Understanding SharePoint Permission Inheritance

Understanding SharePoint permission inheritance is extremely important. So, what is permission inheritance? Permission inheritance means that the permission settings on a Site, List, Folder or List Item in a Site Collection are inherited by the levels below it (see image 1 below). The Top-Level Site is the ‘Parent’ site and the sites below it are known as ‘Child’ Sites. It works in a similar way for ‘Lists’, except that a list inherits its permissions from the Site that contains it.

How does it affect my SharePoint Security?

Permission inheritance allows you to make a permission assignment once and have the lower-level sites, lists/libraries, folders and items inherit the same permissions. It’s enabled by default to reduce complexity and the amount of time content owners and administrators would otherwise spend managing security. For example, if you were to add a user to the Members group, that user’s permissions would automatically pass down through all the child sites, lists, folders, list items etc.

The ‘Share’ button within a site can be used to grant permissions without breaking permission inheritance for that site. The reason is that, at site level, a user invited to access the site via the Share button is simply made a member of the Members group. This brings another issue: that group is usually (unless modified) granted Edit permissions, which means the invited user could delete entire lists. In this scenario, you should create a new SharePoint Group, assign it perhaps ‘Contribute’ permissions, and then make that new SharePoint Group the Default Group for the site. Now, when users are invited to access the site via ‘Share’, they will be granted Contribute rights. This behaviour is not the same for items or folders. When you click Share on an item or folder, permission inheritance is broken and the invited user is granted Contribute permissions on the folder or item as a direct permission. This too has consequences, since we want to avoid too many broken permissions and also avoid granting permissions to users directly. Too many broken permissions can affect performance, and direct permissions make it difficult to clean up should a user leave the organization, because there are simply too many places to remove the user from.
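The change recommended above (a new group with Contribute, made the site’s default group) can be scripted. The following is an added example, not code from the original post or from Lightning Tools; it assumes SharePoint Server on-premises, the SharePoint Management Shell, an account with Full Control on the site, and placeholder values for the site URL and group name.

```powershell
# Added example, not code from the original post or from Lightning Tools.
# Creates a SharePoint group holding the 'Contribute' permission level and makes it
# the site's default members group, so users invited through 'Share' receive
# Contribute rather than Edit. Assumes SharePoint Server on-premises, run in the
# SharePoint Management Shell by an account with Full Control on the site.
# $webUrl and $groupName are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "http://intranet.contoso.local/sites/team"   # placeholder site URL
$groupName = "Team Site Contributors"                      # placeholder group name

$web = Get-SPWeb $webUrl
try {
    # Role assignments can only be added where permissions are unique. If this site
    # inherits, the assignment belongs on the first ancestor that has its own
    # permissions; do not break inheritance just to add a group.
    if (-not $web.HasUniqueRoleAssignments) {
        $target = $web.FirstUniqueAncestorWeb
        throw "'$($web.Url)' inherits permissions from '$($target.Url)'; create the group there instead."
    }

    # Reuse the group if an earlier run already created it.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($null -eq $group) {
        # Arguments: name, group owner (the site's owners group), default user, description.
        $web.SiteGroups.Add($groupName, $web.AssociatedOwnerGroup, $web.CurrentUser,
                            "Users invited via Share get Contribute, not Edit")
        $group = $web.SiteGroups[$groupName]
    }

    # Bind the built-in 'Contribute' permission level to the group on this site.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
    $web.RoleAssignments.Add($assignment)

    # Make it the associated (default) members group. People already in the old
    # Members group keep their Edit rights; only future 'Share' invitations change.
    $web.AssociatedMemberGroup = $group
    $web.Update()

    # Verify: show which group 'Share' will now add invited users to, and its levels.
    $levels = ($web.RoleAssignments.GetAssignmentByPrincipal($group).RoleDefinitionBindings |
               ForEach-Object { $_.Name }) -join ", "
    "Default members group for $($web.Url) is now '$($web.AssociatedMemberGroup.Name)' with: $levels"
}
finally {
    $web.Dispose()
}
```

The script deliberately refuses to run on a site that inherits permissions: breaking inheritance just to change the default group would create exactly the kind of extra unique scope the post warns against, so the group is created on the parent that already has unique permissions instead.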


Share Button within a SharePoint 2013 Team Site.

- Top-Level Site: Has unique permissions and is the top site of this site collection
    - Subsite 2: Inherits permissions from the ‘Top-Level Site’
        - Subsite 5: Has broken permission inheritance from ‘Subsite 2’
            - Lists, Folders and List Items all inherit permissions from ‘Subsite 5’
    - Subsite 1: Has broken permission inheritance from the ‘Top-Level Site’
        - Subsite 3 & 4: Both inherit permissions from their parent site ‘Subsite 1’


Understanding SharePoint Permission Inheritance Diagram

How do I manage my SharePoint permissions?

SharePoint does have built-in permissions reporting; however, it doesn’t always truly reflect every user’s permissions, because the reports are unable to enumerate the members of an Active Directory group, so you don’t see each user that is granted permissions. The out-of-the-box SharePoint permissions reports will only display permissions that are given ‘via’ a SharePoint Group, direct permissions (i.e. an individual user), and the permissions granted to an AD group, but not each user within the AD group. The Check Permissions button on the SharePoint Permissions page will show you that a specified user has permissions if they are a member of a domain group; however, it doesn’t tell you which domain group. For example, if a user was a member of several domain groups that were added to the Members group within a site, Check Permissions would state that the user in question is granted Edit permissions through the Members group, but not which domain group they were a member of.
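The two gaps discussed above, the “too many broken permissions and direct permissions” concern from the Share section and the out-of-the-box reports’ inability to expand AD groups, can both be checked from the SharePoint Management Shell. The following is an added example, not code from the original post or from Lightning Tools; it assumes SharePoint Server on-premises, a placeholder site collection URL, and (for the optional AD expansion helper) the ActiveDirectory PowerShell module and Windows-claims login names of the form `c:0+.w|<SID>`.

```powershell
# Added example, not code from the original post or from Lightning Tools.
# Walks a site collection and reports every site, list, folder and item with broken
# permission inheritance, and classifies each role assignment on those objects as a
# SharePoint group, an AD group (whose members SharePoint will not enumerate) or a
# direct user assignment. Assumes SharePoint Server on-premises and the SharePoint
# Management Shell; $siteUrl is a placeholder. Scanning every item of every list is
# expensive on large sites, so run it against one site collection at a time.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local/sites/team"   # placeholder site collection URL

function Get-AssignmentRows {
    # One row per role assignment on a securable object (site, list, folder or item).
    param($obj, [string]$Kind, [string]$Location)
    foreach ($ra in $obj.RoleAssignments) {
        $member = $ra.Member
        $type = if ($member -is [Microsoft.SharePoint.SPGroup]) { "SharePointGroup" }
                elseif ($member.IsDomainGroup)                   { "ADGroup" }
                else                                             { "DirectUser" }
        [pscustomobject]@{
            Kind      = $Kind
            Location  = $Location
            Principal = $member.Name
            LoginName = $member.LoginName
            Type      = $type
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        }
    }
}

function Get-UniqueScopeRows {
    # Recurse through a site and its subsites, emitting rows only where
    # HasUniqueRoleAssignments is true (i.e. inheritance has been broken).
    param([Microsoft.SharePoint.SPWeb]$Web)
    if ($Web.HasUniqueRoleAssignments) {
        Get-AssignmentRows $Web "Site" $Web.Url
    }
    foreach ($list in $Web.Lists) {
        if ($list.Hidden) { continue }
        if ($list.HasUniqueRoleAssignments) {
            Get-AssignmentRows $list "List" $list.RootFolder.ServerRelativeUrl
        }
        # Folders and items are separate collections on SPList.
        foreach ($folder in $list.Folders) {
            if ($folder.HasUniqueRoleAssignments) { Get-AssignmentRows $folder "Folder" $folder.Url }
        }
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) { Get-AssignmentRows $item "Item" $item.Url }
        }
    }
    foreach ($sub in $Web.Webs) {
        try { Get-UniqueScopeRows $sub } finally { $sub.Dispose() }
    }
}

function Expand-ADGroupLogin {
    # Optional helper: resolve an AD group's members with the ActiveDirectory module,
    # which the out-of-the-box SharePoint reports do not do. Assumes Windows-claims
    # logins of the form 'c:0+.w|<SID>' or classic 'DOMAIN\group' names.
    param([string]$LoginName)
    $id = if ($LoginName -match '\|(.+)$') { $Matches[1] } else { $LoginName.Split('\')[-1] }
    Get-ADGroupMember -Identity $id -Recursive | Select-Object -ExpandProperty SamAccountName
}

$site = Get-SPSite $siteUrl
try {
    $rows = @(Get-UniqueScopeRows $site.RootWeb)
}
finally {
    $site.Dispose()
}

# Broken-inheritance scopes: the more of these there are, the slower permission
# evaluation becomes and the more places a leaver's access must be removed from.
$rows | Select-Object Kind, Location -Unique | Format-Table -AutoSize

# Direct user assignments are the ones to replace with group membership.
$rows | Where-Object { $_.Type -eq "DirectUser" } | Format-Table Location, Principal, Levels -AutoSize

# AD groups appear as a single principal; expand them to see the actual people.
$rows | Where-Object { $_.Type -eq "ADGroup" } | Format-Table Location, LoginName, Levels -AutoSize
```

The first table is the list of every place where inheritance has been broken, which is what you would review before deciding whether a unique scope is still justified; the second is the list of direct user grants you would have to hunt down when that user leaves. Pipe the `ADGroup` rows through `Expand-ADGroupLogin` to see the individual accounts that the built-in Check Permissions page only reports as “via the Members group”.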

Lightning Tools offers a SharePoint permissions reporting, management and auditing tool called DeliverPoint, which helps considerably with understanding SharePoint permission inheritance. DeliverPoint saves a lot of time managing permissions but, more importantly, lets you ensure that users are assigned the correct permissions and gives you confidence that permissions are structured correctly.

Download a 14 day trial of DeliverPoint from: https://lightningtools.com/products/sharepoint-permissions-management/

<Carl/>