Permission, Permission Level and Permission Policy are three very different yet closely related features in SharePoint. This article presents my understanding of what they are and how they work. It has been written with reference to SharePoint 2010.
Permission
A permission authorizes someone to perform a particular action, and it means the same in SharePoint. You have permissions like Add Items, Edit Items, Delete Items and 30 more. Yes, there are 33 permissions in all in SharePoint.
Permissions are divided into three categories.
- Site Permissions (18) – apply generally across a SharePoint site
- List Permissions (12) – apply to content in lists and libraries
- Personal Permissions (3) – apply to content that belongs to a single user
Permissions also depend on other permissions. For example, you must be able to open an item to view it. In this way, the View Items permission depends on the Open permission. Below is the complete list of all the permissions and their dependent permissions.
Site permissions
Permission | Description | Dependent permissions |
Manage Permissions | Create and change permission levels on the website and assign permissions to users and groups. | Approve Items, Enumerate Permissions, Open |
View Web Analytics Data | View reports on website usage. | Approve Items, Open |
Create Subsites | Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. | View Pages, Open |
Manage website | Perform all administration tasks for the website, which includes managing content. | View Pages, Open |
Add and Customize Pages | Add, change, or delete HTML pages or Web Part pages, and edit the website by using a Windows SharePoint Services-compatible editor. | View Items, Browse Directories, View Pages, Open |
Apply Themes and Borders | Apply a theme or borders to the whole website. | View Pages, Open |
Apply Style Sheets | Apply a style sheet (.css file) to the website. | View Pages, Open |
Create Groups | Create a group of users who can be used anywhere within the site collection. | View Pages, Open |
Browse Directories | Enumerate files and folders in a website, by using an interface such as SharePoint Designer or web-based Distributed Authoring and Versioning (Web DAV). | View Pages, Open |
Use Self-Service Site Creation | Create a website by using Self-Service Site Creation. | View Pages, Open |
View Pages | View pages in a website. | Open |
Enumerate Permissions | Enumerate permissions on the website, list, folder, document, or list item. | View Items, Open Items, View Versions, Browse Directories, View Pages, Open |
Browse User Information | View information about users of the website. | Open |
Manage Alerts | Manage alerts for all users of the website | View Items, Create Alerts, View Pages, Open |
Use Remote Interfaces | Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the website. | Open |
Open | Open a website, list, or folder to access items inside that container. | No dependent permissions |
Edit Personal User Information | Allow a user to change personal information, such as adding a picture. | Browse User Information, Open |
Use Client Integration Features | Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes. | Use Remote Interfaces, Open |
List permissions
Permission | Description | Dependent permissions |
Manage Lists | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. | View Items, View Pages, Open, Manage Personal Views |
Override Check-Out | Discard or check in a document that is checked out to another user. | View Items, View Pages, Open |
Add Items | Add items to lists, add documents to document libraries, and add web discussion comments. | View Items, View Pages, Open |
Edit Items | Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize Web Part Pages in document libraries. | View Items, View Pages, Open |
Delete Items | Delete items from a list, documents from a document library, and web discussion comments in documents. | View Items, View Pages, Open |
View Items | View items in lists, documents in document libraries, and web discussion comments. | View Pages, Open |
Approve Items | Approve a minor version of a list item or document. | Edit Items, View Items, View Pages, Open |
Open Items | View the source of documents that use server-side file handlers. | View Items, View Pages, Open |
View Versions | View past versions of a list item or document. | View Items, View Pages, Open |
Delete Versions | Delete past versions of a list item or document. | View Items, View Versions, View Pages, Open |
Create Alerts | Create e-mail alerts. | View Items, View Pages, Open |
View Application Pages | View documents and views in a list or document library. | Open |
Personal permissions
Permission | Description | Dependent permissions |
Manage Personal Views | Create, change, and delete personal views of lists. | View Items, View Pages, Open |
Add/Remove Private Web Parts | Add or remove private Web Parts on a Web Part Page. | View Items, View Pages, Open, Update Personal Web Parts |
Update Personal Web Parts | Update Web Parts to display personalized information. | View Items, View Pages, Open |
Permissions can be allowed or disallowed at the web application level. For example, you can disallow the Override Check-Out permission on a web application so that no user is able to discard or check in a document that is checked out to another user in that web application. To do this, go to “Central Administration > Application Management > Manage Web Applications”. Select the web application and click on “User Permissions”.
This brings up the “User Permissions for Web Application” dialog.
If you disable any permission here then it won’t be available to any of the site collections in the web application.
Permission Level
In SharePoint you cannot assign permissions directly to a user. Permissions are grouped together into a Permission Level, which is then assigned to a user. By default SharePoint provides 10 permission levels, but you are free to add more depending on your requirements.
- Full Control
- Design
- Edit
- Contribute
- Read
- Limited Access
- Approve
- Manage Hierarchy
- Restricted Read
- View Only
Each of these permission levels includes one or more of the previously described 33 permissions. So while the Full Control permission level includes all 33 permissions, the Restricted Read permission level includes only 4 permissions: View Items, Open Items, View Pages and Open. Another thing to note is that you cannot customize or delete the Full Control and Limited Access permission levels.
To create a permission level in a site collection go to “Site Actions > Site Permissions”.
Click on the “Permission Levels” button on the ribbon.
Now click on “Add a Permission Level”.
You will be able to see all the permissions available to the site. Remember that previously I said you can disable some of the permissions for a web application in Central Administration, so any disabled permission will not be visible to the user when creating a permission level.
Once you create a permission level you need to assign it. To assign a permission level to a user, go to “Site Actions > Site Permissions”.
Click on “Grant Permissions” in the ribbon.
You can then grant one or more permission levels to the user.
NOTE: Please be advised, as far as my understanding goes, this is not the preferred way to assign permission levels to users. The preferred way is to create a SharePoint Group and assign permission levels to it and add users to that group.
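The same steps scripted for the SharePoint 2010 Management Shell, following the group-based approach from the note above. This is an added example, not part of the original article; the site URL, level name, group name and account are placeholders, and the level reuses the four permissions listed above for Restricted Read. The final pipeline lists every assignment on the site and marks the ones granted directly to a user.

```powershell
# Added example. $siteUrl, $levelName, $groupName and $account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.local/sites/team"
$levelName = "Read Source Only"
$groupName = "Team Reviewers"
$account   = "EXAMPLE\jdoe"

$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb

    # Create the permission level (View Items, Open Items, View Pages, Open) if it is missing
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $level) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, OpenItems, ViewPages, Open"
        $web.RoleDefinitions.Add($level)
        $level = $web.RoleDefinitions[$levelName]
    }

    # Create the SharePoint group if it is missing (owned by the site collection owner)
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        $web.SiteGroups.Add($groupName, $site.Owner, $null, "Holds the '$levelName' permission level")
        $group = $web.SiteGroups[$groupName]
    }

    # Bind the level to the group, then add the user to the group
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($level)
    $web.RoleAssignments.Add($assignment)
    $group.AddUser($web.EnsureUser($account))

    # Check: list every assignment and flag levels granted directly to a user
    $web.RoleAssignments | ForEach-Object {
        New-Object PSObject -Property @{
            Member = $_.Member.Name
            Direct = ($_.Member -is [Microsoft.SharePoint.SPUser])
            Levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        }
    } | Select-Object Member, Direct, Levels
}
finally {
    $site.Dispose()
}
```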
Permission Policy
Permission Policy is available in Central Administration, so this option can only be used by Farm Administrators. Initially I was confused as to how Permission Policy worked and how it was different from Permission Level, so I posted my query on SharePoint StackExchange and got a reply from Benny Skogberg.
Permission Policy is a way to let a group of users or individual users access a part of site setting without having full control permission level in all site settings. If you have a group of auditors who need to access Web Analytics data in site settings, but nothing else that the owners group has access to, you create a Permission policy to Web Analytics data. After the Permission Policy is created you add users or groups in the User Policy setting.
Permission Level is the level of access granted to an individual user or group, while Permission Policy is a way to delegate site administration activities to an individual user or group.
To set Permission Policy go to “Central Administration > Application Management > Manage Web Applications”. Click on “Permission Policy” in the ribbon.
Now click on “Add Permission Policy Level”.
Give a name to the Permission Policy, say Auditors Role, enable the option of “Site Collection Auditor” and grant the “View Web Analytics Data” (under Site Permissions) permission to it.
Save the permission policy.
In the web application view select the web application and click on “User Policy” in the ribbon.
Now click on “Add Users”.
Enter the names of the users and assign them the newly created Auditors Role.
Now if a user with the Auditors Role permission policy opens the site collection, he will be able to view the site settings along with the Web Analytics report. But if the user tries to edit any other setting, like the Title of the site collection, he will get an access denied error.
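Because permission policies and user policies live in Central Administration rather than in a site's own permission pages, it helps to be able to list them in one place. The read-only report below is an added example, not part of the original article; it assumes it is run by a farm administrator in the SharePoint 2010 Management Shell, and the function names are hypothetical.

```powershell
# Added example: read-only report of permission policy levels and user policy entries.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PolicyLevelReport {
    # One row per permission policy level defined on each web application
    foreach ($wa in Get-SPWebApplication) {
        foreach ($role in $wa.PolicyRoles) {
            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                PolicyLevel    = $role.Name
                SiteAdmin      = $role.IsSiteAdmin      # "Site Collection Administrator" option
                SiteAuditor    = $role.IsSiteAuditor    # "Site Collection Auditor" option
                Grant          = $role.GrantRightsMask
                Deny           = $role.DenyRightsMask
            } | Select-Object WebApplication, PolicyLevel, SiteAdmin, SiteAuditor, Grant, Deny
        }
    }
}

function Get-UserPolicyReport {
    # One row per user or group listed under "User Policy", with the policy levels bound to it
    foreach ($wa in Get-SPWebApplication) {
        foreach ($policy in $wa.Policies) {
            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                Account        = $policy.UserName
                DisplayName    = $policy.DisplayName
                PolicyLevels   = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
            } | Select-Object WebApplication, Account, DisplayName, PolicyLevels
        }
    }
}

# Permissions still enabled under "User Permissions" (FullMask means none are disabled)
Get-SPWebApplication | ForEach-Object { "{0}: {1}" -f $_.Url, $_.RightsMask }

Get-PolicyLevelReport | Format-List | Out-String
Get-UserPolicyReport  | Format-Table -AutoSize | Out-String
```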
I hope this clarifies the concepts of Permission, Permission Level and Permission Policy in SharePoint.
References
As I said at the start, this article is my understanding of the concepts of Permission, Permission Level and Permission Policy. This understanding is based on various sources I have read and here are those sources.
- Understanding permission levels (Office Support)
- Permission levels and permissions (Office Support)
- What is the difference between “Permission Policy” and “Permission Level” in SharePoint? (SharePoint StackExchange)
- Users and Permissions (MSDN)