There have been a lot of tweets recently asking what the minimum permissions are for certain actions within the SharePoint web interface (or object model).
Default Permission Levels

| Permission Level | Description |
| --- | --- |
| Full Control | This permission level contains all permissions. Assigned to the Site name Owners SharePoint group, by default. This permission level cannot be customized or deleted. |
| Design | Can create lists and document libraries, edit pages and apply themes, borders, and style sheets in the Web site. Not assigned to any SharePoint group, by default. |
| Contribute | Can add, edit, and delete items in existing lists and document libraries. Assigned to the Site name Members SharePoint group, by default. |
| Read | Read-only access to the Web site. Users and SharePoint groups with this permission level can view items and pages, open items, and documents. Assigned to the Site name Visitors SharePoint group, by default. |
| Limited Access | The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted. Note: You cannot assign this permission level to users or SharePoint groups. Instead, Windows SharePoint Services 3.0 automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Windows SharePoint Services 3.0 automatically grants them Limited Access on the list, and also the site, if needed. |

Nice PowerShell script
A common mistake is to follow the out-of-the-box (OOTB) permissions for a site and add everyone to the Owners group, which gives them Full Control. Often, after the fact, you wish to downscale the Owners groups littered throughout your site collection from Full Control to Contribute or even Read (until the Owners have had their SharePoint training); see the "Downscale permissions to Owners group across site collection" PowerShell script.
List, site, and personal permissions
Windows SharePoint Services 3.0 includes 33 permissions, which are used in the five default permission levels. You can change which permissions are included in a particular permission level (except for the Limited Access and Full Control permission levels) or create a new permission level to contain a specific set of permissions that you specify.
Permissions are categorized as list permissions, site permissions, and personal permissions, depending upon the objects to which they can be applied. For example, site permissions apply to a particular site, list permissions apply only to lists and libraries, and personal permissions apply only to things like personal views, private Web Parts, etc. The following tables show permissions and the permission levels they are assigned to, by default.
List Permissions
Permission
Full Control
Design
Contribute
Read
Limited Access
Manage Lists
Override Check-Out
Add Items
Edit Items
Delete Items
View Items
Approve Items
Open Items
View Versions
Delete Versions
Create Alerts
View Application Pages
Site Permissions
Permission
Full Control
Design
Contribute
Read
Limited Access
Manage Permissions
View Usage Data
Create Subsites
Manage Web Site
Add and Customize Pages
Apply Themes and Borders
Apply Style Sheets
Create Groups
Browse Directories
Use Self-Service Site Creation
View Pages
Enumerate Permissions
Browse User Information
Manage Alerts
Use Remote Interfaces
Use Client Integration Features
Open
Edit Personal User Information
Personal Permissions
Permission
Full Control
Design
Contribute
Read
Limited Access
Manage Personal Views
Add/Remove Private Web Parts
Update Personal Web Parts
Dependencies and descriptions
Many permissions are dependent on other permissions. When you select a permission that is dependent on another, the permission on which it is dependent is also automatically selected. Likewise, clearing a permission on which other permissions are dependent also clears the dependent permissions. The following tables describe what each permission is used for and list its dependent permissions, if applicable.
List permissions

| Permission | Description | Dependent permissions |
| --- | --- | --- |
| Manage Lists | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. | View Items, View Pages, Open, Manage Personal Views |
| Override Check-Out | Discard or check in a document which is checked out to another user. | View Items, View Pages, Open |
| Add Items | Add items to lists, add documents to document libraries, and add Web discussion comments. | View Items, View Pages, Open |
| Edit Items | Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries. | View Items, View Pages, Open |
| Delete Items | Delete items from a list, documents from a document library, and Web discussion comments in documents. | View Items, View Pages, Open |
| View Items | View items in lists, documents in document libraries, and Web discussion comments. | View Pages, Open |
| Approve Items | Approve a minor version of a list item or document. | Edit Items, View Items, View Pages, Open |
| Open Items | View the source of documents with server-side file handlers. | View Items, View Pages, Open |
| View Versions | View past versions of a list item or document. | View Items, View Pages, Open |
| Delete Versions | Delete past versions of a list item or document. | View Items, View Versions, View Pages, Open |
| Create Alerts | Create e-mail alerts. | View Items, View Pages, Open |
| View Application Pages | View documents and views in a list or document library. | Open |

Site permissions

| Permission | Description | Dependent permissions |
| --- | --- | --- |
| Manage Permissions | Create and change permission levels on the Web site and assign permissions to users and groups. | Approve Items, Enumerate Permissions, Open |
| View Usage Data | View reports on Web site usage. | Approve Items, Open |
| Create Subsites | Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. | View Pages, Open |
| Manage Web Site | Perform all administration tasks for the Web site as well as manage content. | View Pages, Open |
| Add and Customize Pages | Add, change, or delete HTML pages or Web Part pages, and edit the Web site using a Windows SharePoint Services-compatible editor. | View Items, Browse Directories, View Pages, Open |
| Apply Themes and Borders | Apply a theme or borders to the entire Web site. | View Pages, Open |
| Apply Style Sheets | Apply a style sheet (.css file) to the Web site. | View Pages, Open |
| Create Groups | Create a group of users that can be used anywhere within the site collection. | View Pages, Open |
| Browse Directories | Enumerate files and folders in a Web site using an interface such as SharePoint Designer or Web-based Distributed Authoring and Versioning (Web DAV). | View Pages, Open |
| Use Self-Service Site Creation | Create a Web site using Self-Service Site Creation. | View Pages, Open |
| View Pages | View pages in a Web site. | Open |
| Enumerate Permissions | Enumerate permissions on the Web site, list, folder, document, or list item. | View Items, Open Items, View Versions, Browse Directories, View Pages, Open |
| Browse User Information | View information about users of the Web site. | Open |
| Manage Alerts | Manage alerts for all users of the Web site. | View Items, Create Alerts, View Pages, Open |
| Use Remote Interfaces | Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the Web site. | Open |
| Open | Open a Web site, list, or folder to access items inside that container. | No dependent permissions |
| Edit Personal User Information | Allow a user to change his or her own user information, such as adding a picture. | Browse User Information, Open |

Personal permissions

| Permission | Description | Dependent permissions |
| --- | --- | --- |
| Manage Personal Views | Create, change, and delete personal views of lists. | View Items, View Pages, Open |
| Add/Remove Private Web Parts | Add or remove private Web Parts on a Web Part Page. | View Items, View Pages, Open, Update Personal Web Parts |
| Update Personal Web Parts | Update Web Parts to display personalized information. | |

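
The dependency rule described under "Dependencies and descriptions", as an added example (not code from the original post or from SharePoint): it transcribes a subset of the Dependent permissions rows above and computes what selecting or clearing a permission does to a custom permission level. Applying the rule transitively is an assumption of the example, and `load`, `select` and `clear` are hypothetical helper names.

```python
# Added example: rows transcribed from this page's "Dependent permissions"
# columns (a subset of the 33 permissions), one "permission: dependencies" per line.
TABLE = """\
Open:
View Pages: Open
View Items: View Pages, Open
Open Items: View Items, View Pages, Open
View Versions: View Items, View Pages, Open
Add Items: View Items, View Pages, Open
Edit Items: View Items, View Pages, Open
Delete Items: View Items, View Pages, Open
Approve Items: Edit Items, View Items, View Pages, Open
Delete Versions: View Items, View Versions, View Pages, Open
Create Alerts: View Items, View Pages, Open
Browse Directories: View Pages, Open
Enumerate Permissions: View Items, Open Items, View Versions, Browse Directories, View Pages, Open
Manage Permissions: Approve Items, Enumerate Permissions, Open
View Usage Data: Approve Items, Open
Manage Alerts: View Items, Create Alerts, View Pages, Open
"""

def load(table):
    """Parse the rows above into {permission: set of direct dependencies}."""
    deps = {}
    for row in table.strip().splitlines():
        name, _, rest = row.partition(":")
        deps[name.strip()] = {d.strip() for d in rest.split(",") if d.strip()}
    return deps

DEPS = load(TABLE)

def select(chosen, deps=DEPS):
    """Selecting a permission also selects what it depends on, transitively."""
    level, todo = set(), list(chosen)
    while todo:
        perm = todo.pop()
        if perm not in level:
            level.add(perm)
            todo.extend(deps[perm])
    return level

def clear(level, removed, deps=DEPS):
    """Clearing a permission also clears every permission that depends on it."""
    level = set(level) - {removed}
    while True:
        orphans = {p for p in level if not deps[p] <= level}
        if not orphans:
            return level
        level -= orphans
```

`select({"Manage Permissions"})` returns ten permissions, including Edit Items (pulled in through Approve Items), so a custom level built around Manage Permissions cannot be read-only. Clearing Edit Items from that level removes Approve Items and Manage Permissions with it.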
Comments (1)
Oct 24
Anonymous says:
Thanks for the neat layout of all the permissions and their short-n-sweet descriptions. There is some other permission which I'm not able to locate. How do I allow specific users to be able to rename or edit the title field of wiki pages in WSS 3.0 with Wiki functionality? I wasn't able to determine which of the above permissions would allow that. Some users without the privilege are getting Access Denied errors.
Thanks,
Diabolic Preacher
As Is
http://abusiveviews.wordpress.com/