We explain two ways to manage user and group permissions in SharePoint Online—ensuring the right people have access to the right things.
SharePoint permissions are managed through a set of membership groups within some types of sites (owners, members, visitors, etc.).
We know, and Microsoft also knows, that secure collaboration is crucial when working online. You have a wide array of users with access to site content, and you need to make sure that the intern doesn’t somehow stumble onto the company’s secrets.
With SharePoint Online, you have a broader set of capabilities to secure collaboration in Microsoft 365 while giving your users more control.
Here at ShareGate, we enable you to implement SharePoint permissions best practices in one handy multi-tool.
In this article, we simplify the process of permissions management across different types of sites in SharePoint. By the end, you’ll get a clear picture of the flexibility you now have when looking to collaborate securely inside and outside your organization.
In a nutshell, SharePoint lets you grant permissions to users. But an important follow-up question would be, “How much can I play around with these permissions?”
To answer that question, it’s a good idea to first familiarize yourself with all of the kinds of permissions available in SharePoint. They include:
Team permissions: Depending on whether you add a user as an owner or a member of the associated Microsoft 365 group, permissions to the team site are assigned accordingly. When Dave is added as a team member in the group, he’s automatically a ‘member’ of the SharePoint team site rather than an ‘owner’ or ‘visitor’.
Communication site permissions: Unlike SharePoint team sites, communication sites aren’t part of Microsoft 365 Groups. Owners, members, or visitors added to a SharePoint communication site are only associated with that particular site. Of course, different permission levels can be granted (as an owner, member, visitor, or custom SharePoint group) to a single user, security group, or an entire Microsoft 365 group.
Use case: Inviting visitors to a communication site for collaboration. Visitors can be added as part of a security group where permissions are standardized for a large number of visiting collaborators.
Hub site permissions: SharePoint admins control which users can add more sites. Hub site permissions can go either of two ways:
- For team sites, permissions should be managed from the corresponding Microsoft 365 group.
- For communication sites, permissions should be managed from the SharePoint group (since communication sites aren’t part of Microsoft 365 Groups).
Shareable links permissions: Any user assigned permission to access a site, group, or team automatically has access to the corresponding SharePoint site data. Shareable links allow you to share specific data rather than the entire site content. You can edit permissions so that the shared link is accessible by everyone or specified users.
Guest sharing permissions: SharePoint allows guest sharing capabilities to make collaboration with outside parties easier. Permissions can be edited so that only specific site data is accessible by outside parties.
Method #1: Using Microsoft
Add users to a group
- On the SharePoint site, click share/members.
- Click on Add Members.
- In the dialogue box that appears, enter the names or e-mail addresses of the users you want to add.
- You’ll also be able to set permissions levels when sending the invite.
- Once done, click on Share, and the invite will be sent.
Remove users from a group
- Go to the SharePoint site and click Settings.
- Click Site settings/Site Information.
- Click View all site settings/Site settings. (Some users might need to click on Site contents before viewing the Site settings dialogue).
- On the Site Settings page, go to Users and Permissions—> People and Groups.
- Go to People and Groups—>Quick Launch and select the user you want to remove.
- Click Actions—>Remove Users from Group.
- A confirmation dialogue box will pop up. Click Ok to proceed and remove the user.
Grant site access to a group
- Go to the SharePoint site and click Settings.
- Go to Site Permissions.
- Click Advanced Site Permissions once the site permissions page opens.
- On the Advanced Site Permissions page, click on the Permissions tab.
- Click Grant Permissions.
- Click on Share, and enter the name of the group you’d like to give access to.
- After you click on Share, a prompt will appear asking which level of permissions you want to give to the group. By default, the group will be able to edit, but you can change permission levels by clicking on Show options—> Select a Permission Level/Select a group or permission level.
- Once permissions for the group are finalized, click Share to proceed.
Assign a new permission level to a group
- Go to the SharePoint site and click Settings—>Site Settings/Site information. (Sometimes, you’ll have to click on Site contents and then Site settings.)
- Once on the Site Settings page, click on Users and Permissions—> Site Permissions.
- Hover over the user/group to which you’d like to assign a new permission level. Tick the check box to select them.
- Go to the Permissions tab and click on Edit User Permissions.
- You’ll be taken to a screen where you’ll be able to grant custom permissions to the group. If you check more than one box, the user will get a combination of all those permission levels.
Method #2: Editing permission assignments using ShareGate
To grant permissions to users or groups in a target location, go to Explorer and select the sites where you want to apply the changes. Click + Add from the Permissions section in the Quick actions menu.
In Add permissions, you can select one or multiple users, and grant them new permissions over the items that were previously selected in the Explorer. You can either add them to existing SharePoint groups, assign them as Site Collection administrator, or assign them explicit permissions. These can be out-of-the-box permission levels or custom ones. You can also assign permissions to SharePoint groups and Active Directory groups.
Copy user permissions
One particularly interesting feature is the ability to copy the permissions of a user to another.
For example, your company makes two hires for the Sales Team: Alex and David. As an IT admin, you know Alex and David’s permissions should be the same. In ShareGate, copy Martin’s already existing permissions and assign them to Alex and David. That’s it! Alex and David now have the same access to site content as the rest of the team. You can select a tenant, sites, or any SharePoint object for this operation.
It’s been a few months, and Alex and David have been promoted to new positions with different job descriptions. As a result, the old permissions are no longer required.
Our Remove Permissions option is there to help you remove permissions from users or groups.
With Remove permissions, you can select your tenant, sites, or other SharePoint objects to:
- Remove from SharePoint group membership
- Remove from site collection administrators
- Remove their explicit permissions
- Remove all permissions
Identifying site permission levels regularly
Environments tend to evolve over time.
People get promoted, new people are hired, and roles change.
If you’re not careful, you might lose track of permissions across your organization. Due to mismanagement, Dave from Sales, who was transferred to the marketing department, might still have irrelevant access.
It’s essential to have a mechanism to track permissions levels and ensure access to resources remains secure over time.
Permission levels in SharePoint
First, let’s have a closer look at all the permissions levels available in SharePoint:
Full control: Pretty self-explanatory from the name. This is the highest permission level available, giving owner-level access to the user. The group’s owner automatically has this permission level by default.
Design: This permission level doesn’t come with any group by default. It needs to be manually assigned by the admin. It grants the user the ability to create lists and document libraries and to edit pages. Users can also apply borders and style sheets on the site.
Edit: Assigned to the Members group by default. You can further add, edit and delete lists with this permission level. You can also add, delete, and update list items and documents.
Contribute: Add, update, delete, and view list items/documents.
Read: View pages/items in existing lists and document libraries. You can also download documents with this permission level.
Limited access: You can provide access to specific content rather than the entire site. The user might be able to access the site, but they’ll only see the content they’re allowed to.
Web-only limited access: Only allows the user to view web objects, and restricts them from everything else.
Approve: Assigned to the Approvers group by default, you can approve and edit list items and documents.
Manage hierarchy: Assigned to the Hierarchy group by default, users can create and edit sites and pages.
Restricted read: Restricts users from seeing historical versions and user permissions. Users will still be able to view pages and documents.
View only: View documents, pages, and items.
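The periodic review described above can be expressed as a small audit over exported permission assignments; this is an added example, not part of the original article and not ShareGate's code. The `Grant` record, the sample grants, the HR roster, the site-to-department mapping and the coarse ranking of permission levels are all constructed assumptions.

```python
from dataclasses import dataclass

# Coarse ranking of some permission levels listed above (assumption for this
# example: a higher number means broader rights; unlisted levels rank 0).
LEVEL_RANK = {"View only": 1, "Read": 2, "Contribute": 3,
              "Edit": 4, "Design": 5, "Full control": 6}

@dataclass(frozen=True)
class Grant:
    site: str       # site the grant applies to
    principal: str  # user login
    via: str        # SharePoint group name, or "direct" for an explicit grant
    level: str      # permission level name

# Constructed sample data. "#EXT#" in a login is how guest accounts appear.
SITE_DEPT = {"/sites/sales": "Sales", "/sites/marketing": "Marketing"}
ROSTER = {"dave@contoso.com": "Marketing", "alex@contoso.com": "Sales"}
GUEST = "pat_fabrikam.com#EXT#@contoso.onmicrosoft.com"
GRANTS = [
    Grant("/sites/sales", "alex@contoso.com", "Sales Members", "Edit"),
    Grant("/sites/sales", "dave@contoso.com", "Sales Members", "Edit"),
    Grant("/sites/marketing", "dave@contoso.com", "direct", "Full control"),
    Grant("/sites/sales", GUEST, "direct", "Contribute"),
    Grant("/sites/sales", "left@contoso.com", "Sales Visitors", "Read"),
]

def audit(grants, roster, site_dept, guest_max="Read"):
    """Return sorted (site, principal, finding) tuples for a periodic review."""
    findings = set()
    for g in grants:
        rank = LEVEL_RANK.get(g.level, 0)
        if "#EXT#" in g.principal:
            # Guests: flag anything broader than the allowed ceiling.
            if rank > LEVEL_RANK[guest_max]:
                findings.add((g.site, g.principal, "guest above " + guest_max))
        elif g.principal not in roster:
            # Account no longer on the HR roster but still holding access.
            findings.add((g.site, g.principal, "not on roster"))
        elif roster[g.principal] != site_dept.get(g.site):
            # The "Dave moved from Sales to Marketing" case.
            findings.add((g.site, g.principal, "department mismatch"))
        if g.via == "direct" and rank >= LEVEL_RANK["Full control"]:
            # Owner-level rights granted outside any group.
            findings.add((g.site, g.principal, "direct Full control"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(GRANTS, ROSTER, SITE_DEPT):
        print(*finding, sep=" | ")
```
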
ShareGate’s Permissions Matrix Report: An answer to permission management problems in SharePoint
Permissions not only need to be managed but also audited regularly to maintain an ongoing standard of high-level security for your organization’s data.
ShareGate offers a built-in Permissions Matrix Report, which covers all those bases. Think of it as your all-knowing personal security assistant.
With one click, you get comprehensive visibility of what users and groups have access to and their permission levels, in your SharePoint and Microsoft 365 environments.
With the results from our Permissions Matrix Report, you can:
- See who (and which groups) can access what, including external users and the content shared via anonymous links.
- Plan your migration by helping you answer the question “Are these the permissions I want to have when I migrate to the destination?”.
- Compare pre- and post-migration. Get a snapshot of your permissions before you make the move. When your migration is completed, you can compare your source to your destination.
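The pre- and post-migration comparison in the last item can be sketched as a diff of two permission snapshots; this is an added example, not ShareGate's report format or code. The `site,principal,level` line format, the sample snapshots and the ranking of permission levels are constructed assumptions.

```python
# Coarse ranking of permission levels (assumption for this example).
LEVEL_RANK = {"View only": 1, "Read": 2, "Contribute": 3,
              "Edit": 4, "Design": 5, "Full control": 6}

# Constructed snapshots: one "site,principal,level" assignment per line.
SOURCE = """
/sites/sales,Sales Owners,Full control
/sites/sales,Sales Members,Edit
/sites/sales,Sales Visitors,Read
/sites/sales,dave@contoso.com,Contribute
"""
DEST = """
/sites/sales,Sales Owners,Full control
/sites/sales,Sales Members,Full control
/sites/sales,dave@contoso.com,Read
/sites/sales,Everyone except external users,Read
"""

def parse_snapshot(text):
    """Parse snapshot lines into {(site, principal): broadest level}."""
    snap = {}
    for line in text.strip().splitlines():
        site, principal, level = (field.strip() for field in line.split(","))
        key = (site, principal.lower())  # logins compare case-insensitively
        # Keep the broadest level if a principal is listed more than once.
        if LEVEL_RANK.get(level, 0) >= LEVEL_RANK.get(snap.get(key, ""), 0):
            snap[key] = level
    return snap

def compare(source, dest):
    """Return (kind, site, principal, before, after) for every difference."""
    changes = []
    for key in sorted(source.keys() | dest.keys()):
        before, after = source.get(key), dest.get(key)
        if before == after:
            continue
        if before is None:
            kind = "added"      # access that did not exist at the source
        elif after is None:
            kind = "lost"       # access that did not survive the move
        elif LEVEL_RANK.get(after, 0) > LEVEL_RANK.get(before, 0):
            kind = "escalated"  # broader rights at the destination
        else:
            kind = "reduced"
        changes.append((kind, key[0], key[1], before, after))
    return changes

if __name__ == "__main__":
    for change in compare(parse_snapshot(SOURCE), parse_snapshot(DEST)):
        print(change)
```

The "added" and "escalated" rows are the ones to review first, since they represent access the destination grants that the source did not.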
If you can’t wait to dive into our Permissions Matrix Report and all our Microsoft 365 management solutions, start a 15-day trial with ShareGate (it’s free!).
It’s safe to say that there’s a fair amount of attention spent on permissions management in SharePoint. The platform is evolving to cater to digital and secure collaboration.
Advanced permissions capabilities allow you to track who has access to what across the organization. And if you want more flexibility in staying updated about these permissions, you always have ShareGate’s Permissions Matrix Report to rely on.