SharePoint Permissions

SharePoint permissions are a core component of securing access to your organization’s content. They determine who can access a SharePoint site or resource, what they can do there, and how much control they have. Misconfigured permissions can lead to data leakage, accidental edits or deletions, or internal confusion. Conversely, well-architected permissions simplify administration, enhance collaboration, and protect sensitive information.

Whether you’re new to managing SharePoint or already experienced, understanding the building blocks—permission levels, groups, inheritance, and custom settings—is essential. Together, they allow administrators to provide just the right access, balancing usability with security.


Core Permission Levels in SharePoint

Out of the box, SharePoint provides a number of permission levels. Each level is a set of individual rights that determine what users can do. These default levels cover typical roles, but they might not match every unique scenario.

| Permission Level | What It Allows | Appropriate Use Cases |
|---|---|---|
| Full Control / Full Access | All administrative rights: managing site settings, users/groups, creating subsites, full site configuration. | Use for owners, site administrators, or teams responsible for site structure and governance. |
| Design | Create, edit, customise lists, libraries, pages; manage their layout; adjust lists and libraries; but not full admin settings. | For power users or site designers who build out layouts and content without needing full administration. |
| Edit | Manage lists and list items; add, edit, delete content within lists and document libraries. | Typical for content contributors who need more than read-only access but not full design/admin control. |
| Contribute | Add, edit, and delete items/documents; collaborate on content but not manage structure. | Day-to-day users, collaborators, authors of documents and list items. |
| Read / View Only | View items, pages, download documents (Read); or view pages & items in the browser without downloading (View Only). | Auditors, stakeholders, users who only need to consume content without modifying. |
| Limited Access | Allows access to specific resources (folders, items) while denying broader site access. This level cannot be customized or removed. | Used internally when unique permissions are set for individual elements without exposing entire site content. |

SharePoint Groups: Managing People at Scale

Rather than assigning permissions individually, SharePoint encourages the use of groups. Groups simplify administration and make auditing easier.

  • Built‐in SharePoint groups: Every site typically has groups such as Owners, Members, Visitors (or similar names), each mapped to one of the default permission levels.
  • Active Directory (AD) / Azure AD security groups: You can use organizational groups, which often simplify administration for large organisations, aligning with departmental or role structures.
  • Custom groups: If none of the built‐in groups match exactly what your organisation needs, you can create groups tailored for specific combinations of people and permission levels.

Using the right groups means that you assign permissions once to the group, then add or remove members as needed. This is much better than granting permissions individually to many users, which becomes error‐prone over time.


How Permission Inheritance Works

SharePoint elements—including full sites, subsites, libraries, lists, folders, and even individual documents—inherit permissions from their parent object by default. For example, if your site gives Edit access to the “Members” group, a newly created subsite or library will, by default, treat that group just the same.

But there are times when inheritance needs to be broken:

  • Unique permissions: A library, folder, or document that must be accessed by only a subset of users cannot adhere to the parent’s permissions.
  • Fine‐grained control: Sometimes you need highly specific access for compliance, data separation, or workflows.

When you break inheritance, that object no longer automatically updates when its parent’s permissions change. Thus:

  • Changes at the parent no longer impact child objects with unique permissions.
  • You must manage the child’s permissions separately.
  • Be aware of what permission levels are already available (as defined at the web application or site collection level) to avoid conflicts.

Advanced Permission Settings & Customisation

Default SharePoint permission levels and groups are helpful, but often you’ll need more precision.

Custom Permission Levels

You can create a custom permission level by selecting exactly which rights (granular actions) are allowed. For example:

  • Allowing certain users to approve or reject documents but not delete versions.
  • Letting users manage views or modify pages without touching system settings.

Each custom level is built by combining atomic permission rights, like “Manage Lists,” “Approve Items,” “Edit Items,” etc.

Custom Groups Aligned with Roles

Map custom groups to your organisation’s real roles—e.g. “HR Document Editors,” “Legal Approvers,” “Finance Viewers.” Create groups whose names clearly describe their scope and responsibility. Assign appropriate permission levels—custom or default—to each group.


Specific Permission Rights in SharePoint

Beyond levels and groups, SharePoint permission rights are what make up a permission level. Understanding them helps in crafting custom levels and auditing.

Here are some of the more common rights you’d see when defining or customizing:

  • Manage Permissions: Create and change permission levels; assign permissions.
  • Create Subsites: Ability to set up new sites underneath a site.
  • Add & Customize Pages: Change the layout/design of pages.
  • Manage Web Site: Full management of site content and settings.
  • Use Remote Interfaces / Client Integration: Allows use of SharePoint via APIs, client tools, or other interfaces.
  • Manage Lists: Create or delete lists; alter columns and views.
  • Add / Edit / Delete Items: Core content operations.
  • Approve Items: Needed in publishing or content‐review workflows.
  • View Versions / Delete Versions: Whether users can see or clean up historic versions of documents.
  • Enumerate Permissions / Browse User Info: Useful for administrative oversight.

Best Practices for Permission Management

To maintain security, clarity, and ease of management, following best practices is essential.

  1. Keep it simple wherever possible.
    The more permission levels and unique permissions you have, the harder it is to audit and maintain.
  2. Use groups, not individuals.
    Assign rights to groups (SharePoint or AD), then manage membership. This scales better and reduces errors.
  3. Limit breaks in inheritance.
    Only break inheritance when absolutely necessary. Having too many uniquely permissioned elements makes auditing and management complex.
  4. Define roles & naming conventions up front.
    Names like “ProjectA_Editors” or “HR_Viewers” immediately tell you purpose. Define who should be in each role and document the intent.
  5. Least privilege principle.
    Give users the minimum permissions they need to do their job. Don’t give more “just in case.”
  6. Review permissions regularly.
    Especially after reorganisations, role changes, or when projects end, ensure that access is still appropriate.
  7. Document custom permission levels and exceptions.
    When you create custom levels or break inheritance, maintain clear documentation (who, what, why) so future administrators understand the setup.
  8. Test changes in a safe environment if possible.
    Especially for custom levels or major reorganisations, test in a sandbox or development site before applying in production.
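The inheritance behaviour and the audit checks behind practices 2, 3 and 5, as an added example (not from the original article, and a simplified Python model rather than the SharePoint API). The rights assigned to each level, the "Marketing Owners" group, the object names and the user alice@example.com are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Permission levels modelled as sets of rights named in this article (simplified).
LEVELS = {
    "Read": {"View Items"},
    "Contribute": {"View Items", "Add Items", "Edit Items", "Delete Items"},
    "Design & Approve": {"Edit Items", "Add & Customize Pages", "Approve Items"},
    "Full Control": {"View Items", "Manage Permissions", "Manage Web Site"},
}
ADMIN_RIGHTS = {"Manage Permissions", "Manage Web Site"}
# Assumed group names; anything else is treated as an individual user.
GROUPS = {"Marketing " + g for g in ("Owners", "Members", "Designers", "Leadership")}

@dataclass
class Securable:
    name: str
    parent: "Securable | None" = None
    assignments: "dict | None" = None  # None means: inherit from parent

    def effective(self):
        node = self
        while node.assignments is None:  # walk up to the nearest owner
            node = node.parent
        return node.assignments
    def break_inheritance(self):
        # Start from a copy of the parent's assignments, then diverge.
        self.assignments = dict(self.effective())

def audit(objects):
    findings = []
    for obj in objects:
        if obj.assignments is None:
            continue  # inherited: covered by the parent's own entry
        if obj.parent is not None:
            findings.append((obj.name, "unique permissions"))
        for principal, level in obj.assignments.items():
            if principal not in GROUPS:
                findings.append((obj.name, f"direct grant to {principal}"))
            if LEVELS[level] & ADMIN_RIGHTS and not principal.endswith("Owners"):
                findings.append((obj.name, f"{principal} holds admin rights"))
    return findings

def build_demo():  # constructed sample hierarchy
    site = Securable("Campaign site", assignments={
        "Marketing Owners": "Full Control", "Marketing Members": "Contribute"})
    assets = Securable("Design assets", parent=site)
    plans = Securable("Campaign plans", parent=site)
    assets.break_inheritance()
    assets.assignments.update({"Marketing Members": "Read",
        "Marketing Designers": "Design & Approve", "alice@example.com": "Full Control"})
    site.assignments["Marketing Leadership"] = "Read"  # parent changes after the break
    return site, assets, plans
```

Calling `audit(build_demo())` reports the uniquely permissioned library and the individual holding Full Control on it, while the later "Marketing Leadership" grant reaches only the library that still inherits.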

Putting It All Together: SharePoint Permissions in Action

Here’s an illustrative scenario to show how the pieces fit:

Scenario: A marketing department works on public campaigns, some content of which is visible to all staff, some only to leadership. Content needs to be reviewed before publishing. Meanwhile, there are design assets stored in a library that only designers should manage.

Implementation Plan:

  • Create groups: Marketing Members, Marketing Designers, Marketing Approvers, Marketing Leadership.
  • Define custom permission level “Design & Approve” combining rights for editing pages/design assets plus approval but not site administration.
  • Assign the default group Marketing Members the “Contribute” level on the general campaign site.
  • Break inheritance for a specific design asset library, so Marketing Designers get “Edit / Custom Design” rights, Members get Read.
  • Give Marketing Approvers permission to approve items in a review workflow.
  • Leadership group gets “Read / View Only” where appropriate, with additional rights elsewhere if needed.
  • Document everything—who is in each group, what each level allows, what exceptions exist.
  • Monthly or quarterly audit: check that groups have correct members, no stale permissions.

Conclusion

SharePoint permissions are powerful tools—capable of finely tuning who can see, edit, approve, or administer different pieces of your SharePoint environment. While the default permission levels and groups cover many use cases, custom levels and careful use of groups and inheritance give you flexibility without losing control.

By following best practices—keeping things simple, using groups rather than individuals, minimizing unique permissions, and auditing regularly—you’ll ensure your SharePoint solution remains secure, manageable, and efficient.
