Basic Permissions Configuration for SharePoint – A How To Guide
In today's blog we're breaking down how basic permissions work. What works, what doesn't, and more! No matter if you're a SharePoint beginner or expert, it's always a benefit to know what you're doing with permissions.
No matter where you're at in your SharePoint journey, knowing how permissions work and what to avoid will save you from a lot of turmoil. In this case, one old-fashioned rule still rings true: Keep It Simple Stupid (the K.I.S.S. method).
Being a site or team owner is a big responsibility. Not only are you creating content for your users, you’re also the enforcer of who has access to it. It’s important that you understand not only how permissions work in SharePoint, but how to “set and forget” them so you can go back to curating content or other more important work. I’ll lay out 5 basic principles that will make configuring permissions a breeze.
Keep Permissions Simple (Stupid)
Every organization is structured uniquely, so aligning the SharePoint permissions model to your various departments can feel like quite a juggle. Both new and veteran users can run into many roadblocks:
- Site owners don’t always know how permissions cascade down site structures.
- Managers set custom permissions all over just to “fix” access issues.
- Users are unfamiliar with how modern flattening can break out your content spaces instead of breaking permissions inheritance.
- You are at the mercy of your weakest user, so you have to keep an eye on them.
The obstacles above can make or break the SharePoint experience for owners and visitors alike, and they can keep causing headaches down the road. To insulate you from the ultimate SharePoint permissions management nightmare, we’ve compiled the best practices below to ensure your job as access enforcer is as easy as possible.
1. Lock Things Down
SharePoint is one of the safer options you can choose for your internal communication and collaboration needs. It offers things like encryption and two-factor authentication, but it’s your job to not only outline what your users have access to, but also determine what they can and can’t do. Perhaps the best first step is to ensure that only site owners can set permissions (as opposed to site members being able to add other site members, for example) and to disable invitations and access requests. Disabling these features keeps users from sharing outside of your organization and stops users pinging you to get into a site that they don’t need to be in.
Some additional rules to consider:
- Keep the groups that can do the most in your site small. We recommend a minimum of two site owners per site and sometimes that’s a good maximum as well.
- People like to share and create shortcuts. While this feature seems friendly, generating access links can break inheritance and set limited access across sites.
2. Create New Sites to Break Up Content, Not Permissions
Too often SharePoint users are reluctant to create several sites and try to do everything in one site collection, but finding and following sites is easier than ever now. You should get familiar with navigating between sites and develop a sense for creating dedicated site collections for each departmental site owner operating in your organization's SharePoint space. It could even be argued that one department needs more than one site, if the user managing HR forms is different than the user managing HR templates, for example.
The opportunity to organize your content across multiple sites means you can do away with custom permissions set within a site. Think about breaking out your data across multiple site collections and knowing that each one you visit could simply have a site owner and a bunch of members or visitors configured in one spot. Simply put: If you store shared content with different owners together, then you're stuck breaking permissions inheritance to accommodate them because they didn’t get their own site collection.
💡 Pro Tip #1: The same argument above can be applied to folder structures within libraries. Too often users have been selecting a library and then clicking down through several folders just to find a document.
💡 Pro Tip #2: If you are in the middle of modernizing or simply setting up SharePoint sites for the first time, don’t forget to classify your content correctly. Dedicating all-employee content like news and forms to a communications site and reserving collaborative project content to various team sites is key to determining how many site collections you need for both spaces. Check out my video on the perfect site to help guide you.
3. Stick with the Default SharePoint Permissions Groups
Every site you create in SharePoint automatically comes with a site owners' group, a site members group and sometimes a site visitors group. These default permissions groups are set with their own specific levels of access so sticking to those and familiarizing yourself with the differences between Full Control, Contribute, and Read access is a big step towards keeping a handle on managing permissions across your entire organization. While additional types of permissions exist and can be customized further, straying from the big three standards can really blur the lines of how your access is set up. Regardless of the type of site you’re working on, stick to the defaults.
Understanding and accepting that SharePoint cascades permissions through a site structure is the other facet that owners should honor. Document files inherit the permissions that are set on the library they're in, and those libraries inherit the permissions that are set on the site. No matter what type of site you’re using, we advocate for site owners to maintain as much of this configuration as possible so that they can manage their users' access from the “top-level” of a site collection rather than navigating between subsites and folders within libraries to check other areas where inheritance has been broken and managed separately.
You can grant access for individual users or groups and also create shared links, but it’s hard to see when giving access breaks permissions. At best, if you’ve proactively given the intended users access to the spaces they need, then sending a link can be a great option, but if you don't understand the difference between breaking inheritance and adding a permissioned link then learn it and be aware. If you find yourself generating a ton of access links, then it may be time to hit the stop sharing button and consider another strategy.
Think of breaking inheritance and setting custom permissions everywhere like constantly swimming upstream: it’s a losing battle and will only cause you more places to troubleshoot anytime a user has an issue with access. I promise you’ll go crazy trying to figure out why users can’t get to something they should (or even worse, get to something they shouldn’t). This feeling of aimlessness compounds even more when you create new permissions groups with permissions other than the “big three,” so keep it simple (stupid) or permissions management is all you’ll be doing with your time.
4. Assign Permissions with Active Directory Groups
I mentioned avoiding custom SharePoint groups because many site owners aren’t involved with how users in their Active Directory are set up. Your organization is probably already creating and managing AD groups, so you should be using them wherever possible within SharePoint to keep things simple and clean.
This does more than simply keep your permissions setup simple. If your IT group is onboarding employees to your organization, they’ll likely create those users in Active Directory groups. If you added the correct groups to your site, they should give access to users automatically and revisiting site permissions won’t be a regular occurrence for you.
💡 Pro Tip #3: You can always check user permissions from any site level all the way down to a file. Checking permissions on a specific user gives you insight into what access they have, sometimes from multiple groups they belong to.
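The inheritance cascade from section 3 and the group-based grants from section 4 can be checked mechanically once you have a permissions inventory of a site. The Python below is an added example, not part of the original post: the inventory is constructed sample data, and the paths, group names, user address and record layout are assumptions made for illustration.

```python
# Constructed sample inventory (paths, groups and users are made up).
# Each entry: path -> (has unique permissions?, [(principal, kind, level), ...]).
# An object without unique permissions inherits from its nearest ancestor that has them.
INVENTORY = {
    "/sites/hr": (True, [("HR Owners", "group", "Full Control"),
                         ("HR Members", "group", "Contribute"),
                         ("HR Visitors", "group", "Read")]),
    "/sites/hr/Forms": (False, []),
    "/sites/hr/Forms/Benefits": (True, [("HR Owners", "group", "Full Control"),
                                        ("jdoe@example.com", "user", "Contribute")]),
    "/sites/hr/Forms/Benefits/plan.docx": (False, []),
    "/sites/hr/Templates": (True, [("HR Owners", "group", "Full Control"),
                                   ("HR Reviewers", "group", "Approve")]),
}
BIG_THREE = {"Full Control", "Contribute", "Read"}  # the levels the article says to stick to


def effective(path, inventory=INVENTORY):
    """Return (source_path, grants): the ancestor whose permissions apply to `path`."""
    while path:
        unique, grants = inventory.get(path, (False, []))
        if unique:
            return path, grants
        path = path.rsplit("/", 1)[0]  # step up one level: file -> folder -> library -> site
    raise LookupError("no ancestor with unique permissions found")


def audit(root, inventory=INVENTORY):
    """List every place that departs from 'manage everything at the top level'."""
    findings = []
    for path, (unique, grants) in inventory.items():
        if not unique:
            continue  # inherits, so nothing is managed separately here
        if path != root:
            findings.append((path, "inheritance broken below the site"))
        for principal, kind, level in grants:
            if level not in BIG_THREE:
                findings.append((path, f"non-default level '{level}' for {principal}"))
            if kind == "user":
                findings.append((path, f"direct grant to user {principal}"))
    return findings


if __name__ == "__main__":
    for path, issue in audit("/sites/hr"):
        print(f"{path}: {issue}")
```

Every finding is a location an owner would otherwise have to remember and troubleshoot separately; a site that follows the five principles produces an empty list.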
5. Keep Team Sites Permissions Even Simpler
Speaking of team sites, access to project spaces in team sites should be even more simple (stupid). In a team setting, you’re the owner and everyone else is a member with the same rights to add, update, and delete things. Since you can retrieve anything accidentally deleted from the recycle bin, this is a good system to keep.
In the modern Teams app experience, you’re actually managing an interface built on top of any other SharePoint team site. When you add a member to the team, they’re added to the site member group in SharePoint. When someone adds a channel to the team and puts a file in the chat, SharePoint creates a folder in the document library of the team site and all members have contribute access to it. All this syncing behavior is intended to work for you from the Team, so avoid meddling with permissions on the SharePoint site end as much as possible.
Inviting vendors or suppliers as guest users to your shared spaces has its benefits, but internally if you find yourself or others asking about unique permissions for your users or sequestering content to a uniquely managed library, that’s a red flag that it may be time to rethink either your site structure strategy or the classification of how your content is used.
In the end, saving yourself from the SharePoint permissions management nightmare is all about playing in the site permissions space the way that Microsoft wants you to. Recognizing that a user's issue with access may not be a glitch to fix but an opportunity to reorganize will push you towards a better overall design. There are use cases for going against inheritance or swimming upstream, but these best practices are all about standardizing that one same location for you to govern from when you (hopefully) only check in on it once every blue moon.