SharePoint Permission Levels

Blog written by: 
Dhaval Shah
SharePoint & .Net Consultant

Overview

Content Management is the primary feature of SharePoint. SharePoint portals that are set up effectively, will in turn provide better content management. The major area of focus is to present the right set of content to the right users. Permission levels in SharePoint helps to define the governance around this, so that you do not allow certain users to see certain content.

In this article, we will explore what are permission levels, and best practices on how it can be setup effectively, how to assign permission levels to SharePoint group.

Planning the Permissions

SharePoint consists of many artifacts that represents a site, list, library, list item or document, or folder. These artifacts are generally referred as securable objects. Each of this securable object has its own role assignment. A role assignment represents a user (person) or a group.

SharePoint Permission levels are defined sets of actions a user can execute on a site, list or an item/document.

The permissions can be setup at as:

  • Site Permissions
  • List Permissions
  • Personal Permissions

The permission levels include:

Permission Level Description
Full Control Includes all permissions.
Design Includes permissions that enable users to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer 2013.
Edit Includes permissions that enable users to add, edit and delete lists; can view, add, update and delete list items and documents.
Contribute Includes permissions that enable users to add or change items on the site pages or in lists and document libraries.
Read Includes permissions that enable users to view items and site pages.
Limited Access Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving access to all the elements of a site. You cannot edit this permission level directly.
View Only Includes permissions that enable users to view pages, list items, and documents.
Approve Includes permissions to edit and approve pages, list items, and documents.
Manage Hierarchy Includes permissions to sites and edit pages, list items, and documents.
Restricted Read Includes permissions to view pages and documents, but not historical versions or permissions information.

PermissionBlockDiagram.png

Custom Permission Levels

In the circumstances where out of the box permission levels are not sufficient, we can create custom permission levels as a set of available permission levels. Below are few scenarios, where in we can think of creating custom permission levels:

  • Need to define unique set of permissions
  • Exclude several permissions from predefined permission level
  • Default permission level does not include permission that user should have

Access and Configure Permission Levels

User should have Admin privileges to site collection to access and configure permission levels.

  1. Navigate to root site collection
  2. Click Site Settings
  3. Under Users and Permissions, click Site Permissions
  4. The ribbon allows to view and configure the permission levels

PermissionLevelRibbon

  1. Click Permission Levels to see the available permission levels

PermissionLevels

SharePoint Group

SharePoint Group allows to manage set of users at once instead of managing them individually. The group can contain many individual users. Users can be organized in any number of groups depending upon business scenarios.

Below are out of box groups in SharePoint site.

Group Default permission level Description
Owners Full Control Group with full control permissions on SharePoint site
Members Edit Group with edit permissions on SharePoint site
Visitors Read Group with read permissions on SharePoint site

Publishing sites in SharePoint has additional set of SharePoint groups as below

Group Default permission level Description
Restricted Readers Restricted Read to the site, plus Limited Access to specific lists Members of this group can view pages and documents but cannot view historical versions or review user rights information.
Style Resource Readers Read to the Master Page Gallery and Restricted Read to the Style Library Members of this group are given Read permission to the Master Page Gallery and Restricted Read permission to the Style Library. By default, all authenticated users are a member of this group.
Designers Design, Limited Access Members of this group can to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer.
Approvers Approve, Limited Access Members of this group can edit and approve pages, list items, and documents.
Hierarchy Managers Manage Hierarchy, Limited Access Members of this group can create sites, lists, list items, and documents.

Users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

ManagePermissionsBySPGroup.png

Monitor and Control

  1. Identify and assign the roles to users in SharePoint portal.
  2. Define a process to periodically review the assigned permissions.
  3. If needed, use any tool for monitoring

MonitorFlowPermissions

Script Intro

In this article, we have developed a PowerShell script to get a ‘Entire Site Collection Permissions Report’ from SharePoint online in CSV format.

This script will:

  • Check and print Site Collection (Root) site Permission to the CSV
  • Iterates through Sub Sites recursively and print following properties [Site Name, Site URL, Group Name, Group Permission Level] to the CSV

This script will NOT:

  • Iterate through Web Application

Note: To run this script one should have Site Collection administrator rights.

The script will iterate through each Site in the provided Site Collection URL. It will also iterate through all the subsites in the Site Collection recursively. Below is the screenshot of the permission report generated in CSV format.

ScriptExport

You can download the entire PowerShell script from Here.

Best Practices

Never modify out of box SharePoint permission levels

Refrain yourselves from modifying the out of box permission levels, instead create a new one (use the Make a Copy option) irrespective of major or minor modifications.

Assign Permissions to Groups instead of individual users

Maintain the practice of creating SharePoint Groups and assign permissions to groups. Users can be added or removed from groups as needed and could help reduce ongoing maintenance as users change.

Assign permissions at the highest possible level

Arrange documents that requires unique permissions in document libraries which supports specific group permissions. Use Active Directory (AD) groups whenever possible. Use SharePoint Groups when there may not be an Active Directory group that fits your needs.

Summary

Permission Levels is an integral part of SharePoint permissions management and securing your content in SharePoint.
It is vital to have a solid understanding of Permission Levels used in your environment, and will ensure you and your team know what users can actually do, before they actually do them!

Do you use SharePoint? Try our toolkit
Download SharePoint Essentials Toolkit Now
Download the SharePoint Essentials Toolkit
Dhaval Shah - MCD, MCSD
Follow me
Latest posts by Dhaval Shah - MCD, MCSD (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.