SharePoint Online Permissions Management

Introduction

SharePoint services are provided within the Microsoft 365 subscription model. SharePoint Online relies on Azure Active Directory (AAD, now Microsoft Entra ID) for user accounts and groups, but access to SharePoint objects (sites, lists, libraries and items) is granted through SharePoint groups and permission levels, which are managed inside each site.

SharePoint Group Permissions

User accounts and SharePoint groups are granted permission levels. Each level is a named bundle of individual permissions, ranging from Full Control on the whole site down to Limited Access on a single item. The following tables list the permission levels and the permissions each one includes by default, by site type.

Team Site Permission Levels

Team sites are typically used for department, division, and committee sites in SharePoint. They are also the default site type when a new team is created within Microsoft Teams.

Each entry below gives the permission level, its description, and the permissions it includes by default.

View Only
  Description: Enables users to view application pages. The View Only permission level is used for the Excel Services Viewers group. It does not include Open Items, so users can view items in the browser but cannot download documents.
  Included by default: View Application Pages, View Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages, Browse User Information, Use Remote Interfaces, Use Client Integration Features, Open

Limited Access
  Description: Enables users to access shared resources and a specific asset. Limited Access is designed to be combined with fine-grained permissions to enable users to access a specific list, document library, folder, list item, or document, without enabling them to access the whole site. Limited Access cannot be edited or deleted, and it cannot be assigned directly: SharePoint grants it automatically at the site level whenever a user or group is given access to something inside the site. A long list of Limited Access entries on the site permissions page is therefore a sign of many item-level unique permissions.
  Included by default: View Application Pages, Browse User Information, Use Remote Interfaces, Use Client Integration Features, Open

Read
  Description: Enables users to view pages and list items, and to download documents.
  Included by default: Limited Access permissions, plus View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages

Contribute
  Description: Enables users to manage personal views, edit items and user information, delete versions in existing lists and document libraries, and add, remove, and update personal Web Parts.
  Included by default: Read permissions, plus Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts

Edit
  Description: Enables users to manage lists (create and delete lists, add or remove columns, and add or remove public views), in addition to editing their content.
  Included by default: Contribute permissions, plus Manage Lists

Design
  Description: Enables users to view, add, update, delete, approve, and customize items or pages in the website.
  Included by default: Edit permissions, plus Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets, Override List Behaviors, Approve Items

Full Control
  Description: Enables users to have full control of the website, including changing permissions; grant it only to site owners.
  Included by default: All permissions


Publishing Site Permission Levels

Publishing sites are typically used for portals such as G-NET and eSite. Publishing sites have all the Team site permission levels and provide the following additional permission levels.

Each entry below gives the permission level, its description, and the permissions it includes by default.

Restricted Read
  Description: View pages and documents. For publishing sites only.
  Included by default: View Items, Open Items, View Pages, Open

Approve
  Description: Edit and approve pages, list items, and documents. For publishing sites only.
  Included by default: Contribute permissions, plus Override List Behaviors, Approve Items

Manage Hierarchy
  Description: Create sites; edit pages, list items, and documents, and change site permissions. For publishing sites only.
  Included by default: Design permissions minus the Approve Items, Apply Themes and Borders, and Apply Style Sheets permissions, plus Manage Permissions, View Web Analytics Data, Create Subsites, Manage Alerts, Enumerate Permissions, Manage Web Site


SharePoint Security Groups

Each SharePoint site has three security groups defined by default: Owners (Full Control), Members (Edit) and Visitors (Read). Additional security groups can be created to meet specific needs for the site. Security groups are managed from the Site Permissions page, which is located at https://cityofgoodyearaz.sharepoint.com/<site url>/_layouts/15/user.aspx (ex. https://cityofgoodyearaz.sharepoint.com/g-net/_layouts/15/user.aspx). You can also navigate to this page by following the steps below. Full Control on the site (a site owner) or SharePoint administrator permissions are required to view and change security groups. The SSSP_Admin account can be used to sign into the browser in order to perform security maintenance. Because it is a shared privileged account, sign in with it only for the maintenance task, use a separate browser profile or private window so it is not mixed with your own session, and sign out when you are finished.

Viewing Site Security Groups

  1. Navigate to the SharePoint site you wish to view
  2. Click the Gear icon in the upper right of the toolbar to display the pop-up menu
    1. Click the Site Settings link from the menu, and then click Site permissions under Users and Permissions, OR
    2. Click the Site Permissions link from the menu, and then click Advanced Permissions Settings
  3. The list of SharePoint security groups for the site will be displayed along with the Permission Level granted to each group

Viewing Site Security Group Membership

  1. Follow the previous steps to view the site security groups for the site you wish to view
  2. Click on the group name you wish to view
  3. The group membership will be displayed
    1. Note that both AD groups and individual user accounts can be added to any SharePoint group

Adding Members to a Site Security Group

  1. If an AD group is already a member of the security group, simply add the user to that AD group; the user gains the SharePoint permissions automatically once the change has synced to Azure AD (Azure AD Connect syncs every 30 minutes by default) and the user has signed in again
    1. This is the preferred method for SharePoint permissions, because membership is then managed and reviewed in one place (AD) rather than in each site
  2. To add directly to the SharePoint group, click the New link, and then click the Add Users link
  3. In the popup window, type either the user’s first and last name OR email address, and then click their resolved name from the popup
  4. Click the SHOW OPTIONS link, and then uncheck the Send an email invitation box
  5. Click the Share button to add the user, or click the Cancel button to cancel adding the user
  6. The user may need to sign out of SharePoint and sign back in for the permissions to be updated

Adding an AD Group to a SharePoint Site Security Group

  1. Any AD security group (including a mail-enabled security group) can be added to a SharePoint group, provided it is synced from the on-premises Active Directory into Azure AD. Distribution groups cannot be used to grant SharePoint permissions; if the group you need is a distribution group, have a security group created instead
  2. To add the synced AD group, click the New link, and then click the Add Users link
  3. In the popup window, type the name of the AD group, and then click the resolved name from the popup
    1. If the group name does not resolve, verify that the AD group has been synced into Azure AD
  4. Click the SHOW OPTIONS link, and then uncheck the Send an email invitation box
  5. Click the Share button to add the AD group
  6. Members of the AD group may need to sign out of SharePoint and sign back in for the permissions to be updated
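The same operation can be scripted, which is useful when onboarding many sites or when you want the "is this group synced and security-enabled" check done for you before it is granted access. The script below is an added example, not a script from the original page or the City's own tooling. It uses the Microsoft Graph PowerShell SDK (Get-MgGroup) to resolve the group in Azure AD and PnP PowerShell (Add-PnPGroupMember, Get-PnPGroupMember) to add it to the SharePoint group. The site URL, group names and the app registration used by Connect-PnPOnline are placeholders you must replace.

```powershell
# Added example (not part of the original page): add a synced AD security group to a
# SharePoint site group, after confirming in Azure AD that it is usable for permissions.
# Assumptions (placeholders, not from the page): the site URL, the AD and SharePoint group
# names, and that Connect-PnPOnline has an app registration configured for -Interactive.
param(
    [string]$SiteUrl = "https://cityofgoodyearaz.sharepoint.com/sites/Finance",
    [string]$AdGroup = "SG-Finance-Users",   # on-premises AD security group (placeholder)
    [string]$SpGroup = "Finance Members"     # SharePoint group on the site (placeholder)
)

Import-Module Microsoft.Graph.Groups
Import-Module PnP.PowerShell

# 1. Resolve the group in Azure AD and check the properties SharePoint cares about.
Connect-MgGraph -Scopes "Group.Read.All" | Out-Null
$aad = Get-MgGroup -Filter "displayName eq '$AdGroup'" `
                   -Property Id, DisplayName, SecurityEnabled, MailEnabled, OnPremisesSyncEnabled
if (-not $aad) {
    throw "'$AdGroup' is not in Azure AD. Check that it sits in an OU included in the Azure AD Connect sync scope."
}
if ($aad.Count -gt 1) {
    throw "More than one Azure AD group is named '$AdGroup'; identify the right one by object ID."
}
if (-not $aad.SecurityEnabled) {
    # Distribution groups resolve in the people picker but cannot hold SharePoint permissions.
    throw "'$AdGroup' is a distribution group; SharePoint only grants permissions to security groups."
}
if (-not $aad.OnPremisesSyncEnabled) {
    Write-Warning "'$AdGroup' is cloud-only, not synced from on-premises AD; its membership is managed in Azure AD."
}

# 2. Add it to the SharePoint group. SharePoint identifies an Azure AD security group by a
#    claims-encoded login name built from the group's object ID.
Connect-PnPOnline -Url $SiteUrl -Interactive
$loginName = "c:0t.c|tenant|$($aad.Id)"
Add-PnPGroupMember -Group $SpGroup -LoginName $loginName

# 3. Verify by listing the SharePoint group's members (the AD group appears as one entry).
Get-PnPGroupMember -Group $SpGroup | Select-Object Title, LoginName, PrincipalType
```

To add an individual user directly instead (the second procedure above), replace the `-LoginName` argument with `-EmailAddress <user's email>`; prefer the AD group route for the reasons given above.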

Determining Existing Site User Permissions

  1. To determine if a user has access to a particular site, navigate to the site’s Advanced Permissions page
  2. In the toolbar, click Check Permissions
  3. Type the first and last name OR email address OR AD group name in the popup window, and then click the user or group resolved name from the popup
  4. Click the Check Now button
  5. The page will display all SharePoint groups through which the selected user or AD group has access to the site, and the permission levels granted through those group memberships
    1. Note that if the user is a member of an AD group, and the AD group has permissions through a SharePoint group, the user will be displayed as a member of the SharePoint group that contains the AD group; nested AD group membership is resolved for you
    2. Note that Check Permissions at the site level reports site-level permissions only. If any Lists or Document Libraries on the site have unique permissions, the user's access to those Lists or Libraries may be wider or narrower than what the site-level result shows. When checking for List or Library access, follow the steps in Determining Existing List/Library User Permissions in this document.

Assigning Unique Permissions to SharePoint Content

By default, SharePoint site permissions apply to the site and all lists, libraries and content on the site. If specific lists or libraries within the site need separate permissions, it is possible to define unique permissions for those elements. Unique permissions should not be defined for individual folders or documents: they are hard to audit, each one adds Limited Access entries at the site level, and a list or library supports at most 50,000 unique permission scopes. Instead, consider creating a separate Document Library on the site, and then applying the unique permissions on the new library. Once a List or Library stops inheriting, later changes to the site's permissions no longer flow down to it, so it must be reviewed separately whenever site permissions change. To create unique permissions, follow the steps below:

  1. Navigate to the List or Document Library that needs unique permissions
  2. Click the Gear icon in the upper right corner of the toolbar, and then click Library settings or List Settings from the popup menu
  3. In the List/Library Settings page, click either Permissions for this list OR Permissions for this document library
  4. Click the Stop Inheriting Permissions button on the toolbar
  5. Make any necessary changes to the group membership
    1. Note that when unique permissions are created, any permissions previously inherited from the parent site will remain in place on the library until they are manually modified

Deleting Unique Permissions on SharePoint Content

You can resume inheriting permissions from a List or Document Library’s parent site. Once you delete the unique permissions, any custom changes to that List or Library’s permissions will be overwritten by the parent site’s permissions.

  1. Navigate to the List or Document Library that has unique permissions
  2. Click the Gear icon in the upper right corner of the toolbar, and then click Library settings or List Settings from the popup menu
  3. In the List/Library Settings page, click either Permissions for this list OR Permissions for this document library
  4. Click the Delete Unique Permissions button on the toolbar
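The two procedures above (stop inheriting, then trim the copied assignments; or delete the unique permissions to inherit again) map directly onto PnP PowerShell's Set-PnPList and Set-PnPListPermission cmdlets. The script below is an added example, not a script from the original page, and it makes the same point as the note in step 5: breaking inheritance copies the parent's assignments, so nothing is actually restricted until you remove a group. The site URL, library title and group name are placeholders.

```powershell
# Added example (not the page's own script): give a document library unique permissions
# with PnP PowerShell, remove the site group that should not see it, and show how to
# return the library to inheriting from the site. Placeholders: site URL, library, group.
param(
    [string]$SiteUrl       = "https://cityofgoodyearaz.sharepoint.com/sites/Finance",
    [string]$Library       = "Payroll Files",      # library that needs its own permissions
    [string]$GroupToRemove = "Finance Visitors",   # site group that should NOT see it
    [string]$LevelToRemove = "Read",               # permission level that group holds on the site
    [switch]$ResetToInherit                        # run with this switch to undo everything
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

$list = Get-PnPList -Identity $Library -ThrowExceptionIfListNotFound
# HasUniqueRoleAssignments is not populated by default; load it explicitly.
Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments | Out-Null

if ($ResetToInherit) {
    # Equivalent of "Delete Unique Permissions": the library's own assignments are discarded
    # and the parent site's permissions apply again.
    Set-PnPList -Identity $Library -ResetRoleInheritance
    Write-Output "'$Library' now inherits permissions from $SiteUrl"
    return
}

if (-not $list.HasUniqueRoleAssignments) {
    # Equivalent of "Stop Inheriting Permissions". -CopyRoleAssignments keeps the current
    # site-level assignments on the library (as the UI does), so nothing changes yet.
    # -ClearSubscopes also removes any unique permissions set on folders/items inside it,
    # which keeps the library to a single, auditable permission scope.
    Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments -ClearSubscopes
}

# Now actually restrict: drop the copied assignment for the group that should not have access.
Set-PnPListPermission -Identity $Library -Group $GroupToRemove -RemoveRole $LevelToRemove

# Print the resulting assignments for review, one line per principal.
$list = Get-PnPList -Identity $Library
Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.Title
        Levels    = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
    }
}
```

Run it once without the switch to break inheritance and remove the group; run it with `-ResetToInherit` to undo, which discards every assignment made on the library, exactly as the Delete Unique Permissions button does.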

Determining Existing List/Library User Permissions

Because Lists and Document Libraries can be assigned separate permissions from the parent site, it’s best to check the existing permissions at the List or Library level rather than at the site level.

  1. Navigate to the List or Document Library where you want to check a user’s permissions
  2. Click the Gear icon in the upper right corner of the toolbar, and then click Library settings or List Settings from the popup menu
  3. In the List/Library Settings page, click either Permissions for this list OR Permissions for this document library
  4. Click the Check Permissions button on the toolbar
  5. Type the first and last name OR email address of the user OR the name of the AD group you want to check permissions for
  6. Click the resolved name of the user or AD group from the popup
  7. Click the Check Now button
  8. The current level of access for the user or AD group is displayed in the window
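Checking one user on one site and then on each library by hand does not scale, and it is easy to miss a library with unique permissions. The script below is an added example, not a script from the original page, that does what the two Check Permissions procedures (site level, and List/Library level) do, for every list or library with unique permissions at once. It calls the same server-side effective-permission check the UI uses (GetUserEffectivePermissions on the web and on each list), so membership through nested AD groups is resolved by SharePoint. The site URL and user email are placeholders.

```powershell
# Added example (not the page's own script): the PowerShell equivalent of Check Permissions,
# run for one user at the site level and on every list or library that has unique permissions.
# Placeholders: site URL and user email. Requires PnP.PowerShell.
param(
    [string]$SiteUrl   = "https://cityofgoodyearaz.sharepoint.com/sites/Finance",
    [string]$UserEmail = "jdoe@example.com"
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Claims-encoded login name for a member user in SharePoint Online.
$login = "i:0#.f|membership|$UserEmail"

# A representative subset of rights to report; PermissionKind holds the full set.
$kinds = [ordered]@{
    "View Items"         = [Microsoft.SharePoint.Client.PermissionKind]::ViewListItems
    "Open Items"         = [Microsoft.SharePoint.Client.PermissionKind]::OpenItems
    "Add Items"          = [Microsoft.SharePoint.Client.PermissionKind]::AddListItems
    "Edit Items"         = [Microsoft.SharePoint.Client.PermissionKind]::EditListItems
    "Delete Items"       = [Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems
    "Manage Lists"       = [Microsoft.SharePoint.Client.PermissionKind]::ManageLists
    "Manage Permissions" = [Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions
    "Manage Web Site"    = [Microsoft.SharePoint.Client.PermissionKind]::ManageWeb
}

function Get-EffectiveRights($securable, $scopeName) {
    # Ask the server for the user's effective permissions on this web or list.
    $result = $securable.GetUserEffectivePermissions($login)
    Invoke-PnPQuery
    $granted = foreach ($name in $kinds.Keys) {
        if ($result.Value.Has($kinds[$name])) { $name }
    }
    [pscustomobject]@{
        Scope  = $scopeName
        Rights = if ($granted) { $granted -join ", " } else { "(none)" }
    }
}

# Site level: what the site's Check Permissions button reports.
$web = Get-PnPWeb
Get-EffectiveRights $web "Site: $($web.Title)"

# Lists and libraries with unique permissions can differ from the site, so check each one.
foreach ($list in Get-PnPList) {
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, Hidden | Out-Null
    if ($list.HasUniqueRoleAssignments -and -not $list.Hidden) {
        Get-EffectiveRights $list "List: $($list.Title)"
    }
}
```

To check an AD group rather than a user, pass its claims login name (`c:0t.c|tenant|<Azure AD object ID>`) as `$login` instead of the user form; the server-side check behaves the same way the Check Permissions dialog does for a group.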