Friday, April 24, 2015

Permission, Permission Level and Permission Policy in SharePoint

Permission, Permission Level and Permission Policy are three distinct but closely related features in SharePoint. This article presents my understanding of what they are and how they work. It was written with SharePoint 2010 as the reference.


A permission allows someone to perform a particular action, and it means the same in SharePoint. Examples are Add Items, Edit Items and Delete Items, along with 30 more; there are 33 permissions in SharePoint in all.

Permissions are divided into three categories.

  • Site Permissions (18) – apply generally across a SharePoint site
  • List Permissions (12) – apply to content in lists and libraries
  • Personal Permissions (3) – apply to content that belongs to a single user

Permissions also depend on other permissions. For example, you must be able to open an item to view it, so the View Items permission depends on the Open permission. Below is the complete list of all the permissions and dependent permissions.

Site permissions

List permissions

Personal permissions

Permissions can be allowed or disallowed at the web application level. For example, you can disallow the Override Check-Out permission on a web application so that no user can discard or check in a document that is checked out to another user in that web application. To do this, go to “Central Administration > Application Management > Manage Web Applications”, select the web application and click on “User Permissions”.

This brings up the “User Permissions for Web Application” dialog.

If you disable a permission here, it won’t be available to any of the site collections in the web application.

Permission Level

In SharePoint you cannot assign permissions directly to a user. Permissions are grouped together into a Permission Level, which is then assigned to a user. By default SharePoint provides 10 permission levels, but you are free to add more depending on your requirements.

  • Full Control
  • Design
  • Edit
  • Contribute
  • Read
  • Limited Access
  • Approve
  • Manage Hierarchy
  • Restricted Read
  • View Only

Each of these permission levels includes one or more of the previously described 33 permissions. So while the Full Control permission level includes all 33 permissions, the Restricted Read permission level includes only 4 permissions: View Items, Open Items, View Pages and Open. Another thing to note is that you cannot customize or delete the Full Control and Limited Access permission levels.

To create a permission level in a site collection, go to “Site Actions > Site Permissions”.

Click on the “Permission Levels” button on the ribbon.

Now click on “Add a Permission Level”.

You will see all the permissions available to the site. As mentioned earlier, you can disable some permissions for a web application in Central Administration; any permission disabled there will not be visible when creating a permission level.

Once you create a permission level you need to assign it. To assign a permission level to a user, go to “Site Actions > Site Permissions”.

Click on “Grant Permissions” in the ribbon.

You can then grant one or more permission levels to the user.

NOTE: As far as my understanding goes, this is not the preferred way to assign permission levels to users. The preferred way is to create a SharePoint Group, assign permission levels to it, and add users to that group.
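The group-based assignment recommended in the note above can also be scripted, together with a check for users who hold a permission level directly. This PowerShell is an added example, not part of the original article; the site URL, owner account, level name and group name are placeholders, and it assumes the SharePoint 2010 Management Shell and a web that has its own (not inherited) permission levels.

```powershell
# Added example: placeholder URL, account and names throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://sharepoint.example.local/sites/demo"
try {
    # 1. Build a permission level from individual permissions.
    #    These four flags are the ones the article lists for Restricted Read.
    $level = New-Object Microsoft.SharePoint.SPRoleDefinition
    $level.Name = "Demo Restricted Read"
    $level.Description = "View Items, Open Items, View Pages, Open"
    $level.BasePermissions =
        [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, OpenItems, ViewPages, Open"
    $web.RoleDefinitions.Add($level)

    # 2. Create a SharePoint group and bind the permission level to the group,
    #    so access is managed through group membership.
    $owner = $web.EnsureUser("EXAMPLE\spadmin")
    $web.SiteGroups.Add("Demo Readers", $owner, $null, "Holds Demo Restricted Read")
    $group = $web.SiteGroups["Demo Readers"]

    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Demo Restricted Read"])
    $web.RoleAssignments.Add($assignment)

    # 3. Review: report every user who was granted a permission level directly
    #    instead of through a group.
    $web.RoleAssignments |
        Where-Object { $_.Member -is [Microsoft.SharePoint.SPUser] } |
        ForEach-Object {
            $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{
                User   = $_.Member.LoginName
                Levels = $levels
            }
        }
}
finally {
    $web.Dispose()
}
```

Users that appear in the report only with Limited Access usually received it automatically through item-level sharing; any other level listed against a user is a direct grant worth moving into a group.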

Permission Policy

Permission Policy is available in Central Administration, so this option can only be used by Farm Administrators. Initially I was confused about how Permission Policy worked and how it differed from Permission Level, so I posted my query on SharePoint StackExchange and got a reply from Benny Skogberg.

Permission Policy is a way to let a group of users or individual users access a part of site setting without having full control permission level in all site settings. If you have a group of auditors who need to access Web Analytics data in site settings, but nothing else that the owners group has access to, you create a Permission policy to Web Analytics data. After the Permission Policy is created you add users or groups in the User Policy setting.

Permission Level is the level of access granted to an individual user or group, while Permission Policy is a way to delegate site administration activities to an individual user or group.

To set a Permission Policy, go to “Central Administration > Application Management > Manage Web Applications”. Click on “Permission Policy” in the ribbon.

Now click on “Add Permission Policy Level”.

Give a name to the Permission Policy, say Auditors Role, enable the option of “Site Collection Auditor” and grant the “View Web Analytics Data” (under Site Permissions) permission to it.

Save the permission policy.

In the web application view, select the web application and click on “User Policy” in the ribbon.

Now click on “Add Users”.

Enter the names of the users and assign them the newly created Auditors Role.

Now if a user with the Auditors Role permission policy opens the site collection, he will be able to view the site settings along with the Web Analytics report. But if the user tries to edit any other setting, such as the title of the site collection, he will get an access denied error.
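The same Auditors Role setup can be done from the SharePoint 2010 Management Shell, followed by a listing of every user policy on the web application, since these grants are made in Central Administration rather than in the site's own permissions. This is an added example, not part of the original article; the URL and account are placeholders, a classic-mode web application is assumed (claims mode needs the encoded claim as the login), and View Web Analytics Data is taken to be the `ViewUsageData` flag.

```powershell
# Added example: placeholder URL and account; run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://sharepoint.example.local"

# 1. Permission policy level: Site Collection Auditor plus
#    the View Web Analytics Data permission.
$role = $webApp.PolicyRoles.Add("Auditors Role", "Web Analytics access for auditors")
$role.IsSiteAuditor   = $true
$role.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]::ViewUsageData

# 2. User policy: bind the account to the new policy level.
$policy = $webApp.Policies.Add("EXAMPLE\auditor1", "Auditor One")
$policy.PolicyRoleBindings.Add($role)

# Persist both changes to the configuration database.
$webApp.Update()

# 3. Review: list every user policy on the web application with its
#    policy levels and whether a level carries deny rights or admin/auditor flags.
$webApp.Policies | ForEach-Object {
    $p = $_
    $p.PolicyRoleBindings | ForEach-Object {
        New-Object PSObject -Property @{
            User          = $p.UserName
            PolicyLevel   = $_.Name
            Grants        = $_.GrantRightsMask
            Denies        = $_.DenyRightsMask
            IsSiteAdmin   = $_.IsSiteAdmin
            IsSiteAuditor = $_.IsSiteAuditor
        }
    }
} | Format-Table User, PolicyLevel, IsSiteAdmin, IsSiteAuditor, Grants, Denies -AutoSize
```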

I hope this clarifies the concepts of Permission, Permission Level and Permission Policy in SharePoint.


As I said at the start, this article is my understanding of the concepts of Permission, Permission Level and Permission Policy. This understanding is based on various sources I have read and here are those sources.
