Content Management is one of the major and most widely-used offerings of SharePoint. SharePoint portals are set up and used effectively for better content management. When the content comes into the picture, the major area of focus is to present the right set of content to the right users. Permission levels in SharePoint help define the governance around this.
In this article, we will explore what permission levels are, best practices for setting them up effectively, and how to assign permission levels to a SharePoint group.
Planning the Permissions
SharePoint consists of many artifacts that represent a site, list, library, list item, document, or folder. These artifacts are generally referred to as securable objects. Each of these securable objects has its own role assignment. A role assignment represents a user (person) or a group.
SharePoint Permission levels are defined sets of actions a user can execute on a site, list or an item/document.
The permissions can be set up as:
- Site Permissions
- List Permissions
- Personal Permissions
The permission levels include:
Permission Level | Description |
Full Control | Includes all permissions. |
Design | Includes permissions that enable users to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer 2013. |
Edit | Includes permissions that enable users to add, edit and delete lists; can view, add, update and delete list items and documents. |
Contribute | Includes permissions that enable users to add or change items on the site pages or in lists and document libraries. |
Read | Includes permissions that enable users to view items and site pages. |
Limited Access | Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving access to all the elements of a site. You cannot edit this permission level directly. |
View Only | Includes permissions that enable users to view pages, list items, and documents. |
Approve | Includes permissions to edit and approve pages, list items, and documents. |
Manage Hierarchy | Includes permissions to create sites and edit pages, list items, and documents. |
Restricted Read | Includes permissions to view pages and documents, but not historical versions or permissions information. |
Custom Permission Levels
In circumstances where the out-of-the-box permission levels are not sufficient, we can create custom permission levels from the set of available permissions. Below are a few scenarios in which we can consider creating custom permission levels:
- Need to define a unique set of permissions
- Exclude several permissions from a predefined permission level
- The default permission level does not include a permission that the user should have
Access and Configure Permission Levels
The user must have administrator privileges on the site collection to access and configure permission levels.
- Navigate to root site collection
- Click "Site Settings"
- Under "Users and Permissions", click "Site Permissions"
- The ribbon lets you view and configure the permission levels
- Click "Permission Levels" to see the available permission levels
SharePoint Group
A SharePoint group lets you manage a set of users all at once instead of managing them individually. A group can contain many individual users. Users can be organized into any number of groups depending on the business scenario.
Below are the out-of-the-box groups in a SharePoint site.
Group | Default permission level | Description |
Owners | Full Control | Group with full control permissions on SharePoint site |
Members | Edit | Group with edit permissions on SharePoint site |
Visitors | Read | Group with read permissions on SharePoint site |
Publishing sites in SharePoint have an additional set of SharePoint groups as below.
Group | Default permission level | Description |
Restricted Readers | Restricted Read to the site, plus Limited Access to specific lists | Members of this group can view pages and documents, but cannot view historical versions or review user rights information. |
Style Resource Readers | Read to the Master Page Gallery and Restricted Read to the Style Library | Members of this group are given Read permission to the Master Page Gallery and Restricted Read permission to the Style Library. By default, all authenticated users are members of this group. |
Designers | Design, Limited Access | Members of this group can view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer. |
Approvers | Approve, Limited Access | Members of this group can edit and approve pages, list items, and documents. |
Hierarchy Managers | Manage Hierarchy, Limited Access | Members of this group can create sites, lists, list items, and documents. |
Users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Monitor and Control
- Identify and assign the roles to users on the SharePoint portal.
- Define a process to periodically review the assigned permissions.
- If needed, use a tool for monitoring.
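One way to script the periodic review listed above, as an added example that is not part of the original article. It assumes the PnP.PowerShell module and a session already opened with Connect-PnPOnline; the helper name Get-AssignmentRows and the three review flags are illustrative choices.

```powershell
# Added example, not from the original article. Assumes the PnP.PowerShell module
# and a session already opened with Connect-PnPOnline against the site to review.

# Turn the role assignments of one securable object into flat report rows.
function Get-AssignmentRows($Securable, [string]$Scope) {
    foreach ($ra in $Securable.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        # Limited Access is granted automatically, so it is left out of the report.
        $levels = $ra.RoleDefinitionBindings | Where-Object Name -ne 'Limited Access' |
            ForEach-Object Name
        if ($levels) {
            [pscustomobject]@{
                Scope     = $Scope
                Principal = $ra.Member.Title
                Type      = [string]$ra.Member.PrincipalType
                Levels    = $levels -join ', '
            }
        }
    }
}

$web  = Get-PnPWeb -Includes RoleAssignments
$rows = @(Get-AssignmentRows $web 'Site')

# Lists and libraries that no longer inherit from the site carry their own assignments.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments, Hidden |
    Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }
foreach ($list in $lists) {
    $rows += @(Get-AssignmentRows $list "List: $($list.Title)")
}

# Flag the rows the reviewer should look at first.
$rows | ForEach-Object {
    $flags = @()
    if ($_.Type -eq 'User') { $flags += 'direct user assignment' }
    if ($_.Levels -match 'Full Control' -and $_.Principal -notlike '*Owners') {
        $flags += 'Full Control outside Owners group'
    }
    if ($_.Scope -ne 'Site') { $flags += 'unique permissions' }
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
} | Sort-Object Scope, Principal | Format-Table -AutoSize
```

Saving the output of each run and comparing it with the previous one shows which assignments were added between reviews.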
Best Practices
Never modify out-of-the-box SharePoint permission levels
Refrain from modifying the out-of-the-box permission levels. Instead, create a new one, regardless of whether the modification is major or minor.
Assign Permissions to Group instead of individual users
Maintain the practice of creating groups and assigning permissions to groups. Users can be added or removed from groups as needed.
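The two practices above (leave the built-in levels alone, grant permissions to groups) as an added example that is not part of the original article. It assumes the PnP.PowerShell module and an existing Connect-PnPOnline session; the level name, group name, and login are hypothetical.

```powershell
# Added example, not from the original article. Assumes the PnP.PowerShell module
# and a session already opened with Connect-PnPOnline against the site collection.
# The level name, group name, and login below are hypothetical.
$levelName = 'Contribute - No Delete'
$groupName = 'Project Contributors'

# Create the custom level as a copy of Contribute without the delete permissions.
# The built-in Contribute level itself is never modified.
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $levelName)) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone 'Contribute' `
        -Exclude DeleteListItems, DeleteVersions `
        -Description 'Add and edit items and documents, but not delete them'
}

# Create the SharePoint group that will carry the permission, if it does not exist.
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName `
        -Description 'Contributors who must not delete content' | Out-Null
}

# Grant the custom level to the group rather than to individual users.
Set-PnPGroupPermissions -Identity $groupName -AddRole $levelName

# Access is then managed through group membership only.
Add-PnPGroupMember -LoginName 'user@contoso.example' -Group $groupName

# Confirm which permission levels the group now holds on the site.
Get-PnPGroupPermissions -Identity $groupName | Select-Object Name, Description
```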
Assign permissions at the highest possible level
Arrange documents that require unique permissions in a document library which supports specific group permissions. Use AD groups whenever possible. Use SharePoint security groups if there is no AD group that fits your needs.
Summary
Permission levels play a vital role in the governance of SharePoint portals. Follow the best practices to streamline the permission management.