MetaShare roles in Azure
      In order to configure MetaShare, create MetaShare workspaces and get MetaShare to be displayed in Microsoft 365 app launcher, follow these instructions to assign there roles in Azure:
      A user that has been assigned all MetaShare roles
      Note that the user that activated MetaShare in your Microsoft 365 tenant is automatically assigned the necessary roles during the sign-up process.
    3. Term store administrator
      To be able to manage MetaShare’s taxonomy (term sets and terms) in SharePoint’s Term store, assign the users to the “Contributors” or “Group Managers” group in MetaShare’s term set groups. When MetaShare is activated, one term set group named “MetaShare” is created. Delegated administration of MetaShare’s taxonomy is managed by splitting MetaShare’s term sets into different term set groups and by assigning different users to the different term set groups “Contributors”.
      A term set group's administrators
    4. Content type hub administrator
      To be able to create MetaShare’s document metadata (site columns and site content types), the users needs “Full Control” permissions on SharePoint’s content type hub (at least the person that sets up the initial structure needs this privilege).
      If users are only to configure MetaShare and do not need to modify MetaShare’s document metadata, the users only needs “Read” permissions on the hub. If the logged in users do not have access to the hub, a simple way to grant the permissions is to click on any of the workspace configurations in MetaShare settings and to use one of the links that MetaShare provides in the missing permissions notification page’s instructions:User lacks permissions in SharePoint's content type hub
    5. MetaShare document template administrator
      In order to manage MetaShare’s document templates, a workspace for the document templates needs to be created, according to these instructions. The administrator of this library needs “Full Control” permissions on the document library and all users that are to be able to create documents based on these document templates need to have “Read” permissions on the library.

Administration of MetaShare

  1. By default, the account used when activating MetaShare is defined as the MetaShare administrator. If needed, it can be replaced with another account.
  2. The MetaShare administrator account will be granted full access-rights in all workspaces (added as Site Collection Administrator to the site collections MetaShare creates)
  3. Recommendations/prerequisites for the account:
    1. It should therefore preferably be a system account (not a normal user account).
    2. It should be a SharePoint Service Administrator (no SharePoint licence needed).
    3. As the account in some cases will be shown to the end-users, e.g. when unexpected errors occur, enabling end-users to send e-mails to the account, the account needs a Microsoft Exchange Online license and the account’s e-mail should also be monitored by an administrator.

Using MetaShare

For the end-users of MetaShare, the requirements are:

  1. The user need a Microsoft 365 account. See MetaShare’s Service Description, for a list of all supported Microsoft 365 subscriptions. If you are unsure which subscription your users have, click here.
  2. Have a minimum of “read” permissions on SharePoint’s root-site, https://[your tenant’s name]
  3. Are assigned the “MetaShare User” role, for MetaShare to be displayed in their Microsoft 365 app launcher.
  4. Have been assigned permissions on one or more workspaces, else MetaShare’s start page will not show any workspaces.
  5. Have “Read” permissions on the document templates library (in order for them to be able to create documents).