Are you confused with SharePoint permission levels?
Take a deep breath. Understanding the permission levels is often a challenge to new users and even to old users who don’t manage their own sites.
In this article, I’ll do what I can to explain SharePoint permissions in the simplest way possible. Rest assured, it’s easier than you imagine.
Let’s get started.
Table of Contents:
- What are permission levels in SharePoint?
- What are the benefits of SharePoint permissions?
- What do different SharePoint permission groups mean?
- What are the default permission levels available in SharePoint?
- How to manage the site owner group
- How to manage the site member group
- How to manage the site visitor group
- Keep SharePoint Permissions simple
Technically, the concept of permission levels refers to how much “permission” you give to a particular user or group to do specific actions.
Each “level” pertains to how much “administrative” access groups or users have (which then reflects on what they can actually do).
In SharePoint, there are two ways to grant a permission level to someone:
- Adding the user to a SharePoint group with an assigned permission level
- Adding the user directly with a specific permission level to a site, library, list, or item
When you look at the security of the site, ideally, adding a user to a group is more manageable. Unfortunately, what usually happens is that users share sites with outsiders.
This can pose a risk to the security of the site, especially when confidentiality is a must to all the resources and content within the site.
If you want to learn more about site security, I wrote a best practices guide for SharePoint security that you can implement right away.
Imagine your SharePoint site to be a building:
As the owner, you can restrict others from certain parts of your building. They will not be able to see what’s in those restricted areas.
But besides those areas, visitors can freely see what’s in your building. Others with special privileges might be able to bring some things back home.
However, most of the inner workings in your building are hidden to most people, even to you as the owner (unless you ask someone to give you a tour guide).
The same is true in your SharePoint site. Many of the elements in your site are protected from the prying eyes of other people.
This is the primary reason why SharePoint permission levels are important — they help maintain site security and enable you to manage who sees what.
Other specific reasons include the following:
- It’s easy to provide users with centralized information. If you need to share some document, simply upload it to the document library and everyone with a “view” permission level will be able to see it.
- Sharing links to a site or to a file to people who are not supposed to access it won’t see anything. On the other hand, they can request permission to see what’s shared with them (but you don’t have to give in).
- Your drafts are safe. With correct permissions, no one is supposed to see what you wrote in the drafts and what information it contains until you publish it (and only then, only those with the correct permission level will be able to see it).
- Setting up access to a team site is easy. In fact, you won’t need to change each team member’s access to change the permission level since you can simply assign the team member to an existing permission group.
- If you already have user groups on the Active Directory, you can import them to SharePoint. That means you don’t need to give people access again (less giving out permissions, fewer mistakes).
- SharePoint groups can also be used across your tenant (on different sites that you manage). No need to create new groups. You only have to update the existing ones and sites will know it automatically through a central group roster.
Since we can all agree that site security is important, then it makes sense for SharePoint permissions to be important as well.
However, you can only make use of this feature if you use it properly and actually assign users to specific permission level groups.
Permission levels in SharePoint follow the three-group concept as it gives you three groups for every new site.
- Site visitors
- Site members
- Site owners
From the name alone, site visitors pertain to “temporary” visitors in the site, often people who are not part of the company.
Site visitors can’t do so much as they only have read-only permission. Literally, they can only read and download content from the site.
Site members have limited control over the site as they can add, edit, and delete some content (like pages, events, documents, etc.).
It’s important to know that site members have one special privilege — the ability to share the site or its content with others.
Site owners have full control over the site and everything it contains. They can do everything site visitors and members can do.
They can also manage the site and maintain site security. They can edit and manage navigation and edit site pages (add, delete, or edit web parts).
Every default permission group has a specific permission level assigned.
- Site visitors: Read
- Site members: Edit
- Site owners: Full control
Here is some explanation on the other default permission levels that exist:
- View: This is the lowest permission level in SharePoint. Users with this permission level can only view pages, documents, and list items, but can’t download anything. These users are not able to create new content and modify or delete existing ones.
- Read: Users with this level can open and view the SharePoint site (including its documents, lists, and images) shared with them. Those with this level can download documents, but they can’t add new content and edit or delete existing ones.
- Contribute: This is a step higher than read-only users since those with contribute access can add, update, and delete list items and documents on the site.
- Edit: Those with this access are similar to contributors, but editors can add, update, and delete lists on the site (in addition to list items and documents).
- Designer: Those with this level can do what contributors can do. They can also create other elements like libraries, views, columns and can even add and move web parts (which basically changes the site layout).
- Full control: This is the highest permission level in SharePoint. Full-control users can do anything on the site — including changing the permission levels of others and adding or deleting members.
Here’s some advice:
Stick with how the default permission group (site visitors, members, owners) for specific permission levels are made (unless it’s necessary to change the permission levels).
Since it’s easy to understand, it follows that it’s easy to manage as well. In addition, those that will take over this task will have an easier time understanding it.
There’s only one exception to this — changing site members’ edit access to contribute only. More about this in the site member group section below.
Below are some of my specific tips on how to manage specific permission level groups in your site so you will have an easier time managing it.
How to manage the site owner group
Since site owners can practically do anything on the site (even deleting the site itself), they hold an important role (even if they may not be the company’s owners).
One thing to remember is this:
You must only have a maximum of three site owners per site. More than that is a risk.
Even if you say there are a lot of people who must have site owner access to update the site and do specific things, the reality is this:
Those people don’t need site owner access to do many of those things. They don’t need to be site owners.
Here are specific reasons why having only a maximum of three site owners work:
- You can’t be the sole site owner. If you’re not present or can’t work for some reason, then someone has to step in (which they can’t unless you or the tenant sets it up).
- Not all users are made the same. If you assign a user with site owner access and he or she doesn’t have much experience in SharePoint, that person may end up breaking something in the site.
- Having only three site owners means you have more control over the changes on the site. Those who request changes in the site only have three people to approach and you can easily track who approved what.
Keeping the number of site owners down is also great for true site ownership and accountability (bonus if you count training to the list of things to do for co-site owners).
Now, before you go off, you might want to keep the identities of all the site owners public (and even publish them on the home page if possible).
The rationale behind this is that it makes it easier for members and visitors to contact a site owner when there’s an important reason to do so.
How to manage the site member group
Users with a member’s access may not wield the same creator (and destructive) capabilities as site owners, but they can still make changes to the site.
Basically, they can take part in content creation like adding new documents and updating lists and libraries.
For team sites, here’s my suggestion:
As much as possible, add all members of the team to the members’ group so they can collaborate on documents and other content within the site.
Since they are all working together as a team, they must have access to available resources and change or edit the content as they need to.
For communication sites, here’s my suggestion:
Opposite with team sites, the members’ group must have as few members as possible (keep it empty when you can).
The reason is simple — since the content of the site is mostly finished documents, announcements, and policies, only a few people must have the ability to edit them.
In addition, it’s ideal if you create separate document libraries for particular functions and only give out member access to those who are responsible for updating the content in those libraries.
Before you rush off, do this one important suggestion:
Change the default permission level of members from editors to contributors.
This is the one exception to what I wrote earlier about “keeping the default permission level as they were made”.
Since 2013, the edit permission level gives users the ability to create a new list and even update or even delete existing ones.
You can already see the problem with this — some users might mistakenly edit a list which might be catastrophic to your company.
This is why it’s important to restrict members to contributor access only so they can update only the list items (and not the list itself).
How to manage the site visitor group
Site visitors can only have read access to the site. They can only open documents and download them, but they can’t change anything.
Managing this group is quite simple:
For team sites, nobody in the team must be on the site visitor group since they all have to collaborate and work on the documents together.
On the other hand, if there are outsiders in the group (who are there for a variety of reasons), then the site visitor group is enough for them.
This is the opposite in communication sites — most people have to be on the site visitor group since the content on these sites is meant to be consumed.
The only people who must not be on this group are those who need to update content (so they must be on the site member group).
Like I told you in the beginning, understanding SharePoint permission levels aren’t really that hard.
What’s hard is when you try to mix and match everything — and customize every possible detail within the permission level.
This defeats the purpose since it burdens you with more management work to do. That’s why it’s important to stick to the default permission level groups.
Specifically, what you need to remember is that:
- Only have a maximum of three site-owners (less than that is lacking and more than that is too risky).
- Make every team member in a team site a site member since they need access to work on the documents and files.
- For a communication site, most of the users must only have read-only access (and belong to the site visitor group).
Do you have some questions regarding SharePoint permissions? Throw them below and we’ll talk about them.
For inquiries and concerns, send me a message through my contact page and I’ll get back to you as soon as possible.