The SharePoint permissions structure is very flexible. There are many ways to accomplish simple tasks, such as granting a user access to a site. Although the result is the same, not understanding the subtle differences between these methods can cause a lot of pain. So, let’s get into how you can have effective SharePoint permissions management.
First, a quick reminder of the three key aspects of SharePoint permissions management:
Understanding the first aspect of SharePoint permissions management, securable objects and permissions inheritance, is important, but we won’t be focusing on it in this post. You can read more about it in our recent blog, which covers the topics of Microsoft 365 inheritance and unique permissions. We also have an in-depth blog that tells you everything you need to know about SharePoint permission levels.
In this blog, we will focus on the second and third parts of the equation: who should get access to a resource and which method to use. When it comes to the method, it’s critical to decide whether to grant access to a user directly or use groups. If you choose groups, you still need to decide between different kinds of groups.
Assigning permissions to users directly is the simplest solution. So, where is the problem? The problem appears in long-term SharePoint permissions management. If John was granted permissions to 50 documents and he’s leaving the company, you need to remove him from 50 different locations. It’s going to be a slow and cumbersome process.
In most cases, it is smarter to grant permissions to groups instead of directly to users. The groups are the ones that have permissions, and all you have to do is manage their members. If you need to remove access for a user, you can remove him from the group. You don’t need to find all the different locations with permissions and remove him manually.
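The off-boarding difference described above can be checked against a permissions report. The following is an added example, not code from the original post: it uses constructed data, every site, group and user name in it is hypothetical, and permissions inheritance is not modelled.

```python
from collections import Counter

def build_sample():
    """Constructed report rows: (object URL, principal, principal kind, level)."""
    grants = [(f"/sites/finance/Docs/report-{i:02}.docx", "john", "user", "Edit")
              for i in range(1, 51)]  # John's 50 direct grants from the text
    grants += [
        ("/sites/finance", "Finance Members", "group", "Edit"),
        ("/sites/finance/Docs/budget.xlsx", "Finance Owners", "group", "Full Control"),
        ("/sites/finance/Docs/budget.xlsx", "mary", "user", "Read"),
    ]
    members = {"Finance Members": {"john", "mary"}, "Finance Owners": {"mary"}}
    return grants, members

def offboarding_plan(user, grants, members):
    """Every change needed so that no grant reaches `user` any more."""
    direct = sorted(obj for obj, who, kind, _ in grants
                    if kind == "user" and who == user)
    groups = sorted(g for g, m in members.items() if user in m)
    return {"remove_direct_grant": direct, "remove_from_group": groups}

def direct_grant_counts(grants):
    """Direct user grants per user: candidates to move into a group."""
    return Counter(who for _, who, kind, _ in grants if kind == "user")

def remaining_access(user, grants, members, applied):
    """Objects `user` still reaches after only the `applied` plan steps."""
    reachable = set()
    for obj, who, kind, _ in grants:
        if (kind == "user" and who == user
                and "remove_direct_grant" not in applied):
            reachable.add(obj)
        if (kind == "group" and user in members.get(who, set())
                and "remove_from_group" not in applied):
            reachable.add(obj)
    return sorted(reachable)

if __name__ == "__main__":
    grants, members = build_sample()
    plan = offboarding_plan("john", grants, members)
    print(len(plan["remove_direct_grant"]), "direct grants to remove")
    print(len(plan["remove_from_group"]), "group membership to remove")
    print("left after direct cleanup only:",
          remaining_access("john", grants, members, {"remove_direct_grant"}))
```

Running `remaining_access` after each step is the useful check: cleaning up only the direct grants still leaves the access that arrives through group membership.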
So now you know that using groups is smarter. But you still might get confused about which kind of group you should use. In SharePoint Online, there are four main choices you should consider:
There are a lot of factors to consider when making a choice. Some of them are:
Let’s go over each kind of group and see which scenario makes the most sense to use them in.
SharePoint groups are defined at the site level, and they only exist inside SharePoint; therefore they cannot be used for other workloads. Each site, depending on its template, comes with a few default SharePoint groups that already have permissions assigned.
You can also create your own SharePoint groups and assign them permissions to any securable object. The advantage of a SharePoint group is that you can manage permissions on the current site, and you don’t have to go to Microsoft Entra to change group memberships.
Here’s a detailed overview of SharePoint groups and their permissions:
| Group name | Default permission level | Explanation |
|---|---|---|
| Owners | Full Control | Use this group to grant people Full Control permissions to the SharePoint site. |
| Members | Edit | Use this group to grant people Edit permissions to the SharePoint site. |
| Visitors | Read | Use this group to grant people Read permissions to the SharePoint site. |
| Viewers | View Only | Use this group to grant people View Only permissions to the SharePoint site. |
DO Use it:
DON’T Use it:
As you can see, SharePoint groups still have their place in classic SharePoint, and their use is encouraged in the old share experience. But keep in mind that Microsoft is moving away from them in modern SharePoint.
Security groups live inside Microsoft Entra, and they have a purpose similar to that of groups in on-premises AD. You can even sync groups from on-premises to the cloud. They can be used across multiple workloads and for custom applications inside your tenant.
DO Use It:
DON’T Use It:
As you can see, Security groups are the right choice if you need to ensure access just to SharePoint Online without worrying about other workloads. One of the potential downsides of plain old Security groups is that group management is usually reserved for admins using the Microsoft Entra portal or Microsoft 365 admin center, which makes them less flexible.
From an IT point of view, Microsoft 365 groups are Security groups but also much more. Microsoft 365 Groups are associated with a collection of shared resources such as a SharePoint site, Outlook inbox, shared calendar, and optionally a chat in Microsoft Teams. You don’t have to worry about manually assigning permissions to all those resources. Adding members to the group automatically gives them the permissions they need to access the tools your group provides.
Group owners can easily manage group members through almost any Microsoft app like Outlook, SharePoint Online, or Teams application, making their management more decentralized than traditional security groups.
DO Use It:
DON’T Use It:
It’s good practice to use groups for SharePoint permissions management. In the long run, this will make your life easier, with less administration and manual work. Based on the information from this article, try to figure out which group type works best for you. If you need SharePoint groups but don’t want to miss out on the benefits of the modern SharePoint experience, this is still possible. Microsoft has not made it easy, but with the help of third-party products like Syskit Point and SPDockit, this approach is much easier. Syskit’s SharePoint permissions management tools provide all the options and reporting needed to get the work done.
Remember that Microsoft 365 Groups already come with their own SharePoint site and predefined permissions structure, so you need to consider that when comparing them to other group types. Learn more about the differences between management and reporting of Microsoft 365 Groups and SharePoint permissions management by exploring our blog and subscribing to it.