
Guide To Sharepoint Permissions: Brought To You by

This document provides an overview of permissions in SharePoint. It is intended for SharePoint administrators, site owners, and governance/security teams. The document defines key SharePoint concepts like sites, lists, and libraries, and how permissions can be applied to different objects and inherited. It emphasizes the importance of understanding permissions, as information access must be carefully managed for security and compliance. Proper permissions management training is recommended.

Subscribe for more SharePoint E-books SharePoint Permissions Guide

Guide to SharePoint Permissions

Brought to you by

TekReach.com | Share this eBook



Who Should Use this Guide

This guide is for anybody, from the CIO to the developer, who may be required to apply or plan permissions in SharePoint. It ensures a common baseline of awareness of what is involved in SharePoint permissions.

Audience:
- SharePoint Administrators
- Site Owners
- CIOs and CTOs
- Governance Team
- Security Team

Why SharePoint Permissions are a big deal?

Before SharePoint’s time, company files and information were dispersed and hard to access. Files were in email attachments, file shares and print documents. Enterprises and information technologists have been fighting a battle to make this information consolidated and easier to find and access. SharePoint was the perfect tool to house this data and make it accessible at people’s fingertips.

Ironically, this solution has created new challenges: The information was too easily accessible and could get to the wrong hands.

Information is the enterprise’s most valuable asset. In the wrong hands, leaked information can literally lead to the demise of an organization.

As an administrator of SharePoint, security administrator, or even CIO or CTO of your organization, it is critical that you verse yourself with how SharePoint handles security. In fact you should give this guide to any site administrator that will be handling security as well.

This guide will help you in understanding the inner workings of SharePoint permissions, how they are applied, and will therefore help you plan the architecture of the information in SharePoint in alignment with best practices. -Karim Roumani

“[Users with access to permissions] should have a thorough understanding of how permissions work, as well as they should be trained on and follow best practices around permissions management.” -Wendy Neal


Let’s Start with the SharePoint Fundamentals

SharePoint Site Architecture

We assume you have some familiarity with SharePoint; however, this is the very basic knowledge we need to ensure you have before moving forward.

SharePoint sites start with a site collection, and the content of the site collection can be depicted in the hierarchy below.

- Site Collection: A site collection is the top level object that holds all the sites’ content. The objects under a site collection are stored hierarchically.
  - Site: Many sites can be created under the site collection. Sites can hold other sites, libraries and lists.
    - Doc Library: A document library is a type of list that holds documents. No sites can go under a list.
      - Document: A document resides under a document library. It is also an “item” of that document library. Nothing can go under an item.
    - List: Just like document libraries, lists are a content holder for data items. For example, announcements are a type of list that holds announcements. Contacts is another type of list that can hold contacts.
      - Item: An item is a record or data item contained under a list, such as the announcement itself or the contact.


Now to Permission Fundamentals

Fact 1: SharePoint is made of different objects, such as files and folders, that can be secured by permissions.

Fact 2: An object naturally inherits permissions from the parent. A file is the child of a parent folder, for instance.

Fact 3: It is possible to make a child hold different permissions than its parent. This is called breaking inheritance.

How Permissions are Applied

Every object in SharePoint can be secured by granting subjects Permission Levels to that object.

Object
- Subject: Permission Level
- Subject: Permission Level
- Subject: Permission Level

Some basic Definitions

Objects
- Definition: A SharePoint object that can be secured by permissions: Site, List, Folder, Item.
- Examples: Sites; Lists/Libraries; Folders; Items/documents.
- Important Notes: Objects inherit permissions from their parent object. To assign an object different permissions than the parent, you must break inheritance.

Subjects
- Definition: A subject is a user or group that can be given rights to an object.
- Examples: A User; An Active Directory Group; A SharePoint Group.
- Important Notes: A SharePoint Group cannot exist inside another SharePoint Group. An AD group CAN exist inside a SharePoint Group.

Permission Levels
- Definition: Permission levels are a collection of rights and permissions that can be applied to an entity on an object.
- Examples: Read; Contribute; Write; Designer; Full Control.
- Important Notes: It is possible to create custom permission levels. There is a mysterious “Limited Access” permission that you may find. This is not a permission level that you can assign. Limited Access means the user may have access to some child objects but not others.

Permissions
- Definition: Permissions are the granular actions a user can perform in SharePoint that can be policed. A collection of permissions defines a permission level.
- Examples: See Permission Levels for a description of all the permissions.
- Important Notes: It is not possible to create custom permissions.

Thought process to granting permissions

Identify the subject and object

Identify who needs access and to what?
Identify what level of access needs to be granted.

Determine the highest level in the SharePoint tree that permissions need to be added.

Before you grant any permissions, you must make sure that you apply those permissions to the right object. For instance, if a user asked for access to a document, you may be tempted to grant them direct access to that object. You should first consider if it is suitable to grant the user access to the whole library (the parent), and possibly even the whole site (the grandparent). Don’t jump into granting a user access directly to an object unless you consider the topmost object that would be suitable.

Keep in mind that if that document has unique permissions, then adding the user to the parent object will not grant the user permission to the document because, by definition, the permissions of the parent don’t apply to children with unique permissions.

Break inheritance at the level needed.

It is often the case that the object that needs permission may currently be inheriting from the parent. You may have to break this inheritance to grant the permissions needed on the object.

Decide how access should be granted.

Method 1: Add user to existing group that already has access

Before granting the user permissions, consider if there are already similar users with the same access and how those users are granted permissions. Is there a group that the user belongs in that already has access? Consider adding the user to the group. Make sure you leverage existing groups rather than adding users directly. If this group doesn’t exist, consider adding one and placing users that need access there.

Method 2: Grant an existing group permissions to the object

Before granting the user permissions, think if there is a group in AD or in SharePoint that the user is a member of that may also need access to the object. Consider granting that group access instead of giving the user direct access.

Method 3: Give the user direct permissions on the object

Try avoiding this option, but sometimes it is necessary. Use this to grant a user permission directly to an object and not through a group. This option should be used if you find that the first two options are not good options. Applying too many direct permissions will make management of permissions more difficult.

Be Aware..

What is Limited Access Permission level?
Limited Access is not a permission level you can assign manually; it is assigned by the system. It appears when a user has access to child libraries or lists but not the parent. The parent will show “Limited Access”. If User A has no access to Site A, but has Contribute permission to a library under Site A, then Site A permissions will show Limited Access.

Site Collection Administrator?
A site collection administrator is the highest site collection permission that can be given. A site collection administrator does not need any permissions on items. They will have FULL CONTROL on all content under that site collection.

Is there a way to audit permission on a whole site collection?
There is no way to audit permission on a whole site collection. Consider 3rd party plug-ins for that or writing a PowerShell script.

How are sharing and permissions related in SharePoint?
When you share files in SharePoint 2013 or Office 365, the permission inheritance of what you’re sharing is broken and permissions are granted to the group or user.

Tip: Consider creating a custom permission level called “Contribute without Delete”. By default the Contribute permission level allows users to delete content. Sometimes, you want the users to edit content but not be able to delete.

Be Careful: Keep in mind that when you have unique permissions on an object such as a document and then at a later point you decide to grant access to the whole document library, that object will not be affected by the new permissions. Groups can help manage unique permissions better. For instance, assigning a user to a group can automatically grant that unique object access as well.

Be Aware: If a user does not have access to an item, they will not see it.

Caution: Using SharePoint views to hide content from users is a BAD practice if the information needs to be restricted. Instead use permissions. The user can circumvent the view and still access items. However, with permissions, the user can never access the object.

Management Tip
If you wish to update many permissions site wide or do an audit, you may also write scripts via SharePoint PowerShell to do this. Explore the RoleDefinitions and RoleAssignment objects.

When to use AD Groups and When SharePoint Groups?
If a group is well managed in AD you may want to use that. If you want more flexibility adding users to the group without having to go through IT, then use SharePoint groups. Consider also creating a SharePoint group and putting an AD group in it. If you wish to add new members you can add them through the SharePoint group.

Limitation: SharePoint list and library columns cannot be locked by permissions. At least not out of the box.

Note: If a user or group is given two different permissions on a site, such as Read and Contribute, the user will have Contribute.

Resources: Permissions planning for sites and content in SharePoint 2013
http://technet.microsoft.com/en-us/library/cc262939(v=office.15).aspx


How to navigate to the permissions page

Site

SP Version 2013:
1. Navigate to the site you wish to change permission for.
2. From the top right corner, click [icon]
3. From the menu select “site settings”
4. Under Users and Permissions, select “Site Permissions”

SP Version 2010:
1. Navigate to the site you wish to change permission for.
2. From the top left corner select “Site Actions”
3. From the menu select “site settings”
4. Under Users and Permissions, select “Site Permissions”

List/Library

1. Navigate to the library you wish to change permission for.
2. Click on the “Library” tab on the top right.
3. Click on library settings
4. Click on “Permissions for this document library” or “Permissions for this list”

Item/Document

SP Version 2013:
1. Select the document or item
2. Click on File Tab on top left
3. Click on “Share with”
4. Click on “ADVANCED”

SP Version 2010:
1. Select the document or item
2. Click Documents Tab
3. Click on “Document Permissions”

The Anatomy of a SharePoint Permissions Page

[Figure: a SharePoint permissions page, with callouts for the object, the controls, important notifications, the subjects, and the permission levels.]


How To: (prerequisite: make sure you have full control on the object or are site collection administrator)

Actions

Break inheritance
- Pre-reqs: None. Know that once you break inheritance the permissions of the parent are copied to the object, then you can modify those permissions.
- Steps:
  1. Click on Stop inheriting Permissions
  2. Click OK when given the warning.
  3. The next page may ask you to create groups associated for this site. This is for easier management. You may go with the default option.
  At this point you will see check boxes next to the permissions on the permissions page.
- Special considerations: Make sure you are breaking inheritance at the right location. Breaking permission inheritance of many objects will make management of those objects more difficult. You are advised to use groups for better management.

Remove permissions
- Pre-reqs: To be able to remove permissions, you must first stop inheriting permissions.
- Steps:
  1. Select the users whose permission assignments you wish to remove by selecting the check boxes next to them.
  2. Click Remove User Permissions
  3. Confirm
- Special considerations: Note that after removing permissions, the user may still have access to the object if the user is in a group that has access to the object. Make sure you use the Check Permissions button to verify.

Grant permissions
- Pre-reqs: To be able to remove permissions, you must first stop inheriting permissions.
- Steps:
  1. Click Grant Permissions
  2. Start typing in the name of the person or email.
  3. You may include an invitation message
  4. Check Send an email invitation if you wish for the user to receive emails.
  5. Under Select a group or permission level, a
- Special considerations: If you select a group, make sure that the group has access to the object you want to give the user access to. Confirm the user’s access by using the Check Permissions option.

Check permissions
- Pre-reqs: None.
- Steps:
  1. Click Check Permissions
  2. Type in the name of a group or user.
  3. Click check now
  Ex: “None” means the user has no access. Or you may see the permission level they have and if this permission is given through a group or directly.
- Special considerations: This tool is extremely important in auditing permissions. It is not enough to look at the permissions on a permission page. If a user is inside of nested AD groups, it may be difficult to audit without this tool.

More actions

Edit User Permissions
- Notes: Allows you to edit an existing permission.

Create Group
- Notes: Allows you to create groups. Note that SharePoint groups cannot be nested.

Inherit permissions
- Notes: This option will re-inherit permissions from the parent. Any custom permissions will be lost.

Anonymous Access
- Notes: To see this option your web application must have this turned on. See Anonymous section below.


How To.. Continued

Actions

Grant Anonymous Access
- Pre-reqs: Your web application needs to be configured to support anonymous access. You need central administration to do this.
- Steps:
  1. Click on Anonymous Access
  2. Select one of the choices:
     - Entire Web Site: If you wish to grant complete access to everyone to the entire website.
     - Lists and Libraries: If you wish to grant access to specific libraries only. Granting this will require you then to go to the library you wish to share and grant Anonymous access there.
     - Nothing: Completely disable even the option of anonymous access.
- Notes: Only use this if this is a public website. Public SharePoint sites may need special licensing.

Enable Anonymous From Central Administration
- Pre-reqs: You must have access to the central administration site.
- Steps:
  1. Navigate to the central administration site
  2. Click on Central Administration on the left menu.
  3. Click on Manage Web applications
  4. Select the web application you need.
  5. Under the Web Applications Tab in the ribbon, click Authentication Providers
  6. Click on the Default Authentication Providers
  7. Check “Enable anonymous access”
  8. Click OK
  9. Make sure the web application is selected and click Anonymous Access in the Ribbon.
  10. Select “None” then click Save
- Notes: This option does not grant your site anonymous access yet. You will need to Grant Anonymous access at the site level. See “Grant Anonymous Access”.

Creating a Custom Permission Level
- Pre-reqs: You must have Manage permissions rights or be a site collection administrator.
- Steps:
  1. Navigate to the permissions page of a site
  2. Click on Permission levels
  3. You can click on Add Permission Level, however it is probably best to start off with an existing permission level template. So click on the permission level you want to start with instead of “Add Permission Level”
  4. At the very bottom of the permission level, click the “Copy Permission Level” button.
  5. In the next page, you can now type the name of the new permission level you want.
  6. Edit the permissions
  7. Click Save.

Assigning Site Collection Administrators
- Pre-reqs: You must be a site collection administrator first.
- Steps:
  1. Navigate to the top level of your site collection. Usually http://[site] without any trailing “/”
  2. Navigate to the permission page.
  3. Click on “Site Collection Administrators” in the ribbon
  4. Find the user
  5. Click OK

The “Access Request” feature in SharePoint is another way of granting access to content in SharePoint. This feature is available in 2013 and Office365. Watch Asif Rehamani’s video on how that is done.

Permission Levels Definitions

Default Permission Levels

| Permission | Full Control | Design | Contribute | Read | Ltd. Access | Description |
|---|---|---|---|---|---|---|
| Manage Lists | X | X | | | | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. |
| Override Check-Out | X | X | | | | Discard or check in a document which is checked out to another user. |
| Add Items | X | X | X | | | Add items to lists, add documents to document libraries, and add Web discussion comments. |
| Edit Items | X | X | X | | | Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries. |
| Delete Items | X | X | X | | | Delete items from a list, documents from a document library, and Web discussion comments in documents. |
| View Items | X | X | X | X | | View items in lists, documents in document libraries, and Web discussion comments. |
| Approve Items | X | X | | | | Approve a minor version of a list item or document. |
| Open Items | X | X | X | X | | View the source of documents with server-side file handlers. |
| View Versions | X | X | X | X | | View past versions of a list item or document. |
| Delete Versions | X | X | X | | | Delete past versions of a list item or document. |
| Create Alerts | X | X | X | X | | Create e-mail alerts. |
| View Application Pages | X | X | X | X | X | View documents and views in a list or document library. |
| Manage Permissions | X | | | | | Create and change permission levels on the Web site and assign permissions to users and groups. |
| View Usage Data | X | | | | | View reports on Web site usage. |
| Create Subsites | X | | | | | Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. |
| Manage Web Site | X | | | | | Perform all administration tasks for the Web site as well as manage content. |
| Add and Customize Pages | X | X | | | | Add, change, or delete HTML pages or Web Part pages, and edit the Web site using a Windows SharePoint Services-compatible editor. |
| Apply Themes and Borders | X | X | | | | Apply a theme or borders to the entire Web site. |
| Apply Style Sheets | X | X | | | | |
| Create Groups | X | | | | | Create a group of users that can be used anywhere within the site collection. |
| Browse Directories | X | X | X | | | Enumerate files and folders in a Web site using an interface such as SharePoint Designer or Web-based Distributed Authoring and Versioning (Web DAV). |
| Use Self-Service Site Creation | X | X | X | X | | Create a Web site using Self-Service Site Creation. |
| View Pages | X | X | X | X | | View pages in a Web site. |
| Enumerate Permissions | X | | | | | Enumerate permissions on the Web site, list, folder, document, or list item. |
| Browse User Information | X | X | X | X | X | View information about users of the Web site. |
| Manage Alerts | X | | | | | Manage alerts for all users of the Web site |
| Use Remote Interfaces | X | X | X | X | X | |
| Use Client Integration Features | X | X | X | X | X | Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the Web site. |
| Open | X | X | X | X | X | Open a Web site, list, or folder to access items inside that container. |
| Edit Personal User Information | X | X | X | | | Allow a user to change his or her own user information, such as adding a picture. |
| Manage Personal Views | X | X | X | | | Create, change, and delete personal views of lists. |
| Add/Remove Private Web Parts | X | X | X | | | Add or remove private Web Parts on a Web Part Page. |
| Update Personal Web Parts | X | X | X | | | Update Web Parts to display personalized information. |

On Going Maintenance

Data is like a virus: it can spread fast, silently, and can cause damage. Just like your computer needs an anti-virus, your SharePoint environment needs scheduled maintenance of data and permissions to keep it healthy.

Perform Quarterly Audits:

Site Collection Administrators Audit: Verify who the site collection administrators are on your site collections. Often users are granted that permission and are forgotten. Make sure only a small number or administrator group is there. This is also important to check because other site collection administrators may grant control to others without your knowledge. Make sure your whole team is in sync on who should have this permission. Also make sure that those users are well acquainted with SharePoint, since the power of such a user can cause irreversible damage or possibly data loss.

Audit Sensitive Areas: Some areas will be more sensitive than others in your portal. Once again the users with access to those areas can get out of hand. Make sure you audit exactly who has access by checking permissions and group memberships regularly on sensitive content. Document those sensitive areas and review with your team. Use the “Check Permissions” option to test permissions on those sensitive areas.

Perform Bi-Annual Audits on:

Complete Site Collection: Complete a full audit on your site collection to identify the overall permission structure. Users will be adding content such as sites and libraries constantly and this content will grow virally. Make sure you are aware of this content and who should have access to it. Work with site owners and content creators to ensure they are adding content in alignment with your governance and security policies. It is often the case that site owners are not aware that the content they are creating is not sufficiently secured.

Manageability tips

Train Site Owners and Power Users: The benefit of SharePoint is that sites and contents can be delegated to different users to manage on their own and take some of the management off your plate. You may, for example, grant the Marketing team owners a site to manage their content. Along with that you may give them the option to manage who has access. Those users must be very familiar with SharePoint permissions, especially if they will be administering access on sensitive data. Make sure any site owners you grant full control to are well trained and aware of how SharePoint permissions work.

- Provide hands-on training to site owners
- Provide video tutorials
- Share this guide

Granular Permissions: Often there is a need to have granular permissions at the item level. Keep in mind that the more granular permissions you have, the harder they become to manage. Imagine having 30 documents, each with its unique permissions. How do you know who has access to what? How do you update permissions on those items?

- Consider grouping items that require similar permissions into folders or other lists or libraries and granting permission to that folder or library.
- Consider using groups to grant permissions on those unique documents. If for instance you assign a “Board of Directors” group read permission on those items and decide later you want to grant additional user access, you simply add the user to the group.
- In more sophisticated scenarios, you may consider using permission automations using workflows or event receivers to better administer item level permissions (granular permissions).

User Account Expirations: Always make sure that any contractor or consultant that is granted access has an expiration date on their account. This is important; otherwise they may continue to have eternal access to your content after they stop working for you. Even better, disable their account manually when they are done.
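
The quarterly and bi-annual audits described above, and the earlier Management Tip about the RoleDefinitions and RoleAssignment objects, can be scripted. The following is an added example, not part of the original guide: it assumes on-premises SharePoint 2010/2013 with the SharePoint Management Shell on a farm server, and the parameter names and report path are hypothetical.

```powershell
# Added example (not from the guide): permission audit for one site collection.
# Assumes on-premises SharePoint 2010/2013, run from the SharePoint Management Shell.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,   # your site collection URL (assumption)
    [string]$OutFile = ".\permission-audit.csv",      # hypothetical report path
    [switch]$IncludeItems                             # item scan is slow on large lists
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# One row per (object, subject): which permission levels the subject holds, and how.
function Get-AssignmentRows {
    param($Securable, [string]$ObjectType, [string]$Url)
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        $kind = "User (direct)"
        if ($member -is [Microsoft.SharePoint.SPGroup]) { $kind = "SharePoint group" }
        elseif ($member.IsDomainGroup) { $kind = "AD group" }
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            ObjectType        = $ObjectType
            Url               = $Url
            Subject           = $member.Name
            SubjectKind       = $kind
            PermissionLevels  = ($levels -join "; ")
            # System-assigned level: the subject has access to something below this object.
            # Matches the English display name (assumption: English-language site).
            LimitedAccessOnly = ($levels.Count -eq 1 -and $levels[0] -eq "Limited Access")
        }
    }
}

$rows = @()
$site = Get-SPSite -Identity $SiteUrl
try {
    # Site collection administrators have full control regardless of role assignments.
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        $rows += New-Object PSObject -Property @{
            ObjectType = "Site collection"; Url = $site.Url; Subject = $admin.LoginName
            SubjectKind = "Site collection administrator"
            PermissionLevels = "Full Control (implicit)"; LimitedAccessOnly = $false
        }
    }
    foreach ($web in $site.AllWebs) {
        try {
            # Report only objects with broken inheritance; inheriting objects repeat their parent.
            if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments) {
                $rows += @(Get-AssignmentRows $web "Site" $web.Url)
            }
            foreach ($list in @($web.Lists)) {
                if ($list.Hidden) { continue }
                if ($list.HasUniqueRoleAssignments) {
                    $listUrl = $web.Url + "/" + $list.RootFolder.Url
                    $rows += @(Get-AssignmentRows $list "List/Library" $listUrl)
                }
                if ($IncludeItems) {
                    # $list.Items covers items and documents; folders are not included here.
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            $itemUrl = $web.Url + "/" + $item.Url
                            $rows += @(Get-AssignmentRows $item "Item/Document" $itemUrl)
                        }
                    }
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

$columns = "ObjectType", "Url", "Subject", "SubjectKind", "PermissionLevels", "LimitedAccessOnly"
$rows | Select-Object $columns | Export-Csv -Path $OutFile -NoTypeInformation

# Direct user grants (Method 3 in the guide) are the ones to review first.
$rows | Where-Object { $_.SubjectKind -eq "User (direct)" -and -not $_.LimitedAccessOnly } |
    Select-Object ObjectType, Url, Subject, PermissionLevels | Format-Table -AutoSize
```

The report lists role assignments, not effective access: members of SharePoint groups and nested AD groups are not expanded, so confirm individual users with the Check Permissions option.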


Final Thoughts from an expert..

What is the most common bad practice you’ve seen on the field?

One common mistake I see regarding permissions is placing users directly in the site, list, or library level rather than utilizing SharePoint groups. Using SharePoint groups is much more versatile and easier to manage. And if you want to take the management of users completely out of SharePoint, you can place Active Directory security groups directly inside a SharePoint group, and then the management of that group of users is done in Active Directory, which many IT departments prefer.
- Wendy Neal

Information openness vs tight control.

One last thing I’d like to mention about permissions is not to get too caught up in locking everything down permissions-wise, just because you don’t think others outside of your audience would be interested in seeing it. SharePoint is collaborative in nature, therefore to have the best experience users should be able to discover data and documents from other departments or areas of the site. This is not to say that you shouldn’t lock anything down; obviously if something is sensitive or confidential, the appropriate permissions should be applied. However, I believe the discovery of non-confidential information can oftentimes help users find some great information to help them do their jobs better.
- Wendy Neal


Resources

Here are some resources that will help you get more information about permissions and tools that could help you better manage and maintain permissions in SharePoint:

Learn More on Permissions
- Grant Permissions for a Site
- Understanding Permission Levels
- Fine Grained Permissions Best Practices
- Videos: Lynda.com on Permissions

Tools
- SharePoint Permissions manager - Free Permission Manager
- Datavantage for SharePoint - Security Auditing
- DeliverPoint 2013 by Lightning Tools - Security Auditing
- ChangeAuditor for SharePoint - Change Auditing
- Tru Permissions - Fine Grained Permissions Automation
