Microsoft Purview Disposition Review and Permissions

August 4, 2023

This post is sourced from questions from my RM customers. It is created by me and not AI. 🙂

The ability to trigger a disposition review at the end of a retention period is an option available while configuring a retention label in Microsoft Purview Records Management. A disposition reviewer has the ability to take action on an item based on their knowledge of the content and the compliance requirements surrounding it. This is an important role.

Disposition reviewers require special permission to view pending dispositions assigned to them as well as preview the document from within the mini-review panel. These permissions are so special, in fact, that even global administrators do not have them.

With the multi-stage disposition feature, records managers must be familiar with what this means for assigning permissions to business users they wish to be part of a disposition review stage.

Refer to this official link from Microsoft for details: Permissions for disposition

I’ve summarized the key points in an easy-to-consume table which I’m showing below. I’ve also added this to my DLM/RM Tip sheets.

TL;DR… key takeaways:

  • Global Admins do NOT have access to the Dispositions feature. They need to be granted permission like everyone else.
  • You don’t need access to the SharePoint site/OneDrive site/Exchange mailbox where the pending disposition is located to approve the disposition.
  • Adding a user/mail-enabled security group into a disposition stage does NOT automatically grant them permission to the disposition page.
  • Adding an additional reviewer during the review process does NOT automatically grant them permission to the disposition page.
  • If a reviewer is removed from a disposition stage or leaves the organization, any pending items assigned to them remain.

Below are questions I frequently hear from Records Managers relating to disposition permissions both for themselves as well as for business users… this post will answer them.

Records Manager Access

Many records managers (RMs) I work with place their RM group at either the first stage or last stage of the disposition review process. Understanding what they have access to when given the required disposition review permissions prompts this question…

Question 1: “As a Records Manager, when I’ve been assigned the required permissions to access the Dispositions tab and view the item in the preview pane (I’m a member of the Records Management and Content Explorer Content Viewer role groups), will this also grant me permission to the source location (SharePoint site/OneDrive site/Exchange mailbox) where the item exists?”

Answer: Yes, but only from within the Disposition tool.

Given the permissions described above, a Records Manager will be able to preview the item and take disposition action on the item (approve disposal, relabel, extend, add reviewers) from within the Pending items tab, but they will NOT automatically have access to browse directly to the SharePoint site/OneDrive site nor access the Exchange mailbox directly where the pending item exists.

With no access to the SharePoint site, even if they navigate to the second tab of the preview pane, Details, and click the direct Location link to the document on that page, they receive a You need permission to access this item message. (Incidentally, clicking the link is an easy way for an RM to request access from the site owner if it is required.)

Business Owners Access

With the multi-stage disposition feature, many records managers include content business owners in stages within the disposition review process. Understanding what, if any, additional permissions are required for the business owner prompts these questions…

Question 2: “If I add a user or mail-enabled security group to a disposition stage, will this also grant them the required permissions to do the disposition?”

Answer: No. You must also assign the required permissions as described in the Permissions for Disposition Reviewers table at the beginning of this post.

Question 3: “When I add a reviewer during the review process (image), will this also grant the reviewer permission to the disposition page?”

Answer: No. You must also assign the required permissions as described in the Permissions for Disposition Reviewers table at the beginning of this post.

Question 4: “If you grant a business owner who already has access to the SharePoint site the Disposition Management role so they can access the Dispositions tab, do you also need to add them to the Content Explorer Content Viewer role group so they can see the item preview in the disposition list screen?”

Answer: Yes. Without being a member of the Content Explorer Content Viewer role group, a user will only see the list of items assigned to them in the disposition review Pending dispositions tab, but will not be able to view the document in the preview pane even if they already have access to the SharePoint site where the item resides. (image below)

To view the file content, the reviewer could navigate to the second tab, Details, and click the direct Location link on that page (image below). Alternatively, add them as a member of the Content Explorer Content Viewer role group so they can view it in the preview pane from the Source tab.

Question 5: “If there are pending items assigned to a business user and the user is either removed from a disposition stage for a retention label OR the user leaves the organization, what happens to the existing pending items for that label?”

Answer: For now, nothing (look at the auto-approval preview feature described below). They remain in place still awaiting action; however, depending on your setup no one may be reviewing them anymore. You can do 2 things to help with this scenario:

  1. When adding your review stages, use mail-enabled security groups with multiple users rather than individual users.
  2. Add Records Manager admins to a mail-enabled security group and specify that group in the Records Management disposition setting (image). With this access, Records Managers can see all pending items across all retention labels, even those without a current user assigned.

Note: With this insight, the retention label review stage can be updated to reference a mail-enabled security group that has existing users in it, or users can be added to the group already defined.

Currently in Preview (August 2023): the Auto-approval for disposition option in a retention label will allow for an auto-approval to happen, which could help address the scenario described above. If designated reviewers don’t take manual action during this time period by using the standard disposition review process, the item automatically passes to the next review stage. If the item is in the final review stage, the item is automatically disposed of with permanent deletion.

My recommendations:

  • Add records managers to a mail-enabled security group and specify that group in the Records Management disposition setting to allow Records Managers to see all pending items across all disposition stages.
  • Use mail-enabled security groups for assigning reviewers into the retention label’s review stages instead of individual users.
  • For both Business Owner reviewers and reviewers added in-the-moment during the review process, ensure they have these permissions:
    • Disposition Management role (can be part of a custom role group, Contoso Disposition Reviewers)
    • Member of the Content Explorer Content Viewer role group (optional, but nice to have)
  • When the auto-approval feature is available, consider whether you want to use this for each retention label configured for disposition review
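
An added example (not from the original post or from Microsoft): a small Python audit that applies the permission rules above to a snapshot of review stages and role groups. The data layout, addresses and label names are constructed assumptions; only the role and role-group names come from the post.

```python
# Added example: flag disposition reviewers who lack the permissions described above.
TAB_ROLE = "Disposition Management"                # needed to open the Dispositions tab
PREVIEW_GROUP = "Content Explorer Content Viewer"  # needed for the preview pane

# Constructed sample data (hypothetical export; not a real Purview format).
ROLE_GROUPS = {  # role group -> roles it carries and its members
    "Records Management": {"roles": {TAB_ROLE}, "members": {"rm-admins@contoso.example"}},
    "Contoso Disposition Reviewers": {"roles": {TAB_ROLE}, "members": {"alex@contoso.example"}},
    PREVIEW_GROUP: {"roles": set(), "members": {"rm-admins@contoso.example"}},
}
GROUPS = {  # mail-enabled security group -> members
    "rm-admins@contoso.example": {"riley@contoso.example"},
    "finance-owners@contoso.example": {"alex@contoso.example", "sam@contoso.example"},
}
ACTIVE_USERS = {"riley@contoso.example", "alex@contoso.example",
                "sam@contoso.example", "gary@contoso.example"}  # pat@ has left
STAGES = {  # (retention label, stage number) -> assigned reviewers
    ("Finance-7y", 1): {"finance-owners@contoso.example"},
    ("Finance-7y", 2): {"rm-admins@contoso.example"},
    ("HR-5y", 1): {"pat@contoso.example"},   # individual who left the organization
    ("HR-5y", 2): {"gary@contoso.example"},  # Global Admin only: confers nothing here
}

def expand(principals):
    """Resolve security groups to users (one level of nesting, enough for this sample)."""
    users = set()
    for p in principals:
        users |= GROUPS.get(p, {p})
    return users

def holders(match):
    """Users who are members of any role group for which match(name, group) is true."""
    users = set()
    for name, rg in ROLE_GROUPS.items():
        if match(name, rg):
            users |= expand(rg["members"])
    return users

def audit():
    tab = holders(lambda name, rg: TAB_ROLE in rg["roles"])
    preview = holders(lambda name, rg: name == PREVIEW_GROUP)
    report = {}
    for stage, reviewers in STAGES.items():
        active = expand(reviewers) & ACTIVE_USERS
        report[stage] = {
            "no_tab_access": sorted(active - tab),         # in the stage, cannot open the tab
            "no_preview": sorted((active & tab) - preview),  # can act, cannot preview
            "orphaned": not (active & tab),                # nobody left who can act
        }
    return report

if __name__ == "__main__":
    for stage, finding in audit().items():
        print(stage, finding)
```

Stage membership and role-group membership are tracked separately on purpose: the audit reports exactly the gap that opens when a reviewer is added to a stage without also being granted the roles.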

Summary

Share this with your Records Management and IT teams so they understand the permission model for disposition review. Check out my DLM/RM infographic where I show the required permissions for disposition review and a few other helpful tips about disposition in Purview.

Will you automate these permissions? What will be the process in your organization for granting these permissions to business owners added during the review process? That’s the tricky part.

Thanks for reading.

-JCK

Joanne Klein


Joanne is a Microsoft 365 compliance specialist and owner of NexNovus Consulting. Her focus is on helping organizations by sharing best practices, technical expertise and guidance gained through real-world Microsoft 365 experiences. She is also a six-time Microsoft MVP in Microsoft 365 Apps and Services.

Joanne has spent the past decade working with SharePoint and the larger Microsoft 365 ecosystem. Her specialties include the compliance features inside Microsoft Purview and how customers can leverage them to improve their compliance posture across the modern workplace. Whether looking for strategic advice, tactical steps or sound guidance for moving forward, Joanne brings her expertise to bear to help customers break through the complex world of compliance in manageable and practical ways.

Connect with Joanne on Twitter and LinkedIn, and follow her blog at https://joannecklein.com