Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
Prep Your File Permissions for AI Tools with Steve Longenecker
Carolyn sits down with Steve Longenecker, Director of IT Consulting at Community IT Innovators, to tackle a question that's suddenly urgent for many nonprofits: now that AI tools like Microsoft Copilot and Google Gemini can search your entire file system, are your permissions actually set up correctly?
The conversation covers the practical steps nonprofits can take to assess and clean up their SharePoint and Google Workspace permissions before — or after — turning on AI. Steve and Carolyn discuss:
- Why AI tools like Copilot only surface files users are already permitted to see — and why that's not as reassuring as it sounds.
- The "security through obscurity" problem: how files that were harmlessly buried for years can suddenly become visible to anyone.
- How Microsoft tracks "anyone at my organization" share links — and why you should change your default sharing settings now.
- What Restricted SharePoint Search is, and how it can help you safely roll out Copilot site by site.
- Practical first steps for nonprofits with messy, organic SharePoint environments.
As Steve puts it, old SharePoint architecture represents technical debt that's going to have to get paid down eventually — and AI may be making that day come sooner.
Resources Mentioned:
- Microsoft Restricted SharePoint Search — overview for organizations rolling out Copilot: https://techcommunity.microsoft.com/blog/microsoft365copilotblog/introducing-restricted-sharepoint-search-to-help-you-get-started-with-copilot-fo/4071060
- SharePoint permissions governance — a conceptual overview for site owners and leadership: https://support.microsoft.com/en-us/office/overview-site-governance-permission-and-sharing-for-site-owners-95e83c3d-e1b0-4aae-9d08-e94dcaa4942e
- Community IT's Microsoft Tools Resource Library for Nonprofits: https://communityit.com/microsoft-tools-for-nonprofits/
_______________________________
Start a conversation :)
- Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
- email Carolyn at cwoodard@communityit.com
- on LinkedIn
Thanks for listening.
We were going to talk about cleaning up data permissions.
Steve Longenecker: Yeah.
Carolyn Woodard: How to start doing it
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics podcast. I'm Carolyn Woodard, your host, and I'm happy today to be joined by my colleague, Steve Longenecker, who is our director of IT Consulting and a longtime employee of Community IT, employee owner. And we're going to discuss a little bit more about how to clean up your permissions if you are worried that AI is going to surface some files or information that not everyone at your organization should have access to.
Steve Longenecker: You know, in general, our recommendations right now to our clients is that the value of having your AI tool be integrated with your main productivity platform is so strong that that's probably the place to start. So if you're a Microsoft 365 customer for email and files, you might as well just use Copilot, even if it's not the strongest AI in the world. Although I think a lot of people um underestimate Copilot, or at least I have. I think it's I think it's not as bad. I mean, whatever, it's not as bad as people might have said or experienced in the past. Partly you can you can pick the specific model that's Copilot's using more easily than than I thought. So that's one thing.
Steve Longenecker: Similarly, though, just to close that loop, if you're a Google customer using Gemini, it makes a lot of sense too, right? So then when you ask Gemini a question, similar to asking Copilot a question, it can draw on the data that's in your Google Workspace or in your Microsoft 365 tenant, respectively. And if that's where your data is, that's makes for a power more powerful AI experience as if you're asking it questions pertaining to your work data.
Steve Longenecker: Now, if you're asking a general question like you're trying to, you know, vibe code code something, or you just want to know like a summary of a bunch of web pages, then you can use any model and it doesn't matter, your work data doesn't is not pertinent to that.
Steve Longenecker: But if you're asking a question about, you know, find me the files that you know we have as a as an organization about this customer or about this program or summarize them for me, then it having already having access to those files or to or to your emails. That's really a powerful thing about Copilot for me is that it'll it'll check my work against you know what I've been emailing with people, and that's kind of kind of cool. So um, but yeah,
Steve Longenecker: Then the then the risk that you're that this conversation starts with is all right, so you've hooked up, you're using an AI agent that can see your company's files. Well how how what are we worried that it's gonna like surface information that you actually shouldn't have access to? And both Gemini with Google and Copilot with Microsoft promise that they will only surface data that the the user of the co of the of the AI is allowed to see.
Steve Longenecker: So if you ask a question about budgets of of Copilot, it's not going to show you budgets that list you know people's salaries, you know, only the CFO and the CEO or other departments. Like if you're not supposed to see those salaries, um you shouldn't be able to Copilot won't show them to you.
Steve Longenecker: The risk and concern is that um that you know organizations in the past may have been sloppy about about those permissions because they the Copilot or Gemini wasn't in the picture.
Steve Longenecker: And so no one even knew that this library um that has all this budget information um even existed, you know, besides the you know, the Microsoft team that um someone spun up, you know, that the CFO spun up in Microsoft team and invited um, you know, the accountant and the CEO to join the team. All right, great. All right, they are the only ones that even know this team exists. No one else is even really not that it's like a state secret, but it's like it's not advertised, it's not in any indexes or whatever. But, you know,
Steve Longenecker: When they created the team, it was like uh it was um not really a thought-out thing. They just clicked on the public team instead of the private team, right? And so that immediately sets up some permissions. And if no one knows that the team really exists and is looking for it, then it doesn't matter.
Steve Longenecker: But now that Copilot is on the scene, it does matter because Copilot views that team as public. You said it was. Um, all it doesn't, it is a maybe artificially intelligent, but it's not intelligent enough to like second guess the motives, it's just honoring the permissions that you gave.
Steve Longenecker: So almost any AI implementation plan will start with that kind of a readiness question. Do you feel confident that your file libraries are secured appropriately so that you know the AI is going to honor the permissions, but the permissions are correct?
Steve Longenecker: One thing that was really interesting to me that I learned recently, and I want to give a um a shout out to um to Dan Shank-Evans, the chief information officer at um the Carnegie Endowment for International Peace, it's a Community IT client. I did actually ask him if I could give him this shout out because I wouldn't do that otherwise, but he said that's fine. But
Steve Longenecker: I had told him that if you share a file with someone, like if I share a file with you and I use what SharePoint calls the anyone at Community IT link, right? So that's one of the share links that you can um share a file with. That's right. And in again, the idea here is that this link, this link will work for anyone at Community IT.
Carolyn Woodard: Yeah. But I've just share it in like Teams or you send it in.
Steve Longenecker: Yeah, I send it as I sent it as an email to you, or I sent it as a private chat to you. So you're the only one with this link, right? And this link is extremely long and random. Like the URL starts with some familiar, you know, names and stuff. But then it's just a bunch of alphanumeric characters, right? And so
Steve Longenecker: I had told Dan, well, that link says that anyone at Community IT can have access to this file. And so Copilot's gonna find that file if someone asks, someone else besides you, asks um a question pertinent to that file. That's right. That's right. And, you know, the if that's your default sharing link, you just use it because it's it's like, yeah, I want Carolyn to be able to see this. She's in Community IT, so the link's gonna work great for her. It's the simplest thing, no extra clicks, just send, just grab the link and send it to her. And it works for her. And I know she's not gonna forward this link to anybody else because it's this is private, you know? Yeah, done and done.
Steve Longenecker: Well, I told Dan that's a problem. So, you know, what we need to do is find all those share links and weed them out, which there are, by the way. You can do that in PowerShell, you can get a listing of all the uh share links that have that particular thing, and then you can figure out which ones actually should be changed to specific people links, track them back to the track them back, yeah. Or maybe unshare them all together because it's no longer relevant to share it anyway. It's like a budget from three years ago, and just we don't we're not actually actively collaborating. We're not gonna delete the file, but we can remove the sharing kind of a thing.
Carolyn Woodard: Like make a policy anything over four years old. Maybe something, yeah.
Steve Longenecker: There's different ways that you could you could do that.
Steve Longenecker: So, anyhow, Dan was really concerned about this, and he so he did some experimenting, and it wasn't what I promised him would happen wasn't happening. That's true. So he did some more research and he found out that actually Copilot, and I can't speak to how Gemini would work with this, but with Copilot at least, it actually keeps track of who has who the link has been passed to. So yeah, so it's really cool.
Steve Longenecker: So if I have created an anyone at Community IT link to a file and I've shared it with you, Copilot knows it can watch, it can see the email with the link in it that is in your mailbox. So it knows that that link works for you.
Carolyn Woodard: But if you haven't actually forwarded, Joe Random like asks for it, it wasn't shared with Joe Random. So ...
Steve Longenecker: That's right. If you forward the link to someone else, then Copilot will find it. But it actually, Copilot has it just seems that just seems amazing.
Steve Longenecker: Not so much that it would that, I mean, just the the level of like having to enumerate like all this information, but that's what artificial intelligence is good at, right? It's like it can look at a million things at once very quickly and find the pattern. So that's one of the patterns it looks at.
Steve Longenecker: So it's not as dismal a situation as I was promising to Dan.
Steve Longenecker: Now, I pointed out to him, hey, but we've all been in the situation, right, where uh a thread that's like 20 emails long is now turned a corner and gone to a different issue, right? And someone at the thinks, oh, this now that the thread is asking this question, I should CC so and so. Yeah. So I'm I'm gonna say, you know, you're right. This is a really good question. Let me CC our colleague, you know, Henry. And now Henry gets this long thread. And if Henry bothers to scroll through the whole email, he realizes that this conversation has taken a number of meanders. And down there at the bottom is some information that he shouldn't see. Yeah, but he can.
Steve Longenecker: So it's still a risk, and you're still you're still um uh advised, you know, to maybe start new threads sometimes when you do that, or pay attention to that. And so and and
Steve Longenecker: Just in general, avoid the anyone at my organization link unless you actually mean that and use specific people links.
Steve Longenecker: And I would say change the default on your sharing links. The default is often anyone or anyone at my organization and make the default people with existing access so that they have to like actually change it to something if they mean to share it more widely than that. That's what we kind of go with now for the default sharing link.
Steve Longenecker: But back to your question, yes, you can you can again in Microsoft I'm more familiar with, but with Microsoft, you can run PowerShell commands to get lists of all of these um sharing links and you know go through and weed them out. You can look and you can look at the different libraries and see if folders are you know have sharing that they shouldn't, or if whole of whole libraries have sharing.
Steve Longenecker: One thing that Microsoft does that I think is um good in this respect is that this is not something that I see turned on much um at all, but it can be turned on. You can um turn on what's called restricted search, or what's it called? It's not necessarily called restricted search. Um restricted uh yeah, restricted SharePoint search.
Steve Longenecker: So you can turn on restricted SharePoint search, which basically says um I believe this is how it works. Uh is it an it's on and then off, I think. Let's see.
Carolyn Woodard: Is that something that each person turns on or that you can do it?
Steve Longenecker: No, it's a global it's a global admin setting. So it applies to the um entire uh tenant. And and
Steve Longenecker: I think what the idea here is, I'm just I'm looking at it real quick. I think what it's saying is that um when you turn it on, then Copilot can't see any sites. It can't see SharePoint, which of course is the whole point is that you want Copilot to be able to see your sites, but then you can then add to the list the sites that you have vetted and you're comfortable turning them on. So then you can, you know, little by little, I think I have that right.
Steve Longenecker: I think it's that it's the it's turns off for everything, and then you turn things on site by site. That's right, not the other way around.
Steve Longenecker: But in any case, you can you can validate the governance for a site and then add it to the allowed list, and then and then and then at some point you've done it for all of your sites, and at that point you can turn it turn the restricted search off because you've you've validated everything.
Steve Longenecker: So that's probably something that if I were if I were concerned, if I were, and I say that because it is an if like there are we have I know we have clients that have set up their SharePoint infrastructure with great care, yeah, and have already you know been very conscious well before Copilot, diligent about the you know, permissions and security. And so they can turn on as long as Copilot respects permissions, which it does, they can turn on Copilot for their end users with confidence.
Steve Longenecker: Yeah, but we definitely have clients that are not and should probably, you know, use the tools that these and I think Gemini has similar tools. I'm just not as familiar with it, but I I think Gemini has similar tools where you can manage it and to manage the transition. Yeah, yeah, yeah.
Carolyn Woodard: I I feel like this conversation speaks a little bit to the training, maybe onboarding, and revisiting your training of - how do we share files with each other and where do we store, like
Carolyn Woodard: If you join an organization and you are on the team, the program team, and then you have you know a SharePoint folder that's your folder for your team, and just a lot of those things in my experience is just kind of left to chance. Like maybe somebody else in your department will tell you how it works, but yes,
Carolyn Woodard: Maybe that's something in going along with looking at these permissions is to kind of revitalize or in like create an onboarding you know, reference that everyone can look at of like, here's how we share. I get confused in Teams because like you share a document with a chat that you're on in in Teams with your colleagues there, you know, and they have access to it. And then I don't know, it gets confusing, like, well, where do you put that file? And then it you're like sharing the file is like, oh, you already shared that with you know with somebody else. And if you don't have um, if you
Carolyn Woodard: If you don't have a kind of a philosophy and a policy of this is how we use Teams, this is how we use SharePoint, this is how we want you to share and and store your stuff you're working on, this is how we want you to archive it when it's you know done, then it's really hard to know like how people, if you have a staff of, you know, even just 15 people, they're probably sharing things 15 different ways.
Steve Longenecker: Yeah. Well, I think the the main shift, I mean, all of that is has is true and has been true for a long time.
Steve Longenecker: I think that the main shift, the the imperative is that before we had AI's ability to again find needles and haystacks, you know, very quickly with natural language requests, security through obscurity was it was a real thing. And and now it's just not. So like
Steve Longenecker: If there's some folder buried deep in a full file structure um that has you know personal information. I mean, PII is an example, right?
Carolyn Woodard: So like Social Security numbers, Social Security numbers all of your colleagues.
Steve Longenecker: They just it was it was it used to be that we did it that way. We organized things by that way, and we didn't worry about it because it it was fine, and yet the and and now and the files are still there, they're still in like that old library or that old, you know, and it might not even be a library that anyone's gone to, and maybe it used to be on a file server, yeah, and we migrated it to SharePoint and it got ported over, and it's just sort of there, and no one knows about it, and it doesn't matter, but now it does, you know. So maybe you need to like, and
Steve Longenecker: There's other things that you know, both Microsoft and Google can do, like just looking for PII, looking for Social Security numbers, like where are these things and are they somewhere that they shouldn't be? Um I mean,
Steve Longenecker: Every every organization will have files somewhere. Now it may not be in their SharePoint, it might be in their HR system, which is a maybe a separate system, but you know, this stuff resumes, yeah, they're gonna be saved, but are they saved somewhere securely? Well, that's the that's the question, you know.
Carolyn Woodard: So I think I have a last question for you on this, and it's kind of a hypothetical, but I think it might apply to some nonprofits, hopefully not very many of our clients. But
Carolyn Woodard: If you are at a nonprofit and your SharePoint is a mess, it's just grown organically, willy-nilly, no one explained it to you. Um, and maybe you don't have an MSP or you don't have a maybe there's no IT person. Um, IT is under your CFO, for example. Um, and you're if you're on that leadership team and you're worried about this issue, that the permissions will come up. You know, you have staff who are looking with Copilot to find, you know, information on this program from five years ago because it could help me today. Um
Carolyn Woodard: What would be your advice for like a first one or two steps that that executive team should take to start to deal with this?
Steve Longenecker: A lot of the steps I would advise do require a certain amount of technical ability. So I don't know whether I have great. I mean, like
Steve Longenecker: I would like to look at the structure of the SharePoint infrastructure and like you know, the the model that that is recommended now, which was not the model that you know, SharePoint sites that were built 10 years ago were necessarily built by, but is that you have a different site for different permission groups, right? So the finance team would have a finance site with the finance library, and the finance site has a specific membership that is very visible. And uh, but you know,
Steve Longenecker: Maybe sites that were built 10 years ago might just have a like a site for the whole company, and then there's just a finance and a finance folder where the permissions are kind of like different for that subfolder than they are for other things, and those are that can be very difficult to. I mean, it's not difficult to like find out what the permissions of a specific folder are, but each each finding out the permissions of that specific folder is like a series of clicks and it doesn't scale very well, okay, because that's just one folder. Now you have this other folder and this other folder, this other folder.
Steve Longenecker: So how do you find that out? So, you know, it might actually in some ways be wise to um you know take that whole make that whole site invisible to Copilot and then little by little move the stuff out to other other places that are secured and then make those places visible one by one. Um that might
Steve Longenecker: I mean it depends on it depends on on how um woolly your your SharePoint infrastructure is, but you the these you you would your hyper hypothetic hypothetical situation was you know a really rangey, like out of control organic SharePoint. And it probably does make sense to get your arms around that before you know Copilot can start. Yeah.
Steve Longenecker: And fortunately, there are ways in SharePoint to say, hey, we we want to like make this site unavailable to Copilot um without doing anything else. That's just a simple step. And then you can start to maybe port the stuff out um and and clean things up and start making things available. Yeah.
Carolyn Woodard: Well, that makes sense. And maybe this is your you know, wake-up call. I mean, I guess with a 12-step program, like the first step is to know you have a problem.
Steve Longenecker: Right. Right. I mean,
Steve Longenecker: The other thing you would I would do, I guess, in that situation, maybe is like, you know, deputize you can't really do this yourself with your own leadership because you have access to all these, all this stuff, you know, but deputize um an intern to like you know, hammer away at Copilot and see kind of what stuff they can find, and then bring that material to you. And you know, you can maybe start to see if there's I mean, especially, yeah,
Steve Longenecker: A young intern might be good at at asking Copilot to find stuff and see what they can questions, see what they can find. Yeah, kind of like it's kind of like the you know, the old red team uh approach to security. You know, you need to have a team that's like trying trying to get through your stuff, you know, they they're on your side, but you're you've deputized them to probe your defenses. That would be another interesting tack to take.
Steve Longenecker: And that's kind of what you know Dan Dan was doing. Like he was like, Yeah, Steve told me this, it makes sense, but let me test it, let me see how it is. And it wasn't working the way I said. And so that's when he did a little more research and found out that actually Copilot tracks where the link has gone. So yeah, that might be another thing to do. Like
Steve Longenecker: Have someone who does who shouldn't be able to find stuff. And see if they can. And see if they can and see what you what comes up. And it may not be, it may be that your situation is not as um bad as it seems because maybe there are more, even though you're not aware of them, maybe the permissions are working. Um yeah.
Carolyn Woodard: Yeah. And usually I it it seems like usually there is someone who knows something about SharePoint. So maybe find the person on your staff who knows the most about it and ask them to help you understand where the risks might lie. Right.
Carolyn Woodard: And or maybe, you know, as a leadership team, you sit up, you talk about it, and you're like, we need a consultant who's gonna just come in and help you.
Steve Longenecker: I do think that those that those sites that are built on kind of the old paradigms, and we built some sites with that with those old paradigms. I mean, it was just it was a different time, right? Yeah. But like that idea of having a single company site with folders that have different permissions, that does represent, and this is getting off the subject of of of Copilot and AI, but as a you know, Microsoft SharePoint consultant from time to time, I would say that those, that that architecture represents technical debt that's gonna have to get paid down sometime.
Carolyn Woodard: Yeah.
Steve Longenecker: Now, it may not need to get paid down today. It may not be your most top, your most urgent priority if it's basically working for you. I mean,
Steve Longenecker: Copilot might be, you know, raising the stakes a little bit or making it more, more of an imperative or more of an urgent matter, maybe. But even if it seems like the permissions are holding when you have your intern test it out, it still represents technical debt because you don't have visibility, it's hard to manage. At some point, you're gonna need to unwind that. Yeah. And start, you know,
Steve Longenecker: Move things out of that old architecture and into sort of the more modern architecture. SharePoint's a great platform, but that that original architecture, you know, didn't hold up all that well. And there's a reason that we don't do it that way anymore.
Carolyn Woodard: Yeah. I heard somebody say recently data is power. Like our nonprofits um have a lot more valuable data than they might think that they do.
Steve Longenecker: Right, right. So data is risk. Risk and power, right?
Carolyn Woodard: Yep, yep.
Steve Longenecker: Yeah.
Carolyn Woodard: Is something AI is kind of forcing us to have those conversations.
Carolyn Woodard: So well, thank you, Steve, so much for joining me today and um explaining a little bit more about this and giving us some steps to to think about.
Speaker 1: I hope it was helpful. Thank you, Carolyn.