The Purpose of SharePoint Permissions
SharePoint permissions can be a little tricky to get a grasp on at first but you will find that they can be quite simple to understand. Whether you’re brand new to SharePoint site ownership or a seasoned vet, keeping permissions as simple as possible is always a best practice. Understanding how SharePoint permission levels work, what you can do with them and how to apply them appropriately can help you manage sites better.
The beauty of SharePoint and Office 365 is that they facilitate easy collaboration and access to information. SharePoint/Office 365 administrators have an essential role in maintaining the security and integrity of their company's SharePoint solution. SharePoint allows administrators to assign permission levels to different users and groups, which determine what they can see and how much they can do. In this article, I would like to explain how SharePoint permissions work and how to best manage them.
Default SharePoint Permissions Types
Knowing which permissions to apply and how to use them requires an intimate understanding of your organization's needs and how different departments use the platform. SharePoint and Office 365 include a number of default permission levels that will cover the needs of most organizations. You may wish to customize these permission levels for the specific needs of your business, because of unique roles and jobs within your company or because certain employees carry out unusual tasks. By default, SharePoint defines the following permission levels:
- Full Control — The user can manage site settings, create subsites, and add users to groups.
- Design — The user can view, add, update and delete approvals and customizations, as well as create and edit new document libraries and lists on the site, but cannot manage settings for the whole site.
- Contribute — The user can view, add, update and remove list items and documents. These rights are the most common rights for regular SharePoint users, enabling them to manage documents and information on a site.
- Read — The user can view list items, pages and download documents.
- Edit — The user can add, edit and delete lists, in addition to everything the Contribute level allows.
- View only — The user can view pages, list items and documents. Documents can be viewed only in the browser; they cannot be downloaded from a SharePoint server to a local computer.
- Limited Access — The user can access shared resources and specific assets. Limited Access is designed to be combined with fine-grained permissions (not inherited, unique permissions) to enable users to access a specific list, document library, folder, list item or document without giving them access to the whole site. The Limited Access permission cannot be edited or deleted.
There are two ways of assigning permissions to a SharePoint site via groups: the first is adding a user to a SharePoint group, and the second is giving an AD security group access directly to the site or putting it in a SharePoint group that has permissions on the site.
SharePoint groups are great because they make it easier to manage access to a particular page or pages. For example, it is easier to add a person to a security group than to apply permissions individually on every page they need.
In most cases, it is logical to use an AD group so you can use a more specific name to describe what access is being provided. There are also predefined SharePoint groups that grant members specific access permissions. The set of predefined groups depends on the site template you are using. Here are the predefined groups for a team site and their default permissions on the SharePoint site:
- Visitors — Read permissions
- Members — Edit permissions
- Owners — Full Control permissions
- Viewers — View Only permissions
And here are the predefined groups for the publishing site template and their default permissions:
- Restricted Readers — Can view pages and documents, but cannot view historical versions or information about permissions.
- Style Resource Readers — Have Read permission to the Master Page Gallery and Restricted Read permission to the Style Library. By default, all authenticated users are members of this group.
- Designers — Can view, add, update, delete, approve and customize the layout of site pages using a browser or SharePoint Designer.
- Approvers — Can edit and approve pages, list items, and documents.
- Hierarchy Managers — Can create sites, lists, list items, and documents.
Note that all these groups and their permissions can be changed.
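The two ways of granting access described above (a user added to a SharePoint group, and a security group placed either in a SharePoint group or directly on the site), as an added example that is not part of the original article. It assumes the PnP.PowerShell module and a tenant you administer; the site URL, group names, user and the security group's object ID are placeholders.

```powershell
# Added example (not from the article): grant access the two ways the text describes,
# using PnP.PowerShell. Site URL, user, group names and object ID are placeholders.
Import-Module PnP.PowerShell

$SiteUrl = "https://contoso.sharepoint.com/sites/finance"   # placeholder
Connect-PnPOnline -Url $SiteUrl -Interactive

# Way 1: put an individual user into a SharePoint group that already holds a
# permission level. "Finance Visitors" stands in for the site's default Visitors
# group, so the user receives Read through the group, never directly.
Add-PnPGroupMember -Group "Finance Visitors" -LoginName "alex@contoso.com"

# Way 2a: put an AD / Entra ID security group into the SharePoint group.
# Security groups are addressed by claim; the GUID is the group's object ID (placeholder).
$SecurityGroupClaim = "c:0t.c|tenant|00000000-0000-0000-0000-000000000000"
Add-PnPGroupMember -Group "Finance Visitors" -LoginName $SecurityGroupClaim

# Way 2b: grant the security group a permission level directly on the site, outside
# any SharePoint group. This is harder to find in later reviews, so 2a is preferable.
Set-PnPWebPermission -User $SecurityGroupClaim -AddRole "Read"

# Verify: list every SharePoint group on the site with its roles and members,
# which is the view you want when reviewing who can do what.
foreach ($group in Get-PnPGroup) {
    $roles   = (Get-PnPGroupPermissions -Identity $group | Select-Object -ExpandProperty Name) -join ", "
    $members = (Get-PnPGroupMember -Group $group | Select-Object -ExpandProperty LoginName) -join ", "
    "{0,-30} roles: {1,-25} members: {2}" -f $group.Title, $roles, $members
}
```

The closing loop only reports membership of SharePoint groups; a security group granted directly on the site (way 2b) appears in the site's role assignments, not in any group listing, which is the practical reason the article recommends nesting security groups inside SharePoint groups.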
By default, subsites, libraries and lists inherit permissions from the site in which they were created (the parent site). In addition, there are the policies defined at the web application level that I described earlier. All site collections inherit permissions from the web application’s user policy and anonymous policy, which grants or denies access to user accounts. Web applications also inherit user permissions, which define which permission levels can be used for creating unique permissions for site collections. The web application level also has a permission policy, which defines the high-level permission types for user policy.
If you break permissions inheritance, the subsite, document library, website or file will be able to form its own unique permissions, but, as stated earlier, only the permissions levels regulated by the web application’s user permissions will be available.
Therefore, we have two types of inheritance, which are tied to policies configured on the web application level:
- User policy, which is inherited by all lower level site collections.
- User permissions, which are inherited by the advanced permissions of all site collections; this inheritance cannot be broken at lower levels.
Any permission changes at the parent level (site, list or document library) will not affect child elements with unique permissions, and unique permissions will always win when they conflict with parent ones.
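The break-inheritance behaviour described in this section, as an added example that is not part of the original article: inheritance is broken on one library, the copied assignments are trimmed, and a later change at the parent site is shown not to reach the library. It assumes the PnP.PowerShell module; the site URL, library name and group names are placeholders.

```powershell
# Added example (not from the article): break inheritance on one library, trim it to
# a smaller audience, then show that later parent-site changes do not flow down.
# Uses PnP.PowerShell; site URL, library and group names are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

$Library = "Payroll"

# Confirm the library currently inherits from the parent site.
$list = Get-PnPList -Identity $Library -Includes HasUniqueRoleAssignments
"Before: unique permissions = $($list.HasUniqueRoleAssignments)"   # expected False

# Break inheritance. -CopyRoleAssignments starts from a copy of the parent's assignments
# (the same thing the browser UI does); -ClearSubscopes resets any folders or items
# below that already had unique permissions, so the library becomes the only boundary.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments -ClearSubscopes

# Trim the copied assignments: the site's Members should no longer edit payroll,
# and a smaller, purpose-named group should.
Set-PnPListPermission -Identity $Library -Group "Finance Members" -RemoveRole "Edit"
Set-PnPListPermission -Identity $Library -Group "Payroll Team"    -AddRole "Contribute"

# A parent-level change made afterwards does not reach the library: granting a new
# group Read on the site leaves the library's own role assignments untouched.
Set-PnPWebPermission -Group "Auditors" -AddRole "Read"

# Show the library's effective assignments; "Auditors" is absent, "Payroll Team" present.
$list = Get-PnPList -Identity $Library -Includes HasUniqueRoleAssignments, RoleAssignments
"After: unique permissions = $($list.HasUniqueRoleAssignments)"    # expected True
foreach ($ra in $list.RoleAssignments) {
    $member   = Get-PnPProperty -ClientObject $ra -Property Member
    $bindings = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
    "{0,-30} {1}" -f $member.Title, (($bindings | Select-Object -ExpandProperty Name) -join ", ")
}

# To undo, re-inherit from the parent; every unique assignment on the library is discarded.
# Set-PnPList -Identity $Library -ResetRoleInheritance
```

Note that the trimmed library only offers the permission levels the web application's user permissions allow, as the text above explains; a level removed at that layer cannot be assigned here even though inheritance is broken.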
Best practices for permissions inheritance
It is much easier to manage permissions when there is a clear hierarchy of permissions that are inherited from the parent. It becomes more difficult when some lists in a site have fine-grained (unique) permissions applied, and when some sites have subsites with unique permissions and others with inherited permissions. So, it is a best practice to, as much as possible, arrange sites and subsites, lists and libraries so they can inherit most permissions from the parent level.
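Since the text recommends keeping inheritance breaks to a minimum, the first step is knowing where they are. The following audit, an added example that is not part of the original article, reports every subsite, list and (for small lists) item in a site collection whose inheritance has been broken. It assumes the PnP.PowerShell module; the site URL is a placeholder and the list of skipped system libraries is a constructed starting point you would adjust.

```powershell
# Added example (not from the article): report every web, list and item with unique
# permissions so the exceptions the text warns about are visible in one place.
# Uses PnP.PowerShell; the site URL is a placeholder.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

# System libraries that are expected to carry their own permissions; constructed list.
$SkipLists     = @("Style Library", "Master Page Gallery", "Form Templates", "Site Assets")
# Item-level checks cost one round trip per item, so only scan lists up to this size.
$ItemScanLimit = 200

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Path) {
    $script:report.Add([pscustomobject]@{ Type = $Type; Path = $Path })
}

$ctx  = Get-PnPContext
$root = Get-PnPWeb
$webs = @($root) + @(Get-PnPSubWeb -Recurse)

foreach ($web in $webs) {
    Get-PnPProperty -ClientObject $web -Property HasUniqueRoleAssignments, Lists | Out-Null
    # The root web is always the top of the chain; only subwebs count as breaks.
    if ($web.Id -ne $root.Id -and $web.HasUniqueRoleAssignments) {
        Add-Finding "Web" $web.ServerRelativeUrl
    }
    foreach ($list in $web.Lists) {
        Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, Hidden, ItemCount | Out-Null
        if ($list.Hidden -or $SkipLists -contains $list.Title) { continue }
        if ($list.HasUniqueRoleAssignments) {
            Add-Finding "List" "$($web.ServerRelativeUrl) :: $($list.Title)"
        }
        if ($list.ItemCount -gt $ItemScanLimit) {
            Add-Finding "Unscanned" "$($web.ServerRelativeUrl) :: $($list.Title) ($($list.ItemCount) items)"
            continue
        }
        # Item-level exceptions are the hardest to reason about, so list each one.
        $items = $list.GetItems([Microsoft.SharePoint.Client.CamlQuery]::CreateAllItemsQuery())
        $ctx.Load($items)
        $ctx.ExecuteQuery()
        foreach ($item in $items) {
            Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
            if ($item.HasUniqueRoleAssignments) {
                Add-Finding "Item" $item["FileRef"]
            }
        }
    }
}

$report | Sort-Object Type, Path | Format-Table -AutoSize
# Keep a copy for comparison on the next review:
# $report | Export-Csv -Path ".\unique-permissions.csv" -NoTypeInformation
```

Run this periodically and diff the CSV against the previous run: a growing "Item" section is the usual sign that users are sharing individual files rather than working through the site structure, which is exactly the fragmentation this section says to avoid.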
The default groups and permission levels in SharePoint provide a general framework for permissions that is useful for many types of organizations. However, they might not map exactly to how users are organized or to the many different tasks they perform on your sites. If the default permission levels do not suit your organization, you can create custom groups, change the permissions included in specific permission levels or create custom permission levels.
SharePoint Site Permissions
These permissions affect site and personal settings, the web interface, access and site configuration:
- Manage Permissions — Create and change permission levels on a subsite and assign permissions to users and groups.
- View Web Analytics Data — View site usage reports
- Create Subsites — Create subsites such as team sites, publishing sites and newsfeed sites
- Manage Web Site — Perform all administration and content management actions for the site
- Add and Customize Pages — Add, change and delete HTML pages
- Apply Themes and Borders — Apply a theme or borders to the site
- Apply Style Sheets — Apply a style sheet (.CSS file) to the site
- Create Groups — Create a group of users that can be used anywhere within the site collection
- Browse Directories — Enumerate files and folders in a site using SharePoint
- Use Self-Service Site Creation — Create a site using self-service site creation
- View Pages — View pages in a site
- Enumerate Permissions — Enumerate permissions on a site, list, folder, document or list item
- Browse User Information — View information about site users
- Manage Alerts — Manage alerts for all site users
- Use Remote Interfaces — Use SOAP, WebDAV, Client Object Model or SharePoint Designer interfaces to access the site
- Use Client Integration Features — Use features that launch client applications in the site (users without this permission have to download documents locally, work with them and then upload the revised documents)
- Open — Open a site, list or folder and access items inside that container
- Edit Personal User Information — Change one’s own user information, such as by updating a telephone number or title or adding a picture
SharePoint List Permissions
These permissions affect the management of lists, folders and documents and the viewing of items and application pages:
- Manage Lists — Create and delete lists, list columns and public views of a list
- Override List Behaviors — Discard or check in a document that is checked out by another user
- Add Items — Add items to lists and documents to document libraries
- Edit Items — Edit items in lists and documents in document libraries, and customize web part pages in document libraries
- Delete Items — Delete items from lists and documents from document libraries
- View Items — View items in lists and documents in document libraries
- Approve Items — Approve or reject a new version of a list item or document
- Open Items — Open documents using server-side file handlers (the documents will not be downloaded to the local computer)
- View Versions — View past versions of a list item or a document
- Delete Versions — Delete past versions of a list item or a document
- Create Alerts — Create alerts to track changes to lists, libraries, folders, files or list items
- View Application Pages — View forms, views, and application pages
SharePoint Personal Permissions
These permissions affect the configuration and management of personal pages:
- Manage Personal Views — Create, change and delete personal list views
- Add/Remove Personal Web Parts — Add or remove personal web parts
- Update Personal Web Parts — Add or edit personalized information in personal web parts
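The site, list and personal permissions listed above are the building blocks of each permission level, and the "Best practices" section earlier notes that you can create custom levels from them. The following added example, which is not part of the original article, checks which of a sample of those permissions each level on a site contains, then clones Contribute into a level that cannot delete. It assumes the PnP.PowerShell module; the site URL and the custom level's name are placeholders, and the mapping from the article's permission names to PermissionKind values covers only a selection.

```powershell
# Added example (not from the article): show which listed permissions each level
# grants, then create a custom level by cloning Contribute without the delete rights.
# Uses PnP.PowerShell; the site URL and custom level name are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

# A selection of the article's permissions and the PermissionKind value behind each.
$Checks = [ordered]@{
    "Manage Permissions"    = "ManagePermissions"
    "Manage Web Site"       = "ManageWeb"
    "Create Subsites"       = "ManageSubwebs"
    "Use Remote Interfaces" = "UseRemoteAPIs"
    "Enumerate Permissions" = "EnumeratePermissions"
    "Manage Lists"          = "ManageLists"
    "Add Items"             = "AddListItems"
    "Edit Items"            = "EditListItems"
    "Delete Items"          = "DeleteListItems"
    "Open Items"            = "OpenItems"
    "View Versions"         = "ViewVersions"
    "Delete Versions"       = "DeleteVersions"
}

# One line per permission level: its name and the checked permissions it contains.
foreach ($rd in Get-PnPRoleDefinition) {
    Get-PnPProperty -ClientObject $rd -Property BasePermissions | Out-Null
    $granted = foreach ($label in $Checks.Keys) {
        $kind = [Microsoft.SharePoint.Client.PermissionKind]$Checks[$label]
        if ($rd.BasePermissions.Has($kind)) { $label }
    }
    "{0,-18} {1}" -f $rd.Name, ($granted -join ", ")
}

# Custom level: everything in Contribute except Delete Items and Delete Versions,
# for staff who add and edit documents but must never remove anything.
Add-PnPRoleDefinition -RoleName "Contribute (no delete)" `
    -Clone "Contribute" `
    -Exclude DeleteListItems, DeleteVersions `
    -Description "Contribute without the ability to delete items or versions"
```

Cloning an existing level and removing rights is safer than assembling a level from scratch, because the clone keeps supporting permissions (Open, View Pages, Open Items) that a level needs to be usable at all; the report loop lets you confirm what the new level actually contains before assigning it to a group.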