How to Create and Use Permission Levels to Implement Access Rules

Justin Antczak, Tue, 09/10/2019 - 11:36

When collaborating in SharePoint, you need to be mindful of who has access to the content and what they can do with it.  This is handled by permissions. 

By default, SharePoint sites have three groups: Owners, Members and Visitors. These groups have the permission levels Full Control, Edit and Read, respectively. While these permission levels will suffice for many business needs, sometimes you may want permissions configured in a different way.

Each permission level is made up of many granular permissions. The Full Control permission level has all permissions granted and cannot be modified. Although you can modify the other permission levels, it is not recommended. Instead, you can copy the permission level and modify the copy, using the default as a starting point. You can also create a permission level from scratch. Let’s look at how to do that.

On your SharePoint site, click the settings gear in the top right. If you are on a modern site, select Site Permissions.

 


This will give you a brief summary of the permissions on the site.

 


Select Advanced permissions settings.

 


This will show you all of the groups assigned to that site and the corresponding permission levels.

 

For a classic site, you will click the settings gear in the upper left and choose Site settings.


Then under Users and Permissions, select Site permissions.

(Note: From this point on, the experience is the same on both classic and modern sites.)

Select Permission Levels in the Ribbon.  This will show the permission levels available for that site collection.  You can see what granular permissions make up each level by clicking them.


Let’s take a look at the Contribute permission.


One common use case is needing a permission level that lets users create items, but not edit or delete them. First, we need to copy the Contribute permission level (we are using Contribute instead of Edit because Edit includes the Manage Lists permission, which would allow users to delete entire lists). Click Copy Permission Level at the bottom right of the page.


Enter the name Add, give a description and uncheck the Delete Items and Edit Items check boxes.  You may also want to create a permission level that allows users to add and edit items, but not delete them.


Click the Create button on the bottom right of the page.


Now you will see your custom permission level available.

Next, we need to assign the permission level we made to a group. Go back to the site permissions page by clicking Permissions in the breadcrumb.


You could assign your new permission level to an existing group, but many times you will want to create your own groups in addition to the default ones.  In this example, we will create a group for students on the instructor site and give them the newly created Add permission level.

Select Create Group from the ribbon.

Enter the name and description, and check the Add permission level. You can configure other group settings here as well. It is often a good idea to change the group owner to a different group instead of an individual (it will be the creator of the group by default). This way, if the user who created the group is unavailable or changes, the group settings and membership can still be changed by other members of that group. In this case, the Site Owners group is used.


Click the Create button on the bottom right.


Now the group will be created and added to the site with the selected permissions.  By default, the creator of the group is added to the group.  If you go back to the Site Permissions page, you will see the group.
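The same procedure can be scripted so it is repeatable and so the result can be checked rather than assumed. The script below is an added example, not part of the original article; it assumes the PnP.PowerShell module and site collection administrator rights, and the site URL, client ID and the group name Students are placeholders.

```powershell
# Added example: assumes the PnP.PowerShell module and site collection admin rights.
# $siteUrl and $clientId are placeholders; "Students" is an assumed group name.
$siteUrl  = "https://contoso.sharepoint.com/sites/instructor"
$clientId = "<your-app-registration-client-id>"
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# Copy Contribute and drop Edit Items / Delete Items, as in the UI steps.
# Skip creation if the level already exists so the script can be re-run.
$levelName = "Add"
$existing = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName }
if (-not $existing) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
        -Exclude EditListItems, DeleteListItems `
        -Description "Can add items but cannot edit or delete them"
}

# Verify the level before handing it to anyone: it must not grant edit,
# delete, or Manage Lists (the reason Edit was not used as the base).
$role = Get-PnPRoleDefinition -Identity $levelName
foreach ($name in "EditListItems", "DeleteListItems", "ManageLists") {
    $kind = [Microsoft.SharePoint.Client.PermissionKind]$name
    if ($role.BasePermissions.Has($kind)) {
        throw "Permission level '$levelName' still grants $name"
    }
}

# Create the group with the site's Owners group as its owner, not an individual.
$owners = Get-PnPGroup -AssociatedOwnerGroup
if (-not (Get-PnPGroup | Where-Object { $_.Title -eq "Students" })) {
    New-PnPGroup -Title "Students" -Owner $owners.Title `
        -Description "Students on the instructor site" | Out-Null
}
Set-PnPGroupPermissions -Identity "Students" -AddRole $levelName

# Show the permission levels the group ended up with on this site.
Get-PnPGroupPermissions -Identity "Students" | Select-Object Name, Description
```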


Another useful feature is the Check Permissions button in the ribbon.  Click it, and then enter the name of the user you want to check the permissions for.  It will show you all the groups that user is a member of on the site and what permission level each group has.


Groups are shared across the whole site collection but can be given different permissions on different sites.  In fact, you can give unique permissions to lists, libraries and even documents, but you need to be careful when doing so. 

Creating permission levels and groups gives you a lot of control over your SharePoint Sites.  However, it can be easy for permissions to get out of hand, so you want to have a good governance plan in place.