CATCHBEFORE TEAM

SharePoint Permission Levels and Best Practices in Microsoft 365

Table of Contents

In order to secure data and SharePoint Online ensure that only relevant information is seen by the right group of people, permission management in SharePoint Online must be handled properly. In this post, we will be discussing all you need to know about SharePoint permission levels – how they work and where to find them in addition to general best practices surrounding the topic. An exhaustive article on how to manage Microsoft 365 SharePoint, for the administrators out there.

Levels of Permission in SharePoint for Office 365

In SharePoint Online, you may think of permissions as a set of various that determine what users can or cannot do inside the site. These levels include:

Full Control – this means you have full control of the site, including permissions.

Edit – Add, edit and delete lists, libraries, and entries in the Site

Contribute – Users can add, edit and delete items in existing lists and document libraries

Reading – Users can view pages and items in lists and libraries. 2

Read Only – For viewing gem without able to download the content. (Having only read-only access) Its just a view of code and nothing else

Edit Access – The minimum level of access that a user needs in the site collection Limited Access: Automatically assigned to users given edit permissions on an item within a site

Levels of Permission in SharePoint for Office 365

Digging Down: Review of Permission Levels

1. Full Control

Full Control: Users with Full control ability can conduct every operation that the site provides, they may create and delete sites, change site settings (sitewide), Manage permission on all sub-website levels or even full content authoring.

Use Case: Typically given to site administrators who are responsible for building the basic architecture and configuring your application.

2. Edit

Users Add, edit and remove lists, libraries and Items. Customize web partsConcept)xViews

Used When: For team members that need to edit content and should not be able to control site settings, change permissions etc

3. Contribute

Permissions: Add edit and delete items in existing lists & document libraries

When would you use this: Perfect for users that will continue to input content only with no back end access.

4. Read

Roles: Page Viewers, Item/Document Readers (Can view pages/items/documents/{hide})

Use Cases: ideal for read-only users who require data access without the ability to change it

5. View Only

Features: It lets users read a certain specific content only mode and user cannot download the same.

Use Cases: Perfect for shared highly confidential documents that need to be viewed but should not have an option to download or edit.

6. Limited Access

Functionality: Allows users to access an individual asset (the item, typically a document or list entry) in the site

Usage: Deployed automatically when a user requires access to an item, not the site itself.

Knowledge is power and understanding these permission levels are the first step in better SharePoint management.

Default Permission Levels in SharePoint Online

By default, SharePoint Online will assign certain permission levels to any new site created. To manage these permissions:

1. Navigate to Site Settings

Go to the SharePoint site.

Click on the gear icon and then you choose “Site Settings.”

Navigate to Site Settings

2. Manage Site Permissions

Below the “Users and Permissions,” click on “Site Permissions.”

Manage Site Permissions

3. Assign Permissions

Choose the group or user to set access rights.

Click “Grant Permissions” and select the right level of permissions.

Assign Permissions


4. Save Changes

You will click “OK” to save the changes.

SharePoint Online comes with 3 main site groups (Owners, Members and Visitors). Each group maps to one of the permission levels (Owner, Contributor) etc.

SharePoint Online Site Groups Default Permissions

To facilitate Site Group, there are pre-created site groups and default permissions in SharePoint Online.

Owners: This group has Full Control permissions. With these roles they can handle things like site settings, permissions, and content.

Members: Users in the Members group have Edit access rights. They have access to add, update and remove content.

The Visitors: The group which is intended to represent the general public, so people who aren’t authenticated at that site can see content.

These predefined groups make the user roles fairly standard without requiring countless customizations.

Default Permission Groups Customisation

Default permission groups are great, but you might want to tweak them a little bit to suit your organization better:

1. Modifying Existing Groups

Go to Site Settings > People and Groups.

Modifying Existing Groups

2. Choose the group you want to update

You can adjust the permissions and membership of a group via “Settings” > “Group Settings”.

3. Creating New Groups

This can be found under Site Settings > People and Groups

More>New >New Group.

Give the group a name, establish its permissions and configure policies for member enrollment.

The creation of custom groups also enables better permission management relative to the roles in your organization.

Creating New Groups ms365

Add New Permission Level in SharePoint

You can create custom permission levels to cater the specific requirements. In order to make a new permission level:

1. Access Site Permissions

Site Permissions” under “Sitesettings”

2. Create Permission Level

Under Users and Permissions, click on “Permission Levels.”

Click Add a Permission Level.

3. Define Permissions

Give your new permission level a name.

Choose all the necessary permissions from these lists.

Click “Create.”

Add New Permission Level in SharePoint

Custom Permission Levels Best Practice

Custom permission levels can be used to configure access permissions exactly as you need them. Follow these best practices:

1. Define Clear Use Cases

Identify the exact detail(s) that necessitates a unique permission level. Do not make levels just for the levelless sake of making a level.

2. Document Custom Levels

Document any custom permission levels, why those are a thing and what they do.

3. Regularly Review and Update

Occasionally evaluate the custom permission levels, make sure that they still satisfy organizational requirements and modify them accordingly.

With custom permission levels, user actions within SharePoint can be regulated at a more granular level.

This is how you set permissions for Document Libraries in SharePoint Online

SharePoint Online: Document libraries are a key building block of SharePoint Online. Document Library Permissions Management

1. Go To The Document Library

How to check- Open the SharePoint Site -> Document Library

2. Manage Library Permissions

From the ribbon, click “Library Settings”.

Choose the “Permissions for this document library.”

Manage Library Permissions


3. Edit Permissions

Notice: The notification”Grant Permissions To” in which you wish to add users or groups as below.

Select proper permission to share and click SHARE.

Edit Permissions

Deeper Library Permissions Versioning

Advanced settings – Understanding to Manage document library permissions properly

1. Library Permissions Best Practices

Libraries automatically receive permissions from the associated site by default. If you want to manage them separately, click on the library -> Library settings in order to stop inheritance by clicking “Stop Inheriting Permissions”.

Library Permissions Best Practices

2. Library Permissions Levels

Give users or groups permissions on the document library, such as Contribute / Edit.

3. View Library Permissions

Go to the Library Settings and click on Permissions for this document library > check permissions & VERIFY WHO HAS ACCESS TO A DOCUMENT LIBRARY.

Since permissions at the document library level will give users read access to files in a given site collection, as well as protect sensitive information.

How to define Folder Level Permissions in Microsoft SharePoint?

Sometimes the permissions must set on folder level under document library;

1. Navigate to the Folder

Go to the document library and select it.

2. Manage Folder Permissions

The folder name you will find right here on the other side of which there is an ellipsis (three dots), hit that and select Manage Access.

Click on the “Advanced” link to select the permissions.

3. Break Inheritance

Then, to manage permissions separately from the parent library click ‘Stop Inheriting Permissions.

4. Set Permissions

Simply add users, groups and give them the level of permission.

Click “OK” to save changes.



Examples Of Folder-Level Permissions

Folder-level you can control access to folders of documents as a unit

1. Project-Specific Folders

Assign new permissions to folders associated with specific projects, restricting access only for team members who need role-based or administrative privileged.

2. Confidential Documents

Only allow certain users or groups to access folders that contain sensitive documents.

3. Collaborative Workspaces

If some folders are used for collaborating, like the one which requires permissions to be Edit or Contribute then make a folder.

Folder-level permissions make access management within a document library more fine-grained.

Permissions On The Files Level In SharePoint Online

There are a few files that may need individual permissions in some circumstances. There are several ways to handle file level permissions.

1. Select the File

Browse to the Document Library and select your file.

2. Manage File Permissions

Click on the ellipsis (..) next to the name of a file and choose Manage access.

Advanced, on Onglet Permissions

3. Break Inheritance

Select “Stop Inherit Permissions” and then modify file permissions.

Break Inheritance

4. Assign Permissions

Assign the needed permission level to users/groups

Click “OK” to save changes.

Use Cases for File-Level Permissions

In the shared library, file-level permissions can be used to secure confidential files:

1. Sensitive Documents

Limit the number of people who can open up sensitive files.

2. Approval Workflows

Allow only the necessary people to submit changes by setting permissions on files; making it require review.

3. External Sharing

Control the permissions to files shared with external users, and provide a reference or no permission.

File-level permissions offer the ultimate control for each individual document in SharePoint


Setting List Permissions in Office

O365 SharePoint Online

SharePoint Online – Lists List permissions are Being Configured Here

1. Navigate to the List

Open the SharePoint siteGo to list.

2. Manage List Permissions

On the ribbon, click List Settings.

Click on “Permissions for this list.”

3. Edit Permissions

To add users or groups, click Grant Permissions.

Select the permission level and click “Share.

Advanced List Permission Management

The majority of lists consist of structured data that are essential to a companys operations. You can manage list permission like;

1. Breaking Inheritance

Libraries – and lists as well by extension of this fact – are set to inherit permissions from the site they reside on in SharePoint. Make sure to manage these independently by clicking on “Stop Inheriting Permissions” for this doc.

2. Custom Permission Levels

Custom permission levels can be assigned to users or groups on particular lists (e.g. Contribute, Edit).

3. Checking Permissions

Consider utilizing the “Check Permissions” tool to confirm that certain users have access at the list level.

List permissions allow you to control access over structured data in sharepoint, if user have read or write access.


How to Check User Permissions on a List in SharePoint Online?

To verify user permissions:

1. Access Site Permissions

Site Settings > Site Permissions

2. Check Permissions

Click Check Permissions from the ribbon.

Specify the User or Group and click “Check Now.”

Check Permissions

3. Review Permissions

This will show the real permissions of an user

Review Permissions

Why Checking Permissions is Important?

Ensuring the security and compliance of users is done by maintaining their permissions gracefully subscriptions (how this works, out in part 1!)

1. Audit Trails

This allows us to have that audit trail by limiting who has access to what, which is critical for compliance.

2. Security

This limits user access to the appropriate permission and also stops unauthorized entry in confidential data.

3. Efficiency

Periodic checks can put the detecting of suspended permissions in place and will prune system efficiency.

By verifying user permissions, you can ensure users have the necessary level of access to keep unauthorized users from entering or becoming non-compliant.

Results Of Permission Reports In SharePoint Online

Permission reports generate better organizational visibility facilitating greater control over permissions, aiding administrators to understand and deal with them in a more organized manner.

1. Use Built-in Reports

SharePoint Online includes builtin reports under its Site Setting phase.

2. Third-Party Tools

Tools like AdminDroid will give you extensive capabilities to report on permissions.

3. PowerShell Scripts

You can create full detailed reports using PowerShell scripts allows the fully customization.

Comprehensive Permission Analysis

With permission reports you can identify areas where your users have access and, therefore security risks!

1. Regular Reporting

Regularly schedule permission reports to ensure you are alerted if there is a change and remain compliant.

2. Custom Reports

Leverage 3rd party tools or PowerShell to create custom reports and manage your environment specific to what you need for YOUR organization!

3. Actionable Insights

Review reports to pinpoint any security threats or excessive permissions

Permission reports deliver insights on who can do what, enabling administrators to keep their SharePoint environment secure and compliant.


SharePoint Permissions Management Best Practices

Principles of best practices in SharePoint Permissions add Security and simplify the end users lives

1. Adhere to the Principle of Least Privilege

Make sure that you assign the minimum required permissions to users to get their work done.

2. Utilising Groups not Users

Groups – This approach extends the concept of managing permissions via groups which ease the administration.

3. Use Secure Links for Sharing

When sharing documents use secure links that expire and are only viewable.

By adopting these best practices, you can ensure your SharePoint environment remains secure and organized.

Do’s with SharePoint Online Permission Levels

Assign Permissions at the Highest Appropriate Level: Make sure to manage permissions in either site or library.

Use SharePoint Groups: Only manage permissions easily with the use of groups.

Regular Audits: Have regular permission audits to make sure you comply.

Expanded Do’s

1. Do Use Inherited Permissions

Unless businesses have a need for unique permissions, continue to use inherited permissions which can simplify management efforts.

2. Do Keep Permissions Simple

Of course, you should avoid those that present unnecessarily elaborate permission structures which become problematic to configure and follow through with.

3. Do Communicate Changes

Let users know of updates to their permissions so as not to cause confusion and avoid surprises that they do (and do not) have access.

SharePoint Online Permission Levels DONTS

Do not Assign Permissions Directly to Users: It is generally a bad practice and makes things complex.

Avoid Overusing Custom Permission Levels: default permission levels are often the most straightforward way to go.

Keep Inheritance in Mind: respect and manage permission inheritance to prevent unintended access.

Expanded Don’ts

1. Check Permissions fencingOptions More Info

Revisit and update permissions frequently to fit it well with your application permission policies.

2. External Sharing: Never Forget About It

Manage permissions with care for external users to make sure that they do not have unauthorized access.

3. Check Defaults, Default Settings are not Always the Best

Evaluate and modify default permission settings to reflect the specific needs of your organization.

Ultimate Guide to SharePoint Permission Levels in AdminDroid

For managing SharePoint permissions, AdminDroid is a handy tool. It offers:

1. Detailed Reports: Permission reports that can help you avoid additional, and possibly critical security issues.

2. User Activity Monitoring: Task-based user tracking to confirm compliance.

3. Automated Alerts: Be notified about important permission changes.

SharePoint Permission Levels in AdminDroid

Features of AdminDroid

1. Permission Analysis

In-Depth Analysis – Analyze permission settings Site-wide, at Library / List level and item level.

2. Audit Logs

Detailed audit logs to record permission changes and create an accurate trail of events.

3. Custom Reports

Introduce tailored custom reports compliance and security requirements. This will make your life easy to managed the sharepoint permissions via adminDriod.

Features of AdminDroid


Preventing Data Loss by Securing SharePoint

Ensuring The Security of Data in SharePoint

1. Backup your SharePoint often: Make sure the content of SharePoint is daily backup.

2. DLP (Data Loss Prevention) policies: You can implement DLP policy in order to stop the leakage of sensitive information.

3. Multi-Factor Authentication (MFA): Implement MFA for end user security access.

Advanced Security Measures

1. Encryption

Encrypt: all data in transit and at rest.

2. Access Reviews

Run access reviews on an ongoing basis to make sure users are assigned with right permissions.

3. Security Training

Regular security trainings should be conducted for the users so that they learn about best practices and threats.

These when combined with additional security measures makes your SharePoint sit isolated and helps protect the data within.

Summary: SharePoint Permission Levels and Best Practices in Microsoft 365

Properly managing SharePoint permissions is crucial to maintain security and ensure users have the required access. Default permission levels, custom permissions and best practices protect both privileged information and the process of granting access.

These capabilities are further enhanced with tools like AdminDroid, which makes it easier to retrieve a history of who has access permissions and ensures no data loss due to permission relinquishing. These practices will enable you to work toward a secure and performant SharePoint in Microsoft 365.