SharePoint Online Permissions – A Comprehensive Guide!

Introduction

One of the key features of SharePoint Online is its robust permissions system, which allows administrators to control who has access to specific content and what actions they can perform on that content. This guide will provide an overview of SharePoint Online permissions, including how to set and manage permissions effectively, and common scenarios for using permissions in SharePoint Online.

Types of SharePoint Online Permissions

There are four main types of permissions in SharePoint Online:

  1. Site permissions: Site permissions control who has access to a specific SharePoint site and what actions they can perform on the site. Site permissions are usually set at the root level of a SharePoint site, but they can also be set at the subsite level.
  2. List permissions: List or library permissions control who has access to a specific list or library within a SharePoint site and what actions they can perform on the list or library. List permissions can be set at the list or library level.
  3. Folder Permissions: Folder permissions in SharePoint Online work similarly to how permissions work for other objects such as site or document library; users can be granted different levels of access to folders, such as Read, Contribute, or Full Control.
  4. Item permissions: Item permissions control who has access to a specific item or document within a list or library and what actions they can perform on the item or document. Item permissions can be set at the list item or document level and can override list permissions.

To set permissions for a site or item, you will need to be the site owner or have permission to manage the site. In SharePoint Online, permissions are granted at the site level and can be inherited by subsites, lists, libraries, and individual items within those lists and libraries. This means that administrators can set permissions for a site and have those permissions apply to all of the subsites, lists, and libraries within that site, unless specific permissions are set for a particular subsite, list, library, or item.

SharePoint Permission Levels

In SharePoint Online, permission levels are used to determine what actions a user or group can take within a site, list, library, or item. SharePoint Online comes with several built-in permission levels, such as Full Control, Edit, and Read, but you can also create custom permission levels if needed.

The default permission levels in SharePoint Online are:

  • Full Control: This permission level allows users to view, add, update, and delete any content within the site, list, library, or item. Users with Full Control permissions can also create and delete lists and libraries, change the look and feel of the site, edit user permissions, and manage site, list, library, or item-level security settings.
  • Design: This permission level allows users to view and edit any content within the site, list, library, or item, as well as create and delete lists and libraries. Users with Design permissions can also change the look and feel of the site, but cannot manage site, list, library, or item-level security settings.
  • Edit: This permission level allows users to view and edit any content within the site, list, library, or item. Users with Edit permissions cannot manage site, list, library, or item-level security settings. SharePoint team site members get this permission by default.
  • Contribute: This permission level allows users to view and edit any content within the site, list, library, or item, but they cannot create or delete lists and libraries. Users with Contribute permissions cannot change the look and feel of the site or manage site, list, library, or item-level security settings.
  • Read: This permission level allows users to view content within the site, list, library, or item, but they cannot add, update, or delete items. Users with Read permissions cannot manage site, list, library, or item-level security settings. It is typically assigned to site visitors.
  • View Only: This permission level allows users to view content within the site, list, library, or item, but they cannot add, update, delete, or edit items. Users with View Only permissions cannot manage site, list, library, or item-level security settings. They can create alerts, view items, and view pages, but can’t download documents to the client applications.

You’ll also see the “Limited Access” permission level, a special type of security role that is automatically granted to a user or group when they are given access to a specific list, library, or item but not to the site itself. For example, when we grant access to a specific list but not the site, users get read access to the list and limited access to the site.

In addition to the default SharePoint permission levels, SharePoint Online allows you to create custom permissions by combining various permissions from the built-in permission levels. This can be useful if you need to grant fine-grained permissions to a group of users that is not covered by the built-in permission levels.

How to create a custom permission level in SharePoint Online?

SharePoint permission levels are sets of permissions that can be assigned to users and groups, allowing them to perform certain actions within a site. For example, a user with a “Full Control” permission level would have complete access to all areas of the site, including the ability to create, edit, and delete content. On the other hand, a user with a “Read” permission level would only be able to view content within the site, but would not be able to make any changes. By creating custom permission levels, site administrators can fine-tune the access and permissions granted to users and groups within their site, ensuring they have the access they need to perform their tasks while protecting sensitive information.

To create a custom permission level, do the following:

  1. Navigate to the site settings page for the site where you want to create the permission level.
  2. Click on “Settings” >> “Site Permissions” and then “Advanced permissions settings.”
  3. On the Permissions page, click on the “Permission levels” link in the ribbon.
  4. On the “Permission Levels” page, click the “Add a Permission Level” button.
  5. Enter a name and description for the new permission level.
  6. Select the specific permissions that you want to include in the permission level. You can choose from a list of predefined permissions, such as “Full Control”, “Edit”, or “Read”. Select personal permissions that apply.
  7. Click the “Create” button to create the new permission level.

Once you have created the custom permission level, you can then assign it to users or security groups as needed. You can also create a new permission level by copying an existing permission level in SharePoint. More info here: How to create a permission level in SharePoint Online?

Similarly, you can Edit and Update a Permission Level or Delete a Permission Level in SharePoint Online as well.

Permission Inheritance in SharePoint Online

In SharePoint Online, permission inheritance refers to the way in which permissions are passed down from a parent site or item to its child sites or items. When inheritance is enabled, a child site or item will inherit the permissions of its parent, unless unique permissions are explicitly set for the child. By default, all sites and lists in SharePoint Online inherit the permissions of their parent site.

For example, consider a SharePoint site with a folder containing several documents. If you set permissions at the site level, those permissions will be inherited by the folder and all the documents within it. However, if you break inheritance on the folder and set unique permissions for it, the folder and its documents will no longer inherit the permissions from the parent site. Instead, they will have their own independent set of permissions.

Permission inheritance can be useful for reducing the amount of work required to manage permissions on a large site with many subsites and items.

Default Groups in SharePoint Online

In SharePoint Online, several default groups are created when a new team site or communication site is created. These groups are used to manage permissions and control access to the site and its contents. The default groups and their permissions are as follows:

  1. Owners: This group has full control over the site and its contents. They can add and remove users, set permissions, and make other site changes.
  2. Members: This group has the ability to contribute to the site, including adding and editing content, creating lists and libraries, and managing permissions for their own documents and items.
  3. Visitors: This group has read-only access to the site and its contents. They can view, but not edit, any content on the site.
  4. Approvers: This group has the ability to approve or reject documents that are submitted for approval.
  5. Hierarchy Managers: This group has the ability to create and manage sites and pages within the site collection.

In addition to these default groups, you can also create custom groups and assign them specific permissions as needed. More info: How to Create a Group in SharePoint Online?

You can generate a report for users and groups on a SharePoint Online site: Site Users and Groups Report in SharePoint Online

Managing Permissions in SharePoint Online

There are several ways to set and manage permissions in SharePoint Online:

  1. SharePoint Groups: SharePoint groups are a collection of users who are granted the same set of permissions. You can create different groups for different purposes, such as a group for site administrators or a group for project team members. You can add and remove users from groups as needed, and any changes to the group permissions will apply to all group members.
  2. Individual Permissions: You can also set permissions for individual users or groups on a specific list, library, or item. Individual permissions override any group or permission level permissions that have been set.

How Do I Manage SharePoint Online Permissions?

Managing permissions in SharePoint Online is done through the user interface (UI). The UI allows you to easily add or remove users from your site/document library, assign roles and tasks, and create groups to easily manage multiple users. It’s important to note that different roles have different levels of permission; for example, an administrator will have more control over the site than a regular user will.

Private Team site vs. Public Team site: If you create a SharePoint site connected to a Microsoft 365 group, you can set the site’s privacy to private or public so that the site is available only to specific users or to all users of the firm.

How to Share a SharePoint Online Site?

In SharePoint Online, adding users to the site is a common task that can be done in a few simple steps. Site-level permissions in SharePoint Online are used to control access to the entire site and any subsites created within it. To set permissions in SharePoint Online, follow these steps:

  1. Navigate to the site for which you want to set permissions.
  2. Click on the Settings gear icon, select “Site Permissions”, and then “Advanced permissions settings”.
  3. Click on the “Grant Permissions” button.
  4. Enter the names or email addresses of the users or groups you want to grant permission to.
  5. Select the appropriate permission level or individual permissions for the users or groups.
  6. Click the Share button to add members.

More on providing site access to users in SharePoint: How to Grant site permissions in SharePoint Online?

Share a List or Document Library in SharePoint Online

In addition to granting permissions at the site level, SharePoint Online also allows administrators to set permissions at the list and library levels. This is useful for situations where the permissions for a particular list or library need to be different from the permissions for the site as a whole.

An administrator must first break the inheritance of permissions from the parent site to set permissions for a list or library. This means that the permissions for the list or library will no longer be inherited from the site, and can be set independently. Once the inheritance has been broken, the administrator can add users and groups as members of the list or library and assign specific permissions to those members. To share a document library in SharePoint Online, follow these steps:

  1. Login to your SharePoint Online site >> Navigate to the document library you want to share.
  2. Click on Settings gear >> Choose the “Library Settings” menu item. This takes you to the library settings page.
  3. Click the “Permissions for this document library” link under the “Permissions and Management” group.
  4. Click on the “Stop Inheriting Permissions” button on the ribbon and confirm the prompt. You can add or remove users and groups to the document library to restrict permissions.
  5. Select users and groups and click the “Remove user permissions” button to remove unnecessary users. To add additional users to the document library, click on “Grant Permissions” and add people or groups, then set the necessary permissions.

More here: How to Share a Document Library in SharePoint Online?

The users or groups that you shared the document library with will receive an email notification with a link to the shared document library, and will be able to access it using that link.

Folder level permissions in SharePoint Online

In SharePoint Online, folder-level permissions allow you to control access to specific folders within a list or library. By default, users with permission to access a list or library will also have access to all the folders within that list or library. However, you can use folder-level permissions to give certain users or security groups access to specific folders within the list or library while denying access to other folders.

To set folder-level permissions in SharePoint Online, follow these steps:

  1. Navigate to the list or library that contains the folder for which you want to set permissions.
  2. Click on the folder for which you want to set permissions.
  3. Click on the “Files” tab in the ribbon, then click the “Manage Access” button.
  4. In the “Manage Access” dialog, you can add users or security groups and assign them the appropriate permission level. You can also remove users or security groups from the list by clicking on the “X” icon next to their names.
  5. When you are finished setting permissions, click on the “Save” button to apply the changes.

Note that folder-level permissions are distinct from list or library-level permissions. If you want to give a user or security group access to all the folders within a list or library, you will need to grant them the appropriate permissions at the list or library level. You can do this by going to the “Permissions” page for the list or library and adding the user or security group to the list of users and security groups with permissions. See my other article: Setting folder level permissions in SharePoint Online

How to grant access to a document in SharePoint?

Setting permissions for individual items within a list or library is also possible. This is useful for situations where certain items within a list or library need different permissions than the rest. To set permissions for an individual item, the administrator must first break the inheritance of permissions from the parent list or library. Once the inheritance has been broken, the administrator can add users and groups as members of the item and assign specific permissions to those members.

To set file-level permissions in SharePoint Online, follow these steps:

  1. Navigate to the file or folder that you want to set permissions for.
  2. Select the file and click on the “Share” button. This will open the “Share with Others” dialog box.
  3. In the “Invite People” field, enter the email address of the person or group you want to set permissions for.
  4. Select the appropriate level of access from the “Permission Level” dropdown menu.
  5. Optional: If you want to include a message with the invitation, type it in the “Add a message (optional)” field.
  6. Click on the “Share” button to send the invitation and set the permissions.

Keep in mind that the specific file level permissions available may vary depending on your organization’s SharePoint configuration. You may need to request additional permissions from an administrator if you need to set permissions that are not available in the “Permission Level” dropdown menu.

More in How to Grant File level Permissions in SharePoint Online?

How to check user Permissions in SharePoint Online?

If you manage a SharePoint Online site, you may need to check who has what permissions from time to time. This is especially important if you have a lot of users with different roles. Let’s see how to audit SharePoint permissions.

To check site permissions in SharePoint Online, follow these steps:

  1. Navigate to the SharePoint site that you want to check permissions for.
  2. Click on the “Settings” icon in the top-right corner of the page, and then click on “Site settings” in the menu that appears.
  3. In the “Site Settings” page, click on the “Site permissions” link under the “Users and Permissions” section.
  4. On the “Site permissions” page, you will see a list of all the users and security groups that have been granted permissions to the site, along with the permission levels that have been assigned to them.

Similarly, to check permission on a list or library, do the following: Click on the name of the list or library in the list. This will open a pop-up window that displays the specific permissions that have been granted to the list or library. Note that in order to view the site, list, or library permissions, you must have the appropriate permissions yourself.

How to stop inheriting permissions in SharePoint Online?

If you want to customize the permissions for a particular site, folder, document library, or document, you must first break the permission inheritance. This can be useful if you want to give a particular group of users access to a specific folder or document while denying access to other users.

To stop inheriting permissions in SharePoint Online, follow these steps:

  1. Navigate to the site, folder, or document for which you want to stop inheriting permissions.
  2. Right-click on the item >> Click on the “Manage Access” menu item.
  3. In the “Manage Access” dialog box, click on the “Advanced” button >> On the “Permissions” tab, click on the “Stop Inheriting Permissions” button.
  4. In the confirmation dialog box that appears, click on the “OK” button to confirm that you want to break inheritance.
  5. After breaking inheritance, you can add or remove users and groups and assign them specific permissions (e.g., read or edit).

It’s important to note that breaking inheritance can have unintended consequences, as it will cause the site, folder, or document to have its own independent set of permissions that are not inherited from the parent. This can make it more difficult to manage permissions, as you will need to set permissions separately for each item.
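The consequence described above, modelled as an added example (not code from the original article): a folder whose inheritance was broken keeps a group that is later removed at the site level. The paths, group names and the three helper functions are hypothetical, and the model assumes an object starts with a copy of its parent's permissions when inheritance is broken.

```powershell
# Constructed model of one site; paths, groups and levels are sample data.
# Unique = $true means the object holds its own permissions (site root or broken inheritance).
$nodes = @{
    '/sites/hr'                      = @{ Parent = $null; Unique = $true
                                          Acl = @{ 'HR Owners' = 'Full Control'; 'HR Members' = 'Edit'; 'HR Visitors' = 'Read' } }
    '/sites/hr/Docs'                 = @{ Parent = '/sites/hr';              Unique = $false; Acl = @{} }
    '/sites/hr/Docs/Payroll'         = @{ Parent = '/sites/hr/Docs';         Unique = $false; Acl = @{} }
    '/sites/hr/Docs/Payroll/q1.xlsx' = @{ Parent = '/sites/hr/Docs/Payroll'; Unique = $false; Acl = @{} }
}

# Hypothetical helper: walk up to the nearest ancestor that holds its own permissions.
function Get-PermissionSource {
    param([hashtable]$Nodes, [string]$Path)
    $current = $Path
    while (-not $Nodes[$current].Unique) { $current = $Nodes[$current].Parent }
    $current
}

# Hypothetical helper: the permissions that actually apply to an object.
function Get-EffectiveAcl {
    param([hashtable]$Nodes, [string]$Path)
    $Nodes[(Get-PermissionSource -Nodes $Nodes -Path $Path)].Acl
}

# Hypothetical helper: copy the current effective permissions onto the object,
# then mark it as no longer following its parent.
function Stop-Inheritance {
    param([hashtable]$Nodes, [string]$Path)
    $Nodes[$Path].Acl    = (Get-EffectiveAcl -Nodes $Nodes -Path $Path).Clone()
    $Nodes[$Path].Unique = $true
}

$file = '/sites/hr/Docs/Payroll/q1.xlsx'

# Step 1: break inheritance on the Payroll folder.
Stop-Inheritance -Nodes $nodes -Path '/sites/hr/Docs/Payroll'

# Step 2: later, access is tightened at the site level only.
$nodes['/sites/hr'].Acl.Remove('HR Visitors')

# Step 3: compare what the site says with what governs the file.
[pscustomobject]@{
    File           = $file
    GovernedBy     = Get-PermissionSource -Nodes $nodes -Path $file
    VisitorsOnSite = $nodes['/sites/hr'].Acl.ContainsKey('HR Visitors')
    VisitorsOnFile = (Get-EffectiveAcl -Nodes $nodes -Path $file).ContainsKey('HR Visitors')
}
```

A permissions review therefore has to visit every object with unique permissions, not only the site permissions page.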

More here: How to Break Permission Inheritance in SharePoint Online?

SharePoint Online permissions Report

It is important to carefully manage permissions in SharePoint Online to ensure that only authorized users have access to the resources they need. Administrators should regularly review the permissions granted to users and groups to ensure that they are appropriate and up-to-date.

There are several different ways to generate a report on permissions in SharePoint Online:

  1. Use the built-in permissions report: SharePoint Online includes a built-in permissions report that allows you to view a list of all the users and security groups that have been granted permissions to a site, along with the specific permissions that have been granted to each user or group. To access the permissions report, go to the site settings page, click on “Site permissions” under the “Users and Permissions” section, and then click on the “Check Permissions” button. This will open the permissions report, which displays a list of all the users and security groups that have been granted permissions to the site.
  2. Use the SharePoint Online Management Shell: The SharePoint Online Management Shell is a Windows PowerShell module that allows you to manage and automate tasks in SharePoint Online. You can use the Management Shell to generate a report on permissions for a specific site, list, or library. To do this, you must run a script that retrieves the permissions for the desired site, list, or library and outputs the results to a CSV file. There are several scripts available on this site that can be used to generate a permissions report using the Management Shell.
  3. Use a third-party tool: There are several third-party tools available that can be used to generate reports on permissions in SharePoint Online. These tools typically offer a variety of features and options for generating and customizing reports, and may be more suitable for larger organizations with complex permissions structures. Some examples of third-party tools that can be used to generate permissions reports in SharePoint Online include ShareGate, AvePoint, etc.

Regardless of the method you choose, it is important to regularly review and update permissions to ensure that users have the appropriate level of access to the resources they need. This can help to ensure that permissions are up-to-date and that unauthorized access to sensitive information is prevented. You can get SharePoint Online site and subsites permission using PowerShell with my other script: SharePoint Online: Permissions Report using PowerShell

Export SharePoint Online Site/List/Folder permissions using PowerShell

You can use PowerShell scripts to export permissions for a specific site, list, or library in SharePoint Online. This script connects to SharePoint Online using PowerShell, retrieves the permissions for the specified site, list, or library, and exports them to a CSV file: Export SharePoint Online permissions using PowerShell

Copy Permissions in SharePoint Online

Have you ever wanted to clone permissions from an existing user to a new user or copy permissions between SharePoint document library, list, or folder objects? It can be a tedious process if you have to do it manually, and there is no easy way to do it without using 3rd party tools. Luckily, PowerShell can help ease this task. To copy an existing user’s permissions, you have to look through all the objects and then grant permission to the new user.

Delete all unique permissions SharePoint Online

To delete all unique permissions in SharePoint Online and revert to the inherited permissions from the parent site, follow these steps:

  1. Navigate to the SharePoint site for which you want to delete the unique permissions.
  2. Click on the “Settings” icon in the top right corner of the page, and then click on “Site settings” in the menu that appears.
  3. In the “Site Settings” page, click on the “Site permissions” link under the “Users and Permissions” section.
  4. On the “Site permissions” page, click on the “Stop Inheriting Permissions” button.
  5. In the “Confirm Stop Inheriting Permissions” dialog, click on the “OK” button to confirm that you want to delete the unique permissions and revert to the inherited permissions from the parent site.

Note that this action will delete all unique permissions for the site, including any custom permission levels that have been created. Take care when deleting unique permissions, as this action cannot be undone. It is generally a good idea to create a backup of the site before deleting unique permissions, in case you need to restore the permissions at a later date.

It is also important to note that deleting unique permissions will not remove any users or security groups from the document library. If you want to remove specific users or security groups from the document library, you will need to do this separately by going to the “Permissions” page for the document library and revoking the permissions for the desired users or groups.

More on removing unique permissions from all objects in a SharePoint Online site collection: Delete all unique permissions in SharePoint Online

Grant Access to External users in SharePoint Online

In addition to granting permissions to users and groups, SharePoint Online also allows administrators to set permissions for external users. External users are users who do not have a Microsoft 365 account and do not belong to the organization’s Active Directory. To start with, make sure you have enabled external sharing by following the steps to Enable External user access in SharePoint Online.

To grant permissions to an external user, the SharePoint administrator must first set the sharing settings for a site collection. Then, based on the settings configured, external users can be added directly to the site, or guest users can be invited to Azure Active Directory to gain access to a site, list, library, or item. You can also use PowerShell to add External Users to SharePoint Online.

Once shared, the external user will receive an email notification with a link to the shared file or folder, and will be able to access it using that link.

Anonymous Access in SharePoint Online

If your external sharing settings are set to “Anyone”, you can share a file or folder anonymously with any user. When you anonymously share a file or folder, anyone with the link can access it without entering credentials. You can share a file or folder in SharePoint Online with anonymous users by following these steps:

  1. Navigate to the file or folder you want to share in SharePoint Online.
  2. Right-click on the item and click on the “Share” button.
  3. In the link settings, select “Anyone with the link” and enter the email addresses of the users who should receive the link.
  4. Select the permissions you want to grant anonymous users from the dropdown menu (e.g., Edit, View).
  5. Click “Send”.

This will create a unique link that you can share with anonymous users, who can access the file or folder using that link.

More Here: How to Share a File or Folder for Anonymous Access in SharePoint Online?

How to Add a SharePoint Online Administrator in Office 365?

As SharePoint Online administration is done by people other than the Tenant Admin (or Global Administrator!) in most companies, you may need to delegate Office 365 roles accordingly. To add a SharePoint Online administrator in Office 365, follow these steps:

  1. Sign in to your Office 365 account as a global administrator.
  2. Go to the Microsoft 365 admin center at https://admin.microsoft.com
  3. In the left navigation, go to “Users > Active users”.
  4. Click the user that you want to add as a SharePoint Online administrator.
  5. On the “User details” page, click “Edit” next to “Roles”.
  6. Under “Admin roles”, select “SharePoint administrator” from the dropdown list.
  7. Click “Save”.

The user will now have SharePoint Online administrator permissions, and will be able to manage SharePoint Online sites and content. You can also use PowerShell to add a SharePoint Online Administrator: How to Assign the SharePoint Online Administrator Role?

Site collection administrators in SharePoint Online

A site collection administrator in SharePoint Online is a user who can manage the whole site collection and all of its subsites. They can add and remove users, change permissions, create new subsites, and customize the look and feel of the site collection. They also have access to all the content within the site collection, including documents and lists. As an administrator, they can manage the settings for the site collection, including security and permissions.

You can add or remove users in the site collection administrator role, export a list of site collection admins, etc., as required. More here: Managing site collection administrators in SharePoint Online

SharePoint Online Permissions Best Practices

Here are some best practices for managing permissions in SharePoint Online:

  1. Use security groups to manage permissions: Instead of assigning permissions directly to individual users, it is generally best practice to create groups to manage permissions. This allows you to easily manage access for large numbers of users at once and makes it easier to make future permissions changes.
  2. Use the least privilege: When assigning permissions, it is important to follow the principle of least privilege, which means only granting the minimum level of permissions necessary to perform a specific task. This helps to reduce the risk of unauthorized access to sensitive information.
  3. Use custom permission levels sparingly: While custom permission levels can be useful in certain situations, it is generally best practice to use the built-in permission levels whenever possible. This helps to ensure that permissions are consistent across the site and makes it easier to understand and manage permissions.
  4. Use item-level permissions judiciously: While item-level permissions can be useful in certain situations, they can also make it more difficult to manage permissions overall. It is generally best practice to use item-level permissions sparingly and to use them only when absolutely necessary.
  5. Regularly review and update permissions: It is important to regularly review and update permissions to ensure that users have the appropriate level of access to the resources they need. This can help to ensure that permissions are up-to-date and that unauthorized access to sensitive information is prevented.
  6. Use site-level permissions to control access to subsites: When creating a new subsite within a SharePoint site, it is generally best practice to use site-level permissions to control access to the subsite. This helps to ensure that the permissions for the subsite are consistent with the permissions for the parent site.
  7. Use list and library permissions to control access to specific content: If you want to give certain users access to specific content within a site, but not to the entire site, it is generally best practice to use list and library permissions to control access to the specific content. This allows you to easily manage access to specific content while still maintaining control over the overall site.
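One way to turn these practices into a repeatable review of an exported permissions report, shown as an added example that is not one of the article's or the author's scripts. The CSV column layout, the sample rows, the `Get-PermissionFinding` function and the assumption that owner groups are named `* Owners` are all hypothetical; the `#ext#` marker is how SharePoint Online login names identify guest accounts.

```powershell
# Constructed sample export. The column layout is an assumption for this example,
# not the output format of any particular report script.
$report = @'
Object,Type,HasUniquePermissions,Principal,PrincipalType,PermissionLevel
/sites/hr,Site,True,HR Owners,SharePointGroup,Full Control
/sites/hr,Site,True,HR Members,SharePointGroup,Edit
/sites/hr,Site,True,HR Visitors,SharePointGroup,Read
/sites/hr,Site,True,alice@contoso.com,User,Full Control
/sites/hr,Site,True,carol@contoso.com,User,Limited Access
/sites/hr/Payroll,Library,True,HR Owners,SharePointGroup,Full Control
/sites/hr/Payroll,Library,True,bob@contoso.com,User,Contribute
/sites/hr/Payroll/2024.xlsx,File,True,partner_fabrikam.com#ext#@contoso.onmicrosoft.com,User,Edit
'@ | ConvertFrom-Csv

# Hypothetical helper: returns one finding object per row that breaks a best practice.
function Get-PermissionFinding {
    param(
        [object[]]$Rows,
        # Assumed naming convention for owner groups.
        [string]$OwnersPattern = '* Owners'
    )
    foreach ($row in $Rows) {
        # "Limited Access" is granted automatically alongside a deeper grant,
        # so it is skipped; the deeper grant is reported on its own row.
        if ($row.PermissionLevel -eq 'Limited Access') { continue }

        $reasons = @()

        # Practice 1: grant through groups, not to individual users.
        if ($row.PrincipalType -eq 'User') {
            $reasons += 'Direct user grant'
        }
        # Practice 2: least privilege, Full Control only for owner groups.
        if ($row.PermissionLevel -eq 'Full Control' -and $row.Principal -notlike $OwnersPattern) {
            $reasons += 'Full Control outside owners group'
        }
        # Practice 4: item-level unique permissions should be rare.
        if ($row.Type -in 'File', 'Item', 'Folder' -and $row.HasUniquePermissions -eq 'True') {
            $reasons += 'Unique permissions below library level'
        }
        # External (guest) accounts deserve an explicit review.
        if ($row.Principal -like '*#ext#*') {
            $reasons += 'External user'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Object    = $row.Object
                Principal = $row.Principal
                Level     = $row.PermissionLevel
                Findings  = $reasons -join '; '
            }
        }
    }
}

Get-PermissionFinding -Rows $report | Format-Table -AutoSize -Wrap
```

To review a real export, replace the inline rows with `Import-Csv` on the report file and map its column names to the ones used here.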

Conclusion

In conclusion, SharePoint Online permissions are important for managing and organizing content within a SharePoint site. By assigning appropriate permissions to users and groups, site administrators can control who has access to specific content and what actions they can perform on it. It is important to carefully consider the permissions that are granted to ensure that users have the access they need to perform their tasks, while also protecting sensitive information. By carefully managing permissions, administrators can ensure that their teams have the access they need to collaborate effectively, while also protecting the security and integrity of their organization’s data.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!
