How do permissions work for SharePoint Online?

This FAQ was last modified on: Tuesday, January 16, 2018 10:22pm

SharePoint Online pre-defines different combinations of permissions. These pre-defined permission levels are known as the “default permission levels”. Permission levels specify which permissions users have for a site or list, and therefore whether people can view, change, or manage a site. By default, SharePoint pre-defines some permission levels.

Applies To:

  • All recent web browsers
To set permissions go to the Site settings section and click change permission under the “Users and Permissions” section.
Site settings
 Site permissions
 
Details: See the tables below for definitions of pre-defined permission levels.
 
Pre-defined permission levels
PERMISSION LEVEL
DESCRIPTION
Full Control
Contains all available SharePoint permissions. By default, this permission level is assigned to the Owners group. It can’t be customized or deleted.
Design
Create lists and document libraries, edit pages and apply themes, borders, and style sheets on the site. There is no SharePoint group that is assigned this permission level automatically.
Edit
Add, edit, and delete lists; view, add, update, and delete list items and documents. By default, this permission level is assigned to the Members group.
Contribute
View, add, update, and delete list items and documents.
Read
Can view pages and items in existing lists and document libraries. Can download documents.
Limited Access
The Limited Access permission level is unusual. It enables a user or group to browse to a site page or library to access a specific content item. Typically, the user was given access to a single item in a list or library, but does not have permission to open or edit any other items in the library. The Limited Access permission level includes all the permissions that the user must have to access the required item.
You cannot assign Limited Access permission level directly to a user or group. Instead, you assign appropriate permission to the single item, and then SharePoint automatically assigns Limited Access to other required locations.
Approve
Edit and approve pages, list items, and documents. By default, the Approversgroup has this permission.
Manage Hierarchy
Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group.
Restricted Read
View pages and documents, but not historical versions or user permissions.
View Only
View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded.
 
To help make managing site access more efficient, permission levels work together with SharePoint groups. A SharePoint group is a set of users who all have the same permission level. That is, all users in a SharePoint group have the same collection of permissions.
 
By default, each kind of SharePoint site includes certain SharePoint groups. For example, a Team Site automatically includes the Owners, Members, and Visitors group. A Publishing Portal site includes those groups and several more, such as Approvers, Designers, Hierarchy Managers, and so on. When you create a site, SharePoint automatically creates a pre-defined set of SharePoint groups for that site. In addition, a SharePoint admin can define custom groups and permission levels.
 
The following table describes the default permission levels and associated permissions for three standard groups: Visitors, Members, and Owners.
 
GROUP
PERMISSION LEVEL
Default permission levels and associated permissions for three standard groups
Visitors
Read    This level includes these permissions:
  • Open
  • View Items, Versions, pages, and Application pages
  • Browse User Information
  • Create Alerts
  • Use Self-Service Site Creation
  • Use Remote Interfaces
  • Use Client Integration Features
Members
Edit.    This level includes all permissions in Read, plus:
  • View, add, update and delete Items
  • Add, Edit and Delete Lists
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add, Update, or Remove Personal Web Parts
Owners
Full Control     This level includes all available SharePoint permissions
 
By default, permissions are inherited in SharePoint—that is, permissions set at the site collection level are copied to every site, list, and item in the site collection. This means that the permission levels that you set when you first create SharePoint groups can affect access for every site, list, library, folder, and item in the site. The best practice is to group people who require similar access. The following image displays permission inheritance.
 
Permission inheritance
 
SharePoint permissions apply to three categories of content: list permissions, site permissions, and personal permissions.
 
The following sections contain tables that describe SharePoint permissions for each permission category. For each permission, the table shows the dependent permissions.
 
Site permissions and dependent permissions
 
The following table describes the permissions that apply to sites, and show the permissions that depend on them.
 
PERMISSION
DESCRIPTION
DEPENDENT PERMISSIONS
Permissions that apply to sites, and show the permissions that depend on them.
Manage Permissions
Create and change permission levels on the website and assign permissions to users and groups.
Approve Items, Enumerate Permissions, Open
View Web Analytics Data
View reports on website usage.
Approve Items, Open
Create Subsites
Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
View Pages, Open
Manage website
Perform all administration tasks for the website, which includes managing content.
View Pages, Open
Add and Customize Pages
Add, change, or delete HTML pages or Web Part pages, and edit the website by using a Windows SharePoint Services-compatible editor.
View Items, Browse Directories, View Pages, Open
Apply Themes and Borders
Apply a theme or borders to the whole website.
View Pages, Open
Apply Style Sheets
Apply a style sheet (.css file) to the website.
View Pages, Open
Create Groups
Create a group of users who can be used anywhere within the site collection.
View Pages, Open
Browse Directories
Enumerate files and folders in a website, by using an interface such as SharePoint Designer or web-based Distributed Authoring and Versioning (Web DAV).
View Pages, Open
Use Self-Service Site Creation
Create a website by using Self-Service Site Creation.
View Pages, Open
View Pages
View pages in a website.
Open
Enumerate Permissions
Enumerate permissions on the website, list, folder, document, or list item.
View Items, Open Items, View Versions, Browse Directories, View Pages, Open
Browse User Information
View information about users of the website.
Open
Manage Alerts
Manage alerts for all users of the website
View Items, Create Alerts, View Pages, Open
Use Remote Interfaces
Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the website.
Open
Open*
Open a website, list, or folder to access items inside that container.
No dependent permissions
Edit Personal User Information
Allow a user to change personal information, such as adding a picture.
Browse User Information, Open
 
List permissions and dependent permissions
 
The following table describes the permissions that apply to lists and libraries, and show the permissions that depend on them.
 
PERMISSION
DESCRIPTION
DEPENDENT PERMISSIONS
Permissions that apply to lists and libraries
Manage Lists
Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
View Items, View Pages, Open, Manage Personal Views
Override Check-Out
Discard or check in a document that is checked out to another user.
View Items, View Pages, Open
Add Items
Add items to lists, add documents to document libraries, and add web discussion comments.
View Items, View Pages, Open
Edit Items
Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize Web Part Pages in document libraries.
View Items, View Pages, Open
Delete Items
Delete items from a list, documents from a document library, and web discussion comments in documents.
View Items, View Pages, Open
View Items
View items in lists, documents in document libraries, and web discussion comments.
View Pages, Open
Approve Items
Approve a minor version of a list item or document.
Edit Items, View Items, View Pages, Open
Open Items
View the source of documents that use server-side file handlers.
View Items, View Pages, Open
View Versions
View past versions of a list item or document.
View Items, View Pages, Open
Delete Versions
Delete past versions of a list item or document.
View Items, View Versions, View Pages, Open
Create Alerts
Create e-mail alerts.
View Items, View Pages, Open
View Application Pages
View documents and views in a list or document library.
Open
 
Personal permissions and dependent permissions
 
The following table describes the permissions that apply to personal views and web parts, and show the permissions that depend on them.
 
PERMISSION
DESCRIPTION
DEPENDENT PERMISSIONS
Permissions that apply to personal views and web parts
Manage Personal Views
Create, change, and delete personal views of lists.
View Items, View Pages, Open
Add/Remove Private Web Parts
Add or remove private Web Parts on a Web Part Page.
View Items, View Pages, Open, Update Personal Web Parts
Update Personal Web Parts
Update Web Parts to display personalized information.
View Items, View Pages, Open