Simple Rules for SharePoint Permissions

I get questions all the time about how to set up permissions in SharePoint.

Permissions are hard. It’s not just you. And if you don’t do them right, they turn into a tangled ball of string in a drawer that no one can ever get untangled.

Here are some of my rules of thumb. They are intentionally broad brush and some of them may not apply directly to you, yadda, yadda. But time and time again, these rules seem to work.

KISS

First and foremost, keep it simple. Complexity is your enemy. Let the site topology and list structures be driven partly by the permissions you will need: content that needs different permissions is often better off in its own site or library than carved out with broken inheritance after the fact.

Open Is Good

Collaboration is hard when permissions are tight. Yes, you’ll want to lock things down for some content. That’s normal. But if you create separate Site Collections for everything – Site Collections are a permissions barrier – then you will find that your collaborative goals may not come true.

Highest: Best

Apply permissions at the highest level and only break inheritance when you need to. Permissions can be applied at the Site, List/Library, and item levels. Whenever possible, avoid item-level permissions. There are performance concerns, but they are tiny compared to the administrative nightmare: every uniquely permissioned item is one more place you have to remember to check, and nobody remembers.

Out of the Box

Use the out of the box permissions unless you need something else. You know what these are:

  • Read
  • Contribute
  • Full Control

90+% of the time, those three permissions levels cover things. Most of the other out of the box permission levels are too esoteric to be useful (e.g., Design).

Groups, Not Individuals

Always use permissions groups, never individuals. For instance, we should have an HR Department permission group and not just give permissions to a person directly. This is even true if there is just one person in a group. If someone leaves the organization, you simply swap them out of groups for their replacement and you’re all set.
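Here is one way to find out where a site is already breaking the "Highest: Best" and "Groups, Not Individuals" rules. This is an added example, not code from the original post: it assumes the PnP.PowerShell module (Connect-PnPOnline, Get-PnPWeb, Get-PnPList, Get-PnPListItem, Get-PnPProperty), an interactive sign-in, and a placeholder site URL you replace with your own. It walks the site, every visible list, and every item, and reports each place inheritance has been broken and each permission level granted to an individual user instead of a group.

```powershell
# Added example (not from the original post): audit one site against
# "Highest: Best" and "Groups, Not Individuals".
# Assumptions: the PnP.PowerShell module is installed, you can sign in
# interactively, and $SiteUrl is a placeholder for your own site.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/hr"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Emit one finding per role assignment that goes to an individual user
# instead of a group. "Limited Access" is granted by SharePoint itself
# whenever a user has rights further down the tree, so it is filtered out.
function Get-DirectUserAssignment {
    param($SecurableObject, [string]$Scope)
    $assignments = Get-PnPProperty -ClientObject $SecurableObject -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                    Where-Object { $_ -ne "Limited Access" })
        if ($ra.Member.PrincipalType -eq "User" -and $levels.Count -gt 0) {
            [pscustomobject]@{
                Scope     = $Scope
                Issue     = "Direct user assignment"
                Principal = $ra.Member.LoginName
                Levels    = ($levels -join ", ")
            }
        }
    }
}

$findings = @()

# Site level: the site itself can only violate the "groups, not individuals" rule.
$web = Get-PnPWeb
$findings += Get-DirectUserAssignment -SecurableObject $web -Scope "Site"

# List level: skip hidden system lists. A list that inherits can still contain
# items with unique permissions, so items are checked for every visible list.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden | Where-Object { -not $_.Hidden }
foreach ($list in $lists) {
    $listScope = "List: $($list.Title)"
    if ($list.HasUniqueRoleAssignments) {
        $findings += [pscustomobject]@{ Scope = $listScope; Issue = "Inheritance broken"; Principal = ""; Levels = "" }
        $findings += Get-DirectUserAssignment -SecurableObject $list -Scope $listScope
    }

    # Item level: one round trip per item, which is exactly why item-level
    # permissions become unmanageable on large libraries.
    foreach ($item in (Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef")) {
        Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
        if ($item.HasUniqueRoleAssignments) {
            $itemScope = "Item: $($item.FieldValues['FileRef'])"
            $findings += [pscustomobject]@{ Scope = $itemScope; Issue = "Inheritance broken"; Principal = ""; Levels = "" }
            $findings += Get-DirectUserAssignment -SecurableObject $item -Scope $itemScope
        }
    }
}

$findings | Sort-Object Scope | Format-Table -AutoSize
```

Run it once per site you care about. A handful of "Inheritance broken" rows on lists you deliberately locked down is normal; pages of item-level rows, or users granted Full Control directly, are the tangled ball of string, and the output gives you the list to work through when you clean up.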

Distribute

Let site owners manage their own permissions if you can. SharePoint has a distributed permission model, and you want to let it work. That means that teams should be allowed to mess up their own permissions and external sharing and also be able to fix it. You simply can’t do it all. But you absolutely should be available to help if things get out of hand.

Finally…

Following these simple rules can save you so many headaches. If you’ve had SharePoint up and running for more than a few months, your ball of string is probably already a bit snarled. Don’t let it get much worse before you take a pass through and clean the permissions up. It only gets worse.

9 Comments

  1. Good post, Marc. One thing I would add is that Edit permission level (not Contribute) is now the out-of-box default for a Site Member in SharePoint 2013. I’m not a fan of Edit since it’s everything in Contribute plus Manage List, which grants the ability for users to delete any list/library. Certainly not something I would want a team member doing.

  2. I struggle with the Distribute section of your post. This is certainly a training issue for us but some content admins at my company just make a huge mess out of things and we’ve had sensitive sites accidentally exposed to all internal employees.

    • Michael:

      Note that I say “if you can”. SharePoint was built for collaboration, not command and control. Yet most companies try to run it with a command and control mentality.

      Everything should depend on your own governance rules, of course, but with appropriate training and permissions management for the site admins themselves, distributed permissions are the way to go. Sometimes third party tools can help with the management required here, as SharePoint doesn’t give you much to work with.

      M.

  3. Do you ever remove the default groups? The presence of empty groups such as “Hierarchy Managers” and “Translation Managers” seems like so much noise when you are working to “keep it simple”!
