
SharePoint Permissions

Some sites in an enterprise probably contain content that should not be available to all
users. For example, proprietary technical information should be accessible only on a
need-to-know basis. An intranet portal for employee benefits should be available only
to full-time employees, whereas the home page of an Internet Web site is accessible by
anonymous clients.

Permissions control access to sites and site content. You can manage permissions by
using SharePoint groups, which control membership. Fine-grained permissions also help
to secure content at the item and document level.

Companies are now all too aware that protecting their data, even when it is stored in on-premises systems, is a priority for all staff, not just the traditional admin role. The situation today is very different from when security was only the administrator's concern. Tools like SharePoint and Office 365 allow users to create their own sites and content repositories, and almost everyone carries a tablet or smartphone at work. More delicate still, tools like Dropbox make it easy for end users to poke holes in an organization's well-thought-out security policies without much effort.

SharePoint security best practice states that you should use groups as much as you can when assigning permissions. Using groups creates a more maintainable security model: permissions are applied to the group as a whole, not to individual people. When the time comes to adjust permissions, you adjust the group, not individual people. You can also easily add users to or remove users from the group without having to worry about specific permission levels.

SharePoint is useful for thousands of organizations worldwide because it facilitates sharing documents on private web servers.

SharePoint has excellent features to share or restrict access to different structural elements.
When it comes to permissions, a common means of controlling productive collaboration, users
can be granted different levels of control of Sites, Lists/Libraries, Folders or List
Items/Documents, known as objects.

Such permissions can be granted directly to individual user accounts, to a SharePoint group of users, or to Active Directory groups. You can grant access to the whole site, restrict access to a specific library, or configure unique permissions for certain items so that they are shared with everyone. You can also split information into different folders of one library and share each folder's content with different groups of users in your organization.

There are five levels at which permissions can be assigned:

1. Site collection
2. Site
3. List / Document library
4. Folder
5. List Item / Document

Permissions are inherited from the top level down, so if you grant a group access to a site, all users in that group will be able to manage documents in any library of that site. However, at any level you can break inheritance and configure unique permissions, which then apply at that level and to all nested objects below it.

It is highly recommended to use the built-in SharePoint groups for communication sites and to manage team site permissions through the associated SharePoint groups.

A SharePoint group is a collection of users who all have the same set of permissions to sites and content.
Rather than assign permissions one person at a time, you can use groups to conveniently assign the
same permission level to many people at once.

If you work on a site, you are working inside a site collection. Every site exists in a site collection, which is a group of sites under a single top-level site. The top-level site is called the root site of the site collection.

Inheritance

An important concept to understand is permissions inheritance. By design, all the sites and site
content in a collection inherit the permissions settings of the root or top-level site. When you
assign unique permissions to sites, libraries, and items, those items no longer inherit
permissions from their parent site. Here's more information on how permissions work within
the hierarchy:

• A site collection administrator configures permissions for the top-level site or root site for the whole collection.
• If you are a site owner, you can change permission settings for the site, which stops permission inheritance for the site.
• Lists and libraries inherit permissions from the site to which they belong. If you are a site owner, you can stop permissions inheritance and change the permission settings for the list or library.
• List items and library files inherit permissions from their parent list or library. If you have control of a list or library, you can stop permissions inheritance and change permission settings directly on a specific item.

It is important to know that a user can interrupt the default permission inheritance for a list or
library item by sharing a document or item with someone who does not have access. In that
case, SharePoint automatically stops inheritance on the document.

Just like you can break inheritance from subsite to parent site, you can also break inheritance between various web parts and a site itself. Say, for example, you need to hide a document library or make it read-only to Site Members. What you can do is break inheritance from a library to the site and create unique security for it. While sometimes this might be necessary, this should be an exception, not a rule.
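Because every broken inheritance is an exception that has to be reviewed, a useful first step is to find them all. The script below is an added example (not from the original document or its sources) that uses the PnP.PowerShell module to list every library and item in a SharePoint Online site with unique permissions, together with who holds them; the site URL and output path are placeholders.

```powershell
# Added example, not part of the original document: audit a SharePoint Online site
# for lists and items whose permission inheritance has been broken, using the
# PnP.PowerShell module. The site URL and output path are placeholders.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/PLACEHOLDER-SITE",
    [string]$OutCsv  = ".\unique-permissions.csv",
    [int]$MaxItemsPerList = 2000
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Turn one role assignment into "scope / object / who / principal kind / levels".
function Format-Assignment {
    param($Assignment, [string]$Scope, [string]$Object)
    Get-PnPProperty -ClientObject $Assignment -Property Member, RoleDefinitionBindings | Out-Null
    # Limited Access is added by SharePoint itself when a child has unique permissions; skip it.
    $levels = $Assignment.RoleDefinitionBindings |
        Where-Object { $_.Name -ne "Limited Access" } | ForEach-Object { $_.Name }
    [pscustomobject]@{
        Scope         = $Scope
        Object        = $Object
        Principal     = $Assignment.Member.Title
        PrincipalType = $Assignment.Member.PrincipalType   # User, SecurityGroup, SharePointGroup
        Levels        = ($levels -join ", ")
    }
}

$findings = @()

# Hidden/system lists are skipped; only user-facing lists and libraries matter here.
foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

    if ($list.HasUniqueRoleAssignments) {
        foreach ($ra in $list.RoleAssignments) {
            $findings += Format-Assignment $ra "List" $list.Title
        }
    }

    # Items with their own permissions are usually the result of someone clicking Share.
    $items = Get-PnPListItem -List $list -PageSize 500 | Select-Object -First $MaxItemsPerList
    foreach ($item in $items) {
        Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
        if (-not $item.HasUniqueRoleAssignments) { continue }
        Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
        foreach ($ra in $item.RoleAssignments) {
            $findings += Format-Assignment $ra "Item" "$($list.Title) / item $($item.Id) $($item['FileLeafRef'])"
        }
    }
}

# Drop entries that only carried Limited Access; sort so direct user grants (PrincipalType
# User) come first, since those are the ones best practice says to avoid.
$findings = $findings | Where-Object { $_.Levels }
$findings | Sort-Object PrincipalType, Scope, Object |
    Format-Table Scope, Object, PrincipalType, Principal, Levels -AutoSize
$findings | Export-Csv -Path $OutCsv -NoTypeInformation
```

Review the rows with PrincipalType User first: each one is a permission granted to a person rather than a group and will silently stop tracking changes made to the parent.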

Every site has these three default security groups associated with it:

• Site Owners
• Site Members
• Site Visitors

• Site Visitors are your read-only users. The only thing these users can do is read and download.
• Site Members are add/edit/delete users. These users can read and download and can also add, edit and delete content (documents, pages, announcements, events). They can also share content with others.
• Site Owners are your full control users. These users can do everything Visitors and Members can do, add additional web parts and manage navigation.

Every default security group has a default permission level assigned.

• Site Owners = Full Control
• Site Members = Edit
• Site Visitors = Read

There are other default permission levels that exist as well. Here is a complete list:

• Full Control – Has full control
• Design – Can view, add, update, delete, approve, and customize
• Edit – Can add, edit and delete lists; can view, add, update and delete list items and documents
• Contribute – Can view, add, update, and delete list items and documents
• Read – Can view pages and list items and download documents
• View – Can view pages, list items, and documents but not download

SharePoint permission levels tell the group what users can or cannot do. While it is considered best practice to only use default permission levels, you can also create custom ones.

• Full Control - These users have all possible SharePoint permissions, and this permission is granted to all members of the Owners group by default. Be careful about which users you place in the Owners security group or otherwise grant Full Control permission. The best practice here is to only grant a limited number of administrators this permission.
• Edit - This permission enables users to add, edit, and delete lists, and to view, add, update, and delete documents and list items. By default, all users in the Members security group have this permission. So don't place users in the Members group who only need to view, read, or contribute documents.
• Design - Users with this permission can create lists and document libraries. They can also make sites look pretty by editing pages and applying themes, style sheets, and borders. No security group is assigned this permission automatically. So if you want some users who aren't administrators in your Owners group with Full Control to be able to make aesthetic changes to your SharePoint site pages, you'll have to manually assign this permission to another group or to individual users.
• Contribute - This is a more limited version of the Edit permission. Users with the Contribute permission can add, update, view, and delete documents and list items.
• Read - This permission should be granted to users who just need to view and download documents, and may also need to see historical versions of documents.
• Restricted Read - These users can view pages and documents, but they can't see historical versions of documents or user permissions. In most cases where a user only needs to be able to read the documents on a site, this is the best permission to grant them.
• View Only - These users can view pages, items and documents. They can only download documents that cannot be viewed in their web browser.
• Limited Access - This permission only grants users some access to a specific page or file as opposed to an entire site. This level is automatically assigned by SharePoint when you provide access to one specific item. You can't directly grant this permission to any user or group. If you grant a user edit or open permissions to a document, by default they'll receive Limited Access to other required locations in order to open that document, such as other areas on the site.
• Approve - These users can edit and approve documents, list items, and pages. By default, members of the Approvers security group acquire this permission. Users in your Approvers group can be thought of as sub-administrators, and you should limit the number of Approvers as you limit your number of administrators with Full Control.
• Manage Hierarchy - This permission allows users to create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group. Like your Approvers group, you should also think of these users as sub-administrators and limit the number of those users accordingly.

With SharePoint security in mind, permissions can be granted to SharePoint users in a similar way that permissions are granted to Windows users. If you're used to using Active Directory to administer NTFS permissions within your organization, you can think of site collections as equivalent to volumes, sites as equivalent to folders, and documents as equivalent to individual files. Permission inheritance works according to that hierarchy. So, for example, if you grant a user an Edit permission to a site collection, by default they may also edit within each site in the collection and all of the documents in all of those sites.

If you don’t have access to something, it is invisible to you. When your Site Members or Site Visitors
click Share in the upper-right-hand corner of a site, and share a site with someone else, they
inadvertently add those other users to the Site Members Group.

• Roles and responsibilities (ex: You need the approval of whom to create a new team site.)
• Rules (ex: You can't upload a very big file without the approval of the administrator.)
• Guidelines (ex: Files that haven't been modified for # days must be checked and deleted if not useful.)
• The platform allows administrators to apply levels to different users and groups which determine what and how much they can see. These levels are an essential part of managing security and, when managed correctly, mean administrators can sleep easy, knowing security is taken care of.
• There are a variety of permission levels which allow users to access the resources they need. They tend to group actions and define what users can and can't see within your enterprise IT solution. You may not want some users to be able to see a certain site at all, or in other cases you might just want to let them see certain lists and libraries but not be able to change or contribute to them.
• SharePoint and Office 365 include a number of default permission levels which will cover the needs of most organisations. You may wish to customize these permission levels for the specific needs of your business because of unique roles and jobs within your company or because certain employees carry out unusual tasks. While customization is possible, it can be complex, as administrators need to ensure that there are no breaks in inheritance and that the permission levels are secure.

Default permission levels

Below is a complete list of the permission levels, what they do and who they are for:

Full control
• For Site collection owners.
• Contains all available SharePoint permissions, meaning individuals and groups can carry out any activity - from creating sites to editing lists and libraries or deleting documents.

Design
• For IM teams, IT and Site collection owners if they wish.
• Allows users to edit pages and change their format (style, borders, and theme). Also lets users create lists and document libraries.

Edit
• For Group Members - typically heads of departments/the person running a department's site.
• Lets users add, edit, and delete lists.

Contribute
• For anyone invited to work on a project, usually more junior staff members.
• Lets you view, add, update, and delete list items and documents, but no more.

Read
• Usually for someone invited to participate in work but not to make changes.
• It is only possible to view pages and items in existing lists and download documents.

Limited access
• Unusual in that it only allows access to specific content opened to specific users.
• Lets users navigate to a particular page and only see the content available there.

Approve
• The approvers group are usually more senior staff who give the final 'go-ahead' to documents.
• This permission level lets them edit and approve pages, list items and documents.

Manage hierarchy
• Also for administrators.
• Lets you create sites, edit pages, list items and documents.

Restricted read
• Again, for low level employees or external parties.
• Lets users view pages and documents but not see historical versions or other user permissions.

View only
• The most limited access type, only for those who have the most limited permissions.
• Can only view pages, items and documents, and these can only be viewed if the individual has a server-side file handler - it's not possible to download them.

Customize permissions for a SharePoint list or library

As an administrator or owner of a library, list, or survey, you can change permissions to let the right people access the data they need while restricting others.

By default, all sites, lists, and libraries in a site collection inherit permissions settings from the site that is directly above them in the site hierarchy. This means a site inherits permissions from the root site of the site collection, and a subsite inherits permissions from its parent site. Folders, lists and documents inherit permissions from the site that contains them, and so on.

To assign unique permissions to a list, library, or survey, you have to first break permissions inheritance, then assign unique permissions. You can do all of this on the Permissions page.

Note: When a user shares a document or other individual item, inheritance is automatically broken for that item. Inherited permissions are copied to the item, and permissions for the users with whom the item was shared are added. But if changes in permissions are made to the parent item, those changes are not applied to the item.

For a list or library

1. Go to the library or list and open it.
2. Select Settings, and then Library settings or List settings.
   If you don't see Settings, choose the Library or List tab to open the ribbon, and then select Library Settings or List Settings on the ribbon.
3. On the Settings page, under Permissions and Management, select Permissions for this list or Permissions for this document library.

For a survey

1. Open the survey.
2. Select Settings.
3. Select the dropdown, and select Survey Settings.
4. On the Settings page, under Permissions and Management, select Permissions for this survey.

Break permission inheritance

When you break permissions inheritance for a list, library, or survey and then define new permission
settings, the list (or library) becomes a parent for items in it. Items under that parent now inherit the
new permission settings (unless the items have uniquely defined permissions.)

To break inheritance and assign unique permissions, follow these steps:

1. Go to the list, library, or survey and open it.
2. Go to the Permissions page.
3. To break permissions inheritance from the parent, select Stop Inheriting Permissions.

Assign unique permissions

You must break inheritance from the parent site before you can grant unique permissions.
Once you've broken inheritance using the steps in the section above, follow these steps to
grant unique permissions:

1. Go to the list, library, or survey and open it.
2. Go to the Permissions page.
3. Select Grant Permissions on the Permissions tab.

   Note: If the list or library is inheriting from the parent, you won't see Grant Permissions.

4. In the Share... dialog box, make sure Invite people is selected, and then type the names of the people or group you want to grant access to in the Enter names or email addresses... box.
5. Select the group you want to grant access to in the Enter names or email addresses... box.
6. Add a personal message if you like.
7. Check or uncheck Share everything in this folder, even items with unique permissions. This will grant or restrict access to items you already set unique permissions for. (This option is only available for folders.)
8. The permission level granted is set to Edit by default, which means the people you invite can make some changes to the list, library, or survey. If you want to grant a different permission level like Read only, click Show options and change the selection in the Select a permission level box.
9. An email message will be sent to everyone in the Invite people box. If you don't want this to happen, click Show options, and uncheck Send an email invitation.

When you're done, click Share.

In some cases, you might want to create a Windows Active Directory security group and grant access to
a library or list for all the people in the Windows security group. For example, you might want to grant
your whole team access to a list by adding the team security group to a SharePoint group. Then, when
new people join your team, you grant them appropriate permissions by just adding them to the
appropriate Windows security group.

Change permissions

You must break inheritance from the parent site before you can change unique permissions.
Once you've broken inheritance using the steps in the section above, follow these steps to
change permissions:

1. Go to the list, library, or survey and open it.
2. Go to the Permissions page for the list, library, or survey.
3. In the Name list, select the checkbox next to the name of the user or group that you want to change permission levels for.
4. Select Edit User Permissions.
5. Under Permissions, check the box for the permission level you want for the users or groups you selected.

Remove user permissions

To remove permissions from users or groups that you have granted access to, follow these
steps:

1. Go to the list, library, or survey and open it.
2. Go to the Permissions page for the list, library, or survey.
3. In the Name list, select the checkbox next to the name of the user or group that you want to remove permissions from.
4. Select Remove User Permissions.

The permissions page updates to show that the group or user no longer has permissions to the
list.

Restore inheritance to delete all unique permissions

When you break permissions inheritance between a site, folder, list, library, list item, or
document and its parent, you can restore inheritance at any time, which removes any custom
permissions you set.

1. Go to the list, library, or survey and open it.
2. Go to the Permissions page for the list, library, or survey.
3. On the Permissions tab (for a list or a library), select Delete unique permissions.
4. Select OK.
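The Stop Inheriting Permissions, Grant Permissions and Delete unique permissions procedures above, scripted with the PnP.PowerShell module so they can be repeated consistently and granted to a group rather than to individuals. This is an added example, not from the original document or its sources; the site URL, library name and group name are placeholders.

```powershell
# Added example, not part of the original document: the Stop Inheriting Permissions,
# Grant Permissions and Delete unique permissions steps, scripted with the
# PnP.PowerShell module. Site URL, library and group names are placeholders.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/PLACEHOLDER-SITE",
    [string]$Library = "PLACEHOLDER-Library",
    [string]$Group   = "PLACEHOLDER-Readers",   # a SharePoint group, not individual users
    [switch]$Restore                             # re-inherit from the site instead
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Print the library's current role assignments so each change can be verified.
function Show-LibraryPermissions {
    param([string]$Title)
    $list = Get-PnPList -Identity $Title
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
    Write-Host "$Title has unique permissions: $($list.HasUniqueRoleAssignments)"
    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host ("  {0,-40} {1}" -f $ra.Member.Title, $levels)
    }
}

if ($Restore) {
    # "Restore inheritance to delete all unique permissions": every unique assignment
    # on the library is dropped and it inherits from the site again.
    Set-PnPList -Identity $Library -ResetRoleInheritance
    Show-LibraryPermissions $Library
    return
}

# Step 1 (Stop Inheriting Permissions). -CopyRoleAssignments keeps the inherited entries
# as the starting point, as the UI does, so nobody loses access by surprise. From here on,
# permission changes made on the site no longer flow down to this library.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments

# Step 2 (Grant Permissions): give the group Read rather than the default Edit level.
Set-PnPListPermission -Identity $Library -Group $Group -AddRole "Read"

# The "make it read-only to Site Members" case: on this library only, replace the
# associated members group's Edit with Read.
$members = Get-PnPGroup -AssociatedMemberGroup
Set-PnPListPermission -Identity $Library -Group $members.Title -RemoveRole "Edit" -AddRole "Read"

Show-LibraryPermissions $Library
```

Run it once more with -Restore to undo the customisation, which is the scripted form of Delete unique permissions.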

Source

https://sharepointmaven.com/sharepoint-permissions-simplified/

https://support.microsoft.com/en-us/office/customize-permissions-for-a-sharepoint-list-or-library-02d770f3-59eb-4910-a608-5f84cc297782

https://docs.microsoft.com/en-us/sharepoint/sites/user-permissions-and-permission-levels

https://sharegate.com/blog/five-crucial-sharepoint-security-tips-to-know
