sharepoint 2013 user rights assignment

Understand groups and permissions on a SharePoint site

The permissions you have on a Microsoft Office SharePoint Server 2007 site determine whether you can access the site and what you can do with the content on it. You can have different permissions for different sites and subsites. You can even have different permissions for different content on the same site.

The content and the menu options that you see on a site vary according to the permissions that are assigned to you. A site owner usually grants you permissions to a site by adding you to a SharePoint group, such as Visitors . The group has a permission level that you receive by being a member of the group.

What permission level do I have on a site?

You can have the following experiences when you access a SharePoint site according to your permission level.

Note:  The following assumes the default SharePoint groups and permission levels for a site. Your experience may vary according to how the site owner assigned permissions on your site.

You have the Read permission level

If you can view the site but not make changes to the site or to the content on it, you belong to the Visitors group, which has the Read permission level. For example, if you can view a site but cannot edit a document on the site, you have the Read permission level.

You have the Contribute permission level

If you can view the site and change the content on the site, but not make changes to the site, you belong to Members group which has the Contribute permission level.

You have the Full Control permission level

If you can change the content and the settings on the site you belong to the Owners group which has the Full Control permission level. One of the common tasks that a site owner performs is managing permissions.

You do not have permission to access the site

If you receive the Error: Access Denied message when you attempt to access a site, you do not have the permissions necessary to view the site. Click Request access to ask the site owner to grant you the necessary permissions.

Note:  The ability to request access is an optional feature of a SharePoint site. If the feature is enabled, you can request access to a site.

Managing permissions on a site

As a member of the Owners group you determine the level of access to your site. You can grant users access to the whole site, or to specific information on the site, such as a list or even a single file. Assigning permission levels to a specific item can help you to protect sensitive content, such as a contract or budget information, without restricting access to the rest of the site.

SharePoint groups and permission levels help you to efficiently manage access to sites. You add users to SharePoint groups and assign permission levels to your site and to its contents. By default, permissions on lists, libraries, folders within lists and libraries, items, and documents are inherited from their parent site. However, you can assign unique permissions to items at a lower level, such as subsites, libraries, or even files.

SharePoint groups

Each site comes with a default set of SharePoint groups, such as Owners . The name of the SharePoint group matches the name of the site. For example, if the name of the site is Marketing , a group will be called Marketing Owners . You can add people to these groups, so that you can later grant access to the group instead of having to grant access to each individual user. You can also create SharePoint groups to provide custom levels of access. You might want to provide more liberal or restrictive access to a specific group than you would to the default members of your site. For example, if you have a group of marketing managers that often gives confidential presentations, you might want to create a Marketing Managers group that can share information that is restricted from all other users of the site.

Permission levels

Each permission level has a set of permissions associated with it, based on the intended roles and tasks for that level. For example, the Members group has the Contribute permission level by default. As a site owner, you choose which permissions are associated with each permission level (except for Limited Access and Full Control, which cannot be customized) or add new permission levels to combine different sets of permissions. Some sites have additional groups and permission levels that are tailored to the purpose of the site, such as publishing or records management sites.

Need more help?

Want more options.

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

Thank you for your feedback.

How to set SharePoint Permissions – Complete Guide

Each SharePoint site comes with default groups and permissions. For most situations, they are perfectly fine, but sometimes you need to change those permissions. What are then your options to change, set, or add SharePoint permissions?

There are several options when it comes to managing permissions in SharePoint. We can set permissions for the whole site or group, on the document library level, and even at folder level.

In this article

In this article, I will explain how the default permissions work and what options you have to change the permissions in SharePoint Online.

Default Permissions in SharePoint

By default, all SharePoint sites are created with the three security groups below:

• Owners – Have full control over the site
• Members – Can add and edit the content (files, lists, etc) on the site
• Visitors – Can only read

When you create a new SharePoint site you have, normally, two options to choose from, a Team site or a Communication site (SharePoint administrators have also other options to choose from). Depending on your choices the following users have permission to the SharePoint site:

Atleast one owner must be selected when you create the SharePoint site. In the case of a Team site, you can also add the member while creating the site. But in all cases, we can modify the owners, members, and visitors later.

So these are the default permissions, but what options do we have to change this?

Edit SharePoint Permissions

As mentioned at the beginning of the article we can set the permissions on different items in SharePoint. Starting all the way at the top, at the site level, to all the way down at folder level. Good to know is that permissions are by default inherited from the top down.

This means that if we change the permissions at a document library, the permissions in all folders below it are also changed. Now, this is expected behavior, but keep in mind that this also means that subsites also inherit the permissions from the main site.

Note When your document library, list or folder contains more then 100,000 items, you can’t create unique permissions. The inheritance can’t be removed or recreated when you exceed the threshold.

SharePoint Permission Levels

SharePoint permissions levels are a set of permissions that you can assign to a user or group. There are 5 predefined sets in SharePoint Online, which are suitable for most use cases. It’s also possible to create your own permission levels allowing you to fully customize the permissions that you want to give.

The default permissions levels in SharePoint are:

• Full Control – Has full control
• Design – Can view, add, update, delete, approve, and customize.
• Edit – Can add, edit and delete lists; can view, add, update and delete list items and documents.
• Contribute – Can view, add, update, and delete list items and documents.
• Read – Can view pages and list items and download documents.
• Restricted View – Can view pages, list items, and documents. Documents can be viewed in the browser but not downloaded.
• Limited Access – Assigned to a user or group when sharing an item. Can access the site and view the selected item.

So as mentioned, it’s possible to create your own permission levels. To do this, click on settings (gear icon) in the top right corner and select Site permissions > Advanced Permissions .

In the permissions tab, click on Permissions Levels :

All the existing permissions levels are listed here. It’s best practice to not change the existing permissions levels but instead add a new permissions level .

We can now select the permissions that we want to assign. As you will notice, when you select a permission, other options are automatically selected as well. For example, when we choose to Create Alert , then View Items, View Pages and Open are also selected. These extra permissions are needed so the user can access the site and view the libraries.

Site Permissions

The first place to change permissions for a SharePoint site is the site permissions. This will allow you to set the security setting at site level, affecting all document libraries, lists, pages, etc. Permissions should always be set with the Principal of least privileges in mind. Don’t give users more permissions than they need.

To change the site permissions we will need to open the settings menu (gear icon) and click on Site Permissions:

This will show the basic permissions and allows you to add members and owners to the site. Click on Add members (1) to add users to the site. Here you can look up users and make them Members or Owners of the SharePoint site.

Another option is to use the Advanced Permissions Settings (2). The advanced settings allow you to choose custom permission levels and add groups of users (security groups) to the SharePoint site.

• Click on Advanced Permissions Settings in the screenshot above (2)
• Click Grant Permissions
• Search for users or security groups. You can add multiple groups or users simoultancyly
• Select Show Options
• By default, the users will receive an invitation email. You can turn it off if you want
• Select the permission level that you want to assign.
• Click Share to grant the permissions.

Creating Custom Groups

By default, you can only add users or groups to the default security groups (owners, members, visitors). But it’s also possible to create your own security groups. Each group can be assigned one or multiple permission levels.

Click on Create Group in the Advanced Permissions settings:

Give the group a meaningful name and select who can view and add members to the group. At the end of the settings page we can choose the permission level that we want to assign to the group members, for example, Restricted view:

After you have created the group, we can go back to the permissions page and assign users to our newly created security group:

Document Library Permissions

When site-level permissions are not suitable for your situation, then the next level where we can set permissions is on the document library or lists in SharePoint. To change the permissions on a document library we first need to open the library:

• Click on Settings (gear icon)
• Choose Library Settings

• Click on Permissions for this document library

We will now see the same permissions as we have set at site level. So the first step is to stop inheriting the permissions from the parent. This will copy all existing permissions to the document library, making them unique.

Note Keep in mind that changes made at site level later are not applied to this document library after you stop inheriting. So users who are now member at site level, will remain member of the document library if you remove them later at site level

• Click on Stop Inheriting Permissions and click Ok on the warning

We can now modify the permissions just as we did at site level. This means that we can add a custom security group, grant additional permissions to users or groups, or change the permission level of the existing groups.

For example, we can remove the members, visitors, and testers from the document library, so that only the owners of the SharePoint site can access the Budgets document library.

Folder Permissions

We can also create custom permissions at the folder level in SharePoint. Keep in mind that custom folder permissions are harder to keep track of, so make sure that you document them properly and don’t use them too much.

To set unique permissions on a folder in SharePoint first select or hover over the folder:

• Click on the 3 dots (show action)
• Choose Manage Access

Here we have a couple of options, we can create a link that gives access to the folder (3) , just like the normal sharing options. Or directly add a user to the folder (4). But it’s also possible to create unique permissions, just like with the document library. Click on Advanced (5) to view the permissions settings.

The advanced permissions work the same as the document library. First, stop inheriting the permissions and then create your own custom permissions for the folder.

File Permissions

In SharePoint, it’s even possible to add unique permissions to a file. Now just like folders, don’t use this too much. You will easily lose track of all the unique permissions. Setting file permissions works exactly the same as folder permissions in SharePoint.

• Click on the 3 dots (Show actions) behind the file
• Select Manage Access
• Click on Advanced to create unique permissions

Refer to the steps above on how to stop inheriting the parent permissions and add unique security groups, users, and/or permission levels.

List Permissions

List permissions are a bit special compared to document libraries in SharePoint. They have the same permission structure, so you can give users or groups unique permissions to the list. But besides the list permissions, we can also set permission on item-level in SharePoint.

So first the list permissions. With the list selected:

• Click on Settings
• Open List settings

In the settings screen, we can open the permission for this list (3). Also note the Advanced Settings option, which we will use later for the item-level permissions.

We first need to stop inheriting the site-level permissions before we can add unique permissions to the list. After stopping the inheritance, you can add or remove user or security groups from the list. Refer to the steps above for more details about this.

Item-Level Permissions

A special feature of lists in SharePoint is that we can set permissions on item level. The permissions are limited to the question if a user can view and/or edit only their own items or all items. So we can give a user read-all access, which allows them to view all items on the list. But limit the create and edit permission to only the items created by the user.

To set the item permissions, click on Advanced Settings in the List settings . Here we can set the item-level permissions:

We can’t add custom permissions levels to the items, but these options should be more than sufficient in most cases.

Wrapping Up

I hope this article helped you with configuring your SharePoint permissions. Try to limit the unique permissions to site level and document library level only. When you start creating unique permissions on folder or file level, you can quickly lose the overview.

If you have any questions just drop a comment below.

You may also like the following articles

How to use the Microsoft Entra PowerShell Module

Getting Started with Microsoft Entra Private Access

Microsoft Entra Connect Sync Error due to Conditional Access

15 thoughts on “how to set sharepoint permissions – complete guide”.

Hello Rudy I like your articles and find them very useful. I am new to sharepoint; and I was asked to add AD security groups in sharepoint. Is it possible?

Till now my workaround has been to use Microsoft 365 groups and assign AD users to this groups. is there a better way

Thank you Giuseppe

You can add the AD groups directly through the Advanced Permissions screen.

Rudy, we want our site admins to be able to share files and folders, assign metadata labels to library items, and things like that. We don’t want them to be able to create new document libraries, though. When we took away their ability to create new libraries, they lost the ability to manage things inside the libraries as well. Is there a workaround for that?

The user will need to have edit permissions on the library to be able to manage meta data etc.

Good Article. Thanks For Sharing.

Great article thank you, I have this bookmarked for future reference.

I do have a question though; if I want to grant access to everyone I can use the All users except external users feature but if I want to grant access to everyone except for a few internal users is there a way to do this just as easily? I don’t particularly want to create a special group with access permissions because that would entail adding more than 200+ people to the group.

It’s possible, but only if you have the correct license that includes Enterprise Mobility + Security : https://learn.microsoft.com/en-us/microsoftteams/block-access-sharepoint

If I set read access for Members to the home.aspx on my SPO site, the “+New” button on top disappears, so it is not anymore possible to create pages, which my Member should be able to – they just should not edit the homepage.

The strange thing is: By using the “settings” cog on top, it is still possible to create pages.

Anything I am missing?

Thanks, Max

Thanks Ruud! Your article is quite clear and helpful to understand the permission. I may ask your suggestion on setting up a team site. I need to limit some document libraries based on team members’ security level. About 2/3 can access all document libraries and 1/3 should have limited access. As the first option, I thought to create a group, such as member-secret or member-nonsecret, and change the library permission. According to your article, however, it may break inheriting the site permission. The second option is to create two sites: one for everyone and another for limited access.

Which option do you think is easier to maintain? If you briefly explain possible pros and cons, it is much appreciated.

The latter is of course easier to maintain from a security standpoint. But if you only need to split between owners and members, then removing the member’s permission from some of the document libraries isn’t that hard. And make is for the owners (who can access all libraries) easier to work with.

Thank you !

Thank you for the detailed steps. I have 3 doc. libraries in the sp site. Trying to set it so that doc. library 1 members cannot access doc. library 2 or 3. Will your process, as detailed above, produce this result? Why: I have tried – yet the unique permission email can still access all libraries.

Guidance is greatly appreciated!

Unique permissions will overrule group permissions. If you stop inheriting permissions on lib 2 and 3, and add unique permission for only the owners, then members from the site should not be able to access it.

I’m curious, and can’t seem to find a direct answer anywhere, can you have one person in multiple permissions groups on SharePoint 365? We have columns that are the type “Person or Group” and currently we have to have All Users selected which pulls from all members of our organization which is quite large. I was hoping to change the settings of these columns to instead pull from a specific SharePoint group but the 6 employees I want to have as options are split between permissions groups Members and Owners. Could I add the two Owners to the Members group, thus having them in two groups, without affecting their permissions? Do permissions levels pull from the highest level if a single person is in multiple permissions groups?

Thanks in advance for any help you can provide.

That should work.

Leave a Comment Cancel reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

So, about that AdBlocker... Will you consider disabling it?

Yes, ads can be annoying. But they allow me to keep writing content like this. You can also support me by Buying Me a Coffee ☕ or visit the shop to get some Tech-Inspired merchandise | Read more about disabling AdBlockers

SharePoint Diary

Salaudeen Rajack's SharePoint Experiences!

SharePoint Permissions – A Comprehensive Guide!

Introduction.

One of the key features of SharePoint Online is its robust permissions system, which allows administrators to control who has access to specific content and what actions they can perform on that content. This guide will provide an overview of SharePoint Online permissions, including how to set and manage permissions, how to effectively manage them, and common scenarios for using permissions in SharePoint Online.

Table of contents

Types of sharepoint online permissions, how to create a custom permission level in sharepoint online, how to stop inheriting permissions in sharepoint online, how to share a sharepoint online site, share a list or document library in sharepoint online, folder level permissions in sharepoint online, how to grant access to a document in sharepoint, how to check user permissions in sharepoint online, sharepoint online permissions report, copy permissions in sharepoint online, delete all unique permissions sharepoint online, anonymous access in sharepoint online, how to add a sharepoint online administrator in office 365, sharepoint online permissions best practices, common mistakes to avoid when managing sharepoint permissions.

There are four main types of permissions in SharePoint Online:

• Site permissions : Site permissions control who has access to a specific SharePoint site and what actions they can perform on the site. Site permissions are usually set at the root level of a SharePoint site, but they can also be set at the subsite level.
• List permissions : List or library permissions control who has access to a specific list or library within a SharePoint site and what actions they can perform on the list or library. SharePoint List permissions can be set at the list or library level.
• Folder Permissions: Folder permissions in SharePoint Online work similarly to how permissions work for other objects such as site or document library; users can be granted different levels of access to directories, such as Read, Contribute, or Full Control.
• Item permissions : Item permissions control who has access to a specific item or document within a list or library and what actions they can perform on the item or document. Item permissions can be set at the list item or document level and can override list permissions.

To set permissions for a site or item, you will need to be the site owner or have permission to manage the site. In SharePoint Online, permissions are granted at the site level and can be inherited by subsites, lists, libraries, and individual items within those lists and libraries. This means that administrators can set permissions for a site and have those permissions apply to all of the subsites, lists, and libraries within that site, unless specific permissions are set for a particular subsite, list, library, or item.

SharePoint Permission Levels

In SharePoint Online, permission levels are used to determine what actions a user or group can take within a site, list, library, or item. SharePoint Online comes with several built-in permission levels, such as Full Control, Edit, and Read, but you can also create custom permission levels if needed.

The default permission levels in SharePoint Online are:

• Full Control : This permission level allows users to view, add, update, and delete any content within the site, list, library, or item. Users with Full Control permissions can also create and delete lists and libraries, change the look and feel of the site, and manage site content, list, library, edit user permissions or item-level security settings.
• Design : This permission level allows users to view and edit any content within the site, list, library, or item, as well as create and delete lists and libraries. Users with Design permissions can also change the look and feel of the site, but cannot manage site, list, library, or item-level security settings.
• Edit : This permission level allows users to view and edit any content within the site, list, library, or item. Users with Edit permissions cannot manage site, list, library, or item-level security settings. SharePoint team site members get this permission by default.
• Contribute : This permission level allows users to view and edit any content within the site, list, library, or item, but they cannot create or delete lists and libraries. Users with Contribute permissions in SharePoint cannot change the look and feel of the site or manage site, list, library, personal views, or item-level security settings.
• Read : This permission level allows users to view content within the site, list, library, or item, but they cannot add, update, or delete items. Users with Read permissions cannot manage site, list, library, or item-level security settings. Typically, assigned to the site visitors.
• View Only : This permission level allows users to view content within the site, list, library, or item, but they cannot add, update, delete, or edit items. Users with View Only permissions cannot manage the site, list, library, or item-level security settings. They can create alerts, view items, and view pages, but can’t download documents to the client applications.

What does limited access mean in SharePoint permissions? You’ll also see the “Limited Access” permission level. SharePoint limited access is a special type of security role that a user or group automatically grants when getting access to a specific list/library/item, but not to the site itself. E.g., When we grant access to a specific list, but not the site, users will get read access to the list and limited access to the site.

In addition to the default SharePoint permission levels, SharePoint Online allows you to create custom permissions by combining various permissions from the built-in permission levels. This can be useful if you need to grant fine-grained permissions to a group of users that is not covered by the built-in permission levels.

SharePoint Permission levels are sets of permissions that can be assigned to users and groups, allowing them to perform certain actions within the site. For example, a user with a “Full Control” permission level would have complete access to all areas of the site, including the ability to create, edit, and delete content. On the other hand, a user with a “Read” permission level would only be able to view content within site, but would not be able to make any changes. By creating custom permission levels, site administrators can fine-tune the access and permissions granted to users and groups within their site, ensuring they have the access they need to perform their tasks while protecting sensitive information.

To create a custom permission level, do the following:

• Navigate to the site settings page for the site where you want to create the permission level.
• Click on “Settings” >> “Site Permissions” and then “Advanced permissions settings.”
• On the Permissions page, click on the “Permission levels” link in the ribbon.
• On the “Permission Levels” page, click the “Add a Permission Level” button.
• Enter a name and description for the new permission level.
• Select the specific permissions that you want to include in the permission level. You can choose from a list of predefined permissions, such as “Full Control”, “Edit”, or “Read”. Select personal permissions that apply.
• Click the “Create” button to create the new permission level.

Once you have created the custom permission level, you can then assign it to users or security groups as needed.

Copy existing Permission Level:

You can also create a new permission level by copying an existing permission level in SharePoint. Follow the steps between 1-3. Pick any existing permission level such as “Contribute”, use the “Copy Permission Level” button to copy it, add/remove necessary permissions such as “Open items”, “application pages”, “Browse user information”, “Personal web parts”, “Client integration features”, “Remote interfaces”, etc. More info here: How to create a permission level in SharePoint Online?

Similarly, You can Edit and Update a Permission Level , Delete a Permission Level in SharePoint Online as well.

Permission Inheritance in SharePoint Online

In SharePoint Online, permission inheritance refers to the way in which permissions are passed down from a parent site or item to its child sites or items. When inheritance is enabled, a child site or item will inherit the permissions of its parent, unless unique permissions are explicitly set for the child. By default, all sites and lists in SharePoint Online inherit the permissions of their parent site.

For example, consider a SharePoint site with a folder containing several documents. If you set permissions at the site level, those permissions will be inherited by the folder and all the documents within it. However, if you break inheritance on the folder and set unique permissions for it, the folder and its documents will no longer inherit the permissions from the parent site. Instead, they will have their own independent set of permissions.

Permission inheritance can be useful for reducing the amount of work required to manage permissions on a large site with many subsites and items.

If you want to customize the permissions for a particular site, folder, document library, or document, you must first break the permission inheritance. This can be useful if you want to give a particular group of users access to a specific folder or document while denying access to other users.

To stop inheriting permissions in SharePoint Online, follow these steps:

• Navigate to the site, folder, or document for which you want to stop inheriting permissions.
• Right-click on the item >>Click on the “Manage Access” menu item.

• In the confirmation dialog box that appears, click on the “OK” button to confirm that you want to break inheritance.
• After breaking inheritance, you can add or remove users and groups and assign them specific permissions (e.g., read or edit).

It’s important to note that breaking inheritance can have unintended consequences, as it will cause the site, folder, or document to have its own independent set of permissions that are not inherited from the parent. This can make it more difficult to manage permissions, as you will need to set permissions separately for each item.

More here: How to Break Permission Inheritance in SharePoint Online?

Managing Permissions in SharePoint Online

There are several ways to set and manage permissions in SharePoint Online:

• SharePoint Groups : SharePoint groups are a collection of users who are granted the same set of permissions. You can create different groups for different purposes, such as a group for site administrators or a group for project team members. You can add and remove users from groups as needed, and any changes to the group permissions will apply to all group members.
• Individual Permissions : You can also set permissions for individual users or groups on a specific list, library, or item. Individual permissions override any group or permission level permissions that have been set.

How Do I Manage SharePoint Online Permissions? Managing permissions in SharePoint Online is done through the user interface (UI). The UI allows you to easily add or remove users from your site/document library, assign roles and tasks, and create groups to easily manage multiple users. It’s important to note that different roles have different levels of permission; for example, an administrator will have more control over the site than a regular user will.

Private Team site vs. Public Team site: If you create a SharePoint site with Microsoft 365 group connected, You can set the site’s privacy to private or public so that the site is available only to specific users or to all users of the firm (By granting access to the special group: “Everyone except external users” in SharePoint).

Default Groups and Group Permissions in SharePoint Online

In SharePoint Online, several default SharePoint groups are created when a new team site or communication site is created. These groups are used to manage permissions and control access to the site and its contents. The default groups and their permissions are as follows:

• Owners: This group has full control over the site and its contents. They can add and remove users, set permissions, and make other site changes.
• Members: This group has the ability to contribute to the site, including adding and editing content, creating lists and libraries, and managing permissions for their own documents and items.
• Visitors: This group has read-only access to the site and its contents. They can view, but not edit, any content on the site.
• Approvers: This group has the ability to approve or reject documents that are submitted for approval.
• Hierarchy Managers: This group has the ability to create and manage sites and pages within the site collection.

Create a SharePoint Group: In addition to these default groups, you can create custom groups in SharePoint and assign them specific permissions as needed. More info: How to Create a Group in SharePoint Online?

You can generate a report for users and groups on a SharePoint Online site: Site Users and Groups Report in SharePoint Online

In SharePoint Online, adding users to the site is a common task. This can be done in a few simple steps below. Site-level permissions in SharePoint Online are used to control access to the entire site and any subsites created within it. To add a user to SharePoint, follow these steps:

• Navigate to the site for which you want to set permissions.
• Click on the Settings gear icon, select “Site Permissions”, and then “Advanced permissions settings”.
• Click on the “Grant Permissions” button.
• Enter the names or email addresses of the users or groups you want permission to.
• Select the appropriate permission level or individual permissions for the users or groups. E.g., let’s add members to the SharePoint site.

More on how to share a SharePoint site and provide site access to users: How to Grant site permissions in SharePoint Online?

In addition to granting permissions at the site level, SharePoint Online also allows administrators to set permissions at the list and library levels. This is useful for situations where the permissions for a particular list or library need to be different from the permissions for the site as a whole.

An administrator must first break the inheritance of permissions from the parent site to set permissions for a list or library. This means that the permissions for the list or library will no longer be inherited from the site, and can be set independently. Once the inheritance has been broken, the administrator can add users and groups as members of the list or library and assign specific permissions to those members. To share a document library in SharePoint Online, follow these steps:

• Login to your SharePoint Online site >> Navigate to the document library you want to share.

• Click the “Permissions for this document library” link under the “Permissions and Management” group.
• Click on the “Stop Inheriting Permissions” button on the ribbon and confirm the prompt. You can add or remove users and groups to the document library to restrict permissions.
• Select users and groups and click the “Remove user permissions” button to remove unnecessary users. To add additional users to the document library, click on “Grant Permissions” and add people or groups, then set the necessary permissions.

More here: How to Share a Document Library in SharePoint Online?

The users or groups that you shared the document library with will receive an email notification with a link to the shared document library, and will be able to access it using that link.

Can you restrict access to certain folders on SharePoint? Sure! In SharePoint Online, folder-level permissions allow you to control access to specific folders within a list or library. By default, users with permission to access a list or library will also have access to all the folders within that list or library. However, you can use folder-level permissions to give certain users or security groups access to specific folders within the list or library while denying access to other folders.

To set folder-level permissions in SharePoint Online, follow these steps:

• Navigate to the list or library that contains the folder for which you want to set permissions.
• Click on the folder for which you want to set permissions.
• Click on the “Files” tab in the ribbon, then click the “Manage Access” button.
• In the “Manage Access” dialog, you can add users or SharePoint security groups and assign them the appropriate permission level. You can also remove users or security groups from the list by clicking on the “X” icon next to their names.
• When you are finished setting permissions, click on the “Save” button to apply the changes.

Note that SharePoint folder permissions are distinct from list or library-level permissions. If you want to give a user or security group access to all the folders within a list or library, you will need to grant them the appropriate permissions at the list or library level. You can do this by going to the “Permissions” page for the list or library and adding the user or security group to the list of users and security groups with permissions. My other article on : Setting folder level permissions in SharePoint Online

Setting permissions for individual items within a list or library is also possible. This is useful for situations where certain items within a list or library need different permissions than the rest. How do I grant access to a specific file in SharePoint? To set permissions for an individual item, the administrator must first break the inheritance of permissions from the parent list or library. Once the inheritance has been broken, the administrator can add users and groups as members of the item and assign specific permissions to those members.

To set file-level permissions in SharePoint Online, follow these steps:

• Navigate to the file or folder that you want to set permissions for.
• Select the file and click on the “Share” button. This will open the “Share with Others” dialog box.
• In the “Invite People” field, enter the email address of the person or group you want to set permissions for.
• Select the appropriate level of access from the “Permission Level” dropdown menu.
• Optional: If you want to include a message with the invitation, type it in the “Add a message (optional)” field.
• Click on the “Share” button to send the invitation and set the permissions.

Keep in mind that the specific file level permissions available may vary depending on your organization’s SharePoint configuration. You may need to request additional permissions from an administrator if you need to set permissions that are not available in the “Permission Level” dropdown menu.

More in How to Grant File level Permissions in SharePoint Online?

If you manage a SharePoint Online site, you may need to check who has what permissions from time to time. This is especially important if you have a lot of users with different roles. Let’s see how to audit SharePoint permissions. How do I check who has access to a SharePoint site or item?

To check site permissions in SharePoint Online, follow these steps:

• Navigate to the SharePoint site that you want to check permissions for.
• Click on the “Settings” icon in the top-right corner of the page, and then click on “Site settings” in the menu that appears.
• In the “Site Settings” page, click on the “Site permissions” link under the “Users and Permissions” section.
• On the “Site permissions” page, you will see a list of all the users and security groups that have been granted permissions to the site, along with the permission levels assigned to them.

Similarly, to check permission on a list or library, do the following: Click on the name of the list or library. This will open a pop-up window that displays the specific permissions granted to the list or library. Note that to view the site, list, or library permissions, you must have the appropriate permissions yourself.

How do I change permissions in SharePoint?

To change permissions in SharePoint:

• Navigate to the site, list, or library where you want to change permissions.
• Click on “Settings” and then select “Site Permissions” or “Library Settings” > “Permissions for this document library”.
• Choose the user or group whose permissions you want to edit.
• Click on “Edit User Permissions” and select the appropriate permission levels (e.g., Read, Contribute, Edit, Full Control).
• Click “OK” to apply the changes.

It is important to carefully manage permissions in SharePoint Online to ensure that only authorized users have access to the resources they need. Administrators should regularly review the permissions granted to users and groups to ensure that they are appropriate and up-to-date.

How do I create a permission report in SharePoint? There are several different ways to generate a report on permissions in SharePoint Online:

• Use the built-in permissions report: SharePoint Online includes a built-in permissions report that allows you to view a list of all the users and security groups that have been granted permissions to a site, along with the specific permissions that have been granted to each user or group. To access the permissions report, go to the site settings page, click on “Site permissions” under the “Users and Permissions” section, and then click on the “Check Permissions” button. This will open the permissions report, which displays a list of all the users and security groups that have been granted permissions to the site.
• Use the SharePoint Online Management Shell: The SharePoint Online Management Shell is a Windows PowerShell module that allows you to manage and automate tasks in SharePoint Online. You can use the Management Shell to generate a report on permissions for a specific site, list, or library. To do this, you must run a script that retrieves the permissions for the desired site, list, or library and outputs the results to a CSV file. There are several scripts available in this site that can be used to generate a permissions report using the Management Shell.
• Use a third-party tool: There are several third-party tools available that can be used to generate reports on permissions in SharePoint Online. These tools typically offer a variety of features and options for generating and customizing reports and may be more suitable for larger organizations with complex permissions structures. Some examples of third-party tools that can be used to generate permissions reports in SharePoint Online include ShareGate, AvePoint, etc.

Regardless of the method you choose, it is important to regularly review and update permissions to ensure that users have the appropriate level of access to the resources they need. This can help to ensure that permissions are up-to-date and that unauthorized access to sensitive information is prevented. You can get SharePoint Online site and subsites permission using PowerShell with my other script: SharePoint Online: Permissions Report using PowerShell

Export SharePoint Online Site/List/Folder permissions using PowerShell

You can use PowerShell scripts to export permissions for a specific site, list, or library in SharePoint Online. This script connects to SharePoint Online using PowerShell, retrieves the permissions for the specified site, list, or library, and exports the permissions to export into a CSV file: Export SharePoint Online permissions using PowerShell

Have you ever wanted to clone permissions from an existing user to a new user or copy permissions between SharePoint document library, list, or folder objects? Well, It can be a tedious process if you have to do it manually, and there are no easier ways to do this without using 3rd party tools. Luckily, PowerShell can help you to ease up on this task. To copy an existing user’s permissions, You have to look through all the objects and then grant permission to the new user.

• How to copy Permissions from One User to Another user in SharePoint Online?
• How to Copy Permissions from One List to Another in SharePoint Online using PowerShell?
• How to Copy Permissions from One Folder to Another in SharePoint Online using PowerShell?

To delete all unique permissions in SharePoint Online and revert to the inherited permissions from the parent site, follow these steps:

• Navigate to the SharePoint site where you want to delete the unique permissions for.
• Click on the “Settings” icon in the top right corner of the page, and then click on “Site settings” in the menu that appears.
• On the “Site permissions” page, click on the “Stop Inheriting Permissions” button.
• In the “Confirm Stop Inheriting Permissions” dialog, click on the “OK” button to confirm that you want to delete the unique permissions and revert to the inherited permissions from the parent site.

Note that this action will delete all unique permissions for the site, including any custom permission levels that have been created. Please note, when deleting unique permissions, as this action cannot be undone. It is generally a good idea to create a backup of the site before deleting unique permissions, in case you need to restore the permissions at a later date.

It is also important to note that deleting unique permissions will not remove any users or security groups from the document library. If you want to remove specific users or security groups from the document library, you will need to do this separately by going to the “Permissions” page for the document library and revoking the permissions for the desired users or groups.

More in removing unique permissions from all objects in a SharePoint Online site collection: Delete all unique permissions in SharePoint Online

Grant Access to External users in SharePoint Online

In addition to granting permissions to users and groups, SharePoint Online also allows administrators to set permissions for external users. External users are users who do not have a Microsoft 365 account and do not belong to the organization’s active directory. To start with, make sure you enabled external sharing by following the steps to Enable External user access in SharePoint Online

To grant permissions to an external user, the SharePoint administrator must first set the sharing settings for a site collection, and then based on the settings configured, the external users can be added directly to the site or Invite Guest users to Azure Active Directory to gain access to a site, list, library, or item. You can also use PowerShell to add External Users to SharePoint Online

Once shared, The external user will receive an email notification with a link to the shared file or folder, and will be able to access it using that link.

If your external sharing settings are set to “Anyone”, you can share a file or folder anonymously with any user. When you anonymously share a file or folder, anyone with the link can access it without entering credentials. You can share a file or folder in SharePoint Online with anonymous users by following these steps:

• Navigate to the file or folder you want to share in SharePoint Online.
• Right-Click on the item and click on the “Share” button.
• In the link settings, select “Anyone with the link” and enter the email addresses of the users to get a link.
• Select the permissions you want to grant anonymous users from the dropdown menu (e.g., Edit, View).
• Click “Send”.

This will create a unique link that you can share with anonymous users, who can access the file or folder using that link.

More Here: How to Share a File or Folder for Anonymous Access in SharePoint Online?

Site collection administrators in SharePoint Online

A site collection administrator in SharePoint Online is a user who can manage the whole site collection and all of its subsites. They can add and remove users, change permission, create new subsites, and customize the look and feel of the site collection. They also have access to all the content within the site collection, including documents and lists. As an administrator, they can manage the settings for the site collection, including security and permissions.

You can add or remove users to Site collection administrator roles, Export a list of site collection admins, etc., as required. More here: Managing site collection administrators in SharePoint Online

As the SharePoint Online administration is done by people other than Tenant Admin (or Global Administrator!) in most companies, You may need to delegate Office 365 roles so. To add a SharePoint Online administrator in Office 365, follow these steps:

• Sign in to your Office 365 account as a global administrator.
• Go to the Microsoft 365 admin center at https://admin.microsoft.com
• In the left navigation, go to “Users > Active users”.
• Click the user that you want to add as a SharePoint Online administrator.
• On the “User details” page, click “Edit” next to “Roles”.
• Under “Admin roles”, select “SharePoint administrator” from the dropdown list.
• Click “Save”.

The user will now have SharePoint Online administrator permissions, and will be able to manage SharePoint Online sites and content. You can also use PowerShell to add a SharePoint Online Administrator: How to Assign the SharePoint Online Administrator Role?

Here are some best practices for managing permissions in SharePoint Online:

• Use security groups to manage permissions: Instead of assigning permissions directly to individual users, it is generally best practice to create group to manage permissions. This allows you to easily manage access for large numbers of users at once and makes it easier to make future permissions changes.
• Use the least privilege: When assigning permissions, it is important to follow the principle of least privilege, which means only granting the minimum level of permissions necessary to perform a specific task. This helps to reduce the risk of unauthorized access to sensitive information.
• Use custom permission levels sparingly: While custom permission levels can be useful in certain situations, it is generally best practice to use the built-in permission levels whenever possible. This helps to ensure that permissions are consistent across the site and makes it easier to understand and manage permissions.
• Use item-level permissions judiciously: While item-level permissions can be useful in certain situations, they can also make it more difficult to manage permissions overall. It is generally best practice to use item-level permissions sparingly and to use them only when absolutely necessary.
• Regularly review and update permissions: It is important to regularly review and update permissions to ensure that users have the appropriate level of access to the resources they need. This can help to ensure that permissions are up-to-date and that unauthorized access to sensitive information is prevented.
• Use site-level permissions to control access to subsites: When creating a new subsite within a SharePoint site, it is generally best practice to use site-level permissions to control access to the subsite. This helps to ensure that the permissions for the subsite are consistent with the permissions for the parent site.
• Use list and library permissions to control access to specific content: If you want to give certain users access to specific content within site, but not to the entire site, it is generally best practice to use list and library permissions to control access to the specific content. This allows you to easily manage access to specific content while still maintaining control over the overall site.

While SharePoint provides powerful tools for managing access to resources, it’s important to use them correctly to avoid common mistakes. Here are a few mistakes to avoid when managing SharePoint permissions:

• Giving users more permission than they need: This can lead to users accidentally making changes they shouldn’t, or even intentionally causing damage to a site or site collection.
• Using default permission levels without understanding them: While the default permission levels in SharePoint are useful, they may not be enough for your organization’s needs. Make sure you understand what each level allows before using it.
• Not regularly reviewing permissions: As your organization grows and projects change, so too will your permission needs. Regularly reviewing and updating permissions can help prevent security breaches and ensure that users have the access they need to do their jobs.

In conclusion, SharePoint Online permissions are important for managing and organizing content within a SharePoint site. By assigning appropriate permissions to users and groups, site administrators can control who has access to specific content and what actions they can perform on it. It is important to carefully consider the permissions that are granted to ensure that users have the access they need to perform their tasks, while also protecting sensitive information. By carefully managing permissions, administrators can ensure that their teams have the access they need to collaborate effectively, while also protecting the security and integrity of their organization’s data.

SharePoint offers several permission levels for users to access and interact with sites and content. These include Full Control, Design, Edit, Contribute, Read, Limited Access, and View Only. Each level grants different levels of access and control over the site and its content.

To find the permission levels link in SharePoint, you need to go to the site settings and click on “Site permissions.” From there, you can click on “Permission levels” to view and manage the different levels of access for users and groups in your SharePoint site.

The “Restricted View” permission level in SharePoint allows users to view items, but not edit, delete, add new items, download or print them. This can be useful for situations where sensitive information needs to be shared with certain users, but you want to limit their ability to distribute or copy that information.

SharePoint permissions usually take effect immediately after they are granted or changed. However, in some cases, like in hybrid environments, it may take time for the changes to be fully propagated throughout the system. This delay is usually due to synchronization intervals.

Yes, SharePoint permissions are cumulative. This means that if a user is a member of multiple groups, they will have the combined permissions of all the groups they belong to. Similarly, if they are granted multiple permission levels, the highest takes precedence.

Assigning users to relevant groups simplifies permission management. You can grant permissions to the entire group instead of individual users, streamlining the process.

Yes, you can grant “Guest” access to specific users or groups outside your organization. This allows external collaboration while controlling their access level.

Teams members automatically inherit some SharePoint permissions based on their team roles. However, you can still manage granular permissions within SharePoint itself.

While SharePoint does not natively support field-level security, you may achieve similar functionality using third-party tools or PowerApps.

Related Posts

• ← Office 365: How to Find All Disabled users using PowerShell?
• How to Find the Owner of a Microsoft Forms? →

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

One thought on “ SharePoint Permissions – A Comprehensive Guide! ”

Comprehensive and thorough. Great guide.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of new posts by email.

SharePoint Permissions Management – SharePoint Role Assignment

Last updated: May 22, 2023

Table of contents

This blog has been prepared by our dear friend Agnes Molnar, a SharePoint Server MVP . We will post it in two parts, this is the first part and we are sure it will be interesting and useful.

Agnes Molnar is an International Consultant, ECM & Search Expert, and SharePoint Server MVP. She has been working with SharePoint technologies since 2001, and has developed dozens of SharePoint and FAST implementations for commercial and government organizations throughout the world. A co-author and contributor to several SharePoint books, Agnes is a regular speaker at technical conferences and symposiums around the globe, read more on her blog .

Security is always one of the most critical points in any Content Management System. Knowing who I am and what I can see or do in the system is essential. This sounds obvious but actually it’s always very complex—in SharePoint 2013 as well.

SharePoint Security Steps

When talking about security, we can identify two major steps in every system: authentication and authorization.

• Authentication is the process when the system identifies me, gets answer to the question “Who are you?”, and verifies if you really are who you say you are.
• Authorization is the process of verifying what you can see or do, or in other words —“you are permitted to do what you are trying to do.” Authorization always presupposes successful authentication.

As SharePoint does role based on access control, the next thing to be aware of and understand is the role assignment. SharePoint role assignment has three main components in SharePoint:

• User or Group – the person or group of persons who gets the role.
• Security Scope – the subject
• Permission Level – the level of permission(s) the user or group is assigned to the subject.

Let me show you some examples:

• User : Jeff
• Security Scope : this document
• Permission Level : edit
• User : Chris
• Security Scope : this list
• Permission Level : change the settings (admin)
• Groups : HR, Marketing
• Security Scope : this site
• Permission Level : read
• User : Gary
• Security Scope : these files

SharePoint Role Assignment

In SharePoint, there are several levels of available security scopes. These levels are organized into a well-defined hierarchy; therefore, we have a very clear inheritance — by default, all the permission settings are inherited from the parent level to its children.

These levels are:

• List/Library
• Item/Document

It’s also worth noting that we have permission inheritance by the site hierarchy as well, by default; every site inherits the role assignment from its parent .

In this case, using the default settings, every list and document library inherits the role assignments from the site (and the site inherits from its parent site), as well as the folders, subfolders and items inside. These settings can be, for example:

• Group Marketing has contribution (read or write) access to everything;
• Group Sales has read access to everything;
• Jeff, Joe and Jim have contribution access to everything (regardless of their group membership).

If you use the default settings (inheritance) on each level, these groups will have read (Marketing) and contribution (HR) access to every list and library, every folder and subfolder, every item and document. For example, if you have a document library “Campaigns” with a folder for each year (2013, 2012 etc.), the Marketing group, Jeff, Joe, and Jim can add new documents, open and edit the existing ones, while the members of the Sales group will be able to read these documents but not modify them.

But of course, you can break this inheritance by defining custom SharePoint role assignment , on any level. In this case, you have the default role assignment on the site level (either set on this site or inherited from its parent site), but it’s not inherited to, and below the folder where you create the custom role assignment.

For example, let’s say we have the very same role assignment on site level:

But you have a specific folder in the document library “Campaigns” for the current year (2014) where you want the group ‘Sales’ to have contribution access as they might have to add or modify the current documents. In this case, you have to break the permission inheritance. The default role assignment after this will be identical with the current settings, but you can change it according to your needs:

• Group Sales has contribution (read or write) access to everything;

Of course, you can do this on any level. On one hand, this is good as you can have as custom and complex permission settings on your content as you want. On the other hand, it’s a very big challenge and might be a huge risk due to its complexity.

Note : In SharePoint 2013 and Office 365, it’s very simple to share documents or even folders, lists and libraries with your colleagues. This makes the end users’ lives much easier, but can be a real challenge for the administrators.

SPDockit is a great solution that can be very useful during the SharePoint permissions management process. Use it to explore or create many useful and very detailed SharePoint permissions reports .

Continue reading part two…

Discover, secure, and control M365

Manage your company’s Microsoft 365 ecosystem with Syskit Point, a scalable platform that will help you govern and secure your environment while giving you deep visibility into your entire inventory.

Subscribe to our Newsletter

Thank you for joining our community!

Related Posts

Server performance issues: Detection and causes

A comprehensive guide to SharePoint Site templates

SharePoint and GDPR compliance - Classify, prepare and protect

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Setting permissions in SharePoint 2013 Workflow

I'm working on a SharePoint Workflow as a proof of concept for one of our clients. The requirements are that it must be accomplished as a SharePoint 2013 workflow with no custom code, created only in Designer.

I created a List workflow with custom Approvers and Processors defined in separate lists, as suggested by Brij Dammani in this article . The workflow is working quite well - except there is no security at all; anyone with edit rights can edit the Workflow Tasks list no matter to whom the task is assigned, and complete their task and advance the workflow.

From my searches there are two main suggestions to add security. One to use a second SharePoint 2010 workflow, which uses the deprecated Set Item Permissions action, to lock down the list item to the person whose task it is. The second is to roll my own/import a custom SharePoint 2013 action to manipulate the permissions. Obviously both of these break the requirements. My own idea (a messy one) is to have the workflow move items to the lists with the correct permissions. As my Approvers are set dynamically via a list this makes maintenance difficult.

My question is: What is the preferred way of managing permissions in SharePoint 2013 Workflows?

Surely there must be a way to lock down the tasks to the person to whom it is assigned without having to use deprecated actions or custom code??

• sharepoint-designer

3 Answers 3

I've looked into this a lot and I think I can answer the original question. It is my understanding that SharePoint 2013 has removed impersonation in favour of using the new App Step. The idea behind this is to create a virtual app that represents workflows, then to give permissions to this virtual app. The short version of how to do this is below, Microsoft themselves explain here .

First, activate the feature on the site by going to Site Settings > Site Features and set the feature "Workflows can use app permissions" to Active.

Next, go to Site Settings > Site App Permissions. There should be a virtual app named "Workflow" there. Copy the client section of the App Identifier - this first Guid, between "|" and "@"

Grant permission to the app by going to http://{hostname}/{catalog site}/_layouts/15/appinv.aspx. Paste the App Id, click Lookup. Then paste the following verbatim into the Permission Request XML. There are no placeholders in the Scope value above. It is a literal value. Enter it exactly as it appears here.:

<AppPermissionRequests> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /> </AppPermissionRequests>

• Click Create then Trust It to trust the app. Now, anything running inside an App Step will have FullControl permissions.

This doesn't actually help me lock down the tasks, as there is no custom action that can set the item permission on the task list. To do exactly what I want, I need a custom action that can set item permissions. Still, it's good to know that it's not possible OOTB.

Also noteworthy, as a workaround I tried creating two lists, two workflows (one on each list) with two different task lists, with different permissions. The idea being that the one workflow would create an item in the second list, kicking off the second workflow. The users would then only be able to approve those items in their own task list. However this did not work. List items created by workflows do not kick off that list's workflow as explained in this msdn article: 2013 Workflow not triggered on item created with a workflow . Nor can a SP2013 workflow start another SP2013 workflow with OOTB actions. An SP2013 workflow can only start an SP2010 workflow.

I've come to the conclusion that what I'm trying to do is impossible in SP2013 workflows OOTB. If anyone can correct me I'd be very appreciative.

• Really late to comment. Somehow this post caught my attention just now. Did you try to create a designer workflow using SharePoint 2010 platform? In SP 2013 you can still create 2010 workflows and the impersonation step is available in those workflows –  Unnie Commented Feb 11, 2016 at 15:06

If you want to restrict the users to have permission in only their tasks(ie Assigned to me), you have to use SharePoint 2010 workflow and replace permission on that item to allow only Assigned user edit rights on that item . Choose SharePoint 2010 workflow platform while creating workflow , if you are trying this in a SharePoint 2013 site.

Another workaround is to edit all the views in the Task list and filter to show only those items which has Assigned column value = [Me] . But if the users have rights to edit the views they can override this settings or create new view to see other's items.

Edit: Disdavantage using SP 2010 workflow is that it runs under the privilege of the user who created the workflow.So it can break if user privileges are lowered or user left the company.

• Thanks Unnie - Ok, so there is no way to do this with a SharePoint 2013 workflow? I did add the filter, as was suggested in the original article to which I linked. However, you can still click through to that task by opening the list item and clicking the task under Tasks. I expect there are many other ways to get to a task to edit it if it is merely hidden, so merely hiding it is not adequate security. –  08Dc91wk Commented Aug 21, 2014 at 12:46
• No basically SP 2013 workflows does not have impersonation step. So you cannot do this in 2013 workflows –  Unnie Commented Aug 21, 2014 at 12:57
• Thanks Unnie, wow that seems like a serious step backwards - if we can't manage permissions without custom code we're going to struggle to convince our client to use SP 2013 workflows. I will look into creating a 2010 workflow with SPD2013, the option to do so isn't immediately obvious... –  08Dc91wk Commented Aug 21, 2014 at 13:02
• Unnie is correct. It's not an elegant solution, but it'll work most of the time. You have to have some sort of trust in the users. The fact is if they cause malfeasance, it's auditable. If you can't accomplish the same functionality, it may also be worth looking at third party workflow products as they can easily achieve your requirements. –  SkinnyE Commented Feb 11, 2016 at 14:38

We can also use "If" actions to evaluate who is the currently logged on user and compare that with the item and then allow or disallow updates.

• 1 Thanks Joy - the task is edited/approved as a list item though, so I think this needs to be done as a permission. The problem is that after the task is assigned, anyone with edit rights may complete the task. There doesn't seem to be an action for the workflow to disallow access to edit the list item for users who are not the assigned approver. –  08Dc91wk Commented Aug 21, 2014 at 12:50

Your Answer

Sign up or log in, post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged 2013 sharepoint-designer workflow or ask your own question .

• Featured on Meta
• Upcoming sign-up experiments related to tags

Hot Network Questions

• What is the meaning of the angle bracket syntax in `apt depends`?
• Should mail addresses for logins be stored hashed to minimize impact of data loss?
• A chess engine in Java: generating white pawn moves
• Have children's car seats not been proven to be more effective than seat belts alone for kids older than 24 months?
• Applying Bayesian probability to a generalized Monty Hall problem
• Visit USA via land border for French citizen
• Why was William Tyndale executed but nothing happened to Miles Coverdale?
• What does Athena mean by 'slaughtering his droves of sheep and cattle'?
• Have there been any scholarly attempts and/or consensus as regards the missing lines of "The Ruin"?
• Synthesis of racemic nicotine
• Science fiction movie with one or more aliens on Earth and a puppet of a monster that can turn into an actual monster
• Why depreciation is considered a cost to own a car?
• Do IDE data lines need pull-up resistors?
• How do I get my D&D group to engage to a minimum
• "All due respect to jazz." - Does this mean the speaker likes it or dislikes it?
• An alternative way to solve a classic problem of combinatorics
• adding *any* directive above Include negates HostName inside that included file
• How will the ISS be decommissioned?
• What is the translation of misgendering in French?
• Can I tell a MILP solver to prefer solutions with fewer fractions?
• Why did Geordi have his visor replaced with ocular implants between Generations and First Contact?
• Why is completeness (as in Gödel completeness theorem) a desirable feature?
• Should I accept an offer of being a teacher assistant without pay?
• Diagnosing tripped breaker on the dishwasher circuit?

Consulting and developing on Office 365

SharePoint 2013 Workflow: Changing Permissions with REST Calls

SharePoint 2013 workflows do not have a default action to change item or list permissions. With the help of the call http web service action I was able to create multiple REST calls that can interact with the permission. In this blog post describes multiple workflows for specific interactions involving permissions. The solutions where build on SharePoint Online (Office 365) using SharePoint 2013 workflows.

Breaking the inheritance on current item

This workflow will break the inheritance of the item the workflow is running on. It is possible to change the regURL to break the inheritance of different items. If needed set the actions within an App step to make sure the workflow has the required permissions, see the blog post SharePoint 2013 Workflow: App step and App Permissions .

• Create a SharePoint 2013 workflow
• Create a dictionary variable called JSONRequestHeader

• Add the action Build Directory, select JSONRequestHeader as the variable

• Add the Call HTTP web service action to the workflow and set the “this” to the regURL
• Set RequestHeaders to Variable: JSONRequestHeader

Set permissions on current item

This workflow will set permissions on the item the workflow is running on. It is possible to change the regURL to set permission on different items. If needed set the actions within an App step to make sure the workflow has the required permissions, see the blog post SharePoint 2013 Workflow: App step and App Permissions .

• Add the action Build dictionary, select JSONRequestHeader as the variable
• In this example we will grant the default members group contribute permissions.
• Add an step in the workflow called: Set Role Members
• Then store the following URL to the variable regURL [%Workflow Context:Current Site URL%]_api/lists/getbytitle('[%Worklfow Context:List Name%]')/items([%CurrentItem:ID%])/roleassignments/addroleassignment(principalid='769',roleDefId=1073741826)
• The roleDefID sets the type off permissions
• The principalId is the ID of the permissions group, this is an unique id. You will need to find the principalId for your SharePoint Group, see the chapter  Get SharePoint Groups principalId to learn how to find the principalId.
• Add the Call HTTP web service action to the workflow and set the “this” to the regURL

Get SharePoint Groups principalId

• Open the SharePoint site where the SharePoint Groups are present
• Create the following URL [Current Site URL]/_api/lists/getbytitle('[List Name]')/items([Item ID])/roleassignments/
• In the source of the page you can find the principalId’s
• The principalId’s are located between the following tag <d:PrincipalId m:type="Edm.Int32">769</d:PrincipalId>

Remove all permissions on current item

This workflow will remove all permissions on the item the workflow is running on. It is possible to change the regURL to remove all permission on different items. If needed set the actions within an App step to make sure the workflow has the required permissions, see the blog post SharePoint 2013 Workflow: App step and App Permissions . With this workflow we will first break the inheritance, then get all permissions/roles on the item and then remove the roles. Only site collection administrator and farm admins will be able to access the item when the workflow has run.

• Create a dictionary variable called JSONDeleteHeader
• Create a dictionary variable called JSONResponse
• Create a dictionary called AllRoles
• Create a dictionary called RoleItem
• Create a string variable called regURL
• Create a integer called principalId
• Create a integer called Index
• Create a integer called countRoles
• Create a number called calc
• Add the action Build Dictionary, select JSONRequestHeader as the variable
• Add the action Build Dictionary, select JSONDeleteHeader as the variable

• The first step is to break the inheritance of the items, see above the chapter  breaking the inheritance on current item for the steps.
• The second step is to get all SharePoint Groups (Roles) that have permissions on the item.
• Store the following URL to the variable regURL [%Workflow Context:Current Site URL%]_api/lists/getbytitle('[%Worklfow Context:List Name%]')/items([%CurrentItem:ID%])/roleassignments
• Add the Call HTTP web service to the workflow and set the “this” to the regURL
• Set RequestType to HTTP Post

• The third step is to remove all the Roles
• Add a loop that runs repeatedly while: Variable:Index is less then Variable:countRoles
• Add the action Get an Item from a Dictionary, select from Variable: JSONResults, with output to Variable:roleItems and the following code d/results([%Variable:Index%])

• Then store the following URL to the variable regURL [%Workflow Context:Current Site URL%]_api/lists/getbytitle('[%Worklfow Context:List Name%]')/items([%CurrentItem:ID%])/roleassignments([%Variable:principalId%])
• Set RequestHeaders to Variable: JSONDeletedHeader

• Add the action Do Calculation select Variable:Index plus 1 and store the outcome in Variable: Calc

8 Replies to “SharePoint 2013 Workflow: Changing Permissions with REST Calls”

[%Workflow Context:Current Site URL%]/_api/lists/getbytitle(‘[%Worklfow Context:List Name%]’)/items([%CurrentItem:ID%])/roleassignments

[%Workflow Context:Current Site URL%]_api/lists/getbytitle(‘[%Worklfow Context:List Name%]’)/items([%CurrentItem:ID%])/roleassignments

That extra “/” after [%Workflow Context:Current Site URL%] in your instructions really threw me off and I had to painstakingly go through line by line to see what was wrong until I found it. Just wanted you to know so other folks do not wonder why it’s not working when they run it. I even tried log history to find the error but workflow doesn’t break the REST call and just goes on with the workflow. Once I changed it, works like a charm.

Thank you very much for your reply! I have changed it in the post.

Any idea how to simply change the group name (title) via REST in a SharePoint 2013 workflow?

Ho to change the current user permission on list item

Hi Sreenu, I asume you can do this with another API. But I don’t know which one you should use.

Hi Ben, “Remove all permissions on current item” when am doing this i got the below error saying that princeple id is not foud:

-1, System.ArgumentException Can not find the principal with id: 0.

Could you please help me here

Did you provide your the correct principal ID? You have to find the principal ID of the permission group and store that in the variable.

Is there a way to preserve permissions for the app step when deleting the permissions? my workflow deletes the permissions for the app step, and it can’t proceed with the rest of the workflow (running as app step)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Currently you have JavaScript disabled. In order to post comments, please make sure JavaScript and Cookies are enabled, and reload the page. Click here for instructions on how to enable JavaScript in your browser.

Privacy Overview

• TECHNOLOGIES
• An Interview Question

Permissions in SharePoint 2013 & Office 365 - Part 1

• Manpreet Singh
• Feb 11, 2015
• Other Artcile

Here you will learn about share which is a way to assign permissions to users to their sites in SharePoint 2013 & Office 365.

Welcome Readers. Share Yes “Share” assigns permissions. SharePoint 2013 and Office 365 have a platform of sharing as do social sites in today's technology. Share is a way to assign permissions to users of their sites.

• Invite people: Here you can, as it says, invite people to your site.

On the first box you can rovide the name and through user profile services it will fetch the user's details. On the second box, you can write a message for the user you are adding.

• The next tab has what to be shared with.

This tab will show you the name of the users this site has been shared with. Share your site and just keep learning.

• Office 365 Permissions
• SharePoint 2013
• SharePoint Permissions

SharePoint Framework (SPFx) A Developers Guide

SharePoint 2016: User Rights Assignments and Permissions

• Post author: admin
• Post published: January 19, 2018
• Post category: IT / Microsoft / SharePoint 2013 / SharePoint 2016 / Windows Server 2012

Installing SharePoint 2016 in a closed environment. Security controls are implemented using the GPO and it is very restrictive.Testing the installation before I implement on the production. Every steps of the installation I am getting all kinds of permission issue. I will be documenting all the issue that I encounter and how I resolved it.

• Running Product Configuration wizard, error out at step 5 with the following error:

Log Name: Application Source: SharePoint 2016 Products Configuration Wizard Event ID: 104 Task Category: None Level: Error Keywords: Classic User: N/A Computer: CONTOSOSP.contoso.com Description: Failed to register SharePoint services. An exception of type System.InvalidOperationException was thrown. Additional exception information: Cannot start service AppFabricCachingService on computer ‘.’. System.InvalidOperationException: Cannot start service AppFabricCachingService on computer ‘.’. —> System.ComponentModel.Win32Exception: A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration — End of inner exception stack trace — at System.ServiceProcess.ServiceController.Start(String[] args) at Microsoft.SharePoint.Win32.SPAdvApi32.StartService(String strServiceName) at Microsoft.SharePoint.Administration.SPWindowsServiceInstance.Start() at Microsoft.SharePoint.Administration.SPWindowsServiceInstance.Provision(Boolean start) at Microsoft.SharePoint.DistributedCaching.Utilities.SPDistributedCacheServiceInstance.Provision() at Microsoft.SharePoint.Administration.SPServerRoleManager.<>c__DisplayClass1.<ProvisionServiceInstance>b__0() at Microsoft.SharePoint.Administration.SPServerRoleManager.ConfigureServiceInstance(SPServiceInstance serviceInstance) at Microsoft.SharePoint.Administration.SPServerRoleManager.ConfigureServer(Boolean throwOnFailure) at Microsoft.SharePoint.PostSetupConfiguration.ServicesTask.InstallServices(Boolean provisionTheServicesToo) at Microsoft.SharePoint.PostSetupConfiguration.ServicesTask.Run() at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()

Resolution:  Farm service account must have the following user rights assignments – Generate Security Audit, Bypass Traverse Checking, Log on as a service.

2.  All option to provision new services under manage service applications grayed out. Central Admin does not display admin account login on the top of the browser. On the event viewer, following error logged in

Log Name: Application Source: ASP.NET 4.0.30319.0 Event ID: 1309 Task Category: Web Event Level: Warning Keywords: Classic User: N/A Computer: SPCONTOSO.contoso.com Description: Event code: 3012 Event message: An error occurred processing a web or script resource request. The requested resource ‘ZSystem.Web.Extensions,4.0.0.0,,31bf3856ad364e35|MicrosoftAjaxWebForms.js|’ does not exist or there was a problem loading it. Event time: 1/19/2018 4:08:16 PM Event time (UTC):  Event ID: 7a22414f7b594efc9911ac74be0c4197 Event sequence: 5 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/240423334/ROOT-1-131608696796766797 Trust level: Full Application Virtual Path: / Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\5318\ Machine name: SPCONTOSO Process information: Process ID: 3560 Process name: w3wp.exe Account name: CONTOSO\spfarm Exception information: Exception type: ZLibException Exception message: The underlying compression routine could not be loaded correctly. at System.IO.Compression.DeflaterZLib.DeflateInit(CompressionLevel compressionLevel, Int32 windowBits, Int32 memLevel, CompressionStrategy strategy)

3012 An error occurred processing a web or script resource request. The requested resource ‘ZSystem.Web.Extensions,4.0.0.0,,31bf3856ad364e35|MicrosoftAjaxWebForms.js|’ does not exist or there was a problem loading it. 7a22414f7b594efc9911ac74be0c4197 5 1 0 /LM/W3SVC/240423334/ROOT-1-131608696796766797 Full / C:\inetpub\wwwroot\wss\VirtualDirectories\5318\ SPCONTOSO 3560 w3wp.exe CONTOSO\spfarm ZLibException The underlying compression routine could not be loaded correctly. at System.IO.Compression.DeflaterZLib.DeflateInit(CompressionLevel compressionLevel, Int32 windowBits, Int32 memLevel, CompressionStrategy strategy) at System.IO.Compression.DeflaterZLib..ctor(CompressionLevel compressionLevel) at System.IO.Compression.DeflateStream.CreateDeflater(Nullable`1 compressionLevel) at System.IO.Compression.DeflateStream..ctor(Stream stream, CompressionMode mode, Boolean leaveOpen) at System.IO.Compression.GZipStream..ctor(Stream stream, CompressionMode mode) at System.Web.Handlers.ScriptResourceHandler.ProcessRequestInternal(HttpResponseBase response, String decryptedString, VirtualFileReader fileReader) at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContextBase context, VirtualFileReader fileReader, Action`2 logAction, Boolean validatePath) The type initializer for ‘NativeZLibDLLStub’ threw an exception. at System.IO.Compression.ZLibNative.ZLibStreamHandle.DeflateInit2_(CompressionLevel level, Int32 windowBits, Int32 memLevel, CompressionStrategy strategy) at System.IO.Compression.DeflaterZLib.DeflateInit(CompressionLevel c ompressionLevel, Int32 windowBits, Int32 memLevel, CompressionStrategy strategy) Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo) at System.IO.Compression.ZLibNative.ZLibStreamHandle.NativeZLibDLLStub.LoadZLibDLL() at System.IO.Compression.ZLibNative.ZLibStreamHandle.NativeZLibDLLStub..cctor() http://spcontoso:5432/ScriptResource.axd?d=MoSG-2iH7RsVnnX_62A0pY44zsDc6iPeRfGWtoDQii3gH1yZZ74e7oxxFyy_ZwpYmuMYyCrI9OPYO-c3sZkieE_vONlIyxlJC2F2p0LYgLMTCLiwlhvQiPlPzTRM0xtPqMKHNt1WIjjUEzbk7YCP_3dJ19GMMxpJ7ZmpJgMAEO2FnUWtgdbPsEx0RmNhI-e-0&t=ffffffffd416f7fc /ScriptResource.axd ::1 False NT AUTHORITY\IUSR 9 NT AUTHORITY\IUSR False at System.IO.Compression.DeflaterZLib.DeflateInit(CompressionLevel compressionLevel, Int32 windowBits, Int32 memLevel, CompressionStrategy strategy) at System.IO.Compression.DeflaterZLib..ctor(CompressionLevel compressionLevel) at System.IO.Compression.DeflateStream.CreateDeflater(Nullable`1 compressionLevel) at System.IO.Compression.DeflateStream..ctor(Stream stream, CompressionMode mode, Boolean leaveOpen) at System.IO.Compression.GZipStream..ctor(Stream stream, CompressionMode mode) at System.Web.Handlers.ScriptResourceHandler.ProcessRequestInternal(HttpResponseBase response, String decryptedString, VirtualFileReader fileReader) at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContextBase context, VirtualFileReader fileReader, Action`2 logAction, Boolean validatePath)

Resolution: You cannot run SharePoint successfully if the FIPS 140-2 is enabled on the server. The server on which you are installing SharePoint, you must exclude it from GPO that applies FIPS 140-2 (cryptography module).Follow the my post   https://www.bomzan.com/2018/01/11/guide-to-exclude-single-user-or-computer-to-exclude-from-the-group-policy/

You Might Also Like

Guide to exclude single user or computer to exclude from the group policy, migrating active directory certificate service (acds) from windows server 2012 r2 to windows server 2019, nessus scan: symantec endpoint not disabling windows defender antivirus.

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

how to give rights to user in sharepoint 2013

I am working on sharepoint 2013.I have 5 site pages which are linked to top links bars.I want to on 1 st Link..Named Ecommerce URL: http://www.123.com is linked to it and opens page which has 5 webpart.

What i want when some user suppose Richard click on the Ecommerce Links he will able to see the webpart for which he have right.I have to give him rights to view only 3 webparts out of 5.Can it be possible.

What solution i am thinking is to make 2 Usergroup

Example 1)abc-in abc add 1 user with name of nokia 2) xyz -in xyhz add 1 user name Sony

Now I will give rights to abc when he clicks on Ecommerce to view only 1,2,3 Webpart out of 5 and to xyz user to give rights of 3,4,5 webparts.

Now how do I give rights to a user to see specific Webpart..I dont know that

• sharepoint-2010
• sharepoint-2013
• sharepoint-designer

You can set the Target Audiences (Under Edit Web Part>Advanced) for each Web Part on the page.You can specify Users or Groups in it, When the page is rendered, the Web Part appears only to the people who are members of the audiences you specified.

Reference and Steps

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged sharepoint sharepoint-2010 sharepoint-2013 web-parts sharepoint-designer or ask your own question .

• Featured on Meta
• Upcoming sign-up experiments related to tags
• Should we burninate the [lib] tag?
• Policy: Generative AI (e.g., ChatGPT) is banned
• What makes a homepage useful for logged-in users

Hot Network Questions

• Which numbers are sums of finite numbers of reciprocal squares?
• How will the ISS be decommissioned?
• Weird behavior by car insurance - is this legit?
• Can I tell a MILP solver to prefer solutions with fewer fractions?
• Aligning definition of terms of a sequence
• How are "pursed" and "rounded" synonymous?
• "All due respect to jazz." - Does this mean the speaker likes it or dislikes it?
• Is it legal to discriminate on marital status for car insurance/pensions etc.?
• How do I pour *just* the right amount of plaster into these molds?
• DSP Puzzle: Advanced Signal Forensics
• Did James Madison say or write that the 10 Commandments are critical to the US nation?
• How to patch command to work differently in math mode?
• Do IDE data lines need pull-up resistors?
• Does Not(A and not-A) = Not(A nand A) in intuitionistic logic?
• Why is there no catalog of black hole candidate?
• How can I take apart a bookshelf?
• Why depreciation is considered a cost to own a car?
• Huygens' principle and the laws of reflection/refraction
• Should mail addresses for logins be stored hashed to minimize impact of data loss?
• Were there engineers in blimp nacelles, and why were they there?
• How can a landlord receive rent in cash using western union
• Why is completeness (as in Gödel completeness theorem) a desirable feature?
• Could space habitats have large transparent roofs?
• Why only Balmer series of hydrogen spectrum is visible?

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

User Rights Assignment

• 1 contributor
• Windows 10

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local device by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see Configure security policy settings .

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Related topics

• Security policy settings reference

Additional resources