SharePoint Permission Levels And Best Practices

Overview

Content Management is one of the major and most widely-used offerings of SharePoint. SharePoint portals are set up and used effectively for better content management. When the content comes into the picture, the major area of focus is to present the right set of content to the right users. Permission levels in SharePoint help define the governance around this.

In this article, we will explore what permission levels are, best practices for setting them up effectively, and how to assign permission levels to a SharePoint group.

Planning the Permissions

SharePoint consists of many artifacts that represent a site, list, library, list item, document, or folder. These artifacts are generally referred to as securable objects. Each of these securable objects has its own role assignment. A role assignment represents a user (person) or a group.

SharePoint Permission levels are defined sets of actions a user can execute on a site, list or an item/document.

The permissions can be set up as:
  • Site Permissions
  • List Permissions
  • Personal Permissions

The permission levels include:

| Permission Level | Description |
|---|---|
| Full Control | Includes all permissions. |
| Design | Includes permissions that enable users to view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer 2013. |
| Edit | Includes permissions that enable users to add, edit and delete lists; can view, add, update and delete list items and documents. |
| Contribute | Includes permissions that enable users to add or change items on the site pages or in lists and document libraries. |
| Read | Includes permissions that enable users to view items and site pages. |
| Limited Access | Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving access to all the elements of a site. You cannot edit this permission level directly. |
| View Only | Includes permissions that enable users to view pages, list items, and documents. |
| Approve | Includes permissions to edit and approve pages, list items, and documents. |
| Manage Hierarchy | Includes permissions to create sites and edit pages, list items, and documents. |
| Restricted Read | Includes permissions to view pages and documents, but not historical versions or permissions information. |

Custom Permission Levels

When the out-of-the-box permission levels are not sufficient, we can create custom permission levels from the set of available permissions. Below are a few scenarios in which a custom permission level makes sense:
  • A unique set of permissions needs to be defined
  • Several permissions need to be excluded from a predefined permission level
  • The default permission level does not include a permission that the user should have

Access and Configure Permission Levels

The user should have Admin privileges on the site collection to access and configure permission levels.
  1. Navigate to the root site collection
  2. Click "Site Settings"
  3. Under "Users and Permissions", click "Site Permissions"
  4. Use the ribbon to view and configure the permission levels
  5. Click "Permission Levels" to see the available permission levels

SharePoint Group

A SharePoint group allows managing a set of users all at once, instead of managing them individually. A group can contain many individual users. Users can be organized in any number of groups depending upon business scenarios.

Below are the out-of-the-box groups in a SharePoint site.

| Group | Default permission level | Description |
|---|---|---|
| Owners | Full Control | Group with full control permissions on SharePoint site |
| Members | Edit | Group with edit permissions on SharePoint site |
| Visitors | Read | Group with read permissions on SharePoint site |

Publishing sites in SharePoint have an additional set of SharePoint groups as below.

| Group | Default permission level | Description |
|---|---|---|
| Restricted Readers | Restricted Read to the site, plus Limited Access to specific lists | Members of this group can view pages and documents, but cannot view historical versions or review user rights information. |
| Style Resource Readers | Read to the Master Page Gallery and Restricted Read to the Style Library | Members of this group are given Read permission to the Master Page Gallery and Restricted Read permission to the Style Library. By default, all authenticated users are members of this group. |
| Designers | Design, Limited Access | Members of this group can view, add, update, delete, approve, and customize the layout of site pages by using the browser or SharePoint Designer. |
| Approvers | Approve, Limited Access | Members of this group can edit and approve pages, list items, and documents. |
| Hierarchy Managers | Manage Hierarchy, Limited Access | Members of this group can create sites, lists, list items, and documents. |

Users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

Monitor and Control

  1. Identify and assign the roles to users on the SharePoint portal.
  2. Define a process to periodically review the assigned permissions.
  3. If needed, use a tool for monitoring.
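
One way to script the periodic review in step 2, as an added example that is not part of the original article. It assumes the PnP.PowerShell module, English permission level names, and a default Owners group whose title ends in "Owners"; `$SiteUrl` is a placeholder for your own site collection.

```powershell
# Added example: report role assignments that deserve a reviewer's attention.
param([Parameter(Mandatory)] [string] $SiteUrl)   # placeholder: your site collection URL

# Assumption: interactive sign-in; authenticate however your environment requires.
Connect-PnPOnline -Url $SiteUrl -Interactive

function Get-AssignmentFindings {
    param($Securable, [string] $Scope)
    # Load the role assignments of the securable object (a web or a list).
    Get-PnPProperty -ClientObject $Securable -Property RoleAssignments | Out-Null
    foreach ($ra in $Securable.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        # Limited Access is granted automatically by SharePoint, so ignore it.
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                    Where-Object { $_ -ne 'Limited Access' })
        if ($levels.Count -eq 0) { continue }

        $issues = @()
        if ($ra.Member.PrincipalType -eq 'User') {
            $issues += 'Permission assigned to an individual user, not a group'
        }
        if ($levels -contains 'Full Control' -and $ra.Member.Title -notlike '*Owners') {
            $issues += 'Full Control held outside the Owners group'
        }
        foreach ($issue in $issues) {
            [pscustomobject]@{
                Scope = $Scope; Principal = $ra.Member.Title
                Levels = $levels -join ', '; Finding = $issue
            }
        }
    }
}

$web = Get-PnPWeb
# Lists and libraries with unique permissions no longer inherit from the site.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments |
         Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }

$findings = @(
    Get-AssignmentFindings -Securable $web -Scope "Site: $($web.Title)"
    foreach ($list in $lists) {
        Get-AssignmentFindings -Securable $list -Scope "List: $($list.Title)"
    }
)
$findings | Sort-Object Scope, Principal | Format-Table -AutoSize -Wrap
```

Every list that appears in the output has broken inheritance, so its assignments have to be reviewed separately from the site's.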

Best Practices

Never modify out-of-the-box SharePoint permission levels
Refrain from modifying the out-of-the-box permission levels; instead, create a new one, whether the modification is major or minor.

Assign permissions to groups instead of individual users
Maintain the practice of creating groups and assigning permissions to groups. Users can be added or removed from groups as needed.

Assign permissions at the highest possible level
Arrange documents that require unique permissions in a document library which supports specific group permissions. Use AD groups whenever possible. Use SharePoint security groups if there is no AD group that fits your needs.
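
The first two practices combined, as an added example that is not from the original article: a custom level is cloned from Contribute rather than editing the built-in one, and it is granted to a group rather than to individual users. It assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session; the level name and group name are hypothetical.

```powershell
# Added example: hypothetical names, adjust to your site.
$levelName = 'Contribute without Delete'
$groupName = 'Project Contributors'

# Leave the built-in Contribute level untouched: clone it and drop the delete rights.
$existingLevel = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName }
if (-not $existingLevel) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone 'Contribute' `
        -Exclude DeleteListItems, DeleteVersions `
        -Description 'Contribute, but cannot delete items or versions' | Out-Null
}

# Create the SharePoint group once; users are then added to or removed from the group.
$existingGroup = Get-PnPGroup | Where-Object { $_.Title -eq $groupName }
if (-not $existingGroup) {
    New-PnPGroup -Title $groupName `
        -Description 'Members hold the custom permission level' | Out-Null
}

# Assign the custom permission level to the group at site level.
Set-PnPGroupPermissions -Identity $groupName -AddRole $levelName

# Read the assignment back so the change can be confirmed and recorded.
Get-PnPGroupPermissions -Identity $groupName |
    Select-Object Name, Description | Format-Table -AutoSize
```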

Summary

Permission levels play a vital role in the governance of SharePoint portals. Follow the best practices to streamline the permission management.