Default SharePoint Groups in SharePoint Online

The default SharePoint groups are created automatically when you create a site collection. The default groups use SharePoint’s default permission levels – sometimes called SharePoint roles – to grant users rights and access. The permission levels that these groups have represent common levels of access that users have to have. They are a good place to start when you add users to a SharePoint site.

Administrators can create additional groups to align more closely with specific business needs. Deciding how to design and populate your SharePoint security groups is an important decision that affects security for your site and site content.

In this article


Permission levels for default SharePoint groups

SharePoint groups enable you to control access for sets of users instead of individual users. SharePoint groups are usually composed of many individual users. They can also hold Windows Active Directory security groups (created in Office 365), or can be a combination of individual users and security groups.

Each SharePoint group has a permission level. A permission level is simply a collection of individual permissions, such as Open, View, Edit or Delete. All the users in a group automatically have the permission level of the group. You can organize users into any number of groups, depending on the complexity of your organization, or your needs.

Each site template has a set of SharePoint groups associated with it. When you create a site, you use a site template, and SharePoint automatically creates the correct set of SharePoint groups for the site. The specific collection of groups depends on the type of template that you choose.

For example, the following table shows the groups and permission levels that are created for the Public Website and the Team Site:

SharePoint groups Default permission level Applies to Public Website Applies to Team Sites
Approvers Approve Yes No
Designers Design, Limited Access Yes No
Hierarchy Managers Manage Hierarchy Yes No
<site name> Members Edit Yes Yes
<site name> Owners Full Control Yes Yes
<site name> Visitors Read Yes Yes
Restricted Readers Restricted Read Yes No
Style Resource Readers Limited Access Yes No
Quick Deploy Users Contribute Yes No
Translation Mangers Limited Access Yes No

Suggested uses for SharePoint groups

The following table describes the SharePoint groups that are created when you use a standard site template to create a site. The table also provides suggested uses for each group.

Group Name Permission level ) Use this group for:
Approvers Approve Members of this group can edit and approve pages, list items, and documents.
Designers Design Members of this group can edit lists, document libraries, and pages in the site. Designers can create Master Pages and Page Layouts in the Master Page Gallery and can change the behavior and appearance of each site in the site collection by using master pages and CSS files..
Hierarchy Managers Manage Hierarchy Members of this group can create sites, lists, list items, and documents.
Owners Full Control People who must be able to manage site permissions, settings, and appearance.
Members Edit or Contribute People who must be able to edit site content. Permission level depends on the site template that was used to create the site
Visitors Read People who must be able to see site content, but not edit it.
Restricted Readers Restricted Read People who should be able to view pages and documents but not view versions or permissions.
Style Resource Readers Restricted Read People in this group have Limited Access to the Style Library and Master Page Gallery.
Quick Deploy Users Contribute These users can schedule Quick Deploy jobs (Content Deployment).
Viewers View Only These users see content, but can't edit or download it.

Special SharePoint Groups

In addition, special SharePoint groups support high-level administration tasks, such as site collection administrators, who have Full Control of all sites in a designated site collection.

Company Administrator and Everyone except external users groups for Office 365 users

The Company Administrator and Everyone except external users groups contain admins and users for Office 365. They provide access for Office 365 users on a SharePoint site.

Everyone except external users    When a user is added to Office 365, the user automatically becomes a member of Everyone except external users. By default, the Everyone except external users group is added to the Members group on the SharePoint Team Site. It is automatically assigned a permission level of Contribute. This means all users who are added to Office 365 can view, add, update, and delete items from lists and libraries. If you want to change the permission levels for this group, you can remove it from the Members group and then add it to a group that uses different permissions. For example, you might add the Everyone except external users to the SharePoint Visitors group. This automatically assigns a Read permission level to all users in the Everyone except external users group

Company Administrators    Any user who is a Global admin on Office 365 is a member of the Company Administrator group. By default, the Office 365 Company Administrators group is added into the SharePoint Owners group. In addition, the Company Administrators group is added to the list of Site Collection administrators. This group has a permission level of Full Control.

Although you can change the group membership for Company Administrators, it’s important to be careful. Because the Company Administrators group members are Global admins in Office 365, and also Site Collection administrators, changing their group status might have unexpected consequences. For example, if you remove a Company Administrator from the SharePoint Owners group, the Global admin group might no longer have Full Control permissions.

 Important    Do not remove a Company Administrators or Global admin groups before you configure permissions appropriately. Be sure that these users have the permission level that they must have to perform necessary actions. If you do not make sure that these users have appropriate permission levels, SharePoint security configuration is much more difficult. For example, site administrators can’t configure access for groups, but instead must grant access to sites a per-user basis.

Site collection administrators

SharePoint Online SharePoint On-premises
Who can use this group? Yes Yes

A SharePoint site can have primary and secondary site collection administrators. If you are a site collection administrator, you can designate more site collection administrators.

These users are the main contacts for a whole site collection. Site Collection Administrators have full control of all sites within the site collection, can audit all site content, and receive any administrative alert messages.

In SharePoint On-premises, you designate a site collection administrator when you install a site.

In SharePoint Online, the account that you used when you setup SharePoint Online is automatically a site collection administrator. If you have to add more site collection administrators in SharePoint Online, an existing site collection administrator or the SharePoint online administrator can do so.

SharePoint online

administrators

SharePoint Online SharePoint On-premises
Who can use this group? Yes

No, by default.

Requires special installation.

If you use SharePoint Online for Enterprises, there is also a SharePoint online administrator. Any Office 365 Global Administrator also has permissions to browse and use the tenant administration site. A SharePoint online administrator manages settings for all site collections available to the SharePoint online subscription.

The SharePoint online administrator can do any of the following tasks:

  • Configure user profile and InfoPath forms services
  • Setup search parameters
  • Set up a secure store and business connectivity services
  • Create a term store
  • Define a records management system
  • Monitor quotas
  • Turn on or off the ability to invite external users to access the SharePoint Online site
  • Create, update, or delete site collections
  • Assign primary and secondary site collection owners to any site collection in their venue.

If you are using SharePoint on-premises, you do not have a SharePoint Online Administrator, or SharePoint Online Administrator site, after a standard SharePoint installation.

Top of Page Top of Page

 
 
Applies to:
SharePoint admin center, SharePoint Online Enterprise (E1), SharePoint Online Enterprise (E3 & E4), SharePoint Online Midsized Business, SharePoint Online Small Business, SharePoint Online Website