Updated 15 August 2023

Understanding Site Permissions in SharePoint Online

Everything you need to know to stay out of trouble when it comes to site permission management
by Dan Carroll

🧐 What's this all about?

Hello again!

This post is all about permission management within a SharePoint Online site.

We are going to stick to SharePoint-only permissions. I won't muddy the waters with Group-connected Team sites. In principle, everything in this post will apply to them (as Team sites are SharePoint sites at the end of the day), but there are nuances there, so we'll focus on them in a separate post.

With that being said, let's set the scene with an analogy...

Think of a SharePoint Online site like a house...

Fig. SharePoint Online Site Permissions

And think of site permissions as keys to that house.

Great, let's continue...

🔑 How Permissions Work by Default

Default Permission Levels: Owners, Members, and Visitors

When you first create a SharePoint site (your house), three kinds of permission groups (keys to your house) are created by default. These are 'Owner', 'Member', and 'Visitor'.

Fig. SharePoint Online Permissions are like keys

  • Site Owner Key: Think of the 'Site Owner Key' as the master key, granting full access to every room in your house. If you're an 'Owner', you have the authority to manage settings, make structural changes, and invite others into the house.

  • Site Member Key: The 'Site Member Key' is like a key to the main areas of the house. 'Members' can add, edit, or delete content, rearrange furniture, but they can't manage keys or change the house's structure.

  • Site Visitor Key: The 'Site Visitor Key' is like a guest key. It only opens the front door and lets you look around, but you can't touch or move anything. In SharePoint terms, you can view content but can't make any changes.

Assigning Permissions: Handing Out the Keys

Now that you have your keys, it's time to hand them out. You can give keys directly to individuals or give them to groups.

Fig. Assigning SharePoint Online Permissions

🙋‍♂️ Individuals

Giving keys to individuals is pretty much as it sounds. You share the site with named individuals via their email addresses. Users who are licensed within your tenant (i.e. they have the same type of email address as you, something@[yourcompany].com) can be added straight away.

Whether you can add an external user (somebody who does not have the same email address as you) depends on the sharing settings set up in the SharePoint admin centre. It's best to consult your IT department on this one, as they should have a policy and approach for external sharing.

👥 Groups

Giving keys to groups can be a very efficient way of managing permissions within a site. The main benefit is that if the key is given to a group, everyone within that group also gets the key. BUT... if they are removed from the group, they automatically have the key taken away. Very handy!

The main types of groups which can be given keys are:

  • Microsoft 365 Groups (the groups created when you create a MS Team)
  • Security groups created within Microsoft Entra (the artist previously known as 'Azure Active Directory')

How you give out the keys to your house (individual vs. group) will depend on who you plan to share your site with and what level of access they should have. Obviously, when it comes to groups, the group must already exist 😜.

Note: A handy group to be aware of is a default group which comes with every tenant, called 'Everyone except external users'.

This is like a catch-all that includes all licensed users within your tenant. It is commonly used for handing out the Site Visitor key (permissions) to Intranet sites so that everyone in the company can have read access.

Where you assign permissions (keys) is the same in both scenarios:

  1. Click the 'Share' link that appears on every page within your site
  2. Start typing in the email address or group name you want to share the site with
  3. Choose the type of key (permission) you want them to have
    1. Read = Visitor
    2. Edit = Member
    3. Full Control = Owner
  4. Click 'Share'
  5. Done!

Fig. Sharing a SharePoint Online Site

Fig. Selecting user to share the site with

Inherited Permissions: The Family Heirloom Key

Every SharePoint site (or house) is made up of a number of storage locations (rooms within the house) such as 'Document Libraries', 'Site Pages', 'Events', 'Lists' etc.

The behaviour of permissions within SharePoint follows a principle called 'Permission Inheritance'.

This means that unless you change the permissions at the room level, then by default, the keys given out when you shared the house will apply to all the rooms and everything within them in the house.

Fig. SharePoint Online Permission Inheritance

Inheritance makes life easier because you don't have to hand out keys for every single room. It's like having a key that opens the front door and all the rooms inside. Nice and simple and, above all, easy to remember if you are a Site Owner!

I can't stress this enough... try to stick to the default permission behaviour if you can. The reason for this is that as you start to stray away from the default behaviour, you start to have to manage exceptions which, with all the goodwill in the world... can get forgotten and, frankly, be a pain in the a$s to remember! 🤬🥶

😈 How to Modify SharePoint Online Site Permissions

As I mentioned above, try your best to keep things simple and managed at the site (house) level if you can.

However...

This is the real world, and whether we like it or not, sometimes we have no choice but to amend how the keys to our house work and where they apply (sometimes you just need to keep those bodies hidden in the basement! 😱).

So, here are the common ways you might need to modify permissions within your SharePoint Online Site.

Breaking Permission Inheritance: Changing the Locks

Let's say you have a room that you don't want everyone to access - maybe it's your private study or a room where you keep sensitive documents (or that basement 😱). That's where 'BREAKING permission inheritance' comes in.

Breaking inheritance effectively means you stop a key from working for a particular room in the house, or you change what that key allows the holder to do within that room. You're essentially changing the locks on that room.

A common example is when a Document Library is created for storing private documents, and you want to prevent anyone with the 'Visitor Key' from accessing it (or even being aware it exists).

For this scenario, we 'break inheritance' for the Document Library, and then we can remove the visitor key for that Document Library.

Fig. Breaking SharePoint Online Permission Inheritance

To break inheritance for a list or document library:

  1. Go to the List or Document Library within your site
  2. Access the List/Document Library settings (click the cog in the top right and you'll see a link to the settings there)
  3. Select 'Permissions for this document library'
  4. Click 'Stop Inheriting Permissions' (Click 'OK' to the warning)
  5. Now you can select the 'Keys' and amend or delete them from the List/Document Library if you want.

Fig. How to Break SharePoint Online Permission Inheritance 1

Fig. How to Break SharePoint Online Permission Inheritance 2

Fig. How to Break SharePoint Online Permission Inheritance 3

IMPORTANT - If you got excited reading this and jumped feet first into deleting permissions, you can always reset things back to default by clicking 'Delete unique permissions'... just saying! 😉

Changing Permission Levels: The Custom-Made Key

OK, so if you are here, then you are looking to get quite fancy in your site permission management! 🥸

So earlier, I set the scene by saying there are three default keys, with each key granting the recipient certain access:

  • Site Owner - Full Control
  • Site Member - Edit Access
  • Site Visitor - Read Access

There are two other levels of access available that you can assign to the keys either at the house (site) level or at a room level.

These are:

  • 'Design' - Can view, add, update, delete, approve, and customise.
  • 'Contribute' - Can view, add, update, and delete list items and documents.

Note: The following instructions will only work for Communication type sites.

To change the permission level assigned to a Key for the entire site, do the following:

  1. Click the 'cog' icon and select 'Site permissions'
  2. Click 'Advanced permission settings'
  3. Select the 'Key' you want to change the permission level for
  4. Select 'Edit User Permissions'
  5. Tick the permission level you want to apply to the selected Key
  6. Click 'OK' and you're done

Fig. How to change permission level assigned to a SharePoint Online Group 1

Fig. How to change permission level assigned to a SharePoint Online Group 2

Fig. How to change permission level assigned to a SharePoint Online Group 3

Fig. How to change permission level assigned to a SharePoint Online Group 4

To change the permission level assigned to a Key for a specific location (list or document library) do the following:

  1. Click the 'cog' icon and select 'Library Settings'
  2. Click 'Permissions for this document library'
  3. Select the 'Key' you want to change the permission level for
  4. Select 'Edit User Permissions'
  5. Tick the permission level you want to apply to the selected Key
  6. Click 'OK' and you're done

Editing Permission Levels: The Adjustable Key

Over time, you might find that a key doesn't fit quite right anymore. Maybe you want to give your 'Members' a little more access, or restrict 'Visitors' a bit more. In SharePoint, you can edit existing permission levels - it's like adjusting a key to fit a changing lock.

In order to know what to amend, you need to see exactly what options you have and what options are currently in place for each permission level.

To access this information do the following:

  1. Click the 'cog' icon and select 'Library Settings'
  2. Click 'Permissions for this document library'
  3. Click 'Permission levels'
  4. Click any listed permission level
  5. You will then be presented with a comprehensive list of privileges assigned to that permission level

Fig. How to edit a SharePoint Online permission level 1

Fig. How to edit a SharePoint Online permission level 2

Fig. How to edit a SharePoint Online permission level 3

Fig. How to edit a SharePoint Online permission level 4

Fig. How to edit a SharePoint Online permission level 5

Once you are on this screen you have two real options:

  1. Amend an existing permission level (by ticking or unticking items)
  2. Copy the permission level to create a new one which you can then assign to a key

🏆 Best Practices for Managing Permissions in SharePoint Online (and any keys in general really!)

  • ✅ Use the principle of least privilege - only give out keys that give the minimum access needed.
  • ✅ Assign keys to groups, not individuals, where possible. Especially when it comes to site visitors!
  • ✅ Regularly review who has which keys, especially if people move houses (change roles) or leave the neighbourhood (leave the company).
  • ✅ Avoid changing locks (breaking inheritance) too often, or you'll end up with a keychain heavier than a medieval dungeon door.
  • ✅ And most importantly, KEEP IT SIMPLE!!!
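
The key review and the hunt for forgotten lock changes (broken inheritance) can be scripted. The following is an added example, not part of the original post: it assumes the PnP.PowerShell module and an Entra app registration for sign-in, and the site URL, client ID and output file name are placeholders.

```powershell
# Added example: report every list/library with broken inheritance and who holds which key.
# Assumptions: PnP.PowerShell is installed; $SiteUrl and $ClientId are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,    # e.g. https://yourcompany.sharepoint.com/sites/intranet
    [Parameter(Mandatory)] [string] $ClientId,   # Entra app registration used for the PnP sign-in
    [string] $OutFile = '.\unique-permissions.csv'
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$report = foreach ($list in Get-PnPList | Where-Object { -not $_.Hidden }) {
    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    $unique = Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }   # still inheriting from the site: nothing extra to review

    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Member = who holds the key; RoleDefinitionBindings = the permission levels on it.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        # 'Limited Access' is assigned automatically by SharePoint and is not a key anyone handed out.
        $levels = $ra.RoleDefinitionBindings |
            Where-Object { $_.Name -ne 'Limited Access' } |
            ForEach-Object Name
        if (-not $levels) { continue }

        [pscustomobject]@{
            List            = $list.Title
            Principal       = $ra.Member.Title
            LoginName       = $ra.Member.LoginName
            PrincipalType   = $ra.Member.PrincipalType   # User, SharePointGroup or SecurityGroup
            PermissionLevel = $levels -join '; '
            DirectUser      = ($ra.Member.PrincipalType -eq 'User')
        }
    }
}

# Full report for the periodic review.
$report | Sort-Object List, Principal | Export-Csv -Path $OutFile -NoTypeInformation

# Keys handed to individuals rather than groups are the ones most easily forgotten.
$report | Where-Object DirectUser | Format-Table List, Principal, PermissionLevel
```

Any library that appears in the report has had its locks changed; rows with DirectUser set to True are keys given to named individuals and are worth checking first.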

💡 Summary: Key to Success

So there you go; you're now equipped with the knowledge to navigate the labyrinth of SharePoint permissions. Remember, every great SharePoint homeowner started off as a beginner, fumbling with keys and unlocking the wrong doors.

Remember, just because you can do something doesn't mean you should. I have spent countless hours helping clients unpick nests of custom permissions on their sites when really what I would have recommended was to just create additional sites when the permission requirements started to diverge (Microsoft does not charge per site so don't be shy about creating more if you need to).

Until next time, Dan

Dan Carroll
Microsoft 365 and UX Consultant
Dan, a Microsoft 365 consultant with 10+ years of experience, specialises in designing communication and collaboration solutions. With a background in business analysis and UX/UI design, he recognises core requirements and creates user experiences that people actually enjoy using! When not guiding organisations on the capabilities of Microsoft 365, he enjoys building guitars in the Irish countryside.