Understanding Role-Based Permissions in SharePoint Online
Implementation and Management
Introduction
SharePoint Online employs a role-based membership system to control access to resources such as sites, lists, folders, and items. In this system, users are assigned to roles that define their permissions, ensuring secure and organized collaboration. This approach allows administrators to manage access efficiently by grouping users and assigning predefined or custom permission levels. Proper implementation and management of these permissions are crucial for maintaining data security, compliance, and productivity in a SharePoint Online environment.
This document covers key concepts, default permission levels, steps for implementation, management strategies, and best practices.
Key Concepts
Users, Groups, and Principals
- Access in SharePoint Online is granted to users either directly, via individual role assignments, or indirectly, through membership in groups. A principal is the entity (user or group) that receives the role assignment. Users can include internal Windows users or external users authenticated through pluggable authentication.
SharePoint supports:
- Domain groups: Managed externally (e.g., in Active Directory).
- SharePoint groups: Scoped to the site collection level, such as the default Owners, Members, and Visitors groups.
- Microsoft 365 groups: Integrated with team sites; group owners become site owners and group members become site members.
Roles and Permission Levels
- A role definition is a named bundle of specific rights drawn from SharePoint's base permissions; a role assignment associates a user or group with a role definition on a securable object.
- Permission levels are essentially role definitions that bundle these rights (e.g., the “Contribute” level allows adding, editing, and deleting items).
- Roles can be customized, but dependencies between rights must be considered to avoid inconsistencies.
Securable Objects and Inheritance
- Permissions apply to securable objects like sites, lists, libraries, folders, and items.
- By default, objects inherit permissions from their parent (e.g., a list inherits from the site).
- Inheritance can be broken for unique permissions.
- When granting access to a child object, SharePoint automatically assigns “Limited Access” to parents to enable navigation.
- Anonymous access allows unauthenticated users limited actions, while “all authenticated users” provides access without enabling anonymity.
Default Permission Levels
SharePoint Online includes several default permission levels, which can be customized (except Full Control and Limited Access). Here are the key ones:
- Full Control: All permissions, including managing permissions and site settings. Assigned to Owners group.
- Design: Create lists/libraries, edit pages, apply themes, and manage views. Includes Contribute permissions.
- Edit: Add, edit, and delete lists; view, add, update, and delete list items/documents.
- Contribute: View, add, update, and delete list items/documents.
- Read: View pages, list items, and download documents.
- Limited Access: Enables navigation to specific items without broader access; automatically assigned.
- View Only: View items but not download (for libraries with major/minor versioning).
- These levels are assigned to default groups: Owners (Full Control), Members (Edit/Contribute), Visitors (Read).
Implementing Permissions
Creating Sites and Assigning Initial Permissions
- For team sites (connected to Microsoft 365 groups): Add users to the group via Microsoft 365 admin center or Teams. Owners manage membership.
- For communication sites: Use SharePoint groups. Go to Site Settings > Site Permissions > Add users/groups to Owners, Members, or Visitors.
- During site creation, choose unique permissions or inherit from parent.
Sharing Files, Folders, and Lists
- Use shareable links: “Anyone” (anonymous), “People in your organization,” or “Specific people.” Configure default link type per site.
- For external sharing, enable at organization and site levels. Invite external users by email.
- Break inheritance on a list/folder: Go to List Settings > Permissions > Stop Inheriting Permissions, then assign unique roles.
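The break-inheritance step above, scripted with PnP PowerShell as an added example (not part of the original guide). The site URL, the library name "Finance Reports", the group names and the user address are placeholders for your tenant.

```powershell
# Added example: stop a document library inheriting from its site and give it
# unique role assignments. All names and the URL below are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

$library = "Finance Reports"

# Stop inheriting from the parent site. -CopyRoleAssignments:$false starts from
# an empty set so nothing carries over from the site; -ClearSubscopes also resets
# any folders or items under the library that already had unique permissions.
Set-PnPList -Identity $library -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# Site owners keep Full Control so they can still manage the library.
Set-PnPListPermission -Identity $library -Group "Finance Owners" -AddRole "Full Control"

# The wider Members group drops to Read; one named user gets Contribute.
Set-PnPListPermission -Identity $library -Group "Finance Members" -AddRole "Read"
Set-PnPListPermission -Identity $library -User "alex@contoso.com" -AddRole "Contribute"

# Verify the result: print every principal that now holds a role on the library.
$list = Get-PnPList -Identity $library -Includes RoleAssignments
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    "{0,-40} {1}" -f $ra.Member.Title, (($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", ")
}
```

Expect "Limited Access" entries to appear on the parent site afterwards; they are system-assigned for navigation, as described under Securable Objects and Inheritance.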
Custom Permission Levels
- Navigate to Site Settings > Site Permissions > Advanced Permission Settings > Permission Levels > Add a Permission Level.
- Select specific permissions (e.g., include “Create Items” but leave “Delete Items” unchecked; permission levels are additive, so a right is either granted or absent, never denied). Assign the custom level to users/groups.
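The same custom level created with PnP PowerShell, as an added example that is not from the original guide. It clones the built-in Contribute level and removes the delete rights; the site URL, the level name and the group name are placeholders.

```powershell
# Added example: a "contribute but never delete" permission level, then assigned
# to the site's Members group in place of Edit. URL and names are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

$levelName = "Contribute (no delete)"

# Clone Contribute and strip the two delete rights. There is no deny in
# SharePoint permission levels: a base permission is either included or not.
Add-PnPRoleDefinition -RoleName $levelName `
    -Description "Add and edit items and documents, but never delete them" `
    -Clone "Contribute" `
    -Exclude DeleteListItems, DeleteVersions

# Check the result before assigning it: both should print False, AddListItems True.
$level = Get-PnPRoleDefinition -Identity $levelName
$level.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
$level.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]::DeleteVersions)
$level.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]::AddListItems)

# Replace Edit with the new level for the Members group at the site level.
# Lists that inherit from the site pick this up automatically.
Set-PnPWebPermission -Group "Finance Members" -AddRole $levelName -RemoveRole "Edit"
```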
Managing Permissions
Checking and Auditing Permissions
- Go to Site Settings > Site Permissions > Check Permissions. Enter a user/group to view effective permissions.
- Use Advanced Permission Settings to view and edit group memberships.
- For site-wide management, SharePoint Administrators access the admin center to manage sites and permissions.
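Check Permissions answers the question for one principal at a time. The following added example (not from the original guide) turns the audit around: it lists every list or library on a site that has broken inheritance and who holds which role there, flagging grants to broad principals. The site URL and output path are placeholders.

```powershell
# Added example: report unique permissions on one site for periodic review.
# Site URL and CSV path are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

# Principals that grant access far beyond a named team; worth a second look.
$broadPrincipals = @("Everyone", "Everyone except external users")

$report = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments, Hidden) {
    # Only lists that stopped inheriting can differ from the site's permissions.
    if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }

    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        # Limited Access is system-assigned for navigation; drop it so only real grants show.
        $roles = $ra.RoleDefinitionBindings | Where-Object Name -ne "Limited Access" | ForEach-Object Name
        if (-not $roles) { continue }

        [pscustomobject]@{
            List      = $list.Title
            Principal = $ra.Member.Title
            Type      = $ra.Member.PrincipalType
            Roles     = $roles -join ", "
            Broad     = $broadPrincipals -contains $ra.Member.Title
        }
    }
}

# Broad grants first on screen, and a CSV for the audit trail.
$report | Sort-Object Broad -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\unique-permissions-finance.csv" -NoTypeInformation
```

Run it per site, or wrap the body in a loop over Get-PnPTenantSite from a tenant-admin connection to cover all sites.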
Removing or Modifying Access
- Remove users from groups or role assignments via Site Permissions. Deleting a user from the site collection removes them from all scopes.
- Policy roles at the web application level can enforce deny rights, overriding site permissions.
Handling Special Cases
- Channel sites in Teams: Manage permissions exclusively in Teams; SharePoint view is read-only.
- Hub sites: Permissions follow the underlying site type; configure hub associations in the admin center.
- Limited Access cleanup: This is system-assigned; to remove, revoke the underlying unique permissions.
Best Practices
- Use groups over individual assignments for scalability. Prefer Microsoft 365 groups for team sites.
- Isolate sensitive data in sites with external sharing disabled.
- Minimize custom permissions to avoid complexity; stick to defaults where possible.
- Regularly audit permissions using tools like Check Permissions.
- For large audiences, add security groups to SharePoint groups, but avoid nesting due to performance issues.
- Enable versioning and use “Can Review” for Word documents where appropriate, noting it requires Full Control for certain features.
Conclusion
Role-based permissions in SharePoint Online provide a flexible framework for secure access management. By understanding core concepts, leveraging default levels, and following best practices for implementation and ongoing management, organizations can ensure efficient collaboration while protecting sensitive information. For advanced scenarios, consult the SharePoint admin center or Microsoft documentation for updates.