SharePoint Permission Tips for Site Owners

If you grant SharePoint users the Full Control permission level in a SharePoint site this gives them the ability to administer their own site, including permissions. You will likely find yourself needing to facilitate a “SharePoint Permissions 101” training session at some point. I’ve given a few of these sessions and there are some common questions I consistently hear from site owners; this post will list these questions and my answer for each.

Note: This applies to standard SharePoint sites and NOT a SharePoint site provisioned with an Office 365 Group. In an Office 365 Group site, permission administration is accomplished using different methods.

“Who can edit SharePoint group membership?”

You determine this by clicking Site permissions under the Users and Permissions group in Site settings of any site. You will see a list of all SharePoint groups defined for the current site. If you click into any one of the SharePoint groups and then select the Group Settings ribbon option shown beside the blue star you can see who has the ability to edit that SharePoint group’s membership.

The important settings to know about are the Owner and Group Settings.

1. Owner – this can be a single user or another SharePoint group. The owner can change anything about the group. Whoever provisioned the site’s name will be automatically inserted as the Groups’ owner so make sure this is changed to the appropriate person or group to whom should be responsible for administering the Group’s membership. I recommend using a group here rather than an individual user since if they leave no one will be able to administer the group’s membership
2. Group Settings – this determines who can view and change membership of the group. Whether you select the Group Owner or Group Members group, it is important to train the people in the group so they know how to administer permissions.

“Can I edit a SharePoint Group’s membership for just one subsite?”

No. This trips up some users. A SharePoint group’s membership is defined at the site collection level. You cannot edit the members in a subsite that requires unique permission if you only want the change to be effective for the subsite. Changing the group’s membership changes it everywhere in the site collection. You only make that mistake once. 😉

“How do I check a user’s permission?”

You can check the permissions for a user, Active Directory security group or SharePoint group at any point in the hierarchy by navigating to the point you want to check permissions at, clicking the ‘Check Permissions’ ribbon option and entering the user’s name. This is often my first step in troubleshooting permission issues for a specific user and object.

“What does ‘Limited Access’ mean?”

Limited Access is a SharePoint permission level. You can’t explicitly grant it, but rather it is automatically granted to users at the site level when the user is assigned permissions to a child object where permission inheritance is broken. This allows a user, for example, to navigate via the site if they have only been granted permission to an object within the site such as a library or folder.

You will see a lot of ‘Limited Access’ users in an environment where end-user’s are sharing files to other user’s as behind-the-scenes this is how SharePoint grants the appropriate permission.

“Can I copy one user’s permission to another?”

In a word? No. This is often the way a request is worded when an end-user is requesting permission… “Give Bob the same access Susan has.”

It’s just not possible using SharePoint out-of-the-box. You have to use a 3rd party tool to allow this type of functionality.

A beneficial approach is to use Active Directory security groups for access. In our example above, if Susan and Bob are in the same Active Directory security groups and you’ve used Active Directory security groups to assign permission in SharePoint, you’re likely half-way there to having Bob set up the same as Susan. Of course, if Susan has been granted unique permissions elsewhere across your farm/tenant, there is no easy out-of-the-box way of knowing where that is and assigning the same to Bob.

“I want everyone to have access but these 5 people. Can I do that?”

In 2 words? It depends. 😉 Similar to the previous question, this is often how a request is worded when an end-user wants to prevent certain people from seeing things in SharePoint. It’s usually not that simple – you will need to ask more questions before proceeding.

In our example, are the 5 people listed as individual users for the object and not in a SharePoint group? If so, you can break inheritance by stopping permission inheritance and removing the 5 users. Are the 5 people part of a SharePoint group? If so, you can’t remove them out of the group without affecting everywhere else that SharePoint group is used (refer back to the previous question, “Can I edit a SharePoint Group’s membership for just one subsite?” where I discuss this). Are the 5 people part of a larger Active Directory group that’s been added into the SharePoint group? If so, then you will no longer be able to use that AD security group to assign permission. You will either have to find an AD group where the 5 people are not included or update the AD security group to remove them. (which will have other implications if that security group is being used elsewhere in your environment)

Generally speaking SharePoint permissions are done using a ‘grant’ model rather than a ‘revoke’ model. You cannot explicitly specify users you don’t want to have access.

Exception to this is in an on-premises environment you can specify a user as ‘deny all’ or ‘deny write’ at the web application level, but this is not a granular setting you can control.

Closing thoughts…

Permission administration is a classic example of “a little knowledge is a dangerous thing” in SharePoint. If you have enabled users to administer their own, make sure you’ve armed them with the knowledge to set them up for success.

Thanks for reading.

-JCK