10 SharePoint Permissions Tips You Need To Know!
Are you tasked with managing SharePoint Permissions for your department? Below are 10 SharePoint Permissions Tips you need to know!
1. Clicking ‘Share’ at Site Level behaves differently to clicking ‘Share’ at folder or item level.
Clicking “Share” at site level will make the invited user a member of the sitename_members group within the SharePoint team site. That means that permission inheritance at the site level does not need to be broken and you avoid granting a direct permission to the user.
Clicking ‘Share’ at item level or folder level behaves differently. The permission inheritance on the item or folder is broken, and a direct permission is assigned to the invited user. That means that you could end up with hundreds of folders or items with broken permission inheritance.
2. The ‘Edit’ permission level allows users to ‘Manage Lists’ which includes deleting them.
The Edit permission level was introduced with SharePoint 2013 and it sits between Contribute and Design permission levels. The Edit Permission Level includes the Manage Lists permission which enables users with this permission level to delete entire lists and should therefore be used with caution.
3. The ‘Edit’ permission level is the default permission level assigned to the members group within a SharePoint Team Site.
In SharePoint 2010 and prior, the default permission level was Contribute for the members group. In SharePoint 2013, 2016 and SharePoint Online, the default permission level for the members group is ‘Edit’. Even though SharePoint’s user interface suggests that the members group gets Contribute. It doesn’t!
4. You can change the default SharePoint Group for a site when ‘Sharing’ the site, and therefore avoid granting users ‘Edit’.
Our opinion is that you SHOULD NOT modify the ‘Edit’ permission level to remove ‘Manage Lists’, but instead create a new SharePoint Group which is assigned ‘Contribute’. You can then make your new SharePoint Group the default group for the Team Site. So when users click Share, the users will be granted Contribute and not Edit.
Before the Default Group is Changed
After the Default Group is Changed
5. Limited Access is a SharePoint Permission Level that is automatically granted to users at site level when the user is assigned permissions to a child object with broken permission inheritance.
Limited Access is granted automatically to a user when the user is granted permissions to an object within the site such as a folder, thus allowing the user to navigate to the folder via the Site.
6. SharePoint 2013 hides users granted ‘Limited Access’ from the permissions page.
Limited Access no longer displays within the SharePoint permissions report within the team site. Instead, a small yellow banner suggests permissions are broken within the SharePoint team site.
7. Check Permissions can be used to determine if a user is granted permissions even if you cannot see them in any SharePoint Groups or listed as having direct permissions.
It is possible that a user who has any permission level within a site (even Full Control), may not show in the permission report. They may have implicit permissions such as they are a Site Collection Administrator, or they are a member of a domain group which could be nested in a SharePoint group.
This is the membership of ‘My Group’
8. You can refine Read & Contribute Permissions within the Advanced Settings of a SharePoint List.
You can refine what Read permissions and Contribute permissions users can do within a list via the Advanced List Settings. This allows you to control whether users can modify just the items that they created, or just read the items that they created. This is very useful within Surveys. Unfortunately the same setting can not be applied through the user interface for a document library.
9. When you break permission inheritance at a site level, your SharePoint Groups at the parent level could still be used to inadvertently grant permissions at the child site.
When you break permission inheritance at a site level, which formerly inherited permissions. The role assignments are retained including the groups. The parent groups are still assigned permissions to the child site despite permission inheritance being broken. Therefore, users assigning permissions at the parent level, are still inadvertently assigning permissions to the child site too. The groups should be removed in the child site after breaking permission inheritance if you want to avoid this.
10. Consider making the Top Level Site SharePoint Site Owners Group the owner of a SharePoint Group.
By default, only the Group Owners can change the membership of a group. However, if you make the Group Owner field an individual, and that individual were to leave the organization. Nobody will be able to change the membership. You cannot list multiple users as the group owner and you cannot add a domain group as the group owner. Therefore we suggest using the root site owners group the owner of the new group. And that concludes our SharePoint Permissions Tips!
We hope that these SharePoint Permissions Tips prove useful. Setting permissions incorrectly in SharePoint can be disastrous for some. Right Mr Snowden? Put your mind at rest by using a permissions management tool such as DeliverPoint.
DOWNLOAD YOU TRIAL OF DELIVERPOINT