As organizations grow and projects become more complex, managing access to files and information becomes increasingly important. SharePoint, Microsoft’s web-based collaboration platform, offers powerful tools for controlling access to resources, but great power comes with great responsibility. In this comprehensive guide, I will walk you through everything you need to know about SharePoint permission levels, from understanding the default permission levels to creating custom permission levels and managing access at the folder and item levels.
Table of contents
- What Is a Permission Level in SharePoint?
- SharePoint default permission levels
- Creating Custom Permission Levels in SharePoint
- Editing and Managing Permission Levels in SharePoint
- Defining Folder Level Permissions in SharePoint
- How to Change Permission Levels of Users and Groups?
- Understanding Item Level Permissions in SharePoint
- Get all permission levels in SharePoint
- Best Practices for Mastering SharePoint Permission Levels
What Is a Permission Level in SharePoint?
A permission level is a set of permissions that allows a particular user or group to perform specific actions. Each permission level consists of several detailed permissions (such as Create Items, Delete Items, etc.). SharePoint provides these default permission levels: Full Control, Design, Edit, Contribute, and Read (sorted from the highest permission level to the lowest). These levels can be modified to suit your organization’s needs, but it’s important to understand what each level means before you start tinkering with them.
Users and groups must be granted some level of permission to get access to SharePoint sites. This can be done in one of two ways:
- Add the user directly to the SharePoint site/list/list item with the specific permission level
- Add the user or security group to a SharePoint group (which is already assigned with a particular permission level)
Why do we need permission levels in SharePoint? Security! It defines who can do what. The level of access is controlled by the permission level, which you can think of as a security role.
SharePoint default permission levels
- Read – Users can open and view SharePoint content, including documents, pictures, and lists. They will not be able to create, modify, or delete content. This is the default permission level assigned to site visitors.
- Contribute – Allows the user to view, add, update, and delete content, but not create new lists and libraries or manage permissions. This is appropriate for most users who need to collaborate on a project or contribute content to a site.
- Design – Can do everything contributors do, plus create new document libraries, columns, and views, and change the website’s layout by adding or moving web parts.
- Edit – Allows users to manage lists and document libraries, and to edit pages in a site. Assigned to site members by default.
- Full Control – Users can perform any action on the site, including creating and deleting lists and libraries, adding/deleting members, creating alerts, and changing their access. This gives complete control over a site and is typically reserved for site owners.
- View Only – Users can view items, web pages, lists, etc. but can’t download documents. This level is appropriate for users who only need to view content, such as stakeholders or clients.
In addition to the above permission levels for the Team Sites template, we get three more with publishing site templates:
- Approve – Users may approve pages, list items, or documents submitted by others.
- Manage Hierarchy – Users may edit pages, list items, and documents. Manage Hierarchy permissions also allow the users to create sites.
- Restricted Read – Users may view pages and documents; however, historical versions are unavailable.
Creating Custom Permission Levels in SharePoint
While the default permission levels in SharePoint are useful, they may not be enough for your organization’s needs. Fortunately, SharePoint allows you to create custom permission levels that can be tailored to your specific requirements. To create a custom permission level, you’ll need to navigate to the site where you want to create it (as permission levels are scoped at the site level), then follow these steps:
- Click on the gear icon in the top-right corner of the page and select “Site Permissions”.
- Under the “Site Permissions” panel, click on “Advanced Permission Settings”.
- Click on “Permission levels” in the ribbon at the top of the page
- Pick any existing permission level and click on its name. E.g., “Contribute”. Scroll down to the bottom and click on “Copy Permission Level”.
- Give your new permission level a name and optional description. E.g., “Contribute without delete”.
- Select the permissions you want to grant to users at this level. You can select/unselect any available base permissions. E.g., “Open items”, “Edit Items”, “Client integration features”, “Personal views”, “view application pages”, etc.
- Click “Create” to finish creating the custom permissions.
Once you’ve created your custom permission level, you can assign it to individual users or groups, just like any other permission level.
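The same “Contribute without delete” level can be created and assigned from a script. This is an added example using the PnP.PowerShell module, not code from the original post; the group name is a placeholder, and a `Connect-PnPOnline` session against the root site is assumed to be open already.

```powershell
# Added example (PnP.PowerShell). Assumes Connect-PnPOnline has already been run
# against the root site of the site collection by a site owner.
$newLevel = 'Contribute without delete'   # name used in the steps above
$group    = 'Project Members'             # hypothetical SharePoint group

# Copy "Contribute" and leave out the two delete-related base permissions.
# Only create the level if it is missing, so the script can be re-run safely.
if (-not (Get-PnPRoleDefinition | Where-Object { $_.Name -eq $newLevel })) {
    Add-PnPRoleDefinition -RoleName $newLevel -Clone 'Contribute' `
        -Exclude DeleteListItems, DeleteVersions `
        -Description 'View, add and update items; no delete.' | Out-Null
}

# Read the level back and confirm the copy really lacks the delete rights
# before anyone is given it.
$level = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $newLevel }
foreach ($kind in 'DeleteListItems', 'DeleteVersions') {
    if ($level.BasePermissions.Has($kind)) {
        throw "'$newLevel' still grants $kind; fix the level before assigning it."
    }
}

# Move the group from Contribute to the new level. The new level is added
# first so the group is never left without a role assignment on the site.
Set-PnPGroupPermissions -Identity $group -AddRole $newLevel
Set-PnPGroupPermissions -Identity $group -RemoveRole 'Contribute'
```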
Refer to my other post to add a new permission level in SharePoint using the web browser and PowerShell: How to Create a Custom Permission Level in SharePoint?
Editing and Managing Permission Levels in SharePoint
Once you’ve created your custom permission level, you may find that you need to make changes to it over time. Fortunately, SharePoint makes it easy to edit and manage permission levels. To edit the permission level, follow these steps:
- Navigate to the site collection where you want to edit the permission level
- Click on the gear icon in the top-right corner of the page and select “Site Permissions” and then “Advanced Permissions Settings”.
- Click on “Permission levels” in the ribbon at the top of the page
- Find the permission level you want to edit and click on its name
- Make the desired changes to the permissions
- Click “Save”
This allows you to update permissions that are assigned to users and groups, making it easier to manage access to resources across your organization.
Defining Folder Level Permissions in SharePoint
While permission levels are a powerful way to control access to resources in SharePoint, they are not only for sites and lists. You can also define folder-level permissions to further restrict access to specific folders within a site collection. To set folder permissions, follow these steps:
- Navigate to the site or site collection where you want to configure folder level permissions
- Find the folder you want to restrict access to and right-click on the folder and choose “Manage Access”.
- Click on the “…” and choose “Advanced Settings”.
- Click on “Stop Inheriting Permissions”.
- Remove any users or groups that you don’t want to have access to the folder
- Add any users or groups that you want to have access to the folder
- Click “OK”
Once you’ve defined folder level permissions, users can only access the folder if they have been explicitly granted permission to do so. If you want to grant list permissions, refer to: How to Grant Permissions to SharePoint List or Document Library?
How to Change Permission Levels of Users and Groups?
As your organization’s needs change, you may find that you need to change the permission levels of individual users or groups. SharePoint makes it easy to edit permissions. To change a user or group’s permission level, follow these steps:
- Navigate to the site or site collection where you want to change the permission level.
- Click on the settings gear icon in the top-right corner of the page and select “Site Permissions”.
- Under the “Permissions” panel, click on “Advanced Permissions Settings”.
- Find and select the user or group whose permission level you want to change.
- Click on “Edit User Permissions”.
- Select the new permission level you want to assign (or remove any existing permission levels assigned) to the user or group.
- Click “OK” to save your changes.
Once you’ve changed a user or group’s permission level, they will have access to the resources associated with their new permission level.
Understanding Item Level Permissions in SharePoint
In addition to folder level permissions, SharePoint also allows you to set permissions on individual items within a list or library. This can be useful if you want to restrict access to specific files or items within a project. To set item level permissions in SharePoint Online, follow these steps:
- Navigate to the list or library where you want to set item level permissions
- Find the item you want to restrict access to and right-click on the item and choose “Manage Access”.
- Click on the ellipsis (…) on the page and click on “Advanced Permissions”
- Click on “Stop Inheriting Permissions”
- Remove any users or groups that you don’t want to have access to the item
- Add any users or groups that you want to have access to the item
- Click “OK” to commit your changes.
Once you’ve set item level permissions, users will only be able to access the item if they have been explicitly granted permission to do so.
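The folder-level and item-level procedures above follow the same pattern, so one script covers both. This is an added example using PnP.PowerShell, not code from the original post; the library, folder path, item ID, group and user are placeholders, and an open `Connect-PnPOnline` session is assumed.

```powershell
# Added example (PnP.PowerShell). Assumes an existing Connect-PnPOnline session.
# Every name and ID below is a placeholder.
$library   = 'Documents'
$folderUrl = 'Shared Documents/Contracts'   # site-relative folder path
$itemId    = 12
$group     = 'Contracts Team'
$user      = 'reviewer@contoso.com'

# Folder: -ClearExisting removes the existing assignments so the folder does
# not keep what it inherited, then the group gets Contribute on this folder only.
Set-PnPFolderPermission -List $library -Identity $folderUrl `
    -Group $group -AddRole 'Contribute' -ClearExisting

# Item: same pattern, one user gets Read on one item.
Set-PnPListItemPermission -List $library -Identity $itemId `
    -User $user -AddRole 'Read' -ClearExisting

# Confirm the item no longer inherits from the library.
$item = Get-PnPListItem -List $library -Id $itemId
if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) {
    Write-Warning "Item $itemId still inherits permissions."
}

# To undo either change and return to the parent's permissions:
# Set-PnPListItemPermission -List $library -Identity $itemId -InheritPermissions
# Set-PnPFolderPermission   -List $library -Identity $folderUrl -InheritPermissions
```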
Get all permission levels in SharePoint
To get all permission levels available on your SharePoint site collection, follow these steps:
- Log on to your SharePoint site collection as a site owner.
- From Site Settings, click on Site Permissions and then click on “Advanced Permission Settings”.
- In the ribbon, click on “Permission Levels”. You will see all the different permission levels for the site collection.
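The Permission Levels page shows names and descriptions only. As an added example (PnP.PowerShell, not from the original post, assuming an open `Connect-PnPOnline` session), the script below lists every level together with the base permissions it actually contains, which is what you need when reviewing a custom level.

```powershell
# Added example (PnP.PowerShell). Assumes an existing Connect-PnPOnline session.
$levels = @(Get-PnPRoleDefinition)

# Resolve the PermissionKind enum from the CSOM assembly the module has loaded,
# and skip the two mask values that are not individual permissions.
$kindType = $levels[0].BasePermissions.GetType().Assembly.GetType('Microsoft.SharePoint.Client.PermissionKind')
$kinds = [enum]::GetValues($kindType) |
    Where-Object { $_.ToString() -notin 'EmptyMask', 'FullMask' }

$report = foreach ($level in $levels) {
    # Test each base permission against this level's permission mask.
    $granted = @($kinds |
        Where-Object { $level.BasePermissions.Has($_) } |
        ForEach-Object { $_.ToString() })

    [pscustomobject]@{
        Level                = $level.Name
        Hidden               = $level.Hidden
        CanManagePermissions = $granted -contains 'ManagePermissions'
        CanDelete            = $granted -contains 'DeleteListItems'
        PermissionCount      = $granted.Count
        BasePermissions      = $granted -join ', '
    }
}

# Levels with the most base permissions first.
$report | Sort-Object PermissionCount -Descending |
    Format-List Level, Hidden, CanManagePermissions, CanDelete, BasePermissions
```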
Microsoft reference on managing permission levels: https://learn.microsoft.com/en-us/sharepoint/understanding-permission-levels?source=recommendations
Best Practices for Mastering SharePoint Permission Levels
Now that you have a solid understanding of SharePoint permission levels and how to manage them, here are a few best practices to keep in mind:
- Use custom permission levels to tailor access to your organization’s needs
- Regularly review and update permissions to ensure that users have the access they need and nothing more
- Use folder and item level permissions to further restrict access to resources
- Train users on how to use SharePoint’s permission system correctly to avoid common mistakes
- Use SharePoint’s built-in tools for managing users and groups to make permission management easier
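A periodic review needs a list of every place where inheritance was broken and who was granted what there. The following added example (PnP.PowerShell, not from the original post; the CSV file name is an assumption) builds that list for the connected site.

```powershell
# Added example (PnP.PowerShell). Assumes an existing Connect-PnPOnline session.
# Makes one request per item, so expect it to be slow on large libraries.
$findings = foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    foreach ($item in (Get-PnPListItem -List $list -PageSize 500)) {
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if (-not $unique) { continue }   # inherits from its parent: nothing to report

        Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
        foreach ($ra in $item.RoleAssignments) {
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

            # Limited Access is granted automatically, so it is left out of the report.
            $names = @($ra.RoleDefinitionBindings |
                ForEach-Object { $_.Name } |
                Where-Object { $_ -ne 'Limited Access' })
            if ($names.Count -eq 0) { continue }

            [pscustomobject]@{
                List      = $list.Title
                Path      = $item.FieldValues['FileRef']
                Kind      = $item.FileSystemObjectType   # File or Folder
                Principal = $ra.Member.LoginName
                Type      = $ra.Member.PrincipalType     # User, SharePointGroup, ...
                Levels    = $names -join ', '
            }
        }
    }
}

# Show the result and keep a dated copy to compare against at the next review.
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
$findings | Export-Csv -Path ".\unique-permissions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```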
SharePoint provides a powerful set of tools for managing access to resources within your organization, but it’s important to use them correctly to avoid common mistakes and ensure that users have the access they need. By understanding the default permission levels, creating custom permission levels, and using folder and item level permissions, you can create a robust access control system that meets your organization’s needs. Remember to regularly review and update SharePoint permissions to ensure that users have the access they need and nothing more, and train users on how to use SharePoint’s permission system correctly to avoid common mistakes. With these best practices in mind, you’ll be well on your way to mastering SharePoint permission levels.
Limited Access is a special type of security role that a user or group is automatically granted when they get access to a specific list, library, or item, but not to the site itself. For example, when we grant access to a specific list but not the site, users will get read access to the list and limited access to the site, because a user must have some access to the site in order to reach the list.
Permission levels are created at site collection level (in RootWeb) and inherited by its subsites. Each site collection has its own set of default permission levels. When you change or add new permission levels, they will be automatically replicated to all subsites in the site collection.
Contribute access in SharePoint allows users to add, edit, and delete items in a list or library, but they cannot approve or reject items, create new lists or libraries, or manage permissions. It is a mid-level permission level that gives users more control than read-only access, but less control than full control access.
Restricted view and view only are permission levels in SharePoint Online that allow users to view content, but not edit or delete it. Restricted view allows users to view only specific content, while view only allows users to view all content on a site or document library. These permission levels are useful for controlling access to sensitive information and ensuring that users only have access to the content they need.
SharePoint has three default permission groups: Owners, Members, and Visitors. Owners have full control over the site, including the ability to add and remove users and change permissions. Members can contribute content to the site, but do not have administrative privileges. Visitors can view content on the site, but cannot make any changes.
SharePoint’s “Contribute” permission level allows users to add, edit, and delete items in a list or library, but they cannot manage the site itself. “Edit” permission level, on the other hand, allows users to do everything that “Contribute” allows, but also gives them the ability to manage lists, add and remove web parts, and customize pages. In short, “Edit” gives users more control over the site than “Contribute.”