SharePoint permissions and types: A complete guide
Understanding SharePoint permissions is essential for securing your data, enabling collaboration, and maintaining control over who can access what in your SharePoint environment. This guide explains how SharePoint permissions work, the different permission levels available, and how to manage and customize them effectively.
The permissions pane in classic SharePoint.
Understanding SharePoint permissions: Groups, levels, and inheritance
SharePoint permissions are built on three core components: SharePoint groups, permission levels, and permission inheritance. Together, these elements form the foundation of SharePoint’s access control model.
SharePoint groups are collections of users who share the same access needs. Instead of assigning permissions individually, administrators can add users to groups like Owners, Members, or Visitors. This simplifies permission management and reduces administrative overhead.
Permission levels define what actions users can perform. These levels are combinations of individual permissions such as viewing, editing, or deleting content. For example, a user with Read access can view content but cannot modify it, while a user with Edit permissions can add, modify, and delete content.
Permission inheritance determines how permissions are passed down from one level of SharePoint to another. By default, permissions are inherited from the parent site to subsites, lists, libraries, folders, and items. This ensures consistency and simplifies management. However, inheritance can be broken to assign unique permissions when needed.
Understanding how these components interact is key to implementing secure and efficient SharePoint Online permissions. For example, assigning users to groups with predefined permission levels while maintaining inheritance helps enforce the principle of least privilege.
SharePoint permission levels explained
1. Full Control
- Provides complete control over the site.
- Allows users to manage permissions, settings, and content.
- Typically assigned to site owners or administrators.
- Use case: IT admins or site owners responsible for governance.
2. Edit
- Allows users to add, edit, and delete lists and document libraries.
- Includes the ability to manage content structure.
- Does not allow permission management.
- Use case: Power users who manage content organization.
3. Contribute
- Enables users to add, edit, and delete items in existing lists and libraries.
- Cannot create or delete lists/libraries.
- More restricted than Edit.
- Use case: Team members collaborating on documents.
4. Read
- Allows users to view pages and list items.
- Cannot make any changes.
- Use case: Stakeholders or viewers who need visibility only.
5. Limited Access
- Automatically assigned when users need access to a specific item.
- Does not grant broad permissions.
- Ensures users can access required content without exposing the entire site.
- Use case: Users who are granted access to a specific document, folder, or list item without needing access to the entire site.
Additional SharePoint permission levels
SharePoint also includes several specialized permission levels used in specific scenarios:
- Design: Allows users to customize site appearance and edit content, but not manage permissions.
- Approve: Enables users to approve, edit, and delete items (useful in publishing workflows).
- Manage Hierarchy: Grants permission to create sites and manage permissions.
- Restricted Read: Allows viewing content but not historical versions.
- View Only: Lets users view content without downloading documents.
These levels are typically used in publishing sites, governance-heavy environments, or advanced workflows.
How to manage SharePoint permissions
Managing SharePoint permissions involves controlling access through groups, assigning appropriate permission levels, and regularly reviewing who has access to what.
Managing access through groups and permissions
Depending on your requirements, you may need to perform specific permission-related tasks:
- Create and manage SharePoint groups to organize users based on roles and responsibilities.
- Move or copy users between groups when team structures change or access needs to be replicated.
- Grant specific access levels, such as edit permissions, when users need more control over content.
- Manage permissions at the document library level when access needs to be controlled for specific content repositories.
- Copy permissions between users to save time and maintain consistency across similar roles.
Checking and monitoring permissions
Regular permission reviews help prevent over-permissioning and reduce security risks:
- Check user access levels to understand who has access to what and identify potential issues.
- Generate permission reports to get a complete overview of access across sites and objects.
- Audit permission changes and activities to track modifications and ensure compliance.
Breaking permission inheritance
In some cases, you may need to restrict access to specific content such as sensitive documents or folders, department-specific data, or confidential project files. This requires breaking permission inheritance and assigning unique permissions to control access more precisely.
Best practices for breaking permission inheritance:
- Limit the use of unique permissions to avoid complexity.
- Document changes for auditing purposes.
- Regularly review permissions for security risks.
Breaking inheritance provides flexibility but can lead to permission sprawl if not managed carefully.
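One way to run the review described above with the PnP.PowerShell module, as an added example that is not part of the original article: it reports every list or library that no longer inherits from the site, along with who holds which permission level there. The site URL and client ID are placeholders, and the 'Limited Access' filter assumes an English-language site.

```powershell
# Added example, not from the original article. Requires the PnP.PowerShell module.
# Placeholders (assumptions): site URL and the client ID of your own Entra ID app registration.
$SiteUrl  = 'https://contoso.sharepoint.com/sites/ExampleSite'
$ClientId = '00000000-0000-0000-0000-000000000000'
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$findings = foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments | Out-Null
    if (-not $list.HasUniqueRoleAssignments) { continue }   # still inherits from the site

    Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null
    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        # Limited Access is system-generated; skip it so the report shows real grants only.
        $levels = $ra.RoleDefinitionBindings |
            Where-Object { $_.Name -ne 'Limited Access' } |
            ForEach-Object { $_.Name }
        if (-not $levels) { continue }

        [pscustomobject]@{
            List          = $list.Title
            Principal     = $ra.Member.Title
            PrincipalType = $ra.Member.PrincipalType   # User, SharePointGroup, SecurityGroup
            Levels        = $levels -join ', '
            # Direct user grants bypass group-based access and are harder to review.
            DirectUser    = ($ra.Member.PrincipalType -eq 'User')
        }
    }
}

$findings | Sort-Object List, Principal | Format-Table -AutoSize
$findings | Export-Csv -Path .\unique-permissions.csv -NoTypeInformation
```

Rows with DirectUser set to True are the first candidates for moving into a group or restoring inheritance. The script covers lists and libraries only; folders and items with unique permissions need a separate pass.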
External access and Microsoft 365 Groups
Modern SharePoint environments are tightly integrated with Microsoft 365, enabling seamless collaboration both internally and externally.
External sharing allows users to share content with people outside the organization using secure sharing links. These links can be configured with different permission levels such as view-only or edit access. Administrators can control external sharing through:
- Organization-level policies.
- Site-level sharing settings.
- Expiration dates and access controls.
Microsoft 365 Groups play a key role in SharePoint permissions, especially in team sites. When a Microsoft 365 Group is created, it automatically maps:
- Owners to the SharePoint Owners group with Full Control.
- Members to the SharePoint Members group with Edit or Contribute related permissions.
Visitors are not added automatically through Microsoft 365 Group membership. If read-only access is needed, administrators can assign users separately to the SharePoint Visitors group.
Important: Always review external sharing activity to prevent unauthorized access to sensitive data.
Custom permission levels
For complex scenarios, SharePoint allows administrators to create custom permission levels and manage advanced configurations. Custom permission levels enable you to define specific combinations of permissions tailored to business needs. For example, you might create a permission level that allows users to edit items but not delete them.
Limited Access is a system-generated permission level that allows users to access a specific item without granting broader permissions. It is automatically assigned and should not be modified.
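The "edit but not delete" level mentioned above, created with PnP.PowerShell as an added example (not code from the original article). The level name and description are illustrative, and the script assumes an existing connection to the root site of the site collection.

```powershell
# Added example, not from the original article. Requires PnP.PowerShell and an
# existing Connect-PnPOnline session with rights to manage permission levels.
$levelName = 'Contribute without Delete'   # illustrative name (assumption)

# Create the level only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName })) {
    # Clone the built-in Contribute level and remove the delete permissions.
    Add-PnPRoleDefinition -RoleName $levelName `
        -Clone 'Contribute' `
        -Exclude DeleteListItems, DeleteVersions `
        -Description 'Add and edit items, no delete (custom level)'
}

# Verify the result instead of trusting the name: read back the permission mask.
$level = Get-PnPRoleDefinition -Identity $levelName
$kind  = [Microsoft.SharePoint.Client.PermissionKind]
[pscustomobject]@{
    Level            = $level.Name
    CanAddItems      = $level.BasePermissions.Has($kind::AddListItems)
    CanEditItems     = $level.BasePermissions.Has($kind::EditListItems)
    CanDeleteItems   = $level.BasePermissions.Has($kind::DeleteListItems)
    CanManagePerms   = $level.BasePermissions.Has($kind::ManagePermissions)
}
```

Cloning a built-in level leaves the original untouched, so the default levels stay available as a known baseline.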
How to simplify SharePoint permission management
Managing SharePoint permissions manually can become complex, especially in large environments with nested groups, unique permissions, and frequent changes. SharePoint Manager Plus simplifies permission governance with centralized visibility, bulk controls, and detailed reporting, all from a script-free, GUI console.
Bulk permission management
Grant, remove, or copy permissions across sites, document libraries, and users in a single operation. Import users via CSV to make large-scale updates quickly and eliminate repetitive manual tasks.
Detect and fix broken inheritance
Identify sites, libraries, or items with unique permissions and take corrective action to restore inheritance where appropriate, reducing permission sprawl and improving security.
Permission change auditing
Track every permission modification with detailed audit logs, including who made the change, what was modified, and when it occurred, helping with compliance and security investigations.
Scheduled permission reporting
Automate reports on permissions and access across your SharePoint environment. Export reports in formats like CSV, PDF, XLSX, or HTML for audits, reviews, and governance tracking.
Instant alerts for access changes
Stay informed of critical permission changes with instant notifications. Configure alerts based on specific events and severity levels so you’re only notified when it matters.
Non-invasive delegation
Delegate permission management, reporting, and auditing tasks to non-admin users and HR staff without affecting native privileges. Track user actions with detailed audit reports.
SharePoint permissions best practices
Best practices to manage SharePoint permissions focus on simplicity, security, and scalability:
Use group-based access and limit ownership
Assign permissions through SharePoint groups instead of individual users to simplify management. Keep the Site Owners group limited to two to four members to maintain control.
Follow the principle of least privilege
Grant users only the minimum level of access required, such as Read, Contribute, or Edit, to reduce the risk of accidental or unauthorized changes.
Maintain inheritance and avoid complexity
Avoid breaking permission inheritance unless absolutely necessary. For stricter access control, use separate sites instead of complex folder- or item-level permissions.
Control sharing and audit regularly
Restrict sharing capabilities to Site Owners and configure secure external sharing settings. Regularly review permissions to identify and remove unnecessary access.
Frequently asked questions
SharePoint permissions include Full Control, Edit, Contribute, Read, and Limited Access, each defining different levels of access and capabilities.
Permissions are managed by assigning users to groups, setting permission levels, and configuring access through the Site permissions panel. Permissions can also be managed through PowerShell and third-party tools for more control and automation.
You can grant access by adding users to SharePoint groups or assigning permissions directly.
You can check permissions by reviewing a user’s access through the Site permissions panel, using PowerShell, or third-party tools for deeper insights.
Personal or unique permissions are assigned when inheritance is broken, allowing specific access control at the item or folder level.


