SharePoint Permissions Management: What you need to know for SharePoint 2007, 2010 & 2013

So you have a new SharePoint Site and you need to allow access so people can actually use this site. It’s not always as easy as it sounds, and it can seem overwhelming if you haven’t done it before, but there is an easy way to start looking at this.

Throughout this blog, I will break down the basics in a fashion that works for SharePoint 2007, 2010 and the newest iteration 2013. This guide assumes that you have a working knowledge of Active Directory Users and Computers and you have already created User Objects and you have a fresh SharePoint Install ready to be populated with users.

Make sure to continue reading my blog to learn more about Permission Management. In my new Blog, I describe how to remove access properly:

How to Remove Access to SharePoint… and prevent SID Mismatches along the way

Without further ado, let me introduce:

Default Permission Levels

First, it is important to know that there are five Default Permission levels that are available in all versions of SharePoint since WSS 3.0 (Windows SharePoint Services 3.0 – 2007).

| Permission Level | Description |
| --- | --- |
| Full Control | This permission level contains all available permissions in your chosen version of SharePoint. By default, this level is assigned to the Site name Owners SharePoint group. This permission level cannot be customized or deleted. |
| Design | Can create lists and document libraries, edit pages and apply themes, borders, and style sheets in the Web site. Not assigned to any SharePoint group, by default. |
| Contribute | Can add, edit, and delete items in existing lists and document libraries. By default, this level is assigned to the Site name Members SharePoint group. |
| Read | Read-only access to the Web site. Users and SharePoint groups with this permission level can view items and pages, open items, and documents. By default, this level is assigned to the Site name Visitors SharePoint group. |
| Limited Access | The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted. Limited Access cannot be assigned directly; SharePoint assigns it automatically for this reason. |

Note: The Design, Contribute, and Read Permission Levels can be customized to meet your needs, but it is best practice to leave all default permissions, and create new ones as needed rather than edit the default levels. This gives you an “easy out” should you run into problems with custom permission levels as you would be able to reference the original default levels.

Site Collection Administrators

The Site Collection Administrator has Full Control to everything in the Site Collection. This means that it is not necessary to Grant Permissions granularly on the site or to add these accounts to any Groups or Permission Levels, because they already have complete access to everything. Site Collection Administrators permission will override ANY other permissions set for the account. These users can be assigned in two locations:

  1. Central Administration
    1. Application Management – in the Site Collections section, click Change Site Collection Administrators. On the Site Collection Administrators page, click the arrow next to the site collection name and then select Change Site Collection if the site collection you want is not already selected. Choose the Appropriate Site Collection or click Change Web Application to find the correct Site Collection.
    2. You can set a Primary site collection administrator and a Secondary site collection administrator here. The advantage of this is that if anything happens to the Site Collection Settings that contain the additional Site Collection Administrators, these users will not be affected. It is often a good idea to set one of these to a dedicated Admin Account that is not a normal user account and store these credentials in a safe place.
  2. Site Collection Site Settings
    1. On the Parent Site, go to Site Settings – under Users and Permissions click Site Collection Administrators. In the box, enter users separated by semicolons and click the checkmark to check the names. Shortcut: Ctrl+K will also perform this function in most Microsoft Products. Try it in Outlook!

You can add as many additional accounts as you want to the SharePoint Site Collection administrators group, but only the primary and secondary site collection administrators will receive administrative alerts for the site collection. All members of the SharePoint Site Collection Administrators group have full administrative permissions to the site collection. Site Collection Administrators permission will override ANY other permissions set for the account.

Quick Definitions

Think of the structure of your site. What links lead to what pages? You will find the main terms assigned to these pages below.

Root Site

This is the main site. An example of this would be www.example.com. There are no additional directories we are viewing on this site, just the Root Site.

Parent Site

The Root Site is the Parent of all other Sub Sites. Each level you navigate to has a parent preceding it.

Sub Site

This is an additional directory off of the Parent Site. An example of this would be www.example.com/sales. You can even embed a Sub Site within a Sub Site, such as www.example.com/sales/proposals, of which /sales would be the Parent. This is common for Lists and Libraries within a Site.

Lists and Libraries

SharePoint lists are web based editable tables. They provide the ability to work with structured data in the same fashion you would manipulate a spreadsheet.

SharePoint libraries are a specialized type of list. Libraries are used to store documents and files. A library is a list, but has one (and exactly one) file associated with each item.

Both types allow the ability to add fields, properties, and columns. For our purposes, be aware that it is possible to allow a user access to only certain lists or documents in a library without access to an entire site. This ability is outlined later in this blog.

Inheritance

Again, think of the structure of your site. Since Microsoft has based almost their entire product catalog on Hierarchical Systems, a good way to think of SharePoint is like folders on your computer. By default, all sites, lists, and libraries in a site collection inherit permissions from whatever folder contains them. This means a site inherits permissions from the Root site, or Parent, of the site collection, and a sub site inherits permissions from its parent site. A list inherits permissions from the site that contains the list. A list item inherits permissions from the list to which it belongs.

If the default configuration is not changed, permissions are inherited through the whole site collection. In a way, each element (site, subsite, list, library, item, etc.) inherits permissions from the root site of the site collection.

In instances where certain Users or Groups should not have access to a resource, you will perform what is known as Breaking Inheritance, which is outlined a little further along in this blog. A best practice for inheritance is to inherit as far as possible into the structure of your site. This makes it easier to administrate. If you need to break inheritance often in your site, it is a good idea to keep this documented somewhere. Microsoft Visio is a fantastic tool to use for this purpose, but pen and paper works too.

Manage Access Requests

The ability for users to request access to sites is turned off by default, but some administrators like the ability to allow users to do this. This step is optional and by no means a requirement for SharePoint to function. If you want your users to get a request access page when they browse to a site they do not have permissions to, then follow the steps below to configure this.

Notes:

  • This configuration is for the entire site. There are no settings for individual libraries and lists. Access requests for all lists or libraries all go to the same person.
  • The automated email sent to the site administrator contains a convenient link to ‘grant’ access to the resource (list or library). If you are using groups to manage permissions, you should not use the ‘grant’ link to manage the permission, though it can be helpful to see which resource the user is requesting access to. Consider disabling automated access requests entirely, in favor of forcing the user to make a specific request (outside of the automated system). At the very least, be mindful that the automated request system is not aware of your grouping setup.

2007

Click Site Actions, then Site Settings.

Click Advanced permissions.

Click Access Requests.

Allowing user requests (through the automated form) is optional. Change the email address to the desired site administrator.

2010 and 2013

Go to Site Actions – Site Settings – Site Permissions. Click Manage Access Requests in the ribbon.

This setting allows users to request permission to the site. If a request is granted, the permission defaults to one given directly as Limited Access. You can then edit the user's permissions, but it is recommended to add the user to the appropriate group you identified earlier in your planning.

Managing Users and Groups

Now that you have an understanding of the basics discussed above, you will need to start adding users to the SharePoint site. At this point, let’s assume that only the Site Collection Administrators have been created. Since they do not need to be granted any additional permission and have full control, we can use them to begin Granting Permissions to additional users.

This process is essentially the same in each version of SharePoint, but the locations and names of options may be different. We will start at our Root Site and branch out from there, but be aware that you can navigate to any resource that will have permissions and manage them from the Site Settings – Permissions option of that location.

Root Site

Start on your Root Site. To view the permissions for a 2010 or 2013 site, go to Site Actions – Site Settings – Site Permissions. In 2007 you would go to Site Actions – Site Settings – Advanced Permissions. At this point, you can either Grant Permissions directly to the site and assign the appropriate Permission Level for this user, or begin working with Groups.

If you will have many users that share the same permission level, it would be best practice to use Groups to accomplish this. Again, think of a group like a Folder. The folder contains the permissions, and each member in that folder inherits the permissions assigned to the Group. When a site is built or added to a site collection, three groups are created by default.

| Group Name | Permission Level |
| --- | --- |
| Site Name Owners | Full Control |
| Site Name Members | Contribute |
| Site Name Visitors | Read |

You can begin populating these groups, creating new groups or granting permissions directly. In any case, the buttons you will be looking for are in the Ribbon spanning across the top of the page.

Figures: Create New Users (2007), Create New Users (2010), Create New Users (2013)

For the purpose of Granting Permissions directly to the site, Add Users would be the same as Grant Permissions. If you have previously created a group, you can also Grant Permissions to the already established group. If you need to create a group and have it automatically assigned to the site you are viewing, then Create Group would be the option to choose. To add users to an already established Group, you will click Add Users or Grant Permissions and choose the Group they belong to.

Sub Sites

Sub Sites will inherit permissions from their parent. As an example, /sales, /sales/proposals, /hr and /hr/policies will have the same User Permissions that have been Granted on the Root site, www.example.com. Each Sub Site can also manage their permissions independently by breaking inheritance from the Parent.

SharePoint Sub site Permissions Hierarchy

So let’s say that HR members should not have access to proposals. To accomplish this, we will be Breaking Inheritance at the /proposals site. If you plan to break inheritance on your site, it’s a good idea to organize your content to limit the number of locations that have uniquely defined permissions.

Consider organizing your content by security level, from less sensitive to most sensitive. You might place documents that are more sensitive on a separate sub site or in a single library. This organizational structure is easier to maintain than managing many documents that are located across many sites or libraries, each with unique permissions.

Once you are at www.example.com/sales/proposals, in a 2010 or 2013 site, go to Site Actions – Site Settings – Site Permissions. You will then click Stop Inheriting Permissions.

In 2007, you would go to Site Actions – Site Settings – Advanced Permissions. You will then click Actions – Edit Permissions.

You can follow these steps on any sub site to manage what permissions Users and Groups will have to sections of the SharePoint Site.

If you break permissions inheritance for a list or library and then define new permission settings, the list (or library) becomes a parent for items in it. The items inherit the new permission settings (unless the items have uniquely defined permissions.)

To perform the same function for a List or Library and break inheritance to restrict access to it, follow these steps:

2007

  1. Open the list or library in which you want to add users or SharePoint groups.
  2. On the Settings menu, click Document Library Settings or List Settings.
  3. On the Customize page, in the Permissions and Management column, click Permissions for this document library or Permissions for this list.

2010 and 2013

  1. Navigate to the site that contains the list and open it.
  2. Choose the List tab to open the list ribbon.
  3. Click Settings, and then choose List Settings.
  4. On the Settings page, under Permissions and Management, click Permissions for this list to open the permissions page for the list. The permission page displays a status bar across the top that indicates the list inherits permissions from its parent site, and then gives the name of the parent.
  5. To break permissions inheritance from the parent, click Stop Inheriting Permissions. This disconnects the list (or library) from the parent site.
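
The advice above is to document every place where inheritance has been broken. As an added example (not part of the original post, and not Fpweb.net tooling), the following script builds that inventory for SharePoint 2010 and 2013 with the server object model; the site URL and output path are assumptions.

```powershell
# Added example (not from the original post): inventory who holds what on every
# site and list that no longer inherits permissions. SharePoint 2010/2013,
# run from the SharePoint Management Shell on a farm server.
param(
    [string]$SiteUrl = "http://www.example.com",   # assumption: the article's example host
    [string]$OutFile = ".\unique-permissions.csv"  # assumption: report location
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function New-Row($scope, $url, $principal, $kind, $levels) {
    New-Object PSObject -Property @{
        Scope = $scope; Url = $url; Principal = $principal; Kind = $kind; Levels = $levels
    }
}

function Get-PrincipalKind($member) {
    if ($member -is [Microsoft.SharePoint.SPGroup]) { return "SharePoint group" }
    if ($member.IsDomainGroup) { return "AD group (direct)" }
    return "User (direct)"
}

function Get-Assignments($securable, $scope, $url) {
    foreach ($ra in $securable.RoleAssignments) {
        # SPRoleType.Guest is the automatic Limited Access level; skip it as noise.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -gt 0) {
            New-Row $scope $url $ra.Member.Name (Get-PrincipalKind $ra.Member) ($levels -join "; ")
        }
    }
}

function Get-PermissionReport($url) {
    $site = Get-SPSite $url
    try {
        # Site Collection Administrators override every other permission.
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-Row "SiteCollectionAdmin" $site.Url $admin.LoginName (Get-PrincipalKind $admin) "Full Control (override)"
        }
        foreach ($web in $site.AllWebs) {
            try {
                # The root site always has its own assignments; a sub site
                # only has them after Stop Inheriting Permissions.
                if ($web.HasUniqueRoleAssignments) { Get-Assignments $web "Site" $web.Url }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-Assignments $list "List/Library" ($web.Url.TrimEnd("/") + "/" + $list.RootFolder.Url)
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$report = @(Get-PermissionReport $SiteUrl)
$report | Select-Object Scope, Url, Principal, Kind, Levels | Export-Csv $OutFile -NoTypeInformation

# Grants made to individual accounts instead of groups are the ones to review first.
$report | Where-Object { $_.Kind -eq "User (direct)" } | Format-Table Scope, Url, Principal, Levels -AutoSize
```

The script stops at list and library level, so items or folders with their own unique permissions are not enumerated. SharePoint 2007 has no PowerShell snap-in, so this form of the script does not apply there.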

Wrapping Things Up

Now that you have gone through these steps and configured some permissions throughout the SharePoint site, it is a good idea to test your work. What I like to do is use Internet Explorer to perform all my administrative work and use Google Chrome (or any alternate browser) to test the permissions of the Users and Groups you have created. This guide is by no means an All-Inclusive guide, but it will get you started. If you would like to learn more you can check out the resources below.

Further Reading

Continued Education

Now that you have a grasp on the topics above, there will come a time when you need to remove users from SharePoint. To learn how, read my Blog:

How to Remove Access to SharePoint… and prevent SID Mismatches along the way

About Fpweb.net Crew

Our business is centered on bringing enterprise-class strategy, support, and security to your hosted or managed platforms no matter where you choose to deploy your environment. We specialize in providing managed services, cyber security, and expert, USA-based, 24/7 Absolute Support® on-premises, or in any cloud.

27 Responses to SharePoint Permissions Management: What you need to know for SharePoint 2007, 2010 & 2013

  1. Pingback: SharePoint 2013: Recopilatorio de enlaces interesantes (XXVI)! - Blog de Juan Carlos González en Geeks.MS

  2. Glenda says:

    Hi,
    I've got a question, please.
    On our SharePoint, we created a group with contributor permission (let's call them Group C).
    Then we activated the external user sharing, which provides links only to access data within our SharePoint – we found out that Group C could share all contents in the SharePoint to external users. We would like to stop this and give permission to share to external users only to those internal users having full control permission. How can we do that? We are using 2013.

  3. Marian says:

    Hi Steva,
    I have a question regarding adding external users to my SP 2013 site. I’m the owner of this project site and invited/added people from our company, but I have a problem adding a person from an external company to my project site. A colleague told me that I need to choose the option “Business Partner Teamsite” when creating the site to be able to add/invite external users. But what if my site is already created? Could you please advise how to change it to “Business Partner Teamsite”? Or is there any other way an external user can access my site?
    Thank you in advance for your answer.
    Kind regards,
    Marian

  4. Rune says:

    Hi
    Is it possible to give the permission to see/view the Version log only to the permission Level FULL CONTROL?

  15. JT says:

    Excellent read. I found this particular blog because I was searching for a way to restrict users of different groups or departments from accessing entirely the team sites of other departments (let's say, from your example, the HR folks being restricted from seeing sales proposals, and vice versa).

    I was hoping to do this without breaking permissions, because it would be much easier to manage, especially as the scale of sites grows in #. It would seem that is the only way, as there isn’t a fine-grained way to restrict members of one from getting into another that I’ve seen…would that be correct?
