How to set SharePoint Permissions - Complete Guide

Each SharePoint site comes with default groups and permissions. For most situations, they are perfectly fine, but sometimes you need to change those permissions. What are then your options to change, set, or add SharePoint permissions?

There are several options when it comes to managing permissions in SharePoint. We can set permissions for the whole site or group, on the document library level, and even at folder level.

In this article

In this article, I will explain how the default permissions work and what options you have to change the permissions in SharePoint Online.

Default Permissions in SharePoint

By default, all SharePoint sites are created with the three security groups below:

Owners – Have full control over the site
Members – Can add and edit the content (files, lists, etc) on the site
Visitors – Can only read

When you create a new SharePoint site you have, normally, two options to choose from, a Team site or a Communication site (SharePoint administrators have also other options to choose from). Depending on your choices the following users have permission to the SharePoint site:

	Team Site (private)	Team Site (public)	Communication site
Owners	Selected users	Selected users	Selected users
Members	Selected users	Everyone except external users	Everyone except external users
Visitors	–	–	–

Atleast one owner must be selected when you create the SharePoint site. In the case of a Team site, you can also add the member while creating the site. But in all cases, we can modify the owners, members, and visitors later.

So these are the default permissions, but what options do we have to change this?

Edit SharePoint Permissions

As mentioned at the beginning of the article we can set the permissions on different items in SharePoint. Starting all the way at the top, at the site level, to all the way down at folder level. Good to know is that permissions are by default inherited from the top down.

This means that if we change the permissions at a document library, the permissions in all folders below it are also changed. Now, this is expected behavior, but keep in mind that this also means that subsites also inherit the permissions from the main site.

Note
When your document library, list or folder contains more then 100,000 items, you can’t create unique permissions. The inheritance can’t be removed or recreated when you exceed the threshold.

SharePoint Permission Levels

SharePoint permissions levels are a set of permissions that you can assign to a user or group. There are 5 predefined sets in SharePoint Online, which are suitable for most use cases. It’s also possible to create your own permission levels allowing you to fully customize the permissions that you want to give.

The default permissions levels in SharePoint are:

Full Control – Has full control
Design – Can view, add, update, delete, approve, and customize.
Edit – Can add, edit and delete lists; can view, add, update and delete list items and documents.
Contribute – Can view, add, update, and delete list items and documents.
Read – Can view pages and list items and download documents.
Restricted View – Can view pages, list items, and documents. Documents can be viewed in the browser but not downloaded.
Limited Access – Assigned to a user or group when sharing an item. Can access the site and view the selected item.

So as mentioned, it’s possible to create your own permission levels. To do this, click on settings (gear icon) in the top right corner and select Site permissions > Advanced Permissions.

In the permissions tab, click on Permissions Levels:

All the existing permissions levels are listed here. It’s best practice to not change the existing permissions levels but instead add a new permissions level.

We can now select the permissions that we want to assign. As you will notice, when you select a permission, other options are automatically selected as well. For example, when we choose to Create Alert, then View Items, View Pages and Open are also selected. These extra permissions are needed so the user can access the site and view the libraries.

creating custom permission level sharepoint — Creating custom permission levels

Site Permissions

The first place to change permissions for a SharePoint site is the site permissions. This will allow you to set the security setting at site level, affecting all document libraries, lists, pages, etc. Permissions should always be set with the Principal of least privileges in mind. Don’t give users more permissions than they need.

To change the site permissions we will need to open the settings menu (gear icon) and click on Site Permissions:

This will show the basic permissions and allows you to add members and owners to the site. Click on Add members (1) to add users to the site. Here you can look up users and make them Members or Owners of the SharePoint site.

Another option is to use the Advanced Permissions Settings (2). The advanced settings allow you to choose custom permission levels and add groups of users (security groups) to the SharePoint site.

Click on Advanced Permissions Settings in the screenshot above (2)
Click Grant Permissions
Search for users or security groups. You can add multiple groups or users simoultancyly
Select Show Options
By default, the users will receive an invitation email. You can turn it off if you want
Select the permission level that you want to assign.
Click Share to grant the permissions.

Creating Custom Groups

By default, you can only add users or groups to the default security groups (owners, members, visitors). But it’s also possible to create your own security groups. Each group can be assigned one or multiple permission levels.

Click on Create Group in the Advanced Permissions settings:

Give the group a meaningful name and select who can view and add members to the group. At the end of the settings page we can choose the permission level that we want to assign to the group members, for example, Restricted view:

After you have created the group, we can go back to the permissions page and assign users to our newly created security group:

Document Library Permissions

When site-level permissions are not suitable for your situation, then the next level where we can set permissions is on the document library or lists in SharePoint. To change the permissions on a document library we first need to open the library:

Click on Settings (gear icon)
Choose Library Settings

document library permissions sharepoint — Document Library Permissions in SharePoint

Click on Permissions for this document library

permission settings — Document Library Permissions

We will now see the same permissions as we have set at site level. So the first step is to stop inheriting the permissions from the parent. This will copy all existing permissions to the document library, making them unique.

Note
Keep in mind that changes made at site level later are not applied to this document library after you stop inheriting. So users who are now member at site level, will remain member of the document library if you remove them later at site level

Click on Stop Inheriting Permissions and click Ok on the warning

We can now modify the permissions just as we did at site level. This means that we can add a custom security group, grant additional permissions to users or groups, or change the permission level of the existing groups.

For example, we can remove the members, visitors, and testers from the document library, so that only the owners of the SharePoint site can access the Budgets document library.

remove user permission — Remove user permissions

Folder Permissions

We can also create custom permissions at the folder level in SharePoint. Keep in mind that custom folder permissions are harder to keep track of, so make sure that you document them properly and don’t use them too much.

To set unique permissions on a folder in SharePoint first select or hover over the folder:

Click on the 3 dots (show action)
Choose Manage Access

sharepoint folder permissions — SharePoint Folder Permissions

Here we have a couple of options, we can create a link that gives access to the folder (3), just like the normal sharing options. Or directly add a user to the folder (4). But it’s also possible to create unique permissions, just like with the document library. Click on Advanced (5) to view the permissions settings.

The advanced permissions work the same as the document library. First, stop inheriting the permissions and then create your own custom permissions for the folder.

File Permissions

In SharePoint, it’s even possible to add unique permissions to a file. Now just like folders, don’t use this too much. You will easily lose track of all the unique permissions. Setting file permissions works exactly the same as folder permissions in SharePoint.

Click on the 3 dots (Show actions) behind the file
Select Manage Access
Click on Advanced to create unique permissions

Refer to the steps above on how to stop inheriting the parent permissions and add unique security groups, users, and/or permission levels.

List Permissions

List permissions are a bit special compared to document libraries in SharePoint. They have the same permission structure, so you can give users or groups unique permissions to the list. But besides the list permissions, we can also set permission on item-level in SharePoint.

So first the list permissions. With the list selected:

Click on Settings
Open List settings

sharepoint list permissions — SharePoint List Settings

In the settings screen, we can open the permission for this list (3). Also note the Advanced Settings option, which we will use later for the item-level permissions.

We first need to stop inheriting the site-level permissions before we can add unique permissions to the list. After stopping the inheritance, you can add or remove user or security groups from the list. Refer to the steps above for more details about this.

Item-Level Permissions

A special feature of lists in SharePoint is that we can set permissions on item level. The permissions are limited to the question if a user can view and/or edit only their own items or all items. So we can give a user read-all access, which allows them to view all items on the list. But limit the create and edit permission to only the items created by the user.

To set the item permissions, click on Advanced Settings in the List settings. Here we can set the item-level permissions:

We can’t add custom permissions levels to the items, but these options should be more than sufficient in most cases.

Wrapping Up

I hope this article helped you with configuring your SharePoint permissions. Try to limit the unique permissions to site level and document library level only. When you start creating unique permissions on folder or file level, you can quickly lose the overview.

If you have any questions just drop a comment below.

0 Shares

15 thoughts on “How to set SharePoint Permissions – Complete Guide”

Giuseppe

January 28, 2024 at 19:49 | Reply

Hello Rudy
I like your articles and find them very useful.
I am new to sharepoint; and I was asked to add AD security groups in sharepoint.
Is it possible?

Till now my workaround has been to use Microsoft 365 groups and assign AD users to this groups. is there a better way

Thank you
Giuseppe
- Rudy Mens
  
  January 31, 2024 at 10:03 | Reply
  
  You can add the AD groups directly through the Advanced Permissions screen.
Darryl

September 13, 2023 at 23:50 | Reply

Rudy, we want our site admins to be able to share files and folders, assign metadata labels to library items, and things like that. We don’t want them to be able to create new document libraries, though. When we took away their ability to create new libraries, they lost the ability to manage things inside the libraries as well. Is there a workaround for that?
- Rudy Mens
  
  September 29, 2023 at 09:10 | Reply
  
  The user will need to have edit permissions on the library to be able to manage meta data etc.
John Dakos

June 29, 2023 at 23:12 | Reply

Good Article. Thanks For Sharing.
Ann

March 30, 2023 at 19:14 | Reply

Great article thank you, I have this bookmarked for future reference.

I do have a question though; if I want to grant access to everyone I can use the All users except external users feature but if I want to grant access to everyone except for a few internal users is there a way to do this just as easily? I don’t particularly want to create a special group with access permissions because that would entail adding more than 200+ people to the group.
- Rudy Mens
  
  March 31, 2023 at 09:45 | Reply
  
  It’s possible, but only if you have the correct license that includes Enterprise Mobility + Security : https://learn.microsoft.com/en-us/microsoftteams/block-access-sharepoint
Max

January 11, 2023 at 15:23 | Reply

If I set read access for Members to the home.aspx on my SPO site, the “+New” button on top disappears, so it is not anymore possible to create pages, which my Member should be able to – they just should not edit the homepage.

The strange thing is: By using the “settings” cog on top, it is still possible to create pages.

Anything I am missing?

Thanks,
Max
doo

December 1, 2022 at 08:09 | Reply

Thanks Ruud! Your article is quite clear and helpful to understand the permission.
I may ask your suggestion on setting up a team site.
I need to limit some document libraries based on team members’ security level. About 2/3 can access all document libraries and 1/3 should have limited access.
As the first option, I thought to create a group, such as member-secret or member-nonsecret, and change the library permission. According to your article, however, it may break inheriting the site permission.
The second option is to create two sites: one for everyone and another for limited access.

Which option do you think is easier to maintain? If you briefly explain possible pros and cons, it is much appreciated.
- Rudy Mens
  
  December 2, 2022 at 15:33 | Reply
  
  The latter is of course easier to maintain from a security standpoint. But if you only need to split between owners and members, then removing the member’s permission from some of the document libraries isn’t that hard. And make is for the owners (who can access all libraries) easier to work with.
  - doo
    
    December 2, 2022 at 23:55 | Reply
    
    Thank you !
Pam

August 29, 2022 at 23:20 | Reply

Thank you for the detailed steps.
I have 3 doc. libraries in the sp site. Trying to set it so that doc. library 1 members cannot access doc. library 2 or 3. Will your process, as detailed above, produce this result?
Why: I have tried – yet the unique permission email can still access all libraries.

Guidance is greatly appreciated!
- Rudy Mens
  
  August 31, 2022 at 15:02 | Reply
  
  Unique permissions will overrule group permissions. If you stop inheriting permissions on lib 2 and 3, and add unique permission for only the owners, then members from the site should not be able to access it.
Kimberly

August 3, 2022 at 19:05 | Reply

Hi Ruud!

I’m curious, and can’t seem to find a direct answer anywhere, can you have one person in multiple permissions groups on SharePoint 365? We have columns that are the type “Person or Group” and currently we have to have All Users selected which pulls from all members of our organization which is quite large. I was hoping to change the settings of these columns to instead pull from a specific SharePoint group but the 6 employees I want to have as options are split between permissions groups Members and Owners. Could I add the two Owners to the Members group, thus having them in two groups, without affecting their permissions? Do permissions levels pull from the highest level if a single person is in multiple permissions groups?

Thanks in advance for any help you can provide.
- Rudy Mens
  
  August 13, 2022 at 08:12 | Reply
  
  That should work.