This document provides an overview of permissions in SharePoint, including:
- There are three default permission groups (Full Control, Contribute, Reader) that are automatically set up when a site is created.
- SharePoint groups allow assigning permissions to a group of users rather than individual users, making management easier over time.
- Permissions can be inherited from the parent site or made unique by "breaking inheritance" for specific lists, folders, or documents.
- Active Directory groups are similar to SharePoint groups but are managed centrally rather than within individual sites.
08448380779 Call Girls In Friends Colony Women Seeking Men
SharePoint permissions guide
1. Page 1
SharePoint Permissions 101
SharePoint is a good tool for sharing information with others, both within a small project team or
throughout the entire company. One of the most important things to understand is how to make
sure that the information you share is only seen and accessible by the right people, though.
In this guide, I’ll explain how SharePoint permissions work, the various permission levels you can
assign, how to create and use SharePoint groups, and how to set permission levels at various levels
in a SharePoint site.
Contents
SharePoint Permissions 101............................................................................................................................................... 1
Permissions In SharePoint................................................................................................................................................... 2
Using SharePoint Groups For Permissions................................................................................................................... 3
Why Groups Instead Of Individual People?.................................................................................................................. 5
Creating A New SharePoint Group ................................................................................................................................... 6
Adding People To A SharePoint Group........................................................................................................................... 9
Inheriting And Breaking Permissions...........................................................................................................................13
How SharePoint Groups Work When You Break Inheritance.............................................................................15
Finding What Permissions Someone Has On A Site................................................................................................16
What Is “Limited Access”?..................................................................................................................................................18
Using Email Distribution Groups As SharePoint Permission Groups..............................................................19
SharePoint Groups Vs. Active Directory Groups.......................................................................................................22
2. Page 2
Permissions in SharePoint
SharePoint has the ability to assign permissions at various levels in a site (like a team site). You can
assign permissions at the site level (the highest level), and everything in the site will inherit those
permissions. You can “break the inheritance” for a specific list or library in the site, and that list or
library could have unique permissions assigned to it. You can also take the concept of breaking
inheritance down to the folder, document, or list item level, and assign unique permissions to those.
However, there are benefits and drawbacks that you need to be aware of in order to make wise
decisions.
3. Page 3
Using SharePoint Groups for Permissions
In SharePoint, you normally have three general SharePoint permission groups that are created by
default when a new site is created:
Full Control – This is assigned to the owners of a site. It means you have complete control
over the site, including the ability to change permissions and delete the site.
Contribute – This is assigned to people who need to add, change, or delete content in the
site. They can’t change the design of the site or change permissions for anyone.
Reader – This is assigned to people who can read content, but they are not allowed to add,
change, or delete anything. If you want to let everyone in the company see the content, you
would add the group “NT AUTHORITYAuthorized Users”.
These three general SharePoint groups are set up automatically when a site is created. You can find
those permissions by clicking on Site Actions > Site Permissions:
5. Page 5
Why Groups Instead Of Individual People?
Technically, you can add SharePoint groups or specific individuals to your site permissions.
However, if you add individuals to the permission list, then you have to manage each person
individually instead of managing their access as part of a SharePoint group.
For example, let’s say that you have a particular department of 20 people who all need the ability to
add and edit documents in a SharePoint library. You create a SharePoint group named Department
X Members and assign Contribute level access to that group. You then add each person to that
specific group. Each person now has Contribute access to that library.
A year later, a reorganization occurs and that department should now only have the ability to read
documents, not add or edit them. You can update the Department X Members group to now have
Read level access, and all twenty people now have the new level of access.
If you had entered each person individually into the SharePoint site permission list, you would then
have to edit the permission level of each specific individual to change them from Contribute to Read
access. That means you’d have 20 entries to update and keep track of, instead of just one. That
would take significantly longer to accomplish, and it would be more difficult to make sure you had
made all the changes correctly.
As you can see, placing people in SharePoint groups and assigning permissions to the group is a
much more efficient way to make sure the right people have the right access.
6. Page 6
Creating a New SharePoint Group
So you know you have the three default groups created in your site, but what if you want to add a
new group to manage your permissions? On the Site Permissions page from the parent site, click on
the Create Group icon in the Ribbon bar:
The following screen shows how to create your group:
Group Owner is an important field, and it often trips people up. In the “Who can edit the
membership of the group” field, you can specify whether anyone in that group can update the
member list, or whether only the owner can do that. It doesn’t matter if you have Full Control on the
site. Unless you are the person in the Owner field (or in the SharePoint group that is specified as the
owner), you will not be able to update the group.
Continuing on in the New Group screen:
7. Page 7
Once you fill out all the fields and click OK, the new group is created with you listed as the only
member:
In your site permission list, it appears as follows along with the permission level you assigned to
the group:
9. Page 9
Adding People to a SharePoint Group
In order to add someone to the Members group shown above, click on the group name:
To add new members, click on New > Add Users:
This brings up the Grant Permissions dialog box. To add people, click on the Address Book icon:
10. Page
10
The Select People and Groups dialog box comes up. Type the last name of the person you want to
add into the Find field and press Enter. Select the name of the person in the list that you want to
add, click Add at the bottom of the screen, and then click on OK when you’re finished:
11. Page
11
In this example, Carol has been added to the group. I can choose to send her an email that will tell
her she has access to this site. When finished, I click on OK:
13. Page
13
Inheriting and Breaking Permissions
The concept of inherited and unique permissions is one of the more confusing aspects of setting
SharePoint permissions properly. In this section, we’ll explain the concepts and the “gotchas”
involved when you start considering whether to inherit permissions for a list or make the
permissions unique by “breaking inheritance.”
When you set permissions at the site level, all the lists (including document libraries) inherit their
permissions from the parent site. This means that any permission changes made at the parent site
will automatically apply to the lists and sub-sites. In fact, in order to change permissions, you have
to go to the main parent site to do so.
However, you can change a list, a folder, or even a document to have different permissions than the
parent site. It’s called “breaking inheritance”.
To see the permissions for a document library, click on Library Tools > Library (or List Tools > List
for a SharePoint list), and then click on the Permissions icon on the far left side:
To break inheritance, click on the Stop Inheriting Permissions button:
Verify that you indeed want to break inheritance:
14. Page
14
The document library takes a copy of the parent permission list and then uses that as the base for
the new permissions. Now any changes made to the parent site will not affect this library, and
changes made to this library will not affect the parent. Individuals and/or groups can be added or
removed at this point.
15. Page
15
How SharePoint Groups Work When You Break Inheritance
THIS IS THE BIGGEST MISUNDERSTOOD PART OF UNIQUE PERMISSIONS!
Breaking inheritance for a list or site means that the specific SharePoint groups or individuals
added directly to the permission list only update and affect that unique site.
The names *within* a SharePoint group are not frozen, and changes to the SharePoint group
membership *will* affect any site or list that uses that group.
The list shown above has unique permissions. The “Livelink To SharePoint Demo Members” group
exists both at the parent site and in this list. If I add a name to that group at the parent site, it will be
added anywhere that group name is referenced. If I delete a name from the group while in this list,
it will be deleted anywhere that group is used. Therefore, *do not* add or delete names in a group
thinking it will only affect that particular list. Also, do not *delete* a group in a list, thinking you are
only removing it from the list. You are deleting it anywhere it is used. Instead, use the Remove User
Permissions button to remove (not *delete*) the group from this list.
Permissions can also be set at the folder and document level:
By default, permissions for a folder or document will inherit from the permissions on the list where
the folder or document resides. To break inheritance and give a folder or document unique
permissions, follow the same steps as outlined above.
BEST PRACTICE – It is recommended to only apply unique permissions down to the folder level (if
it needs to be done at all). Breaking inheritance at the document level means that any changes in
permissions will need to be made to each specific document by someone who has Full Control
access, and there is not a good way to tell what document(s) have what permissions without
accessing each one individually. While it can technically be done, it’s a bad practice from a
maintainability standpoint.
16. Page
16
Finding What Permissions Someone Has On a Site
You can find out what permissions a person has by going to the Site Permissions page and clicking
on the Check Permissions icon in the Ribbon bar:
A dialog box appears asking you to enter the name of the person to check. Enter the name and click
Check Now:
The following screen then shows you all the permissions the person has for the site, and how they
have that permission (either through an individual entry or through a group):
17. Page
17
In the case of someone having multiple permission levels (like in the example above), the highest
level of access is granted. So, in this case, I would have Full Control.
18. Page
18
What Is “Limited Access”?
In some cases, you will see people or groups listed with “Limited Access”:
Limited Access is a permission level that SharePoint adds automatically when unique permissions
exist somewhere in a site. It is not something that you will add people to, and you shouldn’t delete it
from your permission list when it exists. It allows someone to “pass through” parts of a site to get to
the area that they do have access to.
For instance, let’s say that you are not listed as having access to a particular site. But within that
site, there’s a Document Library that you have Read access to. In order for SharePoint to allow you
to get through the main site and into the Document Library, it has to use the Limited Access level of
permission.
When you see someone or some group with Limited Access, it does not mean they can see areas of
the site that they shouldn’t be able to see. It’s only an internal mechanism for SharePoint to use
unique permissions.
19. Page
19
Using Email Distribution Groups as SharePoint Permission Groups
One feature you can take advantage of in terms of making it easier to have people get included in
particular sites is to use Email distribution groups in your SharePoint permission groups. Generally
speaking, email distribution lists are kept up to date for mailings to go out to a group. However,
updating SharePoint groups may not be as visible. By using an email distribution list, you can
update the group in one place, and have that take care of your SharePoint permissions also.
Email distribution groups are the groups you find in your Outlook address book that start with
[DL]:
To add a distribution list to your permissions, you look up the group name just as you would a
person in the Select People and Groups dialog box:
22. Page
22
SharePoint Groups vs. Active Directory Groups
Occasionally when you look at a site’s permissions, you may see something like this:
If you click on that entry expecting to see a list of names, you’ll see this instead:
These are known as Active Directory groups. They work like SharePoint permission groups, except
that they are controlled and managed by the Security Access Management team. You will most
likely find these on various Spark intranet sites.
To find out who is in the group, call to ask for a list of members.
There are pros and cons to using Active Directory groups vs. SharePoint permission groups. We are
still discussing how we want to handle those in the future, so I can’t give you much more
information at this time. The main thing to remember here is that if you see a group that looks like
this, you will need to call to have them assist you in working with the group.