Some sites in an enterprise probably contain content that should not be available to all
users. For example, proprietary technical information should be accessible only on a
need-to-know basis. An intranet portal for employee benefits should be available only
to full-time employees, whereas the home page of an Internet Web site is accessible by
anonymous clients.
Permissions control access to sites and site content. You can manage permissions by
using SharePoint groups, which control membership. Fine-grained permissions also help
to secure content at the item and document level.
Companies are now all too aware that protecting their data, even when it
is stored in on-premises systems, is a priority for all staff, not just the
traditional admin role.
These days, the situation is very different. Tools like SharePoint and
Office 365 allow users to create their own sites and content
repositories, and almost everyone carries a tablet or smartphone at work.
Even more delicate, tools like Dropbox make it easy for end users to
poke holes in an organization's well thought out security policies
without much effort.
SharePoint security best practice states that you should use groups as
much as you can when assigning permissions. Using groups creates a
more maintainable security model: permissions are applied to the
group as a whole, not to individual people. When the time comes to
adjust permissions, you adjust the group, not individual people.
You can also easily add or remove users in the group without having
to worry about specific permission levels.
SharePoint is useful for thousands of organizations worldwide because it facilitates sharing
documents on private web servers.
SharePoint has excellent features to share or restrict access to different structural elements.
Permissions are the usual means of controlling collaboration: users can be granted different
levels of control over Sites, Lists/Libraries, Folders and List Items/Documents, collectively
known as objects.
Such permissions can be granted directly to individual user accounts, to a group of users, or
to Active Directory groups. You can grant access to the whole site, restrict access to a specific
library, and configure unique permissions for certain items to share them with everyone. You
can also split information across different folders of one library and share their content with
different groups of users in your organization. The objects form this hierarchy:
1. Site collection
2. Site
3. List / Document library
4. Folder
5. List Item / Document
Permissions are inherited from the top level down, so if you share access to a site with a
group, all users in that group will be able to manage documents in any library of that site.
However, at any level you can break inheritance and configure unique permissions, which then
apply at that level and to all nested objects below it.
It is highly recommended to use the built-in SharePoint groups for communication sites and to
manage team site permissions through the associated SharePoint groups.
A SharePoint group is a collection of users who all have the same set of permissions to sites and content.
Rather than assign permissions one person at a time, you can use groups to conveniently assign the
same permission level to many people at once.
If you work on a site, you are working inside a site collection. Every site exists in a site collection,
which is a group of sites under a single top-level site. The top-level site is called the root site of
the site collection.
Inheritance
An important concept to understand is permissions inheritance. By design, all the sites and site
content in a collection inherit the permissions settings of the root or top-level site. When you
assign unique permissions to sites, libraries, and items, those items no longer inherit
permissions from their parent site. Here's more information on how permissions work within
the hierarchy:
A site collection administrator configures permissions for the top level site or root site
for the whole collection.
If you are a site owner, you can change permission settings for the site, which stops
permission inheritance for the site.
Lists and libraries inherit permissions from the site to which they belong. If you are a site
owner, you can stop permissions inheritance and change the permission settings for the
list or library.
List items and library files inherit permissions from their parent list or library. If you have
control of a list or library, you can stop permissions inheritance and change permissions
settings directly on a specific item.
It is important to know that a user can interrupt the default permission inheritance for a list or
library item by sharing a document or item with someone who does not have access. In that
case, SharePoint automatically stops inheritance on the document.
Just as you can break inheritance between a subsite and its parent site, you can also break
inheritance between the various web parts of a site and the site itself. Say, for example, you need
to hide a document library or make it read-only to Site Members. What you can do is break
inheritance from the library to the site and create unique security for it. While this is sometimes
necessary, it should be an exception, not a rule.
Every site has these three default security groups associated with it:
Site Owners
Site Members
Site Visitors
Site Visitors are your read-only users. The only thing these users can do is read and
download.
Site Members are add/edit/delete users. These users can read and download and can
also add, edit and delete content (documents, pages, announcements, events). They can
also share content with others.
Site Owners are your full control users. These users can do everything Visitors and
Members can do, and can also add web parts and manage navigation.
Every default security group has a default permission level assigned.
SharePoint permission levels define what the members of a group can and cannot do. While it is
considered best practice to use only the default permission levels, you can also create custom ones.
Other default permission levels exist as well. Here is a complete list:
Full Control - These users have all possible SharePoint permissions, and this
permission is granted to all members of the Owners group by default. Be
careful about which users you place in the Owners security group or otherwise
grant Full Control permission. The best practice here is to only grant a limited
number of administrators this permission.
Edit - This permission enables users to add, edit, and delete lists, and to view,
add, update, and delete documents and list items. By default, all users in the
Members security group have this permission. So don't place users in the
Members group who only need to view, read, or contribute documents.
Design - Users with this permission can create lists and document libraries.
They can also make sites look pretty by editing pages, applying themes, style
sheets, and borders. No security group is assigned this permission
automatically. So if you want some users to be able to make aesthetic
changes to your SharePoint site pages who aren't administrators in your
Owners group with Full Control, then you'll have to manually assign this
permission to another group or to individual users.
Contribute - This is a more limited version of the Edit permission. Users with
the Contribute permission can add, update, view, and delete documents and
list items.
Read - This permission should be granted to users who just need to view and
download documents, and may also need to see historical versions of
documents.
Restricted Read - These users can view pages and documents, but they can't
see historical versions of documents or user permissions. In most cases
where a user only needs to be able to read the documents on a site, this is the
best permission to grant them.
View Only - These users can view pages, items and documents. They
can only download documents that cannot be viewed in their web
browser.
Limited Access - This permission only grants users some access to a
specific page or file as opposed to an entire site. This level is
automatically assigned by SharePoint when you provide access to one
specific item. You can't directly grant this permission to any user or
group. If you grant a user edit or open permissions to a document, by
default they'll receive Limited Access to other required locations in order
to open that document, such as other areas on the site.
Approve - These users can edit and approve documents, list items, and
pages. By default, members of the Approvers security group acquire
this permission. Users in your Approvers group can be thought of as
sub-administrators and you should limit the number of Approvers as you
limit your number of administrators with Full Control.
Manage Hierarchy - This permission allows users to create sites and edit
pages, list items, and documents. By default, this permission level is
assigned to the Hierarchy Managers group. Like your Approvers group,
you should also think of these users as sub-administrators and limit the
number of those users accordingly.
With SharePoint security in mind, permissions can be granted to SharePoint
users in a similar way that permissions are granted to Windows users. If
you're used to using Active Directory to administer NTFS permissions within
your organization, you can think of site collections as equivalent to volumes,
sites as equivalent to folders, and documents as equivalent to individual files.
Permission inheritance works according to that hierarchy. So, for example, if
you grant a user Edit permission on a site collection, by default they may also
edit within each site in the collection and all of the documents in all of those
sites.
If you don’t have access to something, it is invisible to you. When your Site Members or Site Visitors
click Share in the upper-right-hand corner of a site, and share a site with someone else, they
inadvertently add those other users to the Site Members Group.
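As an added example (not code from the page or from any of its sources), the following PnP PowerShell script audits a site for the anti-patterns described above: lists and libraries that have broken inheritance, permissions granted directly to individual users instead of groups, and Full Control held by anything other than the Owners group. It assumes the PnP.PowerShell module is installed and that you hold rights on the site; the site URL is a placeholder.

```powershell
# Added example, not from the page or Microsoft. Requires PnP.PowerShell.
# The site URL is a placeholder; replace it with a site you administer.
param([string]$SiteUrl = "https://contoso.example/sites/finance")

Connect-PnPOnline -Url $SiteUrl -Interactive

$findings = foreach ($list in Get-PnPList) {
    # Skip hidden system lists; only user-facing lists and libraries matter here
    if ($list.Hidden) { continue }

    # A list that still inherits from the site carries no unique grants to review
    $unique = Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }

    # Inheritance was broken: inspect who holds which permission level on it
    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member    = Get-PnPProperty -ClientObject $ra -Property Member
        $roles     = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        $roleNames = ($roles | ForEach-Object Name) -join ", "

        # Finding 1: a permission granted to a person rather than to a group
        if ($member.PrincipalType -eq "User") {
            [pscustomobject]@{ List = $list.Title; Principal = $member.Title
                               Roles = $roleNames; Issue = "Direct user grant" }
        }
        # Finding 2: Full Control held by anything other than the site Owners group
        if ($roleNames -match "Full Control" -and $member.Title -notmatch "Owners$") {
            [pscustomobject]@{ List = $list.Title; Principal = $member.Title
                               Roles = $roleNames; Issue = "Full Control outside Owners" }
        }
    }
}

# One row per finding; an empty table means every list follows the site's groups
$findings | Sort-Object List, Principal | Format-Table -AutoSize
```

The script inspects list-level permissions only; items that were individually shared (which also break inheritance, as described below) would need the same loop applied to the list's items.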
The other default permission levels are Edit, Contribute, Read, Limited access, Approve, Manage
hierarchy and Restricted read.
The most limited access type, for users who need only the most limited permissions, allows
users to view pages, items and documents only; these can be viewed only if the individual has a
server-side file handler, and it is not possible to download them.
As an administrator or owner of a library, list, or survey, you can change permissions to let the right
people access the data they need while restricting others.
By default, all sites, lists, and libraries in a site collection inherit permissions settings from the site that is
directly above them in the site hierarchy. This means a site inherits permissions from the root site of the
site collection, and a subsite inherits permissions from its parent site. Folders, lists and documents
inherit permissions from the site that contains them, and so on.
To assign unique permissions to a list, library, or survey, you have to first break permissions inheritance,
then assign unique permissions. You can do all of this on the Permissions page.
Note: When a user shares a document or other individual item, inheritance is automatically broken for
that item. Inherited permissions are copied to the item, and permissions for the users with whom the
item was shared are added. But if changes in permissions are made to the parent item, those changes
are not applied to the item.
If you don't see Settings, choose the Library or List tab to open the ribbon, and then
select Library Settings or List Settings on the ribbon.
On the Settings page, under Permissions and Management, select Permissions for this list or
Permissions for this document library.
For a survey
4. On the Settings page, under Permissions and Management, select Permissions for this
survey.
Break permission inheritance
When you break permissions inheritance for a list, library, or survey and then define new permission
settings, the list (or library) becomes a parent for items in it. Items under that parent now inherit the
new permission settings (unless the items have uniquely defined permissions).
You must break inheritance from the parent site before you can grant unique permissions.
Once you've broken inheritance using the steps in the section above, follow these steps to
grant unique permissions:
Note: If the list or library is inheriting from the parent, you won't see Grant Permissions.
4. In the Share... dialog box, make sure Invite people is selected, and then type the names
of the people or group you want to grant access to in the Enter names or email
addresses... box.
5. Select the group you want to grant access to in the Enter names or email addresses...
box.
In some cases, you might want to create a Windows Active Directory security group and grant access to
a library or list for all the people in the Windows security group. For example, you might want to grant
your whole team access to a list by adding the team security group to a SharePoint group. Then, when
new people join your team, you grant them appropriate permissions by just adding them to the
appropriate Windows security group.
Change permissions
You must break inheritance from the parent site before you can change unique permissions.
Once you've broken inheritance using the steps in the section above, follow these steps to
change permissions:
5. Under Permissions, check the box for the permission level you want for the users or
groups you selected.
Remove user permissions
To remove permissions from users or groups that you have granted access to, follow these
steps:
The permissions page updates to show that the group or user no longer has permissions to the
list.
When you break permissions inheritance between a site, folder, list, library, list item, or
document and its parent, you can restore inheritance at any time, which removes any custom
permissions you set.
4. Select OK.
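The break, grant, remove and restore steps above, scripted with PnP.PowerShell as an added example (not code from the page or from Microsoft). The site URL, library name, group name, user login and the role being removed are placeholders, and the module must be installed.

```powershell
# Added example, not from the page or Microsoft. Requires PnP.PowerShell.
# Every value in param() is a placeholder for your own environment.
param(
    [string]$SiteUrl   = "https://contoso.example/sites/finance",
    [string]$Library   = "Contracts",
    [string]$Group     = "Contracts Readers",
    [string]$UserLogin = "alex@contoso.example"
)
Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Break inheritance. -CopyRoleAssignments keeps the site's current grants as
#    the starting point (the behaviour the page describes for shared items);
#    omit it to start the library from an empty permission set instead.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments

# 2. Grant Read to a SharePoint group rather than to individual users,
#    creating the group first if it does not exist yet.
$existing = try { Get-PnPGroup -Identity $Group -ErrorAction Stop } catch { $null }
if (-not $existing) {
    New-PnPGroup -Title $Group -Description "Read-only access to $Library" | Out-Null
}
Set-PnPListPermission -Identity $Library -Group $Group -AddRole "Read"

# 3. Remove a direct grant left behind by an ad-hoc Share action.
#    "Edit" is the assumed level; use whatever the audit showed for that user.
Set-PnPListPermission -Identity $Library -User $UserLogin -RemoveRole "Edit"

# 4. Verify: print every principal that now holds rights on the library.
$list        = Get-PnPList -Identity $Library
$assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
foreach ($ra in $assignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
    "{0,-40} {1}" -f $member.Title, (($roles | ForEach-Object Name) -join ", ")
}

# 5. Restore inheritance once the exception is no longer needed. This discards
#    all unique permissions set above; the library follows the site again.
# Set-PnPList -Identity $Library -ResetRoleInheritance
```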
Source
https://sharepointmaven.com/sharepoint-permissions-simplified/
https://support.microsoft.com/en-us/office/customize-permissions-for-a-sharepoint-list-or-library-02d770f3-59eb-4910-a608-5f84cc297782
https://docs.microsoft.com/en-us/sharepoint/sites/user-permissions-and-permission-levels
https://sharegate.com/blog/five-crucial-sharepoint-security-tips-to-know