This article describes the out-of-the-box SharePoint permission levels, discusses best practices, explains how users can take control of the levels, and warns about a major mistake many organizations make when setting up security for their SharePoint sites.
January 2021 Update: Lots of changes have occurred in SharePoint Online since I originally published this post in 2015. As such, I highly recommend that you check out this most recent article on the same topic that reflects the recent architectural and visual updates in SharePoint.
What are SharePoint Permissions Levels?
Let’s first review what SharePoint permission levels are and then discuss the consequences. SharePoint permission levels are essentially defined sets of actions a user can execute on a site, list, or an item/document. The list below shows just some of the possible actions available:
- Create a Site
- Delete Site
- Create a list or library
- Modify a view
- Add an item/document
- Delete an item/document
As you can imagine, this list can be quite extensive as SharePoint is quite a scalable and versatile content management system. To make our lives easier, Microsoft has chosen to package all the available actions into defined or default levels. The default levels available in SharePoint 2013 out of the box are:
- Full Control
OK, now that you understand what the default SharePoint permission levels are, let’s go one step further and understand how they can be accessed and configured. What we are going to discuss now is something that many don’t access or even know about.
Follow these steps to access and configure SharePoint Permission Levels:
- First, make sure you have Admin privileges to your site collection
- Go to the root of the site collection (you can’t be on a subsite of a site – you really need to be at the root (top-level) site of the site collection)
- Go to Site Settings
- Under Users and Permissions, click on Site Permissions
- On the horizontal ribbon that appears, you should see Permission Levels. Click on it.
The screen that appears will show all the default permission levels available in SharePoint as well as the corresponding brief description of each level.
But wait, there is more! Click on any of the available SharePoint permission levels (for example – Contribute). Another screen will open up, and there you can see granular options that explain what that given level can do. They are grouped by category (e.g. permissions for a site, permissions for a list, etc.).
Can I change SharePoint permission levels?
Yes, you can! Changing SharePoint permission levels is pretty straightforward – just check or uncheck boxes next to actions and you are done. What that means is that you can create your own business-specific permission levels. Here are a few examples:
- Scenario 1: You want your users to be able to add files to the library but not delete files from the library. Just take the Contribute permission level and uncheck “Delete Items” under the list permissions category.
- Scenario 2: You want some users to be able to view the files, but not download them to the computer. Just check off the appropriate box and you are done!
With that being said, here are a few best practices associated with the changes:
Best Practice #1: Never change or alter default SharePoint permission levels.
If you really need to alter a permission level – DO NOT change the default one – create a new one instead. For example, say you alter the default permission level “Contribute” and remove the ability to delete files from it. That means that any library that utilizes this default permission level will inherit the change you made. That might mean disaster, as users now won’t be able to delete files across the whole SharePoint footprint!
Best Practice #2: Never, ever roll out sites or subsites with default “Edit” permission level.
If you ignore this message, you have a major security flaw in your SharePoint environment, where any team member might inadvertently delete a library you worked so hard to create, customize, and configure. This is the major mistake many organizations make when setting up SharePoint Security. Let me explain.
By default, when you roll out new site collections or sites, SharePoint creates 3 security groups (Members, Owners, Visitors) and assigns corresponding permission levels. Each group of course is expected to have users added to them. Below is a screenshot for a sample site at the root of a site collection.
Now notice that by default, the group “Members” is assigned the Edit permission level. Naturally, you would assume that Team site members would have the ability to edit documents in a library, which makes perfect sense, until you go back to the permission level itself and read the description of what Edit permission means. It says that the Edit permission level can “Add, edit and delete lists, in addition to adding and deleting documents”. Let me rephrase this: the user or group with the Edit permission level can wipe out, completely remove the library of documents you set up and create a new library instead.
I honestly don’t know why Microsoft decided to give such powers to site team members; it does not make sense to me. I am all for team collaboration, but the ability for someone to delete the library on a project, department, or team site is a bit too much for me. Just for the record, previous versions of SharePoint (2010, etc.) defaulted members to the Contribute permission level.
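Both best practices above can be checked and applied from a script. The following is an added example, not part of the original article: it assumes SharePoint Online with the community PnP.PowerShell module installed and an English-language site (permission level names are localized). The site URL, the custom level name and the interactive sign-in are placeholders; use whatever authentication your tenant requires.

```powershell
# Added example (not from the original article). Assumes PnP.PowerShell and
# site collection administrator rights. $SiteUrl and $CustomLevel are
# hypothetical values chosen for illustration.
param(
    [string]$SiteUrl     = "https://contoso.sharepoint.com/sites/project-x",
    [string]$CustomLevel = "Contribute - No Delete",
    [switch]$Remediate   # without this switch the script only reports
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Best Practice #1: leave the default "Contribute" level untouched and
# clone it into a new level with "Delete Items" removed (Scenario 1).
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $CustomLevel)) {
    if ($Remediate) {
        Add-PnPRoleDefinition -RoleName $CustomLevel -Clone "Contribute" `
            -Exclude DeleteListItems `
            -Description "Add and edit items, but not delete them"
    } else {
        Write-Host "Would create permission level '$CustomLevel'"
    }
}

# Best Practice #2: report what the default Members group was granted.
$members = Get-PnPGroup -AssociatedMemberGroup
$levels  = Get-PnPGroupPermissions -Identity $members |
           Select-Object -ExpandProperty Name
Write-Host "$($members.Title): $($levels -join ', ')"

if ($levels -contains "Edit") {
    Write-Warning "'$($members.Title)' has Edit: members can delete lists and libraries."
    if ($Remediate) {
        # Grant Contribute first, then remove Edit, so members are never
        # left without access between the two calls.
        Set-PnPGroupPermissions -Identity $members -AddRole "Contribute"
        Set-PnPGroupPermissions -Identity $members -RemoveRole "Edit"
    }
}
```

Run it without `-Remediate` first to see the current assignment. To give members the no-delete level from Scenario 1 instead, pass `$CustomLevel` to `-AddRole` in place of "Contribute".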