SharePoint Permissions: A Comprehensive Guide for Managing Access Control


SharePoint is a widely-used collaboration and document management platform that allows businesses and organizations to manage and share their content effectively. One of the key aspects of SharePoint is its permission system, which ensures that the right people have access to the right information. In this comprehensive guide, we will explore the various aspects of SharePoint permissions, including default permissions, permission levels, site permissions, document library permissions, folder permissions, file permissions, and list permissions. We will also provide tips on best practices to help you manage SharePoint permissions effectively.

Default Permissions in SharePoint

By default, all SharePoint sites are created with three default security groups:

  • Owners – Have full control over the site
  • Members – Can add and edit the content (files, lists, etc.) on the site
  • Visitors – Can only read

When creating a new SharePoint site, there are typically two options to choose from: a Team site or a Communication site. SharePoint administrators may also have additional options. Depending on your choice, the following users have permission to the SharePoint site:

Site Type | Owners | Members | Visitors
Team Site (private) | Selected users | Selected users
Team Site (public) | Selected users | Everyone except external users
Communication site | Selected users | Everyone except external users

At least one owner must be selected when creating the SharePoint site. In the case of a Team site, you can also add members while creating the site. However, you can modify the owners, members, and visitors at any time.

SharePoint Permission Levels

Permission levels in SharePoint are a set of permissions that can be assigned to a user or group. There are seven predefined permission levels in SharePoint Online, which are suitable for most use cases. It is also possible to create custom permission levels, allowing you to fully customize the permissions you wish to grant.

The default permission levels in SharePoint are:

  • Full Control – Has full control
  • Design – Can view, add, update, delete, approve, and customize
  • Edit – Can add, edit, and delete lists; can view, add, update, and delete list items and documents
  • Contribute – Can view, add, update, and delete list items and documents
  • Read – Can view pages and list items and download documents
  • Restricted View – Can view pages, list items, and documents, but documents can only be viewed in the browser and not downloaded
  • Limited Access – Assigned to a user or group when sharing an item, allowing them to access the site and view the selected item

To create your own custom permission levels, follow these steps:

  1. Click on the settings (gear icon) in the top right corner and select Site permissions > Advanced Permissions.
  2. In the permissions tab, click on Permissions Levels.
  3. It’s best practice not to change existing permission levels, but instead add a new permission level.
  4. Select the permissions you want to assign. Note that when you select a permission, other options may be automatically selected, as they are required for the user to access the site and view libraries.

Site Permissions

Site permissions provide the first level of access control in SharePoint, affecting all document libraries, lists, pages, and other elements. Permissions should always be set with the principle of least privilege in mind, granting users only the permissions they need.

To change site permissions, follow these steps:

  1. Click on the Settings menu (gear icon) and click on Site Permissions.
  2. This will show the basic permissions and allow you to add members and owners to the site. Click on Add members to search for users and make them Members or Owners of the SharePoint site.
  3. For more advanced options, use the Advanced Permissions Settings. This allows you to choose custom permission levels and add groups of users (security groups) to the SharePoint site.
    1. Click on Advanced Permissions Settings.
    2. Click Grant Permissions.
    3. Search for users or security groups. You can add multiple groups or users simultaneously.
    4. Select Show Options.
    5. By default, users will receive an invitation email, which can be turned off if desired.
    6. Select the permission level you want to assign.
    7. Click Share to grant the permissions.

Creating Custom Groups

By default, you can only add users or groups to the default security groups (owners, members, visitors). However, it is also possible to create your own security groups, which can be assigned one or multiple permission levels.

  1. Click on Create Group in the Advanced Permissions settings.
  2. Give the group a meaningful name and select who can view and add members to the group. At the end of the settings page, choose the permission level you want to assign to the group members (e.g., Restricted View).
  3. After creating the group, return to the permissions page and assign users to the newly created security group.

Document Library Permissions

If site-level permissions do not suit your needs, the next level of access control is available at the document library or list level in SharePoint. To change permissions for a document library, follow these steps:

  1. Open the document library.
  2. Click on Settings (gear icon) and choose Library Settings.
  3. Click on Permissions for this document library.
  4. First, stop inheriting permissions from the parent site. This will copy all existing permissions to the document library, making them unique. Note that changes made at the site level later will not apply to this document library after you stop inheriting.
  5. Click on Stop Inheriting Permissions and click Ok on the warning.
  6. Modify the permissions as needed, just as you did at the site level. This can involve adding a custom security group, granting additional permissions to users or groups, or changing the permission level of existing groups.

Folder Permissions

Custom permissions can also be applied at the folder level in SharePoint. However, keep in mind that folder permissions are harder to track and maintain, so use them sparingly and document them appropriately.

To set unique permissions on a folder in SharePoint, follow these steps:

  1. Select or hover over the folder.
  2. Click on the 3 dots (show action) and choose Manage Access.
  3. There are several options available, such as creating a shareable link to the folder or directly adding a user. To create unique permissions like those in a document library, click on Advanced.
  4. Stop inheriting permissions from the parent, then create custom permissions for the folder as needed.

File Permissions

In SharePoint, it is possible to add unique permissions to individual files. However, as with folder permissions, this can become difficult to manage and maintain. Use file permissions sparingly and document them appropriately. Setting file permissions in SharePoint follows the same process as folder permissions:

  1. Click on the 3 dots (Show actions) next to the file.
  2. Select Manage Access.
  3. Click on Advanced to create unique permissions.

Refer to the folder permissions steps above for more details on stopping inheritance and adding unique security groups, users, or permission levels.
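
One way to produce the documentation recommended above for library, folder, and file permissions is to export every object on a site that no longer inherits its permissions. The script below is an added example, not part of the original guide; it assumes the PnP.PowerShell module is installed, and `$SiteUrl`, `$ClientId` (an Entra ID app registration allowed to sign in interactively), and `$OutFile` are placeholders you supply.

```powershell
# Added example, not from the original article. Requires the PnP.PowerShell module.
# $SiteUrl and $ClientId are placeholders you supply (site URL, Entra ID app registration).
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $ClientId,
    [string] $OutFile = '.\unique-permissions.csv'
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Emit one row per principal that holds a role assignment on a securable object.
function Get-AssignmentRows($Object, [string] $Scope, [string] $Path) {
    $assignments = Get-PnPProperty -ClientObject $Object -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Load who the assignment is for and which permission levels it binds.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Scope     = $Scope
            Path      = $Path
            Principal = $ra.Member.Title
            Type      = $ra.Member.PrincipalType
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join '; '
        }
    }
}

$rows = foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    # Library or list that no longer inherits from the site
    if (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments) {
        Get-AssignmentRows $list 'List/Library' $list.Title
    }
    # Folders, files and list items that no longer inherit from their parent
    foreach ($item in (Get-PnPListItem -List $list -PageSize 500)) {
        if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
            $path = $item.FieldValues['FileRef']
            Get-AssignmentRows $item $item.FileSystemObjectType $path
        }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} role assignments on objects with unique permissions written to {1}" -f @($rows).Count, $OutFile
```

Rows whose only level is Limited Access are a side effect of sharing a single item deeper in the tree; the rows to review against least privilege are direct user grants and levels above Read.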

List Permissions

List permissions in SharePoint function similarly to document library permissions, with the same permission structure allowing for unique permissions. However, lists also offer the unique feature of setting permissions at the item level.

To set list permissions, follow these steps:

  1. With the list selected, click on Settings.
  2. Open List settings.
  3. In the settings screen, open Permissions for this list. Also, note the Advanced Settings option, which will be used for item-level permissions.
  4. Stop inheriting site-level permissions before adding unique permissions to the list. Refer to the steps in the document library permissions section for more details.

Item-Level Permissions

A unique feature of lists in SharePoint is the ability to set permissions at the item level. These permissions are limited to determining if a user can view and/or edit only their items or all items. For example, you can give a user read-all access, allowing them to view all items in the list, but limit create and edit permissions to only the items they created.

To set item permissions, click on Advanced Settings in the List settings. Here, you can set the item-level permissions:

These permissions are more limited than those for sites, libraries, or folders, but they are sufficient for most use cases.

Wrapping Up

This comprehensive guide should help you manage your SharePoint permissions effectively. Aim to limit unique permissions to site and document library levels to maintain an organized system. When creating unique permissions at the folder or file level, be cautious and document them thoroughly to avoid confusion.

Now that’s another tip! Hope it helps somehow. Let me know if you have questions or just leave a comment if we missed something.

Happy SharePointing! #SharingIsCaring
