Security Management in SharePoint Groups, Permissions and Users

SharePoint Groups

SharePoint Groups are used to group SharePoint users together so that the administration and maintenance of security in SharePoint is easier. By security we are specifically referring to what a user is allowed to do on the various objects in SharePoint, such as:

  • Document / List Item
  • Library
  • Site
  • Site Collection

Permissions

To do most things in SharePoint you need to have been granted permission to do so. That permission is granted by someone who themselves holds the 'Manage Permissions' permission.

The permissions a user can be granted on a site or a list are varied. For example, on a SharePoint list a user may be granted the following permissions:

  • Manage Lists - Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
  • Override List Behaviors - Discard or check in a document which is checked out to another user, and change or override settings which allow users to read/edit only their own items.
  • Add Items - Add items to lists and add documents to document libraries.
  • Edit Items - Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries.
  • Delete Items - Delete items from a list and documents from a document library.
  • View Items - View items in lists and documents in document libraries.
  • Approve Items - Approve a minor version of a list item or document.
  • Open Items - View the source of documents with server-side file handlers.
  • View Versions - View past versions of a list item or document.
  • Delete Versions - Delete past versions of a list item or document.
  • Create Alerts - Create alerts.
  • View Application Pages - View forms, views, and application pages. Enumerate lists.

There are also separate sets of permissions that apply to a site and to the user personally.

Permission Levels

As there are many different permissions, each allowing a fairly low-level action, it is simpler to group several of them together for administration. This is where permission levels come into play. Several permission levels ship with SharePoint, and it is possible to create your own. A new installation of SharePoint 2013 has the following permission levels:

  • Full Control. Has full control.
  • Design. Can view, add, update, delete, approve, and customize.
  • Edit. Can add, edit and delete lists; can view, add, update and delete list items and documents.
  • Contribute. Can view, add, update, and delete list items and documents.
  • Read. Can view pages and list items and download documents.
  • Limited Access. Can view specific lists, document libraries, list items, folders, or documents when given permissions.
  • Approve. Can edit and approve pages, list items, and documents.
  • Manage Hierarchy. Can create sites and edit pages, list items, and documents.
  • Restricted Read. Can view pages and documents, but cannot view historical versions or user permissions.
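The two sections above describe permission levels as named bundles of base permissions that are then granted to a group. The following PowerShell, added here as an illustration and not taken from the article, composes a custom level from the list permissions named above (deliberately leaving out Delete Items, Delete Versions, Manage Lists and Override List Behaviors) and binds it to a SharePoint group. It uses the SharePoint 2013 server object model from the SharePoint Management Shell; the site URL, level name and group name are placeholders.

```powershell
# Added example (not from the original article): build a least-privilege permission
# level from SPBasePermissions flags and grant it to a SharePoint group.
# Run in the SharePoint 2013 Management Shell on a farm server with rights to the site.
# The URL, level name and group name below are placeholders, not real values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.example.local/sites/finance"   # placeholder
$levelName = "Contribute Without Delete"                       # constructed name
$groupName = "Finance Contributors"                            # constructed name

$web = Get-SPWeb $siteUrl
try {
    # List-level permissions from the article map one-to-one onto SPBasePermissions
    # (e.g. 'Override List Behaviors' is CancelCheckout). A level also needs the
    # site-level flags that the built-in Read level carries (Open, ViewPages, ...)
    # or the user cannot even render the site.
    $basePerms = [Microsoft.SharePoint.SPBasePermissions] (
        "ViewListItems, AddListItems, EditListItems, OpenItems, ViewVersions, " +
        "CreateAlerts, ViewFormPages, " +
        "Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs")

    # Create the permission level once; reuse it on later runs.
    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }) {
        Write-Host "Permission level '$levelName' already exists; reusing it."
    } else {
        $roleDef = New-Object Microsoft.SharePoint.SPRoleDefinition
        $roleDef.Name            = $levelName
        $roleDef.Description     = "Add and edit items, but never delete them"
        $roleDef.BasePermissions = $basePerms
        $web.RoleDefinitions.Add($roleDef)
        Write-Host "Created permission level '$levelName'."
    }
    $roleDef = $web.RoleDefinitions[$levelName]

    # Create the SharePoint group if it is missing. Its owner is the site's owner group.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        $web.SiteGroups.Add($groupName, $web.AssociatedOwnerGroup, $null,
                            "Contributes to Finance without delete rights")
        $group = $web.SiteGroups[$groupName]
    }

    # Role assignments can only be added to a web that has its own permissions.
    # BreakRoleInheritance($true) copies the parent's assignments first, so nothing
    # that worked before stops working; only the new binding is added on top.
    if (-not $web.HasUniqueRoleAssignments) {
        Write-Warning "$siteUrl inherits permissions; breaking inheritance (copying parent assignments)."
        $web.BreakRoleInheritance($true)
    }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($roleDef)
    $web.RoleAssignments.Add($assignment)
    $web.Update()

    # Print the exact flag set so the level can be reviewed against the intent above.
    Write-Host "Group '$groupName' now holds '$levelName' = $($roleDef.BasePermissions)"
}
finally {
    $web.Dispose()
}
```

The value of a custom level is that the grant is reviewable: the flag list printed at the end is the complete statement of what members of the group can do, which is easier to audit than a mix of Contribute plus ad-hoc item-level exceptions.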

Members of a SharePoint group

Simply put, a group can contain three kinds of member:

  • AD Users (people)
  • AD Groups (collections of people from AD)
  • Distribution Lists.

It is also possible, depending on how SharePoint has been configured, to define users and groups from other sources, such as a database. However, using Active Directory with SharePoint is by far the most common approach.
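Because a SharePoint group can hold both individual AD users and whole AD groups, a membership review has to distinguish the two: an AD group appears as a single principal whose real membership lives in Active Directory. The script below, added as an example and not part of the original article, adds an AD user and an AD group to a SharePoint group and then lists every principal that holds Full Control on the site, expanding SharePoint groups to their direct members and flagging AD groups. It uses the SharePoint 2013 server object model; the site URL, group name and account names are placeholders.

```powershell
# Added example (not from the original article): populate a SharePoint group with an
# AD user and an AD security group, then audit who holds Full Control on the site.
# Run in the SharePoint 2013 Management Shell on a farm server.
# The URL, group name and login names below are placeholders, not real accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.example.local/sites/finance"   # placeholder
$groupName = "Finance Contributors"                            # placeholder
$logins    = @("EXAMPLE\jdoe", "EXAMPLE\Finance-Team")         # an AD user and an AD group

# Walks the web's role assignments and returns one row per principal that ends up
# with Full Control, either directly or through a SharePoint group.
function Get-FullControlHolders([Microsoft.SharePoint.SPWeb] $w) {
    foreach ($ra in $w.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($levels -notcontains "Full Control") { continue }
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            foreach ($u in $member.Users) {
                [pscustomobject]@{ Via = $member.Name; Login = $u.LoginName
                                   IsADGroup = $u.IsDomainGroup }
            }
        } else {
            $u = $member -as [Microsoft.SharePoint.SPUser]
            [pscustomobject]@{ Via = "(direct)"; Login = $u.LoginName
                               IsADGroup = $u.IsDomainGroup }
        }
    }
}

$web = Get-SPWeb $siteUrl
try {
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) { throw "SharePoint group '$groupName' not found on $siteUrl" }

    # EnsureUser resolves a Windows login against the site collection's user list and
    # registers it if absent. It accepts AD groups as well as users; IsDomainGroup
    # tells them apart after resolution.
    foreach ($login in $logins) {
        $principal = $web.EnsureUser($login)
        $group.AddUser($principal)
        $kind = if ($principal.IsDomainGroup) { "AD group" } else { "AD user" }
        Write-Host "Added $kind '$login' to SharePoint group '$groupName'"
    }

    # Audit pass. Rows with IsADGroup = True need a second lookup in AD to learn who
    # is actually inside; SharePoint cannot expand them for you.
    $inherited = -not $web.HasUniqueRoleAssignments
    Write-Host "Full Control holders on $siteUrl (inherits from parent: $inherited)"
    Get-FullControlHolders $web | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```

Run the audit part on its own periodically: a Full Control grant to an AD group is only as tight as that group's membership in AD, so the rows flagged IsADGroup are the ones that warrant a follow-up check with the directory team.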