A single permission in SharePoint is a specific action that a user may take on a securable object. For example, reading the value of a SharePoint list item is a specific permission, often granted to groups of users who need to read lists and the items they contain. SharePoint maintains many permissions in the platform, and the permissions available to users depend on what an administrator (or owner of content) wishes to secure. Documents in document libraries offer a different set of permissions from those of a site in a site collection. Table 1 shows a sample subset of permissions available for lists; other permissions exist for sites and personalization.
Table 1. Subset List Permissions in SharePoint

| Permission | Description |
| --- | --- |
| Add Items | Add new items to lists and add new documents to document libraries. |
| Edit Items | Edit items in lists and edit documents in document libraries. |
| Delete Items | Delete items from lists and documents from document libraries. |
| View Items | View items in lists and documents in document libraries. |
| Open Items | View the content within documents of a document library, not just the metadata of the associated list item. |
| View Versions | View previous versions of a list or document library. |
| Delete Versions | Delete previous versions of a list or document library. |
| Create Alerts | Create e-mail alerts for lists whenever something changes (configured when the user creates the alert). |
| View Application Pages | View forms, views, and application pages. The view lockdown feature turns off this permission on pages and document libraries in publishing sites so anonymous users may not view back-end list content. |
| Approve Items | Approve a minor version of a list item in a list or document in a document library. |
| Override Checkout | Override checkout by another user on a list item in a list or document in a document library. |
| Manage Lists | Create and delete lists, add and remove columns in a list, and add and remove public views of the list. |

With the vast number of permissions available in the SharePoint platform, managing them and assigning the correct permissions to users or groups of users is no trivial task, which is where permission levels come in. A permission level is analogous to a permission set: a group of related permissions that, when applied to a securable object, gives the user or user group a related set of operations on that object. For example, the Read permission level consists of various read permissions for most read-like operations on a securable object, and the Contribute permission level provides a number of write permissions to securable objects.
Microsoft labels permission levels with role-like titles, which new users sometimes confuse with those of SharePoint security groups. Using role names makes sense, because a set of permissions often defines the role of the user or group of users to whom it is applied. Table 2 defines the standard set of permission levels available in SharePoint.
Table 2. Standard Permission Levels

| Permission Level | Description |
| --- | --- |
| Full Control | Users with this permission level have full access to all operations on the secured object, including that of administrative operations. This is not the same as the distinct set of permissions granted to site collection administrators, who have a greater set of administration capabilities. |
| Design | Users at this permission level have contributor rights and certain permissions to effect change of a securable object, but not administrative rights. Designers typically have permission to change the content in containers (lists and sites) and configure containers, whereas contributors can only write and delete content within containers. Users with Design permission level may also approve content in lists with content approval enabled. |
| Contribute | This is a standard permission level to grant users or groups of users add, edit, and delete rights to lists and list items. Typically, users asked to join a SharePoint site to collaborate on content have contribute rights to make edits to existing content, add new content, or delete old content. |
| Read | Users with the Read permission level can access all content in containers in read-only mode. Readers may download documents in document libraries and view lists and list items but not change anything. |
| Limited Access | This permission level is special in that SharePoint grants it to users or groups of users for a specific secured object that has custom permissions. For example, if the owner of a list applies specific permissions, not as part of a specific permission set, then SharePoint shows the permission set as Limited Access. Limited Access permissions typically apply only to one item at a time in the container, not to all other items. |
| View Only | Users or groups of users with View Only permissions cannot download content. This level has similar permissions to the Read permission level but does not allow users to download documents from document libraries. |
| Restricted Read | This permission level is similar to the Read permission level but has only four of the eleven permissions that Read contains. This permission is available only in publishing sites. It provides users with this permission level access to read content without the ability to create alerts, browse user information, or use client integration (interact with Microsoft Office). |
| Approve | This permission level is available in publishing sites only and grants users or groups the capability to edit list items and documents as well as approve items in lists with content approval enabled. |
| Manage Hierarchy | This permission level is available in publishing sites only and is similar to the Design permission level. It enables users or groups of users to create sites and edit list items and documents. The major difference between the Design permission level and the Manage Hierarchy level is that this permission level does not grant approval rights on list items or documents in lists that have content approval enabled. |

Figure 3
shows an example list of permission levels applied to a site. To get to
this page, select Site Permissions under the Users and Permissions
section within Site Settings, and then click Permission Levels on the
ribbon.
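
The same information can be pulled from the SharePoint Management Shell when reviewing who holds which permission level on a site. The script below is an added example, not part of the original article: it expands each permission level into the individual permissions it contains, lists the level assignments on the site, and names lists that no longer inherit permissions. The site URL is a placeholder, and the `$Review` selection of permissions to flag is this example's own choice.

```powershell
# Added example (not from the original article). Run in the SharePoint
# Management Shell on a farm server with rights to read the site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'http://sharepoint.example.local/sites/team'  # placeholder URL (assumption)

# Enum names for Table 1 permissions worth reviewing (Manage Lists,
# Override Checkout, Delete Versions), plus FullMask, which is what
# Full Control expands to. The selection is this example's choice.
$Review = 'ManageLists', 'CancelCheckout', 'DeleteVersions', 'FullMask'

$web = Get-SPWeb -Identity $SiteUrl
try {
    # 1. Expand every permission level into the permissions it contains.
    $levels = foreach ($rd in $web.RoleDefinitions) {
        New-Object PSObject -Property @{
            PermissionLevel = $rd.Name
            Permissions     = $rd.BasePermissions.ToString()
        }
    }

    # 2. List who holds which level on the site and flag any grant that
    #    includes a permission named in $Review.
    $grants = foreach ($ra in $web.RoleAssignments) {
        foreach ($rd in $ra.RoleDefinitionBindings) {
            $perms = $rd.BasePermissions.ToString() -split ',\s*'
            $hits  = @($perms | Where-Object { $Review -contains $_ })
            New-Object PSObject -Property @{
                Member          = $ra.Member.Name
                PermissionLevel = $rd.Name
                Flagged         = ($hits -join ', ')
            }
        }
    }

    # 3. Lists that no longer inherit from the site carry their own
    #    assignments and need a separate review.
    $unique = @($web.Lists | Where-Object { $_.HasUniqueRoleAssignments } |
                ForEach-Object { $_.Title })

    $levels | Select-Object PermissionLevel, Permissions | Format-List
    $grants | Select-Object Member, PermissionLevel, Flagged | Format-Table -AutoSize
    "Lists with unique permissions: $($unique -join ', ')"
}
finally {
    $web.Dispose()   # SPWeb objects returned by Get-SPWeb must be disposed
}
```

An empty `Flagged` column means the assigned level contains none of the permissions under review; a member bound to a level that shows `FullMask` holds Full Control on the site.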