Within this blog post, we will explore SharePoint Groups and how they should be used by Site Owners and Site Collection Administrators.
Carefully planned SharePoint groups are an effective method of organizing users within your SharePoint sites and site collections, and make it less daunting when trying to manage individual users who need to be granted permissions to objects within the sites that you manage.
You have the option to create up to 3 new SharePoint Groups when a new site is created with unique permissions. The default SharePoint Group names are ‘Visitors’, ‘Members’ and ‘Owners’. The site name would also be prefixed to the start of the group name by default, for example: I’ve created a site called ‘Carl’ and the default Group names are ‘Carl Visitors’, ‘Carl Members’ and ‘Carl Owners’ which is shown in the below graphic. It is also possible to add new SharePoint groups to a site at any given time.
SharePoint information workers will be able to add users or domain security groups to these groups, which allows permissions to be managed a lot easier than assigning direct permissions to users within a site. Managing permissions on users directly is a cumbersome task especially if one of those users leave the organization. Removing the users direct permissions on thousands of objects would be a painful task. Taking a user out of a group is a lot simpler and can remove many permissions in one operation.
When a new site is created you have the option to inherit permissions from the parent site or use unique permissions. If you selected to ‘use same permissions as parent site’ any sites under ‘Carl’, would also use the SharePoint Groups ‘Carl Visitors’, ‘Carl Members’ and ‘Carl Owners’ – meaning any changes made to these groups would affect all the sites that are inheriting permissions from the site ‘Carl’ or have selected ‘Use an existing group’. It’s important to make note that you can only use a group within the same site collection!
What happens when permission inheritance is broken?
When you break permission inheritance at a site, list, folder or item level, which had formerly inherited permission, the role assignments are kept including the SharePoint groups. The parent group will still be assigned permissions to the child object where permission inheritance is broken. This means users that are assigned permission at the parent level are inadvertently assigned permissions to the child site too. This is something that can either work in your favour or against, but the understanding of what happens with SharePoint groups when permission inheritance is broken is very important. You should remove these groups in the child site after breaking permission if you are wanting to avoid granting permissions child objects inadvertently.
When you explore a SharePoint Groups properties, you will be able to view what permission level is assigned to the group within the current site. Keep in mind that it may have different permissions to other objects.
The default SharePoint permissions that are set in each group are different, so it’s important to understand what permission level you are giving your users when you assign them to a default SharePoint Group.
Visitors are assigned the permission level ‘Read’, Members are assigned the permission level ‘Contribute’ or ‘Edit’ depending on which site template. and Owners are assigned the permission level ‘Full Control’. The SharePoint permission level ‘Edit’ is the default permission level assigned to the members group within a SharePoint Online, 2013 and 2016 Team Site. However, in SharePoint 2010 and past versions, the default permission level was ‘Contribute’ for the members group. Only SharePoint Online, 2013 and 2016 has the default permission level ‘Edit’ for the members group. However in SharePoint Online, 2013 and 2016 the description for the members group suggests that users in the group will gets ‘Contribute’, when actually they would be granting the user the permission level ‘Edit’ which can be seen below.
You can, however, create your own groups, rather than using the Owners, Members and Visitors. For example, you may want to group all of your project x members in a group called ‘project x’. The great thing about creating your own groups is that the project workers can be responsible for group membership rather than putting that emphasis on the IT administrators. The project team members are likely to have a better understanding as to who who be a member within their own group.
You should pay attention to the group options which include settings on who can change group membership and who is the owner of the group. By default in SharePoint, only the Group Owners are able to change the membership of a group. If an individual user had been a Group Owner and then had to leave the organization, no one would be able to change the membership of that group that the individual user was the owner of. You can’t list multiple users as the Group Owner and you are unable to add a domain group as the Group Owner. For these reasons, it’s a good practice to designate the root site Owners group as the owner of new groups.
Once your group has been created, you will be able to assign the group permissions to the current site. However, the newly created group can also be assigned permissions to other objects within the site, and also to other sites within the site collection. For example, Project X might have Contribute Permissions to Site A, but Edit Permissions to Site B.
DeliverPoint Permissions Reporting tool
Lightning Tools offer a powerful SharePoint Permissions Reporting, Management and Auditing tool called DeliverPoint, which can help a monumental amount with understanding SharePoint Groups and who is in these groups. DeliverPoint not only helps save a lot of time managing your permissions but gives you the confidence that your users are assigned the correct permissions and that your permissions are structured correctly.
Download our powerful permissions management tool ‘DeliverPoint’ and see for yourself how much easier it is to manage permissions in your SharePoint environment with a free 14-day Trial.