Permissions enable users to access resources that they need. For example, permissions enable users to do something such as open an item in a library or create a subsite. Often, single permissions are grouped into a collection of permissions known as a “permissions level”. For example, if you want to give someone permission to read items on your site, you must also give them permission to open the page that contains the item. The Read permission level includes all the single permissions that a user has to have read items.
To save time, SharePoint Online pre-defines different combinations of permissions. These pre-defined permission levels are known as the “default permission levels”.
This article describes the default permission levels that are included with SharePoint Online for Enterprises and SharePoint Online for Professionals.
In this article
Overview
A permission level is a combination of SharePoint permissions. Permission levels specify which permissions users have for a site or list, and therefore whether people can view, change, or manage a site. By default, SharePoint pre-defines some permission levels.
Default Permission Levels
The following table describes the default permission levels in SharePoint Online.
| Permission Level |
|
Description |
| Full Control |
Contains all available SharePoint permissions. By default, this permission level is assigned to the Owners group. It can’t be customized or deleted. |
| Design |
Create lists and document libraries, edit pages and apply themes, borders, and style sheets on the site. There is no SharePoint group that is assigned this permission level automatically. |
| Edit |
Add, edit, and delete lists; view, add, update, and delete list items and documents. |
| Contribute |
View, add, update, and delete list items and documents. |
| Read |
Add, edit, and delete items in existing lists and document libraries. By default, this permission level is assigned to the Members group. |
| Limited Access |
The Limited Access permission level is unusual. It enables a user or group to browse to a site page or library to access a specific content item. Typically, the user was given access to a single item in a list or library, but does not have permission to open or edit any other items in the library. The Limited Access permission level includes all the permissions that the user must have to access the required item.
You cannot assign Limited Access permission level directly to a user or group. Instead, you assign appropriate permission to the single item, and then SharePoint automatically assigns Limited Access to other required locations.
|
| Approve |
Edit and approve pages, list items, and documents. By default, the Approvers group has this permission. |
| Manage Hierarchy |
Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group. |
| Restricted Read |
View pages and documents, but not historical versions or user permissions. |
| View Only |
View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. |
|
|
Security Office 365 plans create a security group called “Everyone except external users” that contains every person you add into the Office 365 directory (except people who you add explicitly as External Users). This security group added to the Members group automatically, so that users in Office 365 can access and edit the SharePoint Online site. In addition, Office 365 plans create a security group called “Company Administrators”, which contains Office 365 Admins (such as Global and Billing Admins). This security group is added to the Site Collection Administrators group.
Top of Page
Permission levels and SharePoint groups
To help make managing site access more efficient, permission levels work together with SharePoint groups. A SharePoint group is a set of users who all have the same permission level. That is, all users in a SharePoint group have the same collection of permissions.
By default, each kind of SharePoint site includes certain SharePoint groups. For example, a Team Site automatically includes the Owners, Members, and Visitors group. A Publishing Portal site includes those groups and several more, such as Approvers, Designers, Hierarchy Managers, and so on. When you create a site, SharePoint automatically creates a pre-defined set of SharePoint groups for that site. In addition, a SharePoint admin can define custom groups and permission levels.
To learn more about SharePoint groups, see Understanding SharePoint groups.
The SharePoint groups and permission levels that are included by default in your site may differ, depending on:
- The template that you choose for the site
- Whether the site is an internal site for SharePoint Online for Enterprise users or a public website
- Whether a SharePoint admin created a unique permissions set on the site that has a specific purpose, such as Search
The following table describes the default permission levels and associated permissions for three standard groups: Visitors, Members, and Owners.
| Group |
Permission level |
| Visitors |
Read This level includes these permissions:
- Open
- View Items, Versions, pages, and Application pages
- Browse User Information
- Create Alerts
- Use Self-Service Site Creation
- Use Remote Interfaces
- Use Client Integration Features
|
| Members |
Edit. This level includes all permissions in Read, plus:
- View, add, update and delete Items
- Add, Edit and Delete Lists
- Delete Versions
- Browse Directories
- Edit Personal User Information
- Manage Personal Views
- Add, Update, or Remove Personal Web Parts
|
| Owners |
Full Control This level includes all available SharePoint permissions |
Permission levels and permission inheritance
By default, permissions are inherited in SharePoint—that is, permissions set at the site collection level are copied to every site, list, and item in the site collection. This means that the permission levels that you set when you first create SharePoint groups can affect access for every site, list, library, folder, and item in the site.
If the default settings are what you want for your organization, you can customize how you assign permissions by uniquely securing sites, lists, folders, and items in SharePoint. For more information, see What is uniquely secured content?
Site, list, and personal permissions and permission levels
SharePoint permissions apply to three categories of content: list permissions, site permissions, and personal permissions.
The following sections contain tables that describe each of these categories. The tables list the SharePoint permissions and the permission levels that use these permissions.
- Site permissions and permission levels
- List permissions and permission levels
- Personal permissions and permission levels
Top of Page
Site permissions and permission levels
Site permissions apply generally across a SharePoint site. The following table describes the permissions that apply to sites, and show the permission levels that use them.
| Permission |
Full Control |
Design |
Edit |
Contribute |
Read |
Limited Access |
Approve |
Manage Hierarchy |
Restricted Read |
View Only |
| Manage Permissions |
X |
|
|
|
|
|
|
X |
|
|
| View Web Analytics Data |
X |
|
|
|
|
|
|
X |
|
|
| Create Subsites |
X |
|
|
|
|
|
|
X |
|
|
| Manage Web Site |
X |
|
|
|
|
|
|
X |
|
|
| Add and Customize Pages |
X |
X |
|
|
|
|
|
X |
|
|
| Apply Themes and Borders |
X |
X |
|
|
|
|
|
|
|
|
| Apply Style Sheets |
X |
X |
|
|
|
|
|
|
|
|
| Create Groups |
X |
|
|
|
|
|
|
|
|
|
| Browse Directories |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Use Self-Service Site Creation |
X |
X |
X |
X |
X |
|
X |
X |
|
X |
| View Pages |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
| Enumerate Permissions |
X |
|
|
|
|
|
|
X |
|
|
| Browse User Information |
X |
X |
X |
X |
X |
X |
X |
X |
|
X |
| Manage Alerts |
X |
|
|
|
|
|
|
X |
|
|
| Use Remote Interfaces |
X |
X |
X |
X |
X |
|
X |
X |
|
X |
| Use Client Integration Features |
X |
X |
X |
X |
X |
X |
X |
X |
|
X |
| Open |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
| Edit Personal User Information |
X |
X |
X |
X |
|
|
X |
X |
|
|
Top of Page
List permissions and permission levels
List permissions apply to content in lists and libraries. The following table describes the permissions that apply to lists and libraries, and show the permission levels that use them.
| Permission |
Full Control |
Design |
Edit |
Contribute |
Read |
Limited Access |
Approve |
Manage Hierarchy |
Restricted Read |
View Only |
| Manage Lists |
X |
X |
X |
|
|
|
|
X |
|
|
| Override Check-Out |
X |
X |
|
|
|
|
X |
X |
|
|
| Add Items |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Edit Items |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Delete Items |
X |
X |
X |
X |
|
|
X |
X |
|
|
| View Items |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
| Approve Items |
X |
X |
|
|
|
|
X |
|
|
|
| Open Items |
X |
X |
X |
X |
X |
|
X |
X |
X |
|
| View Versions |
X |
X |
X |
X |
X |
|
X |
X |
|
X |
| Delete Versions |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Create Alerts |
X |
X |
X |
X |
X |
|
X |
X |
|
X |
| View Application Pages |
X |
X |
X |
X |
X |
|
X |
X |
|
X |
Top of Page
Personal permissions and permission levels
Personal permissions apply to content that belongs to a single user. The following table describes the permissions that apply to personal views and web parts, and show the permission levels that use them.
| Permission |
Full Control |
Design |
Edit |
Contribute |
Read |
Limited Access |
Approve |
Manage Hierarchy |
Restricted Read |
View Only |
| Manage Personal Views |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Add/Remove Private Web Parts |
X |
X |
X |
X |
|
|
X |
X |
|
|
| Update Personal Web Parts |
X |
X |
X |
X |
|
|
X |
X |
|
|
Top of Page
Permissions and dependencies
SharePoint permissions can depend on other SharePoint permissions. For example, you must be able to open an item to view it. In this way, View Items permission depends on Open permission.
When you select a SharePoint permission that depends on another, SharePoint automatically selects the associated permission. Similarly, when you clear SharePoint permission, SharePoint automatically clears any SharePoint permission that depends on it. For example, when you clear View Items, SharePoint automatically clears Manage Lists (you can't manage a list if you can't view an item).
Tip The only SharePoint permission without a dependency is Open. All other SharePoint permissions depend on it. To test a custom permission level, you can just clear “Open”. This automatically clears all other permissions.
The following sections contain tables that describe SharePoint permissions for each permission category. For each permission, the table shows the dependent permissions.
- Site permissions and dependent permissions
- List permissions and dependent permissions
- Personal permissions and dependent permissions
Top of Page
Site permissions and dependent permissions
The following table describes the permissions that apply to sites, and show the permissions that depend on them.
| Permission |
Description |
Dependent permissions |
| Manage Permissions |
Create and change permission levels on the website and assign permissions to users and groups. |
Approve Items, Enumerate Permissions, Open |
| View Web Analytics Data |
View reports on website usage. |
Approve Items, Open |
| Create Subsites |
Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. |
View Pages, Open |
| Manage website |
Perform all administration tasks for the website, which includes managing content. |
View Pages, Open |
| Add and Customize Pages |
Add, change, or delete HTML pages or Web Part pages, and edit the website by using a Windows SharePoint Services-compatible editor. |
View Items, Browse Directories, View Pages, Open |
| Apply Themes and Borders |
Apply a theme or borders to the whole website. |
View Pages, Open |
| Apply Style Sheets |
Apply a style sheet (.css file) to the website. |
View Pages, Open |
| Create Groups |
Create a group of users who can be used anywhere within the site collection. |
View Pages, Open |
| Browse Directories |
Enumerate files and folders in a website, by using an interface such as SharePoint Designer or web-based Distributed Authoring and Versioning (Web DAV). |
View Pages, Open |
| Use Self-Service Site Creation |
Create a website by using Self-Service Site Creation. |
View Pages, Open |
| View Pages |
View pages in a website. |
Open |
| Enumerate Permissions |
Enumerate permissions on the website, list, folder, document, or list item. |
View Items, Open Items, View Versions, Browse Directories, View Pages, Open |
| Browse User Information |
View information about users of the website. |
Open |
| Manage Alerts |
Manage alerts for all users of the website |
View Items, Create Alerts, View Pages, Open |
| Use Remote Interfaces |
Use Simple Object Access Protocol (SOAP), Web DAV, or SharePoint Designer interfaces to access the website. |
Open |
| Open* |
Open a website, list, or folder to access items inside that container. |
No dependent permissions |
| Edit Personal User Information |
Allow a user to change personal information, such as adding a picture. |
Browse User Information, Open |
Top of Page
List permissions and dependent permissions
The following table describes the permissions that apply to lists and libraries, and show the permissions that depend on them.
| Permission |
Description |
Dependent permissions |
| Manage Lists |
Create and delete lists, add or remove columns in a list, and add or remove public views of a list. |
View Items, View Pages, Open, Manage Personal Views |
| Override Check-Out |
Discard or check in a document that is checked out to another user. |
View Items, View Pages, Open |
| Add Items |
Add items to lists, add documents to document libraries, and add web discussion comments. |
View Items, View Pages, Open |
| Edit Items |
Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize Web Part Pages in document libraries. |
View Items, View Pages, Open |
| Delete Items |
Delete items from a list, documents from a document library, and web discussion comments in documents. |
View Items, View Pages, Open |
| View Items |
View items in lists, documents in document libraries, and web discussion comments. |
View Pages, Open |
| Approve Items |
Approve a minor version of a list item or document. |
Edit Items, View Items, View Pages, Open |
| Open Items |
View the source of documents that use server-side file handlers. |
View Items, View Pages, Open |
| View Versions |
View past versions of a list item or document. |
View Items, View Pages, Open |
| Delete Versions |
Delete past versions of a list item or document. |
View Items, View Versions, View Pages, Open |
| Create Alerts |
Create e-mail alerts. |
View Items, View Pages, Open |
| View Application Pages |
View documents and views in a list or document library. |
Open |
Top of Page
Personal permissions and dependent permissions
The following table describes the permissions that apply to personal views and web parts, and show the permissions that depend on them.
| Permission |
Description |
Dependent permissions |
| Manage Personal Views |
Create, change, and delete personal views of lists. |
View Items, View Pages, Open |
| Add/Remove Private Web Parts |
Add or remove private Web Parts on a Web Part Page. |
View Items, View Pages, Open, Update Personal Web Parts |
| Update Personal Web Parts |
Update Web Parts to display personalized information. |
View Items, View Pages, Open |
Top of Page
