SharePoint Permissions 101 (text)

description

Our SharePoint Permissions 101 presentation used for our internal SharePoint user group.

SharePoint Permissions 101

SharePoint is a good tool for sharing information with others, whether within a small project team or throughout the entire company. One of the most important things to understand, though, is how to make sure that the information you share is seen and accessed only by the right people.

In this guide, I’ll explain how SharePoint permissions work, the various permission levels you can assign, how to create and use SharePoint groups, and how to set permissions at various levels in a SharePoint site.

Contents

SharePoint Permissions 101
Permissions In SharePoint
Using SharePoint Groups For Permissions
Why Groups Instead Of Individual People?
Creating A New SharePoint Group
Adding People To A SharePoint Group
Inheriting And Breaking Permissions
How SharePoint Groups Work When You Break Inheritance
Finding What Permissions Someone Has On A Site
What Is “Limited Access”?
Using Email Distribution Groups As SharePoint Permission Groups
SharePoint Groups Vs. Active Directory Groups

Permissions in SharePoint

SharePoint has the ability to assign permissions at various levels in a site (like a team site). You can assign permissions at the site level (the highest level), and everything in the site will inherit those permissions. You can “break the inheritance” for a specific list or library in the site, and that list or library could have unique permissions assigned to it. You can also take the concept of breaking inheritance down to the folder, document, or list item level, and assign unique permissions to those. However, there are benefits and drawbacks that you need to be aware of in order to make wise decisions.

Using SharePoint Groups for Permissions

In SharePoint, you normally have three general SharePoint permission groups that are created by default when a new site is created:

Full Control – This is assigned to the owners of a site. It means you have complete control over the site, including the ability to change permissions and delete the site.

Contribute – This is assigned to people who need to add, change, or delete content in the site. They can’t change the design of the site or change permissions for anyone.

Reader – This is assigned to people who can read content, but they are not allowed to add, change, or delete anything. If you want to let everyone in the company see the content, you would add the group “NT AUTHORITY\Authorized Users”.

These three general SharePoint groups are set up automatically when a site is created. You can find those permissions by clicking on Site Actions > Site Permissions:

The permission list would look like this:

Why Groups Instead Of Individual People?

Technically, you can add SharePoint groups or specific individuals to your site permissions. However, if you add individuals to the permission list, then you have to manage each person individually instead of managing their access as part of a SharePoint group.

For example, let’s say that you have a particular department of 20 people who all need the ability to add and edit documents in a SharePoint library. You create a SharePoint group named Department X Members and assign Contribute level access to that group. You then add each person to that specific group. Each person now has Contribute access to that library.

A year later, a reorganization occurs and that department should now only have the ability to read documents, not add or edit them. You can update the Department X Members group to now have Read level access, and all twenty people now have the new level of access.

If you had entered each person individually into the SharePoint site permission list, you would then have to edit the permission level of each specific individual to change them from Contribute to Read access. That means you’d have 20 entries to update and keep track of, instead of just one. That would take significantly longer to accomplish, and it would be more difficult to make sure you had made all the changes correctly.

As you can see, placing people in SharePoint groups and assigning permissions to the group is a much more efficient way to make sure the right people have the right access.

Creating a New SharePoint Group

So you know you have the three default groups created in your site, but what if you want to add a new group to manage your permissions? On the Site Permissions page from the parent site, click on the Create Group icon in the Ribbon bar:

The following screen shows how to create your group:

Group Owner is an important field, and it often trips people up. In the “Who can edit the membership of the group” field, you can specify whether anyone in that group can update the member list, or whether only the owner can do that. It doesn’t matter if you have Full Control on the site. Unless you are the person in the Owner field (or in the SharePoint group that is specified as the owner), you will not be able to update the group.

Continuing on in the New Group screen:

Once you fill out all the fields and click OK, the new group is created with you listed as the only member:

In your site permission list, it appears as follows along with the permission level you assigned to the group:

Adding People to a SharePoint Group

In order to add someone to the Members group shown above, click on the group name:

To add new members, click on New > Add Users:

This brings up the Grant Permissions dialog box. To add people, click on the Address Book icon:

The Select People and Groups dialog box comes up. Type the last name of the person you want to add into the Find field and press Enter. Select the name of the person in the list that you want to add, click Add at the bottom of the screen, and then click on OK when you’re finished:

In this example, Carol has been added to the group. I can choose to send her an email that will tell her she has access to this site. When finished, I click on OK:

Carol is now part of the Members group:

Inheriting and Breaking Permissions

The concept of inherited and unique permissions is one of the more confusing aspects of setting SharePoint permissions properly. In this section, we’ll explain the concepts and the “gotchas” involved when you start considering whether to inherit permissions for a list or make the permissions unique by “breaking inheritance.”

When you set permissions at the site level, all the lists (including document libraries) inherit their permissions from the parent site. This means that any permission changes made at the parent site will automatically apply to the lists and sub-sites. In fact, in order to change permissions, you have to go to the main parent site to do so.

However, you can change a list, a folder, or even a document to have different permissions than the parent site. It’s called “breaking inheritance”.

To see the permissions for a document library, click on Library Tools > Library (or List Tools > List for a SharePoint list), and then click on the Permissions icon on the far left side:

To break inheritance, click on the Stop Inheriting Permissions button:

Verify that you indeed want to break inheritance:

The document library takes a copy of the parent permission list and then uses that as the base for the new permissions. Now any changes made to the parent site will not affect this library, and changes made to this library will not affect the parent. Individuals and/or groups can be added or removed at this point.

How SharePoint Groups Work When You Break Inheritance

THIS IS THE MOST MISUNDERSTOOD PART OF UNIQUE PERMISSIONS!

Breaking inheritance for a list or site means that the specific SharePoint groups or individuals added directly to the permission list update and affect only that list or site.

The names *within* a SharePoint group are not frozen, and changes to the SharePoint group membership *will* affect any site or list that uses that group.

The list shown above has unique permissions. The “Livelink To SharePoint Demo Members” group exists both at the parent site and in this list. If I add a name to that group at the parent site, it will be added anywhere that group name is referenced. If I delete a name from the group while in this list, it will be deleted anywhere that group is used. Therefore, *do not* add or delete names in a group thinking it will only affect that particular list. Also, do not *delete* a group in a list, thinking you are only removing it from the list. You are deleting it anywhere it is used. Instead, use the Remove User Permissions button to remove (not *delete*) the group from this list.

Permissions can also be set at the folder and document level:

By default, permissions for a folder or document will inherit from the permissions on the list where the folder or document resides. To break inheritance and give a folder or document unique permissions, follow the same steps as outlined above.

BEST PRACTICE – It is recommended to only apply unique permissions down to the folder level (if it needs to be done at all). Breaking inheritance at the document level means that any changes in permissions will need to be made to each specific document by someone who has Full Control access, and there is not a good way to tell what document(s) have what permissions without accessing each one individually. While it can technically be done, it’s a bad practice from a maintainability standpoint.

Finding What Permissions Someone Has On a Site

You can find out what permissions a person has by going to the Site Permissions page and clicking on the Check Permissions icon in the Ribbon bar:

A dialog box appears asking you to enter the name of the person to check. Enter the name and click Check Now:

The following screen then shows you all the permissions the person has for the site, and how they have that permission (either through an individual entry or through a group):

In the case of someone having multiple permission levels (like in the example above), the highest level of access is granted. So, in this case, I would have Full Control.
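The copy-on-break and shared-group behaviour from “How SharePoint Groups Work When You Break Inheritance”, together with the Check Permissions result described above, as a small Python model. This is an added illustration, not SharePoint code and not part of the original guide; the names Group, Scope, check_permissions and demo, and the users dave and erin, are hypothetical, and “highest level wins” follows the guide’s description.

```python
# Toy model of what this guide describes, not SharePoint's API; names are hypothetical.
RANK = {"Read": 1, "Contribute": 2, "Full Control": 3}

class Group:  # one member list, shared by every scope that uses the group
    def __init__(self, name, members=()):
        self.name, self.members = name, set(members)

class Scope:
    """A securable object (site, library, folder) with a permission list."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.own = None if parent else {}      # None = inheriting from parent

    def assignments(self):
        return self.parent.assignments() if self.own is None else self.own

    def grant(self, principal, level):
        if self.own is None:
            raise PermissionError(f"{self.name} inherits; edit the parent")
        self.own[principal] = level

    def break_inheritance(self):
        # Copy the parent's entries. Group objects are not copied, so the new
        # list still refers to the same groups and their live membership.
        self.own = dict(self.parent.assignments())

    def remove_permissions(self, principal):
        self.own.pop(principal, None)          # this scope only; group survives

def check_permissions(scope, user):
    """Return (level, granted_via) for the user's highest level on scope."""
    hits = []
    for principal, level in scope.assignments().items():
        if principal == user:
            hits.append((level, "direct"))
        elif isinstance(principal, Group) and user in principal.members:
            hits.append((level, principal.name))
    return max(hits, key=lambda h: RANK[h[0]], default=(None, None))

def demo():
    dept = Group("Department X Members", {"carol"})   # constructed sample data
    site = Scope("Team Site")
    site.grant(dept, "Contribute")
    site.grant("carol", "Full Control")
    library = Scope("Documents", parent=site)
    library.break_inheritance()
    library.grant(dept, "Read")          # unique to the library; site unchanged
    library.remove_permissions("carol")  # removes the entry here, not at the site
    dept.members.add("dave")             # membership change shows up everywhere
    site.grant("erin", "Read")           # parent change after the break
    return {who: (check_permissions(site, who), check_permissions(library, who))
            for who in ("carol", "dave", "erin")}

if __name__ == "__main__":
    print(demo())
```

In the output, dave gains access to both the site and the library from a single group edit, while erin, granted on the site after the break, has no entry on the library.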

What Is “Limited Access”?

In some cases, you will see people or groups listed with “Limited Access”:

Limited Access is a permission level that SharePoint adds automatically when unique permissions exist somewhere in a site. It is not something that you will add people to, and you shouldn’t delete it from your permission list when it exists. It allows someone to “pass through” parts of a site to get to the area that they do have access to.

For instance, let’s say that you are not listed as having access to a particular site. But within that site, there’s a Document Library that you have Read access to. In order for SharePoint to allow you to get through the main site and into the Document Library, it has to use the Limited Access level of permission.

When you see someone or some group with Limited Access, it does not mean they can see areas of the site that they shouldn’t be able to see. It’s only an internal mechanism for SharePoint to use unique permissions.

Using Email Distribution Groups as SharePoint Permission Groups

One way to make it easier to include people in particular sites is to use email distribution groups in your SharePoint permission groups. Generally speaking, email distribution lists are kept up to date for mailings to go out to a group. However, updating SharePoint groups may not be as visible. By using an email distribution list, you can update the group in one place, and have that take care of your SharePoint permissions also.

Email distribution groups are the groups you find in your Outlook address book that start with [DL]:

To add a distribution list to your permissions, you look up the group name just as you would a person in the Select People and Groups dialog box:

When you click OK, that group will appear in your permissions list:

SharePoint Groups vs. Active Directory Groups

Occasionally when you look at a site’s permissions, you may see something like this:

If you click on that entry expecting to see a list of names, you’ll see this instead:

These are known as Active Directory groups. They work like SharePoint permission groups, except that they are controlled and managed by the Security Access Management team. You will most likely find these on various Spark intranet sites.

To find out who is in the group, call to ask for a list of members.

There are pros and cons to using Active Directory groups vs. SharePoint permission groups. We are still discussing how we want to handle those in the future, so I can’t give you much more information at this time. The main thing to remember here is that if you see a group that looks like this, you will need to call to have them assist you in working with the group.