Skip to main content

4 security roles of a SharePoint site

Fact: Understanding how security works in SharePoint continues to be the leading cause of high blood pressure among SharePoint users. OK, I just made it up, but judging by the number of questions and urgent emails I get from my clients and blog followers, this got to be the biggest matzo ball out there among those using SharePoint Online for collaboration. I have written several posts previously explaining how security works, and this one is just another one in a series to help you understand this better. So let me demystify the security roles of a SharePoint site in this post.

Explaining how security works is a bit of a challenge, because the way you would typically set up security on a SharePoint site depends on the type of site you have.  It works a certain way on a Team Site (connected to a Microsoft 365 Group, formerly Office 365 Group) vs. Communication Site. If you are curious about the difference is between the two – check out this post. So as I go through the various roles below, I will try to put them in context to explain it better.

Before you continue reading the paragraphs below, I also strongly suggest you read this post about permissions, specifically about thee 3-group security concept we have in SharePoint.

OK, that’s all for prerequisites, now grab some popcorn and your favorite drink and let’s try and understand security in SharePoint.

Site Visitors

Site Visitors is a security group that has read-only privileges to the site. If users are part of this group, the only thing they can do on a site is read and download. This applies to documents, pages, events, news, links – virtually any content you have.

Site Visitors can

  • Read and download content from a site
  • Share files and folders with existing users and others (but only after the Site Owner approves the request)

Site Visitors cannot

  • Add content
  • Edit content
  • Delete content
  • Delete a site
  • Share a Site

Site Visitors on a Communication Site

Site Visitors group is often utilized on Communication sites, as this type of site is used for mostly one-way communication. Usually, you would add users or Everyone except external users group into Site Visitors group for quick read-only access.

security roles of a SharePoint site

Site Visitors on a Team Site

Site Visitors Group on a Team Site connected to a Microsoft 365 Group is never used by default. It does exist in case you want to bypass the Microsoft 365 Group membership and allow someone into your site directly (more on this here). But by default, it is empty.

Site Members

Site members is a security group that usually would have the most site users. It is a group that allows users to add/edit/delete content on a site (among other things).

Site Members can

Site Members cannot

Site Members on a Communication Site

Site Members group on a Communication site typically would have users who need to manage content on a site – be able to add/edit/delete pages, news, documents, links, announcements, without being able to delete a site.

Site Members on a Team Site

Site Members group on a Team Site by default contains the Microsoft 365 Group Site Members who have been added as part of Group Membership. So if you click on Site Members – you would not see the names, just the name of a group embedded into SharePoint Security Group.

security roles of a SharePoint site

Site Owners

Site Owners are dangerous people. If they are in a bad mood, they can delete a site 😊. Seriously, though, that is the highest privilege you can get on a site level.

Site Owners can

  • Do everything Site members can +
  • Delete a Site
  • Manage Site Features
  • Have access to everything on a site – no content can be hidden from Site Owners (even if you set up folder-level permissions)

Site Owners cannot

Site Owners on a Communication Site

The group automatically contains the name of an individual who creates the Communication Site. You would not want to add many users here unless, of course, you do not care about your intellectual property. Make sure users understand what the possible consequences are (i.e., the ability to delete a site).

security roles of a SharePoint site

Site Owners on a Team Site

The Group automatically contains the Group Owners. Just like with Team Members, this security group includes Microsoft 365 Group Site users who have been added as part of Group Membership and promoted to be the Group Owners.

Site Collection Administrators

Now, I hope that everything I described above makes sense. That said, I also would like to explain an additional role we have in SharePoint, that are specific to the historical transformation of SharePoint + evolvement of Microsoft 365 Group (formerly Office 365 Group).

Background

You see, in the past, we had this concept of Site Collections. That is because, unlike the modern sites we have now, we had one big site with subsites underneath. So that site with subsites was called a Site Collection. So while each subsite could have its own Site Owners, Site Members, Site Visitors, the Site Collection itself also had a separate role called Site Collection Administrator.  Site Collection Administrators was truly the highest privilege you could get in SharePoint terms, and the SharePoint Site Collection Admins automatically had access to all sites (subsites) within the site collection.

Site Collection Administrators on modern sites

With modern sites, we no longer create subsites. Think of a modern site as a site collection you create without subsites underneath. The capability to create subsites is still there, but we just don’t do it due to the modern flat information architecture. Because Site Collections are more of a technical term and regular users do not understand it or even need to know about it, we simply dropped the “collection” part and now refer to the site collections as sites. That said, the site collection role still exists and serves a purpose. So below, I want to explain the context of the Site Collection Administrator role as it applies to Communication and Team Sites.

Site Collection Administrator on a Communication Site

Users who create a Communication Site automatically become a Site Owner + Site Collection Administrator of a site (site collection).

security roles of a SharePoint site

Site Collection Administrators on a Team Site

On Team Sites, the Group Owners become not only Site Owners, but also Site Collection Administrators! If you see in the image below, Site Collection Administrators group contains the members of the Office 365 Group who are owners.

security roles of a SharePoint site

Site Collection Administrators can

  • Do everything Site Owners Can +
  • Manage Site Collection Features
  • Manage Hub Navigation (if the site is a Hub)
  • Access Second-Stage Recycle Bin.

Site Collection Administrators cannot

  • Launch a rocket to the moon 😊. Seriously, Site Collection Administrator is the highest privilege you can get at a site level

How to become a Site Collection Administrator

  • Whoever creates a site – automatically becomes a Site Collection Administrator of that site (in case of a Team Site – Group Owner becomes the Site Collection Administrator)
  • Those with access to SharePoint Admin Center (users with global SharePoint Admin Role) can add themselves or anyone else to be SharePoint Site Collection Administrators – instructions here.

I hope you better understand the security roles of a SharePoint site now. It takes some time, so no worries. You are not the only one.

You may also like

Hub Navigation Best Practices

November 25th, 2020

You may also like

Why every SharePoint Site needs two Owners

November 23rd, 2020

You may also like

How to disable External Sharing on a User’s OneDrive

November 19th, 2020

Need SharePoint Help?

Hourly consulting, training and configuration services are available

Learn More