Last Updated on June 4, 2025 by Satyendra
Microsoft’s SharePoint platform is designed for sharing and managing content across an enterprise, including documents, presentations, spreadsheets, images and notes. While SharePoint offers numerous advantages over traditional file systems for content management, it still requires permissions to be applied to control access to content. The types of permissions available can vary depending on the type of object being accessed, such as lists or sites. SharePoint administrators may face challenges similar to those encountered by file system administrators, including difficulties in understanding the level of access a user has to a specific resource. Below are some of the most notable SharePoint permissions best practices.
SharePoint Permissions Types
SharePoint permissions define the level of access and control for users within a site or group. There are five types of permissions:
- Team permissions: Automatically assigned based on group membership, allowing owners, members, and visitors to access the site.
- Communication site permissions: Allow owners, members, visitors, and custom SharePoint groups to be assigned, granting different permissions to individuals or groups.
- Hub site permissions: Control who can add more sites and are managed through the corresponding Microsoft 365 group or SharePoint group.
- Shareable links permissions: Allow sharing specific site data, with permissions that can be edited to allow access to everyone or specified users.
- Guest sharing permissions: Allow collaboration with external parties, with permissions that can be edited to control access to specific site data.
Different levels of SharePoint Permissions
In SharePoint Online, permission levels determine what actions a user or group can take within a site, list, library, or item. SharePoint Online ships with several built-in permission levels, such as Full Control, Edit, and Read, and you can also create custom permission levels if needed.
The default permission levels in SharePoint Online are:
| Permission Level | Description |
|---|---|
| Full Control | This permission level allows users to have full control over the site and its content. Users with this permission level can create, modify, and delete lists, libraries, pages, and site settings. In addition, they can manage user profiles and permissions. Team members responsible for site administration, which includes managing site structure, permissions, and overall data governance, should be given Full Control permissions. Typically, IT administrators have this permission level. |
| Design | This permission level gives users the ability to view and edit any content within the site, list, library, or item, as well as create and delete lists and libraries. Users with Design permissions can modify the site's appearance, apply unique styles, and edit the layout. They can also add, edit, and delete items within lists and libraries. They cannot, however, manage site, list, library, or item-level security settings. Design permissions should be given to team members who need to create and edit the site structure and design. Typically, web designers and site architects have this permission level. |
| Edit | This permission level allows users to add, edit, and delete any content within the site, list, library, or item. Users can contribute content and collaborate with others by modifying existing content. However, users with Edit permissions cannot manage site, list, library, or item-level security settings. Edit permissions should be given to team members who need to actively contribute and collaborate on the site's content. Project team members and content creators typically have this permission level. |
| Contribute | This permission level allows users to add, update, delete, and view list items and documents. Users can upload documents, participate in discussions, and manage document versions. However, they cannot change the structure of the site. Contribute permissions should be given to users who need to contribute content and collaborate but who do not need administrative access. |
| Read | This permission level allows users to view pages and items in lists and libraries, but they cannot add, update, or delete items. Users with Read permissions cannot manage site, list, library, or item-level security settings. Read permissions should be given to users who need access to site content for informational purposes only. Users can download documents and view content but cannot modify anything. |
| Restricted Read | Users may view current versions of pages and documents. However, historical versions are unavailable. This permission level should be given to users who need access to current content but not to older versions or sensitive information. Typically, external stakeholders and junior team members have this permission level. |
| View Only | This permission level allows users to view pages, documents, and items within the site, but they cannot add, update, delete, or edit items. Unlike Restricted Read, this level allows the viewing of older versions. Users with View Only permissions cannot manage site, list, library, or item-level security settings. They can create alerts, view items, and view pages, but they cannot download documents to client applications. View Only permissions should be given to users who require read-only access and do not need to contribute. |
| Approve | Approve permissions allow users to review and approve pages, list items, or documents submitted by others. Users can also edit or delete items. Approve permissions should be given to users involved in the content approval process. This is typically managers, quality control personnel, and external stakeholders. |
| Manage Hierarchy | This permission level gives users the ability to create and edit sites, pages, and components. Users can also manage permission levels and inheritance. This permission level should be assigned to users responsible for managing the site structure or navigation. Typically, site administrators and webmasters have this permission level. |
What does Limited Access Mean in SharePoint Permissions?
There is also a “Limited Access” permission available. This is a special type of security role that allows a user to only access specific content within a site and follows the Principle of Least Privilege (POLP). Access to the rest of the site is restricted.
For example, when access is given to a specific list but not the site, the users will get read access to the list and limited access to the site.
Limited Access permissions should be given to users who require access to specific content. Typically, external collaborators and junior team members have this permission level.
How to Create a Custom Permission Level in SharePoint Online?
As well as the built-in SharePoint permission levels, you can create custom permission levels by combining individual permissions drawn from the built-in levels, adapting permissions management to the specific needs of your organization.
When to create custom permissions
Administrators can create SharePoint permission levels to define what a user can do within the boundaries created for them.
For example, an account executive may need to view, edit, and delete customer records but should not be able to tamper with any site settings. You can create a custom permission level around this role and name it "Account Executive – Customer Records Management".
Best practices to create custom permission levels
The following practices help avoid confusion for end users:
- Thoroughly analyze user roles and responsibilities based on job descriptions to understand what a user does and doesn’t require.
- Consult with stakeholders to understand what they require access to and why.
- Document the purpose and scope of each SharePoint permission level.
- Conduct periodic reviews to ensure permissions are consistent with organizational requirements and security policies and adapt these if necessary.
To create a custom permission level, do the following:
- Navigate to the site settings page where you want to create the permission level
- Click on Settings, Site Permissions, Advanced permissions settings
- On the Permissions page, click on the Permission levels link in the ribbon
- From the Permission Levels option, click the Add a Permission Level button
- Enter a Name and Description for the new permission level
- Select the specific permissions that you want to include in the permission level. You can choose from a list of predefined permissions, for example, Full Control, Edit, or Read. Select any personal permissions that apply.
- Click the Create button to create the new permission level.
Once you have created the custom permission level, you can then assign it to users or security groups as needed.
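The same custom level can be created and scoped from PnP PowerShell, which also lets you verify the resulting rights before assigning it. This is an added example, not code from the original post; the site URL, list name and group name are placeholders, and it assumes the PnP.PowerShell module is installed.

```powershell
# Added example: build the "Account Executive" level from the text in PnP PowerShell.
# Assumptions: PnP.PowerShell installed; site URL, list and group names are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Sales" -Interactive

$roleName = "Account Executive - Customer Records Management"

# Start from the built-in Contribute level (view/add/edit/delete items) and
# explicitly exclude anything that touches site structure or permissions.
# Contribute lacks these already; listing them records the intent and still
# holds if someone later changes the clone source to Edit or Design.
if (-not (Get-PnPRoleDefinition | Where-Object { $_.Name -eq $roleName })) {
    Add-PnPRoleDefinition -RoleName $roleName `
        -Description "Create, edit and delete customer records only; no site, list or permission management" `
        -Clone "Contribute" `
        -Exclude ManageLists, ManagePermissions, ManageWeb, AddAndCustomizePages, ApplyThemeAndBorder
}

# Verify the effective rights of the new level before handing it out.
$role     = Get-PnPRoleDefinition -Identity $roleName
$mustHave = "ViewListItems", "AddListItems", "EditListItems", "DeleteListItems"
$mustLack = "ManageLists", "ManagePermissions", "ManageWeb"
foreach ($p in $mustHave) {
    if (-not $role.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]$p)) {
        throw "Custom level '$roleName' is missing $p"
    }
}
foreach ($p in $mustLack) {
    if ($role.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]$p)) {
        throw "Custom level '$roleName' unexpectedly grants $p"
    }
}

# Scope the level to the one list it was designed for: break inheritance on the
# list without copying the site's role assignments (SharePoint then grants only
# the signed-in account Full Control there), clear any unique permissions on
# folders and items beneath it, and grant the group the new level on that list.
Set-PnPList -Identity "Customer Records" -BreakRoleInheritance -ClearSubscopes
Set-PnPListPermission -Identity "Customer Records" -Group "Account Executives" -AddRole $roleName
```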
What is Permission Inheritance in SharePoint Online?
Permission inheritance in SharePoint Online refers to the way in which permissions are passed down from a parent site or item to its child sites or items. When inheritance is enabled, a child site or item will inherit the permissions of its parent, unless separate permissions are specifically set for the child. By default, all sites and lists in SharePoint Online inherit the permissions of their parent site.
For example, in the case where a SharePoint site has a folder containing several documents, if permissions are set at the site level, those permissions will be inherited by the folder and all the documents within it.
However, if you break inheritance on the folder and set unique permissions for it, the folder and its documents will no longer inherit the permissions from the parent site. Instead, they will have their own independent set of permissions.
Permission inheritance can be useful for reducing the amount of work required to manage permissions on a large site which has many subsites and items.
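Because every broken inheritance point is a separate place where access must be reviewed, it helps to inventory them. The following added example (not from the original post) lists every list, folder and item in a site with unique permissions and who holds which level there; it assumes PnP.PowerShell is installed and uses a placeholder site URL and output path.

```powershell
# Added example: report every securable in a site whose permission inheritance
# is broken, with the principals and permission levels assigned there.
# Assumptions: PnP.PowerShell installed; site URL and output path are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive

function Get-UniqueAssignments($securable, $scope) {
    # Load the role assignments of a list or item and flatten them into rows.
    $assignments = Get-PnPProperty -ClientObject $securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Scope     = $scope
            Principal = $ra.Member.Title
            Type      = $ra.Member.PrincipalType
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join "; "
        }
    }
}

$rows = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments) {
    if ($list.Hidden) { continue }   # skip hidden system lists and galleries
    if ($list.HasUniqueRoleAssignments) {
        Get-UniqueAssignments $list "List: $($list.Title)"
    }
    # Folders and documents with their own permissions are the ones most often
    # missed during reviews; page through every item to catch them.
    foreach ($item in Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef") {
        if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
            Get-UniqueAssignments $item "Item: $($item['FileRef'])"
        }
    }
}

# Full detail to CSV for the review; a per-scope count on screen as a summary.
$rows | Sort-Object Scope | Export-Csv -Path ".\unique-permissions.csv" -NoTypeInformation
$rows | Group-Object Scope | Select-Object Count, Name | Format-Table -AutoSize
```

Lines where a single user (rather than a group) holds a level, or where Full Control appears on an item, are the first candidates to restore to inherited permissions.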
How to Manage Permissions in SharePoint Online?
Permissions can be set and managed in the following ways in SharePoint Online:
SharePoint Groups: SharePoint groups are a collection of users who are granted the same set of permissions. Different groups can be created for different purposes, such as a group for site administrators or a group for project team members. You can add and remove users from groups as needed, and any changes to the group permissions will apply to all group members.
Individual Permissions: Permissions can also be set for individual users or groups on a specific list, library, or item. Individual permissions override any group or permission level permissions that have been set.
Managing permissions in SharePoint Online is done through the user interface (UI). The UI allows you to easily add or remove users from your site/document library, assign roles and tasks, and create groups to easily manage multiple users.
To add users to a group:
- On the SharePoint site, click share/members
- Click on Add Members
- Enter the names or e-mail addresses of the users you want to add, and they will appear in the dialog box
- You can also set SharePoint permissions levels at this stage
- Once all the users are added, click on Share, and an invite will be sent
To remove users from a group:
- Go to the SharePoint site and click Settings
- Click Site settings/Site Information
- Click View all site settings/Site settings
- On the Site Settings page, go to Users and Permissions, People and Groups
- Go to People and Groups, Quick Launch and select the user you want to remove
- Click Actions, Remove Users from Group
- A confirmation dialog box will pop up. Click Ok to proceed and remove the user
Grant site access to a group:
- Go to the SharePoint site and click Settings
- Go to Site Permissions
- Click Advanced Site Permissions once the site permissions page opens
- On the Advanced Site Permissions page, click on the Permissions tab
- Click Grant Permissions
- Click on Share and enter the name of the group you'd like to give access to
- After you click on Share, a prompt will appear asking you the level of permissions you want to give to the group. By default, the group will be able to edit. However, you can change permission levels by clicking on Show Options, Select a Permission Level/Select a group or permission level.
- Once you have finished setting permissions for the group, click Share to proceed
Assign a new permission level to a group:
- Go to the SharePoint site and click Settings, Site Settings/Site Information
- From the Site Settings page, click on Users and Permissions, Site Permissions
- Hover over the user/group to which you’d like to assign a new permission level. Tick the check box to select it
- Go to the Permissions tab and click on Edit User Permissions
- A screen will be displayed where you can grant custom permissions to the group. If you check multiple boxes, the user will get a combination of all those SharePoint permission levels.
If you’d like to see how Lepide Auditor for SharePoint can help you keep SharePoint data secure, schedule a demo with one of our engineers or download the free trial.