Software Product

SharePoint Security Trimming Quicklinks

Quicklinks that hide SharePoint destinations the viewer cannot access—curated in a visual editor, driven by advanced JSON, or auto-generated from the current site’s libraries and lists. Multiple layouts and optional browser caching.

Enquire about this product Back to products

Watch on YouTube if the embed does not load.

Pricing

$1 USD per user per year. For example, a 100‑user company is $100 USD/year.

Get this now, on the Microsoft Marketplace

›Install and evaluate

For a trial license, send your Tenant ID via contact (see licensing states below). To purchase, use the Microsoft Marketplace.

Setup steps (download & install)

Overview

Quicklinks that hide SharePoint destinations the viewer cannot open—whether you curate links in a visual editor, drive them from advanced JSON, or auto-generate them from the current site's libraries and lists.

Out-of-the-box quicklinks show the same tiles to every visitor. That leads to “Access denied” clicks, help-desk noise, and a weak experience on hub pages or mixed-audience sites. ISS — Security Trimming Quicklinks is a SharePoint Framework (SPFx) web part that evaluates each viewer's effective permissions on SharePoint targets (at least Read) before rendering a link, so one shared page can serve many roles.

Capabilities

Per-user security trimming for SharePoint destinations the viewer can open (at least Read)
Layouts: List, Compact, Grid, Tiles, Button, and Filmstrip; optional descriptions, icons, and caching
Data sources: curated visual editor, auto from this site (libraries & lists), or custom JSON

Included in the product

True security trimming for SharePoint in your tenant — Evaluates each viewer's access to SharePoint destinations (files, folders, libraries, lists, and sites), including cross-site URLs on your tenant where the web part can resolve the target.
Curated links — Visual editor — Add, reorder, and edit links with a dedicated panel (icons, optional images, open in new tab).
Auto from this site — Libraries & lists — Build links from document libraries and generic lists on the current site, with excluded library/list names; generated links remain trimmed per user.
Advanced — Custom JSON — Full control for power users and automation-friendly workflows.
Layouts — List, Compact, Grid, Tiles, Button, and Filmstrip.
Display options — Optional web part title, columns for grid-style layouts, descriptions, icon/image sizing, optional hide-labels-on-tiles (hover titles).
Optional browser caching — Cache permission results for faster repeat visits; configurable duration; changing data source or relevant settings clears that configuration's cache.
Where it runs — SharePoint modern pages as a web part and full-page app experiences supported by the SPFx package.
Licensing — Entitlement check with NOT LICENSED, trial (via Tenant ID), and Marketplace licensed states; administrators approve API permissions as declared in the solution package.

Who it's for

Intranet and communications teams publishing one page for broad audiences
Compliance- and privacy-conscious organizations aligning navigation with effective permissions
Site owners who need flexible layouts and optional caching without giving up permission-aware behavior

Problems we solve

Same quicklinks for everyone

Links are filtered per signed-in user for SharePoint destinations.

“Access denied” after a click

Destinations without Read are not shown as links when the URL is trimmable in SharePoint.

Support noise from “broken” tiles

Fewer misleading links; clear empty states when nothing matches the viewer.

Rigid navigation

Multiple layouts, optional descriptions and icons, curated or auto-generated link sets.

Trust and deployment

SharePoint destinations are shown only when the signed-in user has sufficient access for the resolved resource; unclear or failed checks err on the side of not advertising the link.
Delivered as a tenant App Catalog SPFx package. Administrators approve API access required for license validation as declared in the solution.
For procurement, deployment assistance, or trials: Contact Incode Software Solutions.

Policies: Privacy statement · Terms of service

Demo

The walkthrough video is at the top of this page. Below are screenshots—click any image to view it larger. You can also open the demo on YouTube.

Multiple layout types (list, compact, grid, tiles, button, filmstrip), JSON configuration, and optional caching for performance.

Users only see quick links to content they can access. The same page can show different tiles to different people without SharePoint audiences on every link.

Quick and easy to use: add the web part from the toolbox, then choose the visual link editor, JSON editor, or automatic links from this site's libraries and lists.

Six layout types—list, compact, grid, tiles, button, and filmstrip—so you can match hub pages, department sites, and intranet home pages.

›Support — site owners and end users

Using the web part (site owners and editors)

Quick and easy to get started: add the web part, choose how links are supplied, pick a layout, then publish. Links to SharePoint content are automatically hidden from users who do not have access.

1) Add the web part to your page

Click Edit on your SharePoint page.
Click the + control where you want the web part (between sections or in a column).
Search for and select ISS — Security Trimming Quicklinks (toolbox name may match your catalog entry). The description notes that quicklinks are shown with security trimming based on user permissions.

2) Add your links (choose one option)

Open the web part properties and pick a Data source:

Visual link editor — Choose Curated links — Visual editor, then click Manage links to add, reorder, or remove links; set icons or images and open-in-new-tab per link. Use Add All missing Lists and Libraries to append site libraries and lists not already in your list.
JSON editor (advanced) — Choose Advanced — Custom JSON and edit the link array (title, url, openInNewTab, and optional description, iconName, imageUrl). Fix invalid JSON before saving or using merge helpers.
Automatic links — Choose Auto from this site — Libraries & lists, set Content to display (libraries only, lists only, or both), and list excluded library or list display names (one per line). Default exclusions apply when the exclusion fields are empty on first use of this mode.

Add the web part from the page toolbox, then configure links with the visual editor, JSON, or automatic mode from this site.

3) Select your layout type

In the property pane, open Layout type and choose the style that fits your page:

List — Vertical list with icons and descriptions.
Compact — Tight grid with small icons.
Grid — Cards with centered content.
Tiles — Large image tiles with labels (optional hide labels on hover).
Button — Horizontal buttons.
Filmstrip — Horizontal scrolling cards.

Also set columns (for grid-style layouts), show or hide icons/images and descriptions, image/icon size, and optional caching (see below).

Six layout types help you match hub pages, team sites, and intranet home pages.

Caching

Optional browser caching stores permission results for faster repeat visits. Higher cache duration means permission or link changes may take longer to appear for viewers. Turning caching off forces fresh checks. Cache is scoped per user and web part instance; changing the data source or relevant settings clears the cache for that configuration.

What end users see

Loading — Short “Loading links…” while permissions resolve.
Licensed or trial — Links and optional title; no NOT LICENSED banner (see licensing states).
Not licensed — Full functionality with a prominent NOT LICENSED banner (Tenant ID and support details may be shown). Request a trial or purchase via licensing states.
No links configured — “There are no links to show yet.” Editors in edit mode see a hint to open properties.
Everything trimmed — “Nothing here matches your access right now.”
Error — For example invalid JSON in the advanced source.

›Technical reference — security trimming

How security trimming works

Documentation note: trimming behavior, supported link types, and caching can vary slightly by package version. Treat the shipped web part, your deployment notes, or Incode support as the final authority.

The web part implements true security trimming for Security Trimming Quicklinks in SharePoint Online: for each in-tenant SharePoint destination, it checks whether the signed-in user has at least Read access before displaying the link.

Which links are evaluated

Trimming applies to SharePoint URLs in your tenant that the web part can resolve—sites, document libraries and their files, site pages, folders, and lists (including custom lists)—including cross-site links on your organization's SharePoint hosts. Public sites, mailto:, tel:, and destinations in another tenant are not validated the same way; editors can still add them as curated navigation when that fits your page.

Example shapes (substitute your tenant hostname): a site root such as https://your-tenant.sharepoint.com/sites/YourSite, library or folder paths ending in / or a file name, and list URLs under /Lists/….

What happens for each link

The web part resolves the destination in your tenant (file, folder, library, list, or site as appropriate).
It evaluates whether the current user has sufficient access to open that destination.
The link is shown only when Read-level access is confirmed; otherwise it is hidden for SharePoint targets.

Security model

Fail-closed: if a check fails or the outcome is unclear for a SharePoint target, the link is hidden.
Read required: links are shown only when the user has at least Read on the resolved resource.
Cross-site: works across sites within the same tenant where the web part can resolve the target.
Errors: errors during evaluation result in hiding the link for SharePoint targets.

Examples (JSON link entries)

With access, the link appears; without Read on that target, it is hidden.

Document library

{
  "title": "Shared Documents",
  "url": "https://your-tenant.sharepoint.com/sites/SiteName/Shared Documents/"
}

Specific file

{
  "title": "Budget Report",
  "url": "https://your-tenant.sharepoint.com/sites/SiteName/Shared Documents/report.pdf"
}

SharePoint list

{
  "title": "Project Tasks",
  "url": "https://your-tenant.sharepoint.com/sites/SiteName/Lists/ProjectTasks/"
}

Troubleshooting and performance

Link not showing (but the user has access)

Confirm the link opens for that user when they browse to the same address directly in SharePoint.
Verify the URL is a valid SharePoint address for your tenant (correct site path, library or list name, and file name if applicable).
Confirm the user has Read (including via groups and permission inheritance).
If the issue persists, try another account, clear optional caching for the web part, and contact your administrator or Incode with the steps you tried.

Link showing (but the user should not have access)

Re-check effective permissions—the user may have access through inheritance or a group.
Review site collection–level permissions.
Confirm whether permissions are inherited from a parent container.

Performance and service limits

Multiple links: each SharePoint target typically requires its own permission check; large sets affect first load.
Caching: optional browser caching (web part properties) speeds repeat visits; access or link changes may lag until the cache expires or you disable caching.
Rate limits: Microsoft 365 may throttle heavy SharePoint usage—design pages and caching accordingly.

Best practices

Use descriptive titles so users know what each link opens.
Test with accounts that have different permission levels.
Monitor performance when many links are configured on one page.
Use optional browser caching on stable pages with many links when a short delay before permission changes appear is acceptable.
Document which resource types and URLs you publish (especially mixed curated + SharePoint links).

Limitations

External URLs: not verified like in-tenant SharePoint resources; treat non-SharePoint links as editor-curated (see which links are evaluated above).
Performance: many SharePoint targets mean many lookups; mitigate with layout choices and optional caching.
Rate limits: subject to Microsoft 365 / SharePoint throttling.
Permission inheritance: inherited permissions are included in effective permission checks.
Dynamic permissions: with caching on, changes may lag until cache expiry or refresh; without caching, updates generally follow the next load or render.

›FAQ

›Why do I see no links?

Possible reasons: nothing configured; everything was security-trimmed for your account; licensing; or an error such as malformed JSON. Editors should verify the data source and JSON validity.

›Why does my colleague see different links than I do?

Permissions differ. The web part only shows SharePoint targets you can read (for URLs it can evaluate).

›Do external (non-SharePoint) links get security trimmed?

No. External links are not verified the same way. They are shown when editors add them—treat them as curated public navigation. Use SharePoint URLs when trimming matters.

›Will this work in Microsoft Teams?

The web part is SPFx for SharePoint hosts. If your organization surfaces the same SharePoint page inside Teams, behavior should match SharePoint—confirm with your administrator.

›Is my data sent somewhere for permission checks?

Permission checks use SharePoint APIs in your Microsoft 365 environment. License validation (when enabled) uses the Entra-backed API configured with the solution; unlicensed users may see diagnostic details for support.

›Why is the page slow the first time?

Each SharePoint link may require a permission lookup. Many links mean more work—optional caching helps stable pages with many links.

›What are the licensing states (NOT LICENSED, trial, licensed)?

Not licensed: the web part works fully but shows the NOT LICENSED banner. Trial: send your Tenant ID to Incode for a trial entitlement—the banner is hidden for the trial period. Licensed: purchase on the Microsoft Marketplace so your tenant is entitled and the banner is not shown. See licensing states below.

›What should I send support if licensing fails?

Copy the text from the NOT LICENSED banner (reason, tenant id, correlation reference, details). For a trial, send your Tenant ID via Incode support.

›Can I use sharing-style SharePoint URLs?

Prefer standard SharePoint URLs (site, library, file, folder, list). Permission checks are based on the viewer's actual access to the resolved item.

“Sharing links” (copy link / share URLs) don't grant access by themselves and aren't used as the basis for trimming—treat them as curated links. That means they can still be displayed even when the viewer ultimately can't open the destination.

Licensing and the NOT LICENSED banner

When your tenant is not entitled, the web part displays a prominent NOT LICENSED message at the top of the control. The web part remains fully functional in this state—you can evaluate every feature—but the banner stays visible until your organization is on a trial or paid license. The banner may include your Tenant ID (directory ID) and support details for activation.

Three licensing states

1. Not licensed

Default after deployment if no trial or purchase is active. All product functionality works; viewers and editors see the NOT LICENSED banner until entitlement is granted.

2. Trial

Contact Incode Software Solutions with your Tenant ID (from the banner or Azure AD) and we will gladly activate a trial license for your tenant. You get full functionality and the NOT LICENSED message is hidden for the duration of the trial.

3. Licensed

Purchase a license for your organization via the Microsoft Marketplace. Once entitlement is active for your tenant, the banner is not shown and users see only the web part content.