Introduction: Control user access with permissions
This topic introduces three SharePoint security features that work together to help you control user access to sites and content on sites. These features are as follows:
Permissions inheritance and site structure
Note This article provides an overview of the elements that make up SharePoint permissions. To learn how to assign permissions for a site, list, library, or item, see Edit permissions for a list, library, or individual item.
In this article
Permissions and site structure
If you work on a site, you are working inside a site collection. Every site exists in a site collection, which is a group of sites that are in a hierarchy under a single top-level site. The top-level site is called the root site of the site collection.
A Company Administrator for your Office 365 subscription becomes the first site collection manager. Only a site collection manager can grant permission for other users to become one.
A site collection administrator configures the initial permissions settings for a site collection. That is, the site collection administrator adds users to SharePoint groups. Each SharePoint group has a permission level, and all users in the group are granted that same permission level. Through permission inheritance, these settings (groups and permission levels) cascade down through the hierarchy of the collection. The settings apply to all sites and all site content in the site collection.
To reflect the requirements of the organization better, people customize permission settings. They can stop permission inheritance at a specific location. They can also create new groups and new permission levels. A site collection administrator can make these changes at any level in the hierarchy. Alternatively, most sites have one or more site owners who can change the settings for the sites that they own.
The following illustration shows a simple site collection. It contains a hierarchy of subsites, lists in a subsite, and list items in a list.
The following illustration of a site collection shows a simple hierarchy of sites, lists and list items. The permissions scopes are numbered, starting at the broadest level at which permissions can be set, and ending at the narrowest level (a single item in a list).
At the top of the site collection, a site collection administrator configures permissions for the whole collection.
By design, all the sites and site content in a collection inherit the permissions settings of the top-level site (the root site of a site collection). If you are a site owner, you can stop permission inheritance for the site, and change the permission settings for the site.
Lists and libraries inherit permissions from the site to which they belong. If you are a site owner, you can stop permissions inheritance for the list or library, and change the permission settings of the list or library.
List items and library files inherit permissions from their parent list or library. If you have control of a list or library, you can stop permissions inheritance for the item and change the permissions settings directly on the specific item.
In addition, a user can interrupt the default permission inheritance for a list or library item by sharing a document or item with someone who does not have access. In that case, SharePoint automatically breaks inheritance on the document. SharePoint admins should understand this result of the Share action.
By default, subsites and their content inherit the groups and permission levels of the site above them in the hierarchy—that is, a site inherits permissions from its parent site. If you make a change in the parent site, its subsites and their contents automatically get the same change. For example, if you add several users to the Members group, the new users have the same permissions as other people in the Members group anywhere in the site collection. Permissions inheritance enables you to manage permissions conveniently from one place, the site collection root. This is a quick and efficient a way to manage permissions across a large site structure.
If you have an appropriate permission level, you can stop permission inheritance at any level. For example, if you stop permission inheritance for a library, the library no longer inherits permissions from the site that contains it. This means, for example, that when you make a change for the site, that the library does not inherit the change.
It's important to remember that permissions inheritance means that changes affect not only the parent site, but also all subsites under the parent site. It is important to consider carefully any changes to permission levels.
SharePoint displays a message at the top of the Site Permissions page for each site to tell you if a site inherits permissions from the parent site, or if the inheritance has been changed. For example, the following illustration shows a SharePoint Site Permissions page that lists the available groups for a site. At the top of this page, SharePoint displays a message that states, “Some content on this site has different permissions from what you see here.” This indicates that for one or more of the groups, permission inheritance was stopped and different permissions assigned.
Best Practices: Plan for unique permissions
Although we recommend keeping the permissions inheritance intact for all sites, lists, libraries, and items, you might have cases in which you must break permissions inheritance. For example, if you have a list on your site that contains sensitive data, you might want to restrict who can see it.
However, for easier administration, we recommend that you plan for separate permissions. Organize the site structure to reflect requirements for access. This enables you to collect content that has unique access requirements in a single site, and then assign unique permissions to that site. For example, you might create a special sub site for documents that contain sensitive data, or a special subsite that contains lists with restricted access. That way, you can manage permissions for all content with the same access requirements at one time, instead of tracking many individual documents.
For learn how to assign unique permissions, see Edit permissions for a list, library, or individual item
A SharePoint group is a collection of people—SharePoint users—who have the same permission level. That is, everyone in the group has the same access on your site. Groups let you manage access to your site for many people at the same time.
Here are some advantages of assigning permissions to groups:
Helps you align your site structure and permissions with the requirements of the organization
Streamlines site maintenance for site collection administrators and site owners
Ensures that people performing similar tasks have the same levels of access
Helps you make sure that people have only the access they need, not more.
SharePoint groups can help simplify permissions management. Instead of managing permissions for tens or hundreds of individual people, you manage permissions for a few groups. This is especially helpful if you have to change site collection administrators for the site.
Notes SharePoint groups can contain individual users, Windows security groups, or can be some combination of the two. You can add Windows security groups to a SharePoint group, but you can’t add a Windows distribution group (distribution list) to a SharePoint group.
For information about how to work with the Windows security and distribution groups that are included in Active Directory Domain Services, see Choose security groups (SharePoint Server 2010).
Default SharePoint groups
The most frequently used SharePoint groups on a site are the groups that SharePoint creates automatically when you create a site, the default SharePoint groups. When you create a site, you use a site template, and each site template includes a collection of pre-defined SharePoint groups. For example, a Team Site template automatically includes these pre-defined groups:
Visitors, assigned Read permission level
Members, assigned Edit permission level
Owners, assigned Full Control permission level
These default SharePoint groups have permission levels assigned that correspond to levels of access the users have, and help you sort people who use your site in similar ways. For example, some people might only have to follow content on the site (Visitors), others have to edit content (Members), and others have to change elements of the site itself (Owners).
Best Practices: Group people who require similar access
In the following illustration, Otto and Oliver are responsible for making sure that the SharePoint sites meet the needs of the team. They need to be able to edit the sites. Chris, Connie and Stu are the heart of the team, they need to be able to add, edit and delete documents on the sites. Vanessa, Victor and Sheila aren’t team members. They are working on a similar project and only need to be aware of the work done by this team. Therefore they only need to be able to view the documents on the sites.
You can organize these users into SharePoint groups such as Visitors, Members, and Owners to cluster them by the kind access they have to have on the site. The following illustration shows the users assigned to those groups.
A single SharePoint permission provides access to a single action. For example, when a user has View item permission, that user can view and read items on a site. A permission level is a combination of these individual SharePoint permissions. For example, SharePoint collects Open a site, View pages, and View items into the Read permission level.
Every person in a SharePoint group has the same permission level given to them. SharePoint automatically creates several permission levels, and assigns those levels to the default SharePoint groups. In addition, if the default permission levels don’t have what you want, you can create your own permission levels.
It's a good idea to assign permission levels to a SharePoint group, instead of granting individual permissions. These combinations are what make the site function differently for different users. They grant permissions for some to take certain actions, and prevent other users from doing anything. For example, they can prevent some users from deleting documents on a site.
Default SharePoint groups and permission levels
Default SharePoint groups have permission levels assigned automatically. In fact, the assignment is so carefully done that many SharePoint users never have to create SharePoint groups or permission levels of their own.
For example, the Owners group has the Full Control permission level. People with Full Control permission level can work with the structure and components of the site itself. This includes granting other permissions, and doing tasks associated with lists, libraries, and items. As you might expect,
All the default SharePoint groups (such as Visitor, Member, and Owner) are assigned default permission levels (such as Read, Edit, and Full Control). That is, each group of people has appropriate SharePoint permissions to perform their tasks.
If you are a site collection administrator and the default permission levels don’t really do what you want, you can also create custom permission levels.