Overview of SharePoint Online Permissions
Posted by Erin Bard on 28 January 2019 01:52 PM
Please note that SharePoint Online on Office 365 is a constantly evolving product and this guide may not reflect the current experience.
This guide will provide a high-level overview of the permissions structure in SharePoint Online, detailing the places where permissions can be defined and the different levels of permissions.
Places where permissions can be applied
In SharePoint Online, permissions can be applied in four different areas: site-wide, sub-site, document library, and item-level. Normally permissions are inherited from the top down (site-wide > sub-site > document library > item-level); however, inheritance can be broken at any level and unique permissions assigned.
Site-wide permissions normally apply to every item and part of the site; however, they can be overridden by more specific permissions (sub-sites, document libraries, item-level). Site-wide permissions are by far the simplest to set up and troubleshoot. If possible, we strongly recommend sticking with site-wide permissions only. This guide shows you how to set site-wide permissions: Modify SharePoint Online Site Permissions.
Each SharePoint site can have sub-sites created under it. These sub-sites are children of the parent site. The only major difference between a sub-site and a full site is that a sub-site will always be accessible to the owners of the parent site. Sub-sites are useful when you need a separate space for a working group with different permissions than your normal site. Because sub-sites function identically to regular sites, the permissions are managed the same way. See this guide for setting site-wide permissions: Modify SharePoint Online Site Permissions. Do note that when you create a sub-site, you have the option of inheriting the parent site permissions or breaking inheritance and creating new unique permissions; either choice is fine depending on your needs, but in most cases you'll probably want to break inheritance and set up new permissions.
In a site you are likely to have one or more document libraries. Each of these document libraries can be configured to have unique permissions. This may be useful in cases where you have several collections of documents that different groups need to access. This guide shows how to modify document library permissions: SharePoint Online Document Library Permissions
Finally, you can also assign item-level permissions. This is a setup in which each file or folder within a document library has unique permissions. This can quickly lead to permissions becoming a mess, so we advise against using this setup in most cases. However, if this setup is most appropriate for a particular situation (example: a drop-box folder where you can upload files and grant selected people access to each file), we do have instructions on how to set this up: SharePoint Online Document Library Item-level Permissions
Different levels of permissions
When working with permissions in SharePoint Online, there are several levels of access you can assign. They are:
Full Control (Owners): this permission gives you the ability to change anything and everything within the site, including permissions. By default the "Site Owners" group receives this permission.
Design: this permission is the same as Full Control but without the ability to manage permissions or create sub-sites. Use this if you want someone to have more than Edit rights but less than Full Control. There are very few cases where this role is needed; most of the time you are better off using Edit or Full Control.
Edit (Members): Can add, edit, and delete lists. Can view, add, update, and delete list items. Can view, add, update, and delete documents. By default the "Site Members" group receives this permission. This role gives read/write access to the site content plus the ability to add and remove lists, but without the ability to modify permissions. There may be times when the Contribute role is more appropriate.
Contribute: Basically the same permissions as Edit, but without the ability to add or delete entire lists. This role only allows you to add, edit, and delete content; it does not allow any structural changes to the site.
Read (Visitors): This role provides basic read-only access. No ability to change the content of the site. By default the "Site Visitors" group uses this role.
View Only: This role is the same as Read but prevents file downloading. If the file can be viewed in the browser with server-side technology (e.g. Excel Web Viewer) then it will be available for viewing.
For most uses of SharePoint, we recommend sticking with site-wide permissions and using the "Site Owners", "Site Members", and "Site Visitors" groups. This setup is the simplest and least likely to cause problems later.
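The inheritance rule described in this guide, modelled as an added example that is not part of the original guide and is not SharePoint API code: an object takes its permissions from the nearest object above it that has unique permissions, so a site-wide change does not reach an item whose inheritance was broken. The "Contractors" group and all object names are constructed for illustration, and the sub-site owner rule is not modelled.

```python
# Added illustration: a constructed model of the inheritance rules, not SharePoint API code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(eq=False)
class Securable:
    name: str
    kind: str  # "site", "sub-site", "library" or "item"
    parent: Optional["Securable"] = field(default=None, repr=False)
    unique: Optional[Dict[str, str]] = None  # None means "inherit from parent"
    children: List["Securable"] = field(default_factory=list)

    def add(self, name, kind, unique=None):
        child = Securable(name, kind, parent=self, unique=unique)
        self.children.append(child)
        return child

def permission_source(node):
    """Nearest object, walking upward, that holds its own permissions."""
    while node.unique is None:
        if node.parent is None:
            raise ValueError("top-level site must define permissions")
        node = node.parent
    return node

def effective_level(node, group):
    """Level the group holds on node, or None when it has no access."""
    return permission_source(node).unique.get(group)

def broken_inheritance(root):
    """Audit view: every object below root that has unique permissions."""
    found, stack = [], list(root.children)
    while stack:
        node = stack.pop()
        if node.unique is not None:
            found.append(f"{node.kind}: {node.name}")
        stack.extend(node.children)
    return sorted(found)

def build_sample():
    """Constructed hierarchy; 'Contractors' and all object names are hypothetical."""
    site = Securable("Team Site", "site", unique={
        "Site Owners": "Full Control", "Site Members": "Edit", "Contractors": "Read"})
    docs = site.add("Documents", "library")
    plan = docs.add("plan.docx", "item")
    bid = docs.add("bid.pdf", "item", unique={
        "Site Owners": "Full Control", "Contractors": "Contribute"})
    return {"site": site, "docs": docs, "plan": plan, "bid": bid}
```

Deleting "Contractors" from the site's permissions in this model removes their access to plan.docx but leaves their Contribute access on bid.pdf, which is why objects with unique permissions need their own review.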