For new site owners, managing SharePoint groups and permissions can be quite challenging. I experienced the same difficulties many years ago. SharePoint groups and permissions are powerful tools that determine who can access your project site and what actions they can perform. As a SharePoint administrator for your project, it is crucial to understand these concepts, and this article will guide you through them. Continue reading to enhance your knowledge.
SharePoint Groups and Microsoft 365 Groups
For many years, SharePoint permission groups served as the primary permission system for SharePoint. However, the introduction of Microsoft 365 groups a few years ago significantly simplified collaboration within project teams across various Microsoft products, including Teams, Planner, Outlook Online, SharePoint, and others. With Microsoft 365 groups, consistent permissions are applied across all these applications for each user, streamlining access management. My article How to Use SharePoint Groups and Microsoft 365 Groups in Your Project Site explains this in detail.
With the introduction of Microsoft 365 Groups, one might assume that SharePoint Groups have become obsolete. However, I don’t see it that way. Although I was initially slow to adapt to Microsoft 365 Groups, I quickly recognized their advantages. These benefits are particularly evident when combining both authorization systems for large project sites or when your project team extensively uses other Microsoft applications. In this article, I will explain the SharePoint permission system to you.
The Challenges with Groups and Permissions
This is a challenging topic! New SharePoint administrators for projects often find the permission system quite headache-inducing. I felt the same way back in 2010. It’s normal to need some time to understand this system, especially if you’re not an IT expert. Additionally, the new SharePoint Online edition has integrated the traditional SharePoint permission system with Microsoft 365 Security Groups, adding to the complexity. In this article, you will find the most important points summarized, along with additional tips for setting up groups and permissions for your project.
The site owner is responsible for defining who can access the SharePoint site. Through site permissions, the site owner specifies the type of access project team members have, the content they can view, and the actions they can perform within the site.
When you create a site, SharePoint automatically creates default SharePoint groups with assigned permission levels. These default groups represent the most common levels of access that users typically need. They provide a solid starting point when adding users to your SharePoint site.
These SharePoint groups are initially empty and need to be populated with individuals or groups of people over time. The only exception is the owner group, which already includes one person—you, the site owner. Here are two key terms to remember:
Group: Defines a certain group of people
Permission: Defines what the group members can do within SharePoint (read, contribute, edit …)
The Different Groups Used with SharePoint
The move from SharePoint on-premises to SharePoint Online provides you with many challenges—but also opportunities. One of the non-technical changes is the transition to a new world of Microsoft 365 permissions, where traditional SharePoint permissions are replaced in many cases by Microsoft 365 Groups. This throws up many questions in the minds of those who have run SharePoint on-premises deployments and who might be used to customize permissions.
The SharePoint Online security model includes the ability to control granular access to most aspects of SharePoint Online from the site level down to the item level. Access to the different items of SharePoint can be granted to specific users as well as to groups of users.
Traditional SharePoint includes three primary groupings of permissions, that being permission granted:
- to individual users (not really a group)
- by Active Directory Groups: Permissions granted to a group of users where the group membership is maintained by Active Directory (AD)
- by SharePoint Groups: permissions granted to a group of users where the group membership is maintained by SharePoint
- by Microsoft 365 Groups: Only available in SharePoint Online, these groups are maintained by Azure Active Directory
SharePoint Online Modern team sites in particular are connected to Microsoft 365 Groups, but also the traditional SharePoint Groups can be used here.
Standard SharePoint Groups and Their Permission Level
By default, SharePoint includes the following predefined user groups with this standard permission:
| Group | Permission |
|---|---|
| Owners | Have administrator permission (Full Control) |
| Members | Have edit permission |
| Visitors | Have only read permission |
These user groups with the predefined permission levels are automatically assigned/inherited from your site to sub-sites, to the document libraries or lists you create.
SharePoint Online Grouping Options
SharePoint Online continues to provide both SharePoint Groups as well as security groups maintained by Azure Active Directory. Microsoft 365 provides a third grouping option for SharePoint, Microsoft 365 Groups.
Microsoft 365 Groups are similar to security groups, although Microsoft 365 Groups include many additional benefits. Microsoft 365 groups are a security/membership group tied to various Microsoft 365 tools and apps and are provided a group email address as well as additional tools such as a group calendar, notebook, Planner, and a SharePoint team site. Users assigned to a Microsoft 365 Group may also be classified as either a group owner or a group member, in comparison to security groups, where all group members have equal access under the group.
Sharing and permissions in the SharePoint modern experience
Permission Levels
The permission level in SharePoint determines what the user can do with the content on your SharePoint site or elements of it. Each permission level has a set of permissions associated with it, based on the intended roles for that level. For example, the Members group has the edit permission level by default.
When you create a new site, SharePoint will create three standard Groups with attached permission levels (see next Figure) As a site owner, you can choose which permissions are associated with each permission level (except for Limited Access and Full Control, which cannot be customized) or add new permission levels to combine different sets of permissions.
For larger sites, it may be useful to have additional groups and permission levels that are tailored to the purpose of the site. I recommend you for the beginning to use the predefined SharePoint groups and permission level and adjust it later if necessary.
Full control: This permission level contains all permissions. This permission level cannot be customized or deleted. By default, the site owner has this permission. Any user with full control can add, update, and delete site components, site members, and list content.
Design: This permission level allows users to customize pages, as well as to add, update, and delete list and library content.
Edit: This permission level was introduced with SharePoint 2013 as the default permission level for Members. They can add, edit and delete lists; can view, add, update and delete list items and documents. This is unfortunate and can be changed. More about this later.
Contribute: This is the most common type of permission granted to project team members. Users with this permission level can add, update, and delete list and library content.
Read: This level grants read-only access to the site. This is fine for Stakeholder, who do not need to create information, e.g. Group Audit, Steering Committee and Senior Management.
Limited Access: This level is automatically assigned by SharePoint. You cannot assign Limited Access permissions directly to a user or group yourself. You don’t need this permission level for your work.
Permission Levels are assigned to SharePoint Groups. When someone requests access to your site, you assign them to a specific user group. Depending on your assignment, this person receives the right to change documents (Edit) or read them only (Read).
It is also possible to give people permission directly to a document library, list or document. But this shouldn’t be done!
More articles on the topic:
How to Use SharePoint Groups and Microsoft 365 Groups in Your Project Site
How to Use SharePoint Groups and Permissions Effectively in Your Project
Here You Can Find More Knowledge
Would you like to learn more about how to make your projects more successful with SharePoint? Save time and money and get firsthand experience with my book SharePoint Online for Project Management. It takes you an important step further!
Do you know somebody who might be interested in this article? Then simply forward it or share it. Thank you!
