SharePoint Groups and Permissions Explained

SharePoint Groups and Permissions are a big challenge for new site owners in projects. I felt the same way many years ago. SharePoint Groups and Permissions are a very powerful tool to define who can access your Project Site and what they can do there. As a SharePoint Admin of your project, you should understand SharePoint Groups and Permissions, and this article will help you with that. Read on and learn something.

SharePoint Groups and Microsoft 365 Groups

SharePoint permission groups were the permission system for SharePoint for many years until Microsoft 365 groups were introduced a few years ago. Microsoft 365 groups simplified collaboration in project teams across Microsoft products such as Teams, Planner, Outlook Online, SharePoint and other applications. With Microsoft 365 groups, the same permissions are applied to all these applications for the individual user. My article How to Use SharePoint Groups and Microsoft 365 Groups in Your Project Site explains this in detail.

One might think that with the introduction of Microsoft 365 Groups, SharePoint Groups have become obsolete. But I don’t see it that way. I didn’t get used to Microsoft 365 groups very quickly either, but then I quickly saw their benefits, especially if you combine these two authorization systems for large project sites or if the other Microsoft applications are also used intensively in your project team. In this article, however, I will explain the SharePoint permission system to you.

The Challenges with Groups and Permissions

This is a hard topic! The permission system often gives new project SharePoint administrators a headache. I felt the same in 2010. It is normal that you need some time to understand this system, especially if you are not an IT expert. And that’s not all. The new SharePoint Online edition mixed up the old SharePoint permission system with Microsoft 365 Security Groups. In this article, you will find the most important points briefly summarized, with additional tips to set up groups and permissions for your project.

It is the responsibility of the site owner to define who can access the SharePoint site. The site owner specifies through the site permissions which type of access project team members have, which content site members can view, and which actions they can perform within the site.

When you create a site, SharePoint automatically creates SharePoint groups that can access the site and assigns permission levels to these groups. These are known as the default SharePoint groups, because they represent the most common levels of access that users need. The default groups and their associated permission levels are a good start when you add users to your SharePoint site.

These SharePoint groups are empty at the beginning and have to be filled with people or groups of people later on. Only the owner group already contains one person: you as site owner. You should remember these two terms:

Group: Defines a certain group of people

Permission: Defines what the group members can do within SharePoint (read, contribute, edit …)

The Different Groups Used with SharePoint

The move from SharePoint on-premises to SharePoint Online provides you with many challenges, but also opportunities. One of the non-technical changes is the transition to a new world of Microsoft 365 permissions, where traditional SharePoint permissions are replaced in many cases by Microsoft 365 Groups. This raises many questions in the minds of those who have run SharePoint on-premises deployments and who might be used to customizing permissions.

The SharePoint Online security model includes the ability to control granular access to most aspects of SharePoint Online from the site level down to the item level. Access to the different items of SharePoint can be granted to specific users as well as to groups of users.

Traditional SharePoint includes three primary groupings of permissions, with a fourth available only in SharePoint Online. Permissions are granted:

  • to individual users (not really a group)
  • by Active Directory Groups: Permissions granted to a group of users where the group membership is maintained by Active Directory (AD)
  • by SharePoint Groups: permissions granted to a group of users where the group membership is maintained by SharePoint
  • by Microsoft 365 Groups: Only available in SharePoint Online, these groups are maintained by Azure Active Directory

SharePoint Online Modern team sites in particular are connected to Microsoft 365 Groups, but the traditional SharePoint Groups can also be used here.

Standard SharePoint Groups and Their Permission Level

By default, SharePoint includes the following predefined user groups with these standard permissions:

| Group | Permission |
| --- | --- |
| Owners | Have administrator permission (Full Control) |
| Members | Have edit permission |
| Visitors | Have only read permission |

These user groups with the predefined permission levels are automatically assigned/inherited from your site to sub-sites, to the document libraries or lists you create.

SharePoint Online Grouping Options

SharePoint Online continues to provide both SharePoint Groups as well as security groups maintained by Azure Active Directory. Microsoft 365 provides a third grouping option for SharePoint, Microsoft 365 Groups.

Microsoft 365 Groups are similar to security groups, although Microsoft 365 Groups include many additional benefits. A Microsoft 365 group is a security/membership group tied to various Microsoft 365 tools and apps. It is provided with a group email address as well as additional tools such as a group calendar, notebook, Planner, and a SharePoint team site. Users assigned to a Microsoft 365 Group may also be classified as either a group owner or a group member, in contrast to security groups, where all group members have equal access under the group.

Sharing and permissions in the SharePoint modern experience

Permission Levels

The permission level in SharePoint determines what the user can do with the content on your SharePoint site or elements of it. Each permission level has a set of permissions associated with it, based on the intended roles for that level. For example, the Members group has the edit permission level by default.

When you create a new site, SharePoint will create three standard groups with attached permission levels (see next figure). As a site owner, you can choose which permissions are associated with each permission level (except for Limited Access and Full Control, which cannot be customized) or add new permission levels to combine different sets of permissions.

Standard SharePoint Groups with Permission Levels

For larger sites, it may be useful to have additional groups and permission levels that are tailored to the purpose of the site. To begin with, I recommend using the predefined SharePoint groups and permission levels and adjusting them later if necessary.

Standard Permissions Levels

Full control: This permission level contains all permissions. This permission level cannot be customized or deleted. By default, the site owner has this permission. Any user with full control can add, update, and delete site components, site members, and list content.

Design: This permission level allows users to customize pages, as well as to add, update, and delete list and library content.

Edit: This permission level was introduced with SharePoint 2013 as the default permission level for Members. They can add, edit and delete lists, and can view, add, update and delete list items and documents. This default is unfortunate and can be changed. More about this later.

Contribute: This is the most common type of permission granted to project team members. Users with this permission level can add, update, and delete list and library content.

Read: This level grants read-only access to the site. This is fine for stakeholders who do not need to create information, e.g. Group Audit, Steering Committee and Senior Management.

Limited Access: This level is automatically assigned by SharePoint. You cannot assign Limited Access permissions directly to a user or group yourself. You don’t need this permission level for your work.
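To check which permission levels the three default groups hold on a given site, the following added example (not code from this article) uses the PnP.PowerShell module. The site URL and client ID are placeholders, and the commented-out switch of Members from Edit to Contribute is an assumption about the level you want, not a step the article prescribes.

```powershell
# Added example. Requires the PnP.PowerShell module.
# $SiteUrl and $ClientId are placeholders: your project site and the
# Entra ID app registration you use for interactive PnP sign-in.
$SiteUrl  = "https://contoso.sharepoint.com/sites/ProjectX"
$ClientId = "00000000-0000-0000-0000-000000000000"
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# The three default groups SharePoint associates with the site
$defaults = [ordered]@{
    Owners   = Get-PnPGroup -AssociatedOwnerGroup
    Members  = Get-PnPGroup -AssociatedMemberGroup
    Visitors = Get-PnPGroup -AssociatedVisitorGroup
}

$report = foreach ($role in $defaults.Keys) {
    $group  = $defaults[$role]
    # Permission levels (role definitions) bound to the group at site level
    $levels = Get-PnPGroupPermissions -Identity $group |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{
        DefaultGroup     = $role
        GroupName        = $group.Title
        PermissionLevels = $levels -join ', '
        MemberCount      = @(Get-PnPGroupMember -Group $group).Count
        # Edit lets members add and delete whole lists, not only items
        MembersCanManageLists = ($role -eq 'Members' -and $levels -contains 'Edit')
    }
}
$report | Format-Table -AutoSize

# Assumption: Contribute is the level you want for Members.
# Level names are localized; 'Edit' and 'Contribute' apply to English sites.
# Set-PnPGroupPermissions -Identity $defaults.Members -RemoveRole 'Edit' -AddRole 'Contribute'
```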

Permission Levels are assigned to SharePoint Groups. When someone requests access to your site, you assign them to a specific user group. Depending on your assignment, this person receives the right to change documents (Edit) or read them only (Read).

It is also possible to give people permission directly to a document library, list or document. But this shouldn’t be done!
