In part 1 of this three-part series on Microsoft 365 permissions, we discussed Microsoft 365 admin roles and application-specific permissions. Part 2 of this series will focus on Microsoft SharePoint Online permissions management. SharePoint brings another level of permissions management to Microsoft 365 applications, which is why we are keeping this topic separate.
Think of SharePoint as the database for Microsoft 365 applications. Microsoft Teams, Microsoft Planner, and Microsoft Lists store data in SharePoint lists and libraries. You can thus extend the default permissions from the app level through the underlying SharePoint site permissions.
This article will discuss SharePoint permission levels and groups and how you can modify them to help manage overall project permissions.
Structure of SharePoint Permissions
To understand permission controls within SharePoint, you must first understand SharePoint permission levels.
SharePoint Permission Levels
Permission levels enable users to perform specific tasks. Permission levels are assigned to permission groups or can be assigned to a user directly (not recommended). The permission levels that we typically see on construction projects are the following:
- Full control – Enables users to view, add, update, delete, approve, and customize items or pages on the website. This level is typically reserved for SharePoint admins, since users with this level can delete entire pages and libraries.
- Read – Enables users to view pages, list items, and download documents. This level is suitable for managers and external stakeholders viewing but not modifying data.
- Contribute – Enables users to manage personal views, edit items and user information, delete versions in existing lists and document libraries, and add, remove, and update personal Web Parts. You typically assign this level to users who add and upload data. This level is most common for construction team members sharing files and forms.
You can create and modify permission levels from the advanced permissions settings menu if you are a site owner or have full-control permission.
Lydon Solutions typically adds a custom permission level to projects, and we name it “Contribute No Delete” to accommodate external contractors. This custom level allows users to upload but not delete records, which is handy when sharing files between internal and external stakeholders.
SharePoint Permission Groups
Permission groups are containers to which you assign a permission level and users. You can add a permission group to an entire SharePoint site, and its permission level is then inherited by every artifact (list, library, folder, and record) in the site. Alternatively, you can break inheritance and assign a different permission level to a group or user for individual SharePoint artifacts.
As with any other Microsoft 365 application, there are default permission groups available:
- Site owners – Site owners can manage site permissions, add and delete artifacts, edit site settings, and change site themes. This group has the Full Control permission level assigned in SharePoint.
- Site members – Site members can add and delete records in lists and libraries. This group has the Contribute permission level assigned in SharePoint.
- Site visitors – Site visitors can see site content but not edit it. This group has the Read permission level assigned in SharePoint.
These default permission groups are automatically assigned to every artifact on the site and will be added to every new artifact you create. This means that while site visitors cannot edit content, they can still see everything in the site, which might not be ideal if you share the site with external users and have sensitive documents on your site.
For sites with external contractors, you will want to create new named permission groups and possibly a new permission level to control project permissions. You can add new permission groups from the advanced permission settings.
Also, instead of every user having access to all of the content on the site, you will most likely want to break inheritance (permissions) for specific artifacts. To change the permissions for each artifact, go to the library settings menu, select permissions, and click Stop Inheriting Permissions.
At this point, you should have a general idea of permission levels and groups. Please be aware that most projects have different permission levels and group needs, but here are a couple of examples of what you might have on a construction project for owner-project managers and external contractors:
Owner-Project Managers:
- Permission group name: Owner Project Manager.
- Permission level: Contribute.
- Assigned: Site level.
- Scope: Project Managers can add and delete list items and documents across the entire site.
External Contractors:
- Permission group name: Contractor.
- Permission level: Contribute No Delete.
- Assigned: Contractor Document Library.
- Scope: Access to only the Contractor Document Library to upload files but not delete anything.
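The two example groups above can also be set up from a script. The following is an added example using the PnP.PowerShell module, not a script from Lydon Solutions. The site URL is a placeholder, and the choice of which rights to exclude from "Contribute No Delete" (DeleteListItems and DeleteVersions) is an assumption about what "not delete" should cover.

```powershell
# Added example: builds the two groups described above on one project site.
# Assumptions: PnP.PowerShell is installed; the site URL below is a placeholder.
# Recent PnP.PowerShell releases also require -ClientId for your own Entra ID app registration.
$SiteUrl = "https://contoso.sharepoint.com/sites/ProjectA"   # placeholder
$Library = "Contractor Document Library"
$NoDelete = "Contribute No Delete"
Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Custom permission level: clone Contribute and remove the delete rights.
#    Excluding DeleteVersions as well is an assumption, so old versions cannot be purged.
if ((Get-PnPRoleDefinition).Name -notcontains $NoDelete) {
    Add-PnPRoleDefinition -RoleName $NoDelete -Clone "Contribute" `
        -Exclude DeleteListItems, DeleteVersions `
        -Description "Upload and edit, but not delete"
}

# 2. Named permission groups (created only if they do not exist yet).
foreach ($name in "Owner Project Manager", "Contractor") {
    if ((Get-PnPGroup).Title -notcontains $name) {
        New-PnPGroup -Title $name | Out-Null
    }
}

# 3. Owner Project Manager: Contribute at site level, inherited by every artifact.
Set-PnPGroupPermissions -Identity "Owner Project Manager" -AddRole "Contribute"

# 4. Contractor: no site-level assignment. Stop inheriting on the one library
#    (copying the current assignments, as the UI does) and grant the custom level there.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments
Set-PnPListPermission -Identity $Library -Group "Contractor" -AddRole $NoDelete

# 5. Verify: list who holds which level on the library after the change.
$list = Get-PnPList -Identity $Library -Includes HasUniqueRoleAssignments, RoleAssignments
"Unique permissions on '$Library': $($list.HasUniqueRoleAssignments)"
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.Title
        Levels    = ($ra.RoleDefinitionBindings.Name -join ", ")
    }
}
```

Because step 4 copies the existing assignments, the default members and visitors groups keep their access to the library; review the output of step 5 and remove any group that should not see contractor uploads.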
This article is just the tip of the iceberg regarding SharePoint permissions. SharePoint permissions can get pretty complex, and you might end up with a spiderweb of assigned permissions. If you need help with permissions or just setting up your projects in Microsoft 365, you can reach out for a free one-hour consultation here.
For Part 3 of this series, we will be covering file sharing. While this is the easiest way to assign permissions at a folder or file level on a case-by-case basis, we wanted to get the concepts of permissions management in Microsoft 365 out of the way first. Stay tuned.