Each SharePoint site comes with default groups and permissions. For most situations, they are perfectly fine, but sometimes you need to change those permissions. What options do you then have to change, set, or add SharePoint permissions?
There are several options when it comes to managing permissions in SharePoint. We can set permissions for the whole site or group, on the document library level, and even at folder level.
In this article, I will explain how the default permissions work and what options you have to change the permissions in SharePoint Online.
Default Permissions in SharePoint
By default, all SharePoint sites are created with the three security groups below:
- Owners – Have full control over the site
- Members – Can add and edit the content (files, lists, etc) on the site
- Visitors – Can only read
When you create a new SharePoint site you normally have two options to choose from: a Team site or a Communication site (SharePoint administrators also have other options to choose from). Depending on your choice, the following users have permission to the SharePoint site:
| |Team Site (private)|Team Site (public)|Communication site|
|---|---|---|---|
|Owners|Selected users|Selected users|Selected users|
|Members|Selected users|Everyone except external users|Everyone except external users|
At least one owner must be selected when you create the SharePoint site. In the case of a Team site, you can also add the members while creating the site. But in all cases, we can modify the owners, members, and visitors later.
So these are the default permissions, but what options do we have to change this?
Edit SharePoint Permissions
As mentioned at the beginning of the article we can set the permissions on different items in SharePoint. Starting all the way at the top, at the site level, to all the way down at folder level. Good to know is that permissions are by default inherited from the top down.
This means that if we change the permissions at a document library, the permissions in all folders below it are also changed. Now, this is expected behavior, but keep in mind that this also means that subsites also inherit the permissions from the main site.
Note: When your document library, list or folder contains more than 100,000 items, you can’t create unique permissions. The inheritance can’t be removed or recreated when you exceed the threshold.
SharePoint Permission Levels
SharePoint permissions levels are a set of permissions that you can assign to a user or group. There are 5 predefined sets in SharePoint Online, which are suitable for most use cases. It’s also possible to create your own permission levels allowing you to fully customize the permissions that you want to give.
The default permissions levels in SharePoint are:
- Full Control – Has full control
- Design – Can view, add, update, delete, approve, and customize.
- Edit – Can add, edit and delete lists; can view, add, update and delete list items and documents.
- Contribute – Can view, add, update, and delete list items and documents.
- Read – Can view pages and list items and download documents.
- Restricted View – Can view pages, list items, and documents. Documents can be viewed in the browser but not downloaded.
- Limited Access – Assigned to a user or group when sharing an item. Can access the site and view the selected item.
So as mentioned, it’s possible to create your own permission levels. To do this, click on settings (gear icon) in the top right corner and select Site permissions > Advanced Permissions.
In the permissions tab, click on Permissions Levels:
All the existing permissions levels are listed here. It’s best practice to not change the existing permissions levels but instead add a new permissions level.
We can now select the permissions that we want to assign. As you will notice, when you select a permission, other options are automatically selected as well. For example, when we choose to Create Alert, then View Items, View Pages and Open are also selected. These extra permissions are needed so the user can access the site and view the libraries.
The first place to change permissions for a SharePoint site is the site permissions. This will allow you to set the security settings at site level, affecting all document libraries, lists, pages, etc. Permissions should always be set with the principle of least privilege in mind. Don’t give users more permissions than they need.
To change the site permissions we will need to open the settings menu (gear icon) and click on Site Permissions:
This will show the basic permissions and allows you to add members and owners to the site. Click on Add members (1) to add users to the site. Here you can look up users and make them Members or Owners of the SharePoint site.
Another option is to use the Advanced Permissions Settings (2). The advanced settings allow you to choose custom permission levels and add groups of users (security groups) to the SharePoint site.
- Click on Advanced Permissions Settings in the screenshot above (2)
- Click Grant Permissions
- Search for users or security groups. You can add multiple groups or users simultaneously
- Select Show Options
- By default, the users will receive an invitation email. You can turn it off if you want
- Select the permission level that you want to assign.
- Click Share to grant the permissions.
Creating Custom Groups
By default, you can only add users or groups to the default security groups (owners, members, visitors). But it’s also possible to create your own security groups. Each group can be assigned one or multiple permission levels.
Click on Create Group in the Advanced Permissions settings:
Give the group a meaningful name and select who can view and add members to the group. At the end of the settings page we can choose the permission level that we want to assign to the group members, for example, Restricted view:
After you have created the group, we can go back to the permissions page and assign users to our newly created security group:
Document Library Permissions
When site-level permissions are not suitable for your situation, then the next level where we can set permissions is on the document library or lists in SharePoint. To change the permissions on a document library we first need to open the library:
- Click on Settings (gear icon)
- Choose Library Settings
- Click on Permissions for this document library
We will now see the same permissions as we have set at site level. So the first step is to stop inheriting the permissions from the parent. This will copy all existing permissions to the document library, making them unique.
Note: Keep in mind that changes made at site level later are not applied to this document library after you stop inheriting. So users who are now members at site level will remain members of the document library if you remove them later at site level.
- Click on Stop Inheriting Permissions and click Ok on the warning
We can now modify the permissions just as we did at site level. This means that we can add a custom security group, grant additional permissions to users or groups, or change the permission level of the existing groups.
For example, we can remove the members, visitors, and testers from the document library, so that only the owners of the SharePoint site can access the Budgets document library.
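The note above about later site-level changes is easy to miss in practice, so here is an added example (not from the original article, and a simplified model rather than the SharePoint API) that shows the copy-on-break behaviour and a check for grants that now exist only on the library. The class, function and group names are assumptions for illustration; the 100,000-item limit is the one stated earlier in the article.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

ITEM_LIMIT = 100_000  # threshold from the article's note on unique permissions


@dataclass
class Securable:
    """Site, library, folder or file in a simplified permission tree (hypothetical model)."""
    name: str
    parent: Optional["Securable"] = None
    item_count: int = 0
    own: Optional[Dict[str, Set[str]]] = None  # None = inherit from parent

    def assignments(self) -> Dict[str, Set[str]]:
        """Effective group -> permission levels, taken from the nearest unique ancestor."""
        node = self
        while node.own is None and node.parent is not None:
            node = node.parent
        return node.own or {}

    def stop_inheriting(self) -> None:
        """Copy the parent's current assignments; later parent changes no longer apply."""
        if self.item_count > ITEM_LIMIT:
            raise ValueError(f"{self.name}: more than {ITEM_LIMIT} items, no unique permissions")
        if self.own is None:
            self.own = {group: set(levels) for group, levels in self.assignments().items()}


def grants_not_on_parent(node: Securable) -> Set[str]:
    """Groups with access on a unique-permission object but not on its parent: review these."""
    if node.own is None or node.parent is None:
        return set()
    return set(node.own) - set(node.parent.assignments())


def demo():
    # Constructed sample data; group names follow the article's Budgets example.
    site = Securable("Site", own={"Owners": {"Full Control"}, "Members": {"Edit"},
                                  "Visitors": {"Read"}, "Testers": {"Restricted View"}})
    documents = Securable("Documents", parent=site)   # keeps inheriting
    budgets = Securable("Budgets", parent=site)
    budgets.stop_inheriting()                         # copies all four groups
    del site.own["Testers"]                           # later change at site level
    return documents.assignments(), budgets.assignments(), grants_not_on_parent(budgets)


if __name__ == "__main__":
    print(demo())
```

After the site-level removal, the inheriting library no longer lists Testers, while Budgets still does until someone removes the group there as well.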
We can also create custom permissions at the folder level in SharePoint. Keep in mind that custom folder permissions are harder to keep track of, so make sure that you document them properly and don’t use them too much.
To set unique permissions on a folder in SharePoint first select or hover over the folder:
- Click on the 3 dots (show action)
- Choose Manage Access
Here we have a couple of options, we can create a link that gives access to the folder (3), just like the normal sharing options. Or directly add a user to the folder (4). But it’s also possible to create unique permissions, just like with the document library. Click on Advanced (5) to view the permissions settings.
The advanced permissions work the same as the document library. First, stop inheriting the permissions and then create your own custom permissions for the folder.
In SharePoint, it’s even possible to add unique permissions to a file. Now just like folders, don’t use this too much. You will easily lose track of all the unique permissions. Setting file permissions works exactly the same as folder permissions in SharePoint.
- Click on the 3 dots (Show actions) behind the file
- Select Manage Access
- Click on Advanced to create unique permissions
Refer to the steps above on how to stop inheriting the parent permissions and add unique security groups, users, and/or permission levels.
List permissions are a bit special compared to document libraries in SharePoint. They have the same permission structure, so you can give users or groups unique permissions to the list. But besides the list permissions, we can also set permission on item-level in SharePoint.
So first the list permissions. With the list selected:
- Click on Settings
- Open List settings
In the settings screen, we can open the permission for this list (3). Also note the Advanced Settings option, which we will use later for the item-level permissions.
We first need to stop inheriting the site-level permissions before we can add unique permissions to the list. After stopping the inheritance, you can add or remove user or security groups from the list. Refer to the steps above for more details about this.
A special feature of lists in SharePoint is that we can set permissions on item level. The permissions are limited to the question if a user can view and/or edit only their own items or all items. So we can give a user read-all access, which allows them to view all items on the list. But limit the create and edit permission to only the items created by the user.
To set the item permissions, click on Advanced Settings in the List settings. Here we can set the item-level permissions:
We can’t add custom permissions levels to the items, but these options should be more than sufficient in most cases.
I hope this article helped you with configuring your SharePoint permissions. Try to limit the unique permissions to site level and document library level only. When you start creating unique permissions on folder or file level, you can quickly lose the overview.
If you have any questions just drop a comment below.
10 thoughts on “How to set SharePoint Permissions – Complete Guide”
Great article thank you, I have this bookmarked for future reference.
I do have a question though; if I want to grant access to everyone I can use the All users except external users feature but if I want to grant access to everyone except for a few internal users is there a way to do this just as easily? I don’t particularly want to create a special group with access permissions because that would entail adding more than 200+ people to the group.
It’s possible, but only if you have the correct license that includes Enterprise Mobility + Security : https://learn.microsoft.com/en-us/microsoftteams/block-access-sharepoint
If I set read access for Members to the home.aspx on my SPO site, the “+New” button on top disappears, so it is not anymore possible to create pages, which my Member should be able to – they just should not edit the homepage.
The strange thing is: By using the “settings” cog on top, it is still possible to create pages.
Anything I am missing?
Thanks Ruud! Your article is quite clear and helpful to understand the permission.
I may ask your suggestion on setting up a team site.
I need to limit some document libraries based on team members’ security level. About 2/3 can access all document libraries and 1/3 should have limited access.
As the first option, I thought to create a group, such as member-secret or member-nonsecret, and change the library permission. According to your article, however, it may break inheriting the site permission.
The second option is to create two sites: one for everyone and another for limited access.
Which option do you think is easier to maintain? If you briefly explain possible pros and cons, it is much appreciated.
The latter is of course easier to maintain from a security standpoint. But if you only need to split between owners and members, then removing the member’s permission from some of the document libraries isn’t that hard. And it makes it easier for the owners (who can access all libraries) to work with.
Thank you !
Thank you for the detailed steps.
I have 3 doc. libraries in the sp site. Trying to set it so that doc. library 1 members cannot access doc. library 2 or 3. Will your process, as detailed above, produce this result?
Why: I have tried – yet the unique permission email can still access all libraries.
Guidance is greatly appreciated!
Unique permissions will overrule group permissions. If you stop inheriting permissions on lib 2 and 3, and add unique permission for only the owners, then members from the site should not be able to access it.
I’m curious, and can’t seem to find a direct answer anywhere, can you have one person in multiple permissions groups on SharePoint 365? We have columns that are the type “Person or Group” and currently we have to have All Users selected which pulls from all members of our organization which is quite large. I was hoping to change the settings of these columns to instead pull from a specific SharePoint group but the 6 employees I want to have as options are split between permissions groups Members and Owners. Could I add the two Owners to the Members group, thus having them in two groups, without affecting their permissions? Do permissions levels pull from the highest level if a single person is in multiple permissions groups?
Thanks in advance for any help you can provide.
That should work.