Security is important when it comes to SharePoint systems. Some parts of the site may be restricted to HR users, for example, staff contracts should obviously not be seen by an entire organization. What’s great about SharePoint is it supports this kind of granularity, with an extensive security model. It allows you to configure security on many different levels, and assign a wide variety of different permission levels.
While most roles are straight-forward, there are two different roles that sometimes cause confusion: Site owner vs Site collection administrator. These roles are very important, so let’s explain the difference between them.
Site collection versus subsite
SharePoint consists of web applications, each web application contains one or more site collections, and every site collection has one or more subsites. On every level, different permissions can be assigned, giving admins options for a granular permission configuration.
Each security group has a different set of permissions. The group “Site Owner” gives the user the permissions “Full control” to that subsite. It basically gives the group members all available permissions on that specific subsite. It allows them to create and delete lists and libraries, grant other users permissions, activate site features, create new subsites, etc.
A “Site Collection Administrator” on the other hand, is granted the same permissions as the site owner on every site in the site collection. There is no way to override that on subsite level. This is a very powerful role indeed, and one that should be assigned with care.
The Site Collection Admin roles comes in handy when a site owner has removed all permissions from a subsite, leaving the subsite inaccessible to all users; except the Site Collection Administrator. It is a good security ‘catch all’ role.
Besides that, this role will grant access to “Site Collection Administration” features like Site collection features, Audit reports, Content type publishing, and so forth. These are accessed separately to other settings features (and in ‘Central Administration’ for On-Premises users).
The term “Administrator” doesn't refer to a system administrator role, and shouldn't be confused with classic “Server Admin” roles. It doesn't grant permissions to execute tasks on servers, neither does it grant access to other site collections or web applications (SharePoint Online offers less control in these areas than On-Premises in any case).
Who should be assigned which role?
Site owner vs Site Collection administrator: it depends on your organization. A Site Owner is typically responsible for only a subset of sites in a SharePoint portal. They're usually a key user, who's responsible for maintaining that part of the Intranet. They need to make sure all required libraries, sites, and lists are available for content editors, users have the required permissions, and required features are enabled.
The person or persons who fulfill the role of Site Collection Administrator depends on the size of your SharePoint portal. In an implementation with only one Site Collection, it usually is someone from the IT department. If there are multiple web applications, with multiple site collections, this role is assigned to a key user. When Records Management features are being used, a Records Manager will be most likely the Site Collection Administrator of the records center.
Be careful who you give permissions to
Not everybody in an organization should be granted the role of ‘Site Collection Administrator’. A part of a SharePoint implementation plan should be dedicated to security: Which user groups of the organization are granted which permissions? Be very careful with whom you grant Site Owner or Site Collection administrator roles, because it gives a lot of responsibility. Users granted these permissions must know what they're doing. Some organizations only allow people to be granted these roles after completing training or after formal approval. This may be too much for some organizations, but when sensitive data is being stored, this could very well form part of your implementation plan.
Other permission levels to be aware of
Besides the roles Site Owner and Site Collection Administrator, SharePoint contains a large number of other roles. The available roles after creating a site depend on the type of site you created. For example, a team site only has “Site Viewers”, “Site Members”, and “Site Owners” available, while a publishing portal adds other groups like “Designers”, “Approvers”, “Hierarchy Managers”, and so on. Each of these roles has been assigned a permission level. A permission level defines which actions are allowed, e.g. “read documents”, “update documents”, “create lists”, etc.
And, if that’s not enough, it’s possible to create your own roles and permission levels.
You might want to leave it up to the Site Owner to grant all required permissions for subsequent users and/or sites. But in that case, they must be competent enough to understand all different roles and permission levels, not always easy if they're new to SharePoint!
In any case it's a good idea to regularly review and audit the state of play. A SharePoint management tool like Sharegate can help with this, making it really simple to give users the freedom they need to be productive, whilst keeping control.
Site Owners vs Site Collection administrators demystified
Site Owners are responsible for one part of a Site Collection only, and cannot change anything on Site Collection level. They have full control on one or more subsites, and can grant permissions to users, create lists and subsites, and activate site features.
Site Collection Administrators can do the same as Site Owners, and much, much more. They cannot be denied access to any subsite and they're able to change settings that apply to the entire Site Collection - including deleting things. This role is frequently assigned to people in the IT department, but in larger portals it may be more of a ‘power user’ person.
Remember the golden rule: Only people who qualify should be granted either role, because both come with a lot of responsibility and power!