The beauty of SharePoint and Office 365 is that they facilitate easy collaboration and access to information. Modern businesses are more aware than ever that allowing knowledge and information to flow around the organization encourages innovation and speeds up workflows. However, Microsoft’s enterprise IT stack is something of a double edged sword - as great as collaboration is, some information needs to be kept hidden from certain users. This can be for reasons of data privacy, data protection, or commercial sensitivity. The process of achieving this is less simple than in the past, where colleagues simply wouldn't have had access to physical libraries and filing cabinets.
SharePoint/Office 365 administrators have an essential role in maintaining the security and integrity of their company's Enterprise IT solution. The platform allows administrators to apply levels to different users and groups which determine what and how much they can see. These levels are an essential part of managing security and, when managed correctly, mean administrators can sleep easy, knowing security is taken care of.
Despite the strengths of the SharePoint permissions model, it can be initially confusing for some to maintain a consistent overview of how sites, lists and libraries are being used in your SharePoint solution. Understanding how SharePoint permission levels work, what you can do with them and how to apply them appropriately can help you manage sites better.
What are permission levels and why do we have them?
In Office 365 and SharePoint 2013 there are a variety of permission levels which allow users to access the resources they need. They tend to group actions and define what users can and can’t see within your enterprise IT solution. You may not want some users to be able to see a certain site at all, or in other cases you might just want to let them see certain lists and libraries but not be able to change or contribute to them.
Knowing which permissions to apply and how to use them requires an intimate understanding of your organization’s needs and how different departments use the Stack. SharePoint and Office 365 include a number of default permission levels which will cover the needs of most organisations. You may wish to customize these permission levels for the specific needs of your business because of unique roles and jobs within your company or because certain employees carry out usual tasks. While customization is possible, it can be complex as administrators need to ensure that there are no breaks in inheritance and that the permission levels are secure.
Default permission levels
Below is a complete list of the permission levels, what they do and who they are for:
For Site collection owners.
Contains all available SharePoint permissions, meaning individuals and groups can carry out any activity - from creating sites to editing lists and libraries or deleting documents.
For IM teams, IT and Site collection owners if they wish.
Allows users to edit pages and change their format (style, borders, and theme). Also lets users create lists and document libraries.
For Group Members - typically heads of departments/the person running a department’s site.
Lets users add, edit, and delete lists.
For anyone invited to work on a project, usually more junior staff members.
Lets you view, add, update, and delete list items and documents, but no more.
Usually for someone invited to participate on work but not to make changes.
It is only possible to view pages and items in existing lists and download documents.
Unusual in that it only allows access to specific content opened to specific users.
Lets users navigate to a particular page and only see the content available there.
The approvers group are usually more senior staff who give the final ‘go-ahead’ to documents.
This permission level lets them edit and approve pages, list items and documents.
Also for administrators.
Lets you create sites, edit pages, list items and documents.
Again, for low level employees or external parties.
Lets users view pages and documents but not see historical versions or other user permissions.
The most limited access type, only for those who have the most limited permissions.
Can only view pages, items and documents, and these can only be viewed if the individual has a server-side file handler - it’s not possible to download them.
Sharing content externally
Besides these internal permissions, Office 365 also allows you to easily share with external users this guide explains how to carry out the procedure. Of course, sharing private information with external parties is risky and at present Office 365 gives administrators very little control over seeing what has been shared and with whom. Sharegate offers a solution to enhance SharePoint, and gives administrators greater control over their domain.
Staying on top of permissions
There’s a lot that can go wrong with permission levels, and security in general. SharePoint and Office 365 offer a strong model, but it needs to be used in the right way, and then maintained over time. Administrators need to be vigilant when ensuring that they’re well managed and our own tools can help provide a greater oversight of how the solution is being used, and ultimately how your content is being protected.