SharePoint Permissions Simplified
Trying to understand how SharePoint permissions work sometimes feels like trying to understand how Facebook privacy settings work. You think you get it and then it turns out your wife has access to all the photos of you having way too much fun at your friend’s bachelor party. :-)
So with this post, I would like to explain how SharePoint permissions work. It is not that hard, trust me.
1. Three-group concept
This is a fundamental part of how SharePoint permissions work. This is how it worked for many years with SharePoint sites; this is how it works now with Office 365 Group Sites and Communication Sites. The concept is simple. Every site has these three default security groups associated with it:
- Site Owners
- Site Members
- Site Visitors
- Site Visitors are your read-only users. The only thing these users can do is read and download
- Site Members are your add/edit/delete users. These users can read and download and can also add, edit and delete content (documents, pages, announcements, events). Unless you restrict it (see point 8), they can also share content with others
- Site Owners are your full control users. These users can do everything Visitors and Members can do, plus they can manage site permissions, add web parts and manage navigation.
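As an added example (not code from the original post), the script below lists the three default groups of a site, the permission level each one holds, and who is in it, and warns when the Members group has been handed Full Control. It assumes the PnP.PowerShell module is installed and that you can sign in interactively; the site URL is a placeholder.

```powershell
# Added example: audit the three default SharePoint groups of one site.
# Assumes PnP.PowerShell and an account that can read site permissions.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive   # placeholder URL

# The associated groups are bound to the site; their titles may have been renamed,
# so resolve them by role rather than by the literal "Site Owners" name.
$groups = [ordered]@{
    Owners   = Get-PnPGroup -AssociatedOwnerGroup
    Members  = Get-PnPGroup -AssociatedMemberGroup
    Visitors = Get-PnPGroup -AssociatedVisitorGroup
}

foreach ($role in $groups.Keys) {
    $group  = $groups[$role]
    # Permission levels (role definitions) assigned to this group on the site
    $levels = (Get-PnPGroupPermissions -Identity $group).Name
    Write-Host ("{0,-8} -> '{1}' holds: {2}" -f $role, $group.Title, ($levels -join ", "))

    # Anything other than Full Control/Edit/Read on the three default groups is a finding
    if ($role -ne "Owners" -and $levels -contains "Full Control") {
        Write-Warning "$($group.Title) has Full Control; only the Owners group should."
    }

    # Group membership: named users, Microsoft 365 groups or security groups
    Get-PnPGroupMember -Group $group | ForEach-Object {
        Write-Host ("           {0} [{1}]" -f $_.Title, $_.PrincipalType)
    }
}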
You can create your own SharePoint groups and add them to the site to grant additional groups and unique permissions (which I talk about a bit later), but honestly, try to stay simple, just like the title of this post implies. Between work, home, family, and American politics, life is already complicated, why make it harder? :-)
2. Subsite Security Inheritance
This is becoming less relevant now, with the flat site architecture concept. However, it is still something you should be aware of, because it will cause you lots of grief if you are not. When you create a subsite, you are given a choice to either create unique permissions for the subsite or inherit them from the parent. If you decide to inherit the permissions from the parent site, whoever has access to the parent site will also have access to the child subsite underneath, and any permission change you make on the parent flows down to the subsite as well.
This can become quite a matzo ball when you decide to share one of these sites with others. It might be misleading, but by sharing a site with someone, you give them access to the other site as well: sharing the parent grants the subsite, and sharing an inheriting subsite adds the person to the parent's groups, which grants the parent (remember, the subsite has no permissions of its own). I can't even tell you how many times I had to clean up the security mess for my clients with this.
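The quickest way to find out which subsites are riding on their parent's permissions is to read the HasUniqueRoleAssignments flag of each web. The script below is an added example, not from the original post; it assumes PnP.PowerShell and a placeholder site URL, and it only breaks inheritance for a subsite when you explicitly name it in the $makeUnique list.

```powershell
# Added example: report permission inheritance for every subsite, and optionally
# give a chosen subsite its own permissions. Assumes PnP.PowerShell; URL is a placeholder.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive

# Server-relative URLs of subsites that should stop inheriting (empty = report only)
$makeUnique = @()   # e.g. "/sites/ProjectX/HR"

$subsites = Get-PnPSubWeb -Recurse -Includes HasUniqueRoleAssignments, ServerRelativeUrl
foreach ($web in $subsites) {
    $mode = if ($web.HasUniqueRoleAssignments) { "UNIQUE permissions" } else { "inherits from parent" }
    Write-Host ("{0,-60} {1}" -f $web.ServerRelativeUrl, $mode)

    if ($makeUnique -contains $web.ServerRelativeUrl -and -not $web.HasUniqueRoleAssignments) {
        # CSOM call: copy the current assignments so nobody is locked out at the moment
        # of the break, and do not touch scopes already broken further down (clearSubscopes = $false).
        $web.BreakRoleInheritance($true, $false)
        $web.Update()
        Invoke-PnPQuery
        Write-Host "    -> inheritance broken; now edit this subsite's groups separately"
    }
}
```

Run it with $makeUnique empty first. Every line reporting "inherits from parent" is a site where a Share click effectively edits the parent's membership.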
3. SharePoint Groups cannot be nested
One common request I constantly hear on SharePoint permissions is a requirement to nest one SharePoint group inside another SharePoint group. You cannot do that! Remember what I said above about "keep it simple"? With nested SharePoint groups it would be such a mess for you to manage.
With that being said, SharePoint Groups love all the other security groups! While you cannot add a SharePoint Group inside another SharePoint Group, you can add the following to a SharePoint Group:
- Office 365 Groups
- Office 365 Security Groups
- Mail-enabled security Groups
- Named users, of course
4. Content Inheritance on a site
This is probably pretty obvious, but by giving someone access to the site, you give them access to the whole site and all of its content: pages, lists, document libraries, all web parts. That is because everything on a site inherits permissions from the site itself. Just like if you give me the keys to your room in a house, I will have access to everything you have in your room (chairs, table, couch, food, and alcohol), whatever you have in there.
5. Breaking inheritance within a site is not recommended
Just like you can break inheritance between a subsite and its parent site, you can also break inheritance between a list or library and the site it lives in. Say, for example, you need to hide a document library from Site Members or make it read-only for them. What you can do is break inheritance from the site for that library and give it unique permissions. I describe how to do this in this post. While sometimes this might be necessary, this should be an exception, not a rule: every broken inheritance is one more place you have to remember to check when someone joins, leaves or changes role. It is like you give me the keys to the room in the house and tell me – you can't sit on this couch or drink this wine – how would this make me feel? :-)
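For the case where the exception is justified, here is an added example (not from the original post) that breaks a library's inheritance, keeps the Owners in place, and downgrades the Members group from Edit to Read on that library only. It assumes PnP.PowerShell, a placeholder site URL and a library called "Confidential".

```powershell
# Added example: make one library read-only for Site Members while the rest of the site
# keeps inheriting. Assumes PnP.PowerShell; site URL and library name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive
$library = "Confidential"

# 1. Stop inheriting from the site. Copy the current assignments first so the Owners
#    (and everyone else) keep exactly what they had; we then adjust one group.
Set-PnPList -Identity $library -BreakRoleInheritance -CopyRoleAssignments

# 2. On this library only, swap the Members group's Edit for Read.
#    To hide the library from Members instead, use -RemoveRole "Edit" without -AddRole.
$members = Get-PnPGroup -AssociatedMemberGroup
Set-PnPListPermission -Identity $library -Group $members -RemoveRole "Edit" -AddRole "Read"

# 3. Verify: the library must now report unique permissions.
Get-PnPList -Identity $library -Includes HasUniqueRoleAssignments |
    Select-Object Title, HasUniqueRoleAssignments

# Undo when the exception is no longer needed (re-inherit from the site):
# Set-PnPList -Identity $library -ResetRoleInheritance
```

Keep the undo line somewhere you will find it; libraries with unique permissions are exactly what point 4 says nobody expects.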
6. Default Permission Levels
This is kind of related to Point # 1 above. Every default security group has a default permission level assigned.
- Site Owners = Full Control
- Site Members = Edit
- Site Visitors = Read
There are other default permission levels as well. Here are the built-in levels you will assign yourself:
- Full Control – Has full control
- Design – Can view, add, update, delete, approve, and customize
- Edit – Can add, edit and delete lists; can view, add, update and delete list items and documents
- Contribute – Can view, add, update, and delete list items and documents
- Read – Can view pages and list items and download documents
- View Only – Can view pages, list items, and documents but not download
There is also Limited Access, which SharePoint assigns automatically to the parent site or library when a user is given access to something deeper down (a folder or a file); you never assign it by hand, and seeing it on a site is a hint that items below have been shared individually.
A permission level tells SharePoint what the users in a group can or cannot do. While it is considered best practice to use only the default permission levels, you can also create custom ones. I explain how to do this here. This might be necessary if, say, you need a permission level so that users can add and edit documents but not delete them. Note the difference between Edit and Contribute above: Edit also lets users add and delete whole lists and libraries, which is more than most Members need.
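The "add and edit but not delete" level is the classic custom one, so here it is as an added example (not from the original post). It clones the built-in Contribute level, removes the two delete permissions, and assigns the result to the Members group at site level. It assumes PnP.PowerShell and a placeholder site URL; the level name is my own.

```powershell
# Added example: create a custom permission level without delete rights and assign it.
# Assumes PnP.PowerShell; site URL and the level name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive
$levelName = "Contribute (no delete)"

# Clone Contribute rather than building from scratch so the view/add/edit rights
# (and their dependencies) are exactly the built-in ones; drop only deletion.
Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
    -Exclude DeleteListItems, DeleteVersions `
    -Description "Add and edit items and documents, but never delete them"

# Verify the level exists and that neither delete permission survived the clone
$level = Get-PnPRoleDefinition -Identity $levelName
$base  = $level.BasePermissions
$ok    = -not $base.Has([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems) -and
         -not $base.Has([Microsoft.SharePoint.Client.PermissionKind]::DeleteVersions)
Write-Host ("Level '{0}' created; delete rights removed: {1}" -f $level.Name, $ok)

# Replace Edit with the new level on the default Members group (site-wide)
$members = Get-PnPGroup -AssociatedMemberGroup
Set-PnPGroupPermissions -Identity $members -AddRole $levelName -RemoveRole "Edit"
```

Users under this level can still overwrite a document with a new version, which is why DeleteVersions is excluded too; otherwise they could "delete" by purging history.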
7. Permission-driven concept
SharePoint security is permission-driven (Microsoft calls this security trimming). What that means is that if you don't have access to something, it is invisible to you. So a private HR team site which you do not have access to will never appear for you in the site navigation, and keyword searches will never return content from that site to you. Keep in mind that it works the other way round too: hiding is a consequence of the permission, not a substitute for it. A link to the HR site does not grant access, it just produces an access denied page, and conversely a library that is merely hidden from navigation but still inherits site permissions is fully visible to search. I explain this concept in greater detail here.
8. Sharing a site means adding users to the Members group
When your Site Members click Share in the upper-right-hand corner of a site and share it with someone else, they are effectively adding that person to the Site Members group, with everything Members can do. So if you are a Site Owner and, say, added Mary to the Site Members group, Mary can simply click Share and invite her colleague John, even though you as the Site Owner never meant for that to happen! It might be OK for Members to share a project site, but if this is a secure department site, you will want to control this behavior. To prevent it, open the site's Access Request Settings and turn off the option that allows members to share the site and individual files and folders; access requests then go to the Owners instead.
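The same settings can be set from PowerShell, which is handy when you have more than a handful of sites to lock down. The script below is an added example (not from the original post); it assumes PnP.PowerShell, a placeholder site URL and a placeholder owners mailbox. MembersCanShare and RequestAccessEmail are the web properties behind the Access Request Settings page.

```powershell
# Added example: turn off member sharing on a secure site and route access requests
# to the owners. Assumes PnP.PowerShell; URL and mailbox are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/HR" -Interactive

# Show the current state before changing anything
$web = Get-PnPWeb -Includes MembersCanShare, RequestAccessEmail
Write-Host ("Before: MembersCanShare={0} RequestAccessEmail='{1}'" -f $web.MembersCanShare, $web.RequestAccessEmail)

# Access Request Settings: members may no longer share the site, files or folders;
# anyone who tries generates a request that lands with the owners.
$web.MembersCanShare    = $false
$web.RequestAccessEmail = "hr-site-owners@contoso.com"   # placeholder
$web.Update()
Invoke-PnPQuery

# Belt and braces at site-collection level: only owners can share at all.
Set-PnPSite -DisableSharingForNonOwners

$web = Get-PnPWeb -Includes MembersCanShare, RequestAccessEmail
Write-Host ("After:  MembersCanShare={0} RequestAccessEmail='{1}'" -f $web.MembersCanShare, $web.RequestAccessEmail)
```

Note that DisableSharingForNonOwners is a one-way switch from PowerShell: re-enabling sharing for members is done through the Sharing settings page or the admin center.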
9. Sharing files and folders creates unique security
Every time your users share a file or folder in SharePoint, inheritance between that file or folder and its parent (folder, library, and ultimately the site) is broken, and the item gets its own unique permissions. Those unique permissions do not show up anywhere on the site's permissions page, so they accumulate silently, and the only trace at the site level is the Limited Access entry mentioned in point 6.
10. Only Site Owner can un-share
As your members share sites, files and folders, they cannot un-share them; only Site Owners can do this. I describe how to do it here.
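Points 9 and 10 together mean an owner needs a way to find everything that has been shared individually and put it back under the library's permissions. The script below is an added example (not from the original post) that does both; it assumes PnP.PowerShell, a placeholder site URL and the default "Documents" library, and it only resets inheritance when $resetInheritance is set to $true.

```powershell
# Added example: list every file and folder with unique permissions in a library
# and, on request, re-inherit them from the library. Assumes PnP.PowerShell;
# site URL and library name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive
$library          = "Documents"
$resetInheritance = $false   # flip to $true after reviewing the report

# Page through the library; -PageSize keeps this working past the 5000-item threshold
$items = Get-PnPListItem -List $library -PageSize 500

$shared = foreach ($item in $items) {
    # HasUniqueRoleAssignments is not loaded by default, so fetch it per item
    if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) { $item }
}

Write-Host ("{0} item(s) in '{1}' have unique permissions" -f @($shared).Count, $library)
foreach ($item in $shared) {
    $kind = if ($item["FSObjType"] -eq 1) { "folder" } else { "file" }
    Write-Host ("  [{0}] {1} (ID {2})" -f $kind, $item["FileRef"], $item.Id)
}

# Un-share: this needs the Manage Permissions right, which Members do not have,
# so it runs as an owner. Inheriting drops every ad-hoc assignment on the item.
if ($resetInheritance) {
    foreach ($item in $shared) {
        Set-PnPListItemPermission -List $library -Identity $item.Id -InheritPermissions
        Write-Host ("  reset: {0}" -f $item["FileRef"])
    }
}
```

Run it with $resetInheritance left at $false first; some of the unique permissions will turn out to be deliberate (a folder set up under point 5), and those you keep.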