Blog written by:
SharePoint & .Net Consultant
Content Management is one of the major and widely used offerings of SharePoint. SharePoint portals are setup and used effectively for better content management. When the content comes in to the picture, the major area of focus is to present the right set of content to right users. Permission levels in SharePoint helps to define the governance around this.
In this article, we will explore what are permission levels, and best practices on how it can be setup effectively, how to assign permission levels to SharePoint group.
Planning the Permissions
SharePoint consists of many artifacts that represents a site, list, library, list item or document, or folder. These artifacts are generally referred as securable objects. Each of this securable object has its own role assignment. A role assignment represents a user (person) or a group.
SharePoint Permission levels are defined sets of actions a user can execute on a site, list or an item/document.
The permissions can be setup at as:
- Site Permissions
- List Permissions
- Personal Permissions
The permission levels include:
|Full Control||Includes all permissions.|
|Design||Includes permissions that enable users to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer 2013.|
|Edit||Includes permissions that enable users to add, edit and delete lists; can view, add, update and delete list items and documents.|
|Contribute||Includes permissions that enable users to add or change items on the site pages or in lists and document libraries.|
|Read||Includes permissions that enable users to view items and site pages.|
|Limited Access||Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving access to all the elements of a site. You cannot edit this permission level directly.|
|View Only||Includes permissions that enable users to view pages, list items, and documents.|
|Approve||Includes permissions to edit and approve pages, list items, and documents.|
|Manage Hierarchy||Includes permissions to sites and edit pages, list items, and documents.|
|Restricted Read||Includes permissions to view pages and documents, but not historical versions or permissions information.|
Custom Permission Levels
In the circumstances where out of the box permission levels are not sufficient, we can create custom permission levels as a set of available permission levels. Below are few scenarios, where in we can think of creating custom permission levels:
- Need to define unique set of permissions
- Exclude several permissions from predefined permission level
- Default permission level does not include permission that user should have
Access and Configure Permission Levels
User should have Admin privileges to site collection to access and configure permission levels.
- Navigate to root site collection
- Click Site Settings
- Under Users and Permissions, click Site Permissions
- The ribbon allows to view and configure the permission levels
- Click Permission Levels to see the available permission levels
SharePoint Group allows to manage set of users at once instead of managing them individually. The group can contain many individual users. Users can be organized in any number of groups depending upon business scenarios.
Below are out of box groups in SharePoint site.
|Group||Default permission level||Description|
|Owners||Full Control||Group with full control permissions on SharePoint site|
|Members||Edit||Group with edit permissions on SharePoint site|
|Visitors||Read||Group with read permissions on SharePoint site|
Publishing sites in SharePoint has additional set of SharePoint groups as below
|Group||Default permission level||Description|
|Restricted Readers||Restricted Read to the site, plus Limited Access to specific lists||Members of this group can view pages and documents but cannot view historical versions or review user rights information.|
|Style Resource Readers||Read to the Master Page Gallery and Restricted Read to the Style Library||Members of this group are given Read permission to the Master Page Gallery and Restricted Read permission to the Style Library. By default, all authenticated users are a member of this group.|
|Designers||Design, Limited Access||Members of this group can to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer.|
|Approvers||Approve, Limited Access||Members of this group can edit and approve pages, list items, and documents.|
|Hierarchy Managers||Manage Hierarchy, Limited Access||Members of this group can create sites, lists, list items, and documents.|
Users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Monitor and Control
- Identify and assign the roles to users in SharePoint portal.
- Define a process to periodically review the assigned permissions.
- If needed, use any tool for monitoring
In this article, we have developed a PowerShell script to get a ‘Entire Site Collection Permissions Report’ from SharePoint online in CSV format.
This script will:
- Check and print Site Collection (Root) site Permission to the CSV
- Iterates through Sub Sites recursively and print following properties [Site Name, Site URL, Group Name, Group Permission Level] to the CSV
This script will NOT:
- Iterate through Web Application
Note: To run this script one should have Site Collection administrator rights.
The script will iterate through each Site in the provided Site Collection URL. It will also iterate through all the subsites in the Site Collection recursively. Below is the screenshot of the permission report generated in CSV format.
You can download the entire PowerShell script from Here.
Never modify out of box SharePoint permission levels
Refrain yourselves from modifying the out of box permission levels, instead create a new one (use the Make a Copy option) irrespective of major or minor modifications.
Assign Permissions to Groups instead of individual users
Maintain the practice of creating SharePoint Groups and assign permissions to groups. Users can be added or removed from groups as needed and could help reduce ongoing maintenance as users change.
Assign permissions at the highest possible level
Arrange documents that requires unique permissions in document libraries which supports specific group permissions. Use Active Directory (AD) groups whenever possible. Use SharePoint Groups when there may not be an Active Directory group that fits your needs.
Permission Levels is an integral part of SharePoint permissions management and securing your content in SharePoint.
It is vital to have a solid understanding of Permission Levels used in your environment, and will ensure you and your team know what users can actually do, before they actually do them!