4 security roles of a SharePoint site
Fact: Understanding how security works in SharePoint continues to be the leading cause of high blood pressure among SharePoint users. OK, I just made it up, but judging by the number of questions and urgent emails I get from my clients and blog followers, this has got to be the biggest matzo ball out there among those using SharePoint Online for collaboration. I have written several posts previously explaining how security works, and this one is just another one in a series to help you understand this better. So, let me demystify the security roles of a SharePoint site in this post.
Explaining how security works is a bit of a challenge because the way you would typically set up security on a SharePoint site depends on the type of site you have. It works one way on a Team Site (connected to a Microsoft 365 Group, formerly Office 365 Group) and another way on a Communication Site. If you are curious about the difference between the two – check out this post. So, as I go through the various roles below, I will try to put them in context to explain it better.
Before you continue reading the paragraphs below, I also strongly suggest you read this post about permissions, specifically about the 3-group security concept we have in SharePoint.
OK, that’s all for prerequisites; now grab some popcorn and your favorite drink, and let’s try and understand security in SharePoint.
Site Visitors
Site Visitors is a security group that has read-only privileges to the site. If users are part of this group, the only thing they can do on a site is read and download. This applies to documents, pages, events, news, links – virtually any content you have.
Site Visitors can
- Read and download content from a site.
- Share files and folders with existing users and others (but only after the Site Owner approves the request).
Site Visitors cannot
- Add content
- Edit content
- Delete content
- Delete a site
- Share a Site
Site Visitors on a Communication Site
The Site Visitors group is often utilized on Communication Sites, as this type of site is used mostly for one-way communication. Usually, you would add individual users or the Everyone except external users group into the Site Visitors group for quick read-only access.
Site Visitors on a Team Site
The Site Visitors group on a Team Site connected to a Microsoft 365 Group is not used by default. It does exist in case you want to bypass the Microsoft 365 Group membership and allow someone into your site directly (more on this here). But by default, it is empty.
Site Members
Site Members is the security group that usually contains the most site users. It is the group that allows users to add/edit/delete content on a site (among other things).
Site Members can
- Do everything Visitors can do +
- Add content
- Edit content
- Delete content
- Create document libraries and lists
- Create or edit metadata on libraries and lists
- Add Apps
- Share Site with others (this is by default, unless the Site Owner disables this capability)
- Share files and folders with others
- Edit Site Quick Launch Menu
- Edit Site Pages (this is by default, unless the Site Owner disables this capability)
- Access and Restore documents from the Recycle Bin
- Manage document library and list settings
Site Members cannot
- Delete a site
- Restore a Document Library
- Manage Site Features
Site Members on a Communication Site
The Site Members group on a Communication Site typically contains the users who need to manage content on the site – add/edit/delete pages, news, documents, links, and announcements – without being able to delete the site.
Site Members on a Team Site
The Site Members group on a Team Site by default contains the Microsoft 365 Group members who have been added as part of Group Membership. So if you click on Site Members – you will not see individual names, just the name of the Microsoft 365 Group nested inside the SharePoint security group.
Site Owners
Site Owners are dangerous people. If they are in a bad mood, they can delete a site 😊. Seriously, though, that is the highest privilege you can get on a site level.
Site Owners can
- Do everything Site members can +
- Delete a Site
- Manage Site Features
- Have access to everything on a site – no content can be hidden from Site Owners (even if you set up folder-level permissions).
Site Owners cannot
- Manage Hub Navigation
Site Owners on a Communication Site
The group automatically contains the user who created the Communication Site. You would not want to add many users here unless, of course, you do not care about your intellectual property. Make sure users understand what the possible consequences are (i.e., the ability to delete a site).
Site Owners on a Team Site
The group automatically contains the Group Owners. Just like with Site Members, this security group includes the Microsoft 365 Group members who have been promoted to Group Owners, rather than individually added users.
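To see the three default groups described above in practice, here is an added audit script (my own example, not something from the original post or from Microsoft) written for the SharePoint Online Management Shell (the Microsoft.Online.SharePoint.PowerShell module). It lists the Visitors, Members and Owners groups of one site with their roles and principals, shows the Microsoft 365 Group claim you get on a Team Site instead of individual names, and warns when the Owners group is larger than a threshold or when "Everyone except external users" sits in a group that grants more than read access. The tenant name "contoso", the site URL and the threshold value are placeholders you would replace; the claim prefixes are the ones SharePoint Online uses for those principals.

```powershell
# Added example (not from the original post): audit the Visitors, Members and
# Owners groups of one SharePoint Online site.
# Assumptions: you hold the SharePoint Administrator role; "contoso", the site
# URL and $MaxOwners are placeholders to adjust.

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$AdminUrl  = "https://contoso-admin.sharepoint.com"           # placeholder tenant
$SiteUrl   = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site
$MaxOwners = 3   # warn above this many principals in the Owners group

Connect-SPOService -Url $AdminUrl

# Login-name prefixes that identify special principals inside a site group.
$EveryoneExceptExternal = "c:0-.f|rolemanager|spo-grid-all-users/"
$M365GroupClaim         = "c:0o.c|federateddirectoryclaimprovider|"

$site = Get-SPOSite -Identity $SiteUrl
# GROUP#0 = Team Site connected to a Microsoft 365 Group,
# SITEPAGEPUBLISHING#0 = Communication Site
Write-Host "Site: $($site.Url)  Template: $($site.Template)"

foreach ($group in Get-SPOSiteGroup -Site $SiteUrl) {
    # Only the three default groups matter here; skip any custom groups.
    if ($group.Title -notmatch '(Visitors|Members|Owners)$') { continue }

    $roles = ($group.Roles -join ", ")
    Write-Host ""
    Write-Host "$($group.Title) [$roles] - $(@($group.Users).Count) principal(s)"

    foreach ($login in $group.Users) {
        $note = ""
        if ($login.StartsWith($M365GroupClaim)) {
            # Team Site: membership comes from the Microsoft 365 Group, so the
            # group claim appears here instead of individual names. The owners
            # claim carries an "_o" suffix.
            $note = if ($login.EndsWith("_o")) { "<- Microsoft 365 Group owners" }
                    else                       { "<- Microsoft 365 Group members" }
        }
        elseif ($login.StartsWith($EveryoneExceptExternal)) {
            $note = "<- Everyone except external users"
        }
        Write-Host "    $login $note"
    }

    # Owners can delete the site, so keep that group small.
    if ($group.Title -like "*Owners" -and @($group.Users).Count -gt $MaxOwners) {
        Write-Warning "$($group.Title) has $(@($group.Users).Count) principals; Owners can delete the site."
    }

    # 'Everyone except external users' is fine in Visitors (read-only) but
    # in Members or Owners it hands the whole tenant edit or full control.
    if ($group.Title -notlike "*Visitors") {
        $broad = @($group.Users | Where-Object { $_.StartsWith($EveryoneExceptExternal) })
        if ($broad.Count -gt 0) {
            Write-Warning "'Everyone except external users' is in $($group.Title) and gets '$roles', not read-only."
        }
    }
}
```

Run it once per site you are reviewing; on a Team Site you will see the Microsoft 365 Group claim under Members and Owners, which is exactly why clicking the group in the browser shows no individual names.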
Site Collection Administrators
Now, I hope that everything I described above makes sense. That said, I also would like to explain an additional role we have in SharePoint, one that stems from SharePoint's history and the evolution of the Microsoft 365 Group (formerly Office 365 Group).
Background
You see, in the past, we had this concept of Site Collections. That is because, unlike the modern sites we have now, we had one big site with subsites underneath, and that site together with its subsites was called a Site Collection. While each subsite could have its own Site Owners, Site Members and Site Visitors, the Site Collection itself also had a separate role called Site Collection Administrator. Site Collection Administrator was truly the highest privilege you could get in SharePoint terms, and Site Collection Admins automatically had access to all sites (subsites) within the site collection.
Site Collection Administrators on modern sites
With modern sites, we no longer create subsites. Think of a modern site as a site collection you create without subsites underneath. The capability to create subsites is still there, but we just don’t use it, due to the modern flat information architecture. Because "Site Collection" is more of a technical term that regular users do not understand or even need to know about, we simply dropped the “collection” part and now refer to site collections as sites. That said, the Site Collection Administrator role still exists and serves a purpose. Below, I want to explain the context of the Site Collection Administrator role as it applies to Communication and Team Sites.
Site Collection Administrator on a Communication Site
The user who creates a Communication Site automatically becomes both a Site Owner and a Site Collection Administrator of that site (site collection).
Site Collection Administrators on a Team Site
On Team Sites, the Group Owners become not only Site Owners but also Site Collection Administrators! As you see in the image below, the Site Collection Administrators list contains the owners of the Office 365 Group.
Site Collection Administrators can
- Do everything Site Owners Can +
- Manage Site Collection Features
- Manage Hub Navigation (if the site is a Hub)
- Access Second-Stage Recycle Bin.
Site Collection Administrators cannot
- Launch a rocket to the moon 😊. Seriously, Site Collection Administrator is the highest privilege you can get at a site level.
How to become a Site Collection Administrator
- Whoever creates a site automatically becomes a Site Collection Administrator of that site (in the case of a Team Site, the Group Owners become the Site Collection Administrators)
- Those with access to the SharePoint Admin Center (users holding the SharePoint Administrator role in Microsoft 365) can add themselves or anyone else as a Site Collection Administrator – instructions here.
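Because Site Collection Administrator is the highest site-level privilege and can be granted from the Admin Center without the site's owners noticing, it is worth inventorying who holds it across the tenant. The script below is an added example of mine (not from the original post or from Microsoft) for the SharePoint Online Management Shell: it walks every site, collects the principals flagged as site collection admins, and warns where the count exceeds a threshold. The tenant name "contoso" and the threshold are placeholders; the revoke command at the end is left commented so it only runs deliberately after review.

```powershell
# Added example (not from the original post): inventory Site Collection
# Administrators across all sites in a SharePoint Online tenant.
# Assumptions: SharePoint Administrator role; "contoso" and $MaxAdmins are
# placeholders to adjust.

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$MaxAdmins = 2   # warn when a site has more site collection admins than this

$report = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # Get-SPOUser returns every principal with access to the site; the
        # IsSiteAdmin flag marks Site Collection Administrators. On a Team
        # Site this includes the Microsoft 365 Group owners claim (login
        # name ending in "_o"), matching what the post describes.
        $admins = @(Get-SPOUser -Site $site.Url -Limit All |
                    Where-Object { $_.IsSiteAdmin })
    }
    catch {
        Write-Warning "Could not read users of $($site.Url): $($_.Exception.Message)"
        continue
    }

    [pscustomobject]@{
        Url        = $site.Url
        # GROUP#0 = Team Site, SITEPAGEPUBLISHING#0 = Communication Site
        Template   = $site.Template
        AdminCount = $admins.Count
        Admins     = ($admins.LoginName -join "; ")
    }
}

# Full inventory, most-privileged sites first.
$report | Sort-Object AdminCount -Descending | Format-Table -AutoSize

# Sites whose admin list is larger than your governance policy allows.
$report | Where-Object { $_.AdminCount -gt $MaxAdmins } | ForEach-Object {
    Write-Warning "$($_.Url) has $($_.AdminCount) site collection admins: $($_.Admins)"
}

# After reviewing, revoke an unexpected admin with Set-SPOUser. Left commented
# on purpose; fill in the real site URL and login name before running.
# Set-SPOUser -Site "https://contoso.sharepoint.com/sites/Finance" `
#             -LoginName "someone@contoso.onmicrosoft.com" `
#             -IsSiteCollectionAdmin $false
```

Export `$report` to CSV (`$report | Export-Csv admins.csv -NoTypeInformation`) if you want to compare inventories over time and spot newly added administrators.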
I hope you better understand the security roles of a SharePoint site now. It takes some time, so no worries. You are not the only one.