
How to create a custom permission level in SharePoint

I always advise my clients and loyal blog followers to stay out of the box as much as possible in SharePoint. The less deviation you have from the “norm,” the less headache it is for you and your colleagues down the road in terms of maintenance and memorizing who did what and why things do not work the way they should. That said, I realize that there are unique situations that pop up here and there that might require some deviations. One such requirement and a common request is to create a custom permission level in SharePoint.

Use Case

Out of the box, on any given SharePoint site, we have three security roles/permission levels:

  • Site Visitors (Read Only)
  • Site Members (Add/Edit/Delete Content)
  • Site Owners (Full Control/ability to delete a site)

I described this in greater detail here.

However, there are situations when you need users to be able to add/edit the documents but not be able to delete them. Read Only allows for just read and download, and Edit allows for add/edit but also Delete. There is nothing in between. Luckily, we can create a custom permission level for such scenarios, and that is what I would like to explain to you.

Step 1: Create a custom permission level in SharePoint

  1. Click Gear Icon > Site Permissions
  2. Expand all three SharePoint security groups – you will see the Members group with the Edit permission level (which, of course, allows users to add/edit/delete content). We need this group of users to have a custom permission level that will allow them to Add and Edit, but not Delete.
  3. Click Advanced permissions settings
  4. Click on Permission levels
  5. At this point, you will see the out of the box permission levels
  6. We need to create a custom permission level that is based on Edit, but does not have the ability to Delete. Click on the Edit Permission Level
  7. DO NOT TOUCH OR UNCHECK ANY CHECK BOXES! You don’t want to break an out of the box permission level. We are not going to modify anything here. Instead, we will create a copy of this. Scroll all the way down and click the Copy Permission Level button
  8. Give your new Permission level a name, provide a description (so everyone knows what the hell this does). Next, uncheck the boxes next to the two actions that allow for deletions of items and their versions.
  9. Scroll down to the bottom of the screen and hit Create
  10. You will now see the custom permission level listed next to the out of the box permission levels

Step 2: Assign a custom permission level to users

This is where instructions differ based on the type of site you have. Steps are different for Group-connected sites and non-Group Sites. To understand the difference between various types of sites, please reference this article. We will start with an easy one.

Non-Microsoft 365 Group sites

These include classic SharePoint sites, Modern Team Sites without a Group, or Communication Sites.

  1. You will not be able to assign a custom permission level via the modern Site Permissions interface. So once again, we will need to navigate to the Advanced permission settings (classic interface).
  2. Click the checkbox next to the Members Group and click Edit User Permissions
  3. Uncheck the box next to the Edit permission level, check the box next to the custom permission level you created, and click OK
  4. This is how it should look
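Step 1 and the non-Group assignment above can also be scripted, which makes the change repeatable and lets you verify that the delete rights are really gone. This is an added example, not part of the original post; it assumes the PnP.PowerShell module is installed, uses placeholder values for the site URL and client ID, and uses the level name "AddEdit-Not Delete" from this article.

```powershell
# Added example (not from the original post). Requires the PnP.PowerShell module.
# $SiteUrl and $ClientId are placeholders you must supply.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # https://<tenant>.sharepoint.com/sites/<site>
    [Parameter(Mandatory)] [string] $ClientId,  # your own Entra ID app registration for PnP
    [string] $RoleName = 'AddEdit-Not Delete'
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Step 1: copy the built-in Edit level, minus the two delete rights.
# The out of the box Edit level itself is never modified.
$excluded = 'DeleteListItems', 'DeleteVersions'
$existing = Get-PnPRoleDefinition -Identity $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-PnPRoleDefinition -RoleName $RoleName -Clone 'Edit' -Exclude $excluded `
        -Description 'Add and edit items; cannot delete items or versions' | Out-Null
}

# Verify: stop if a delete right is still present
# (for example, a level with the same name that was created by hand).
$role  = Get-PnPRoleDefinition -Identity $RoleName
$perms = Get-PnPProperty -ClientObject $role -Property BasePermissions
foreach ($kind in $excluded) {
    if ($perms.Has([Microsoft.SharePoint.Client.PermissionKind]$kind)) {
        throw "Permission level '$RoleName' still grants $kind"
    }
}

# Step 2 (non-Group sites only): swap Edit for the custom level on the Members group.
$members = Get-PnPGroup -AssociatedMemberGroup
Set-PnPGroupPermissions -Identity $members -RemoveRole 'Edit' -AddRole $RoleName

# Show the permission levels the Members group holds now.
Get-PnPGroupPermissions -Identity $members | Select-Object Name, Description
```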

Microsoft 365 Group sites

As stated above, the behavior is different for the sites connected to Microsoft 365 Groups. Let me explain.

  1. If you navigate to Advanced site permissions like we did above and try to edit permissions, you will notice that you can’t do that. The reason for that is that Microsoft does not want you to @#$% around with site security much, as this will break the whole group membership model and will cause issues in other areas of the Group (Teams, etc.)
  2. So here is a workaround. Back at the modern Site Permissions screen, change the Members Group permission from Edit to Read. This will move the group under Site visitors.
  3. Next, navigate to Advanced permissions settings, and click Grant Permissions
  4. On the next screen, type in the name of the Security group (same as project site name), and assign it the custom permission level you created previously
  5. Once the above is completed, this is how it should look. So essentially, we left the out of the box security groups intact, since we can’t screw around with them, and just added an extra security group with the custom permission level.
  6. So what ends up happening is that a Site member gets to have Read access (because they are inside the Visitors group now per Step 2 above), and a Site member also gets AddEdit-Not Delete access because we added that extra permission to them as well. And since the highest permission level wins, they end up having AddEdit-Not Delete access, which includes Read. Makes sense?

What happens once you set up a custom permission level in SharePoint

This obviously depends on how you set up your permission level, but using the example above, the following are the consequences of it.

  1. As advertised, the members lose the ability to delete files
  2. The ability to delete versions is gone as well
  3. The ability to move files is not available either (just Copy). This is because when you move files, they get deleted at the source and are moved to the Recycle Bin. Click here to learn more about this.
  4. The ability to rename a file is gone
  5. Users will also not be able to share the files or folders with anyone else
  6. On the non-group connected sites, the modern Site Permissions panel will also disappear for the Site Owner (since we deviated away from the out of the box Read/Edit/Full Control model). So Site Owners/Admins would need to navigate to Advanced permissions settings to make changes going forward
