After you have created a SharePoint site, you may want to provide or restrict user access to the site or its contents. For example, you might want to provide access only to members of your team, or you might want to provide access to everyone, but restrict editing for some. The easiest way to work with permissions is to use the default groups and permissions levels provided, which cover most common scenarios. But, if you need to, you can set more fine-grained permissions beyond the default levels. This article describes the different permissions and permission levels, how SharePoint groups and permissions work together, and how permissions cascade through a site collection.
Default Permission Levels
Default permission levels allow you to quickly and easily provide common levels of permissions for one user or groups of users.
You can make changes to any of the default permissions levels, except
Full Control and
Limited Access, both of which are described more fully in the table below.
Full Control
Contains all available SharePoint permissions. By default, this permission level is assigned to the Owners group. It can’t be customized or deleted.
Design
Create lists and document libraries, edit pages and apply themes, borders, and style sheets on the site. There is no SharePoint group that is assigned this permission level automatically.
Edit
Add, edit, and delete lists; view, add, update, and delete list items and documents. By default, this permission level is assigned to the Members group.
Contribute
View, add, update, and delete list items and documents.
Read
View pages and items in existing lists and document libraries and download documents.
Limited Access
Enables a user or group to browse to a site page or library to access a specific content item when they do not have permissions to open or edit any other items in the site or library. This level is automatically assigned by SharePoint when you provide access to one specific item. You cannot assign Limited Access permissions directly to a user or group yourself. Instead, when you assign edit or open permissions to the single item, SharePoint automatically assigns Limited Access to other required locations, such as the site or library in which the single item is located.
Approve
Edit and approve pages, list items, and documents. By default, the Approvers group has this permission.
Manage Hierarchy
Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group.
Restricted Read
View pages and documents, but not historical versions or user permissions.
View Only
View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files, .pdf files, and .png files, can still be downloaded.
Security Note: Office 365 plans create a security group called “Everyone except external users” that contains every person you add into the Office 365 directory (except people who you add explicitly as External Users). This security group added to the Members group automatically, so that users in Office 365 can access and edit the SharePoint Online site. In addition, Office 365 plans create a security group called “Company Administrators”, which contains Office 365 Admins (such as Global and Billing Admins). This security group is added to the Site Collection Administrators group.