Understanding Permission Levels and Groups
SharePoint's permission model is built on two cooperating concepts: permission levels, which are named bundles of individual rights (like the ability to add items, edit items, or manage lists), and SharePoint groups, which are collections of users that you assign a permission level to. Rather than granting rights to people one at a time, an administrator assigns a permission level to a group, and every member of that group inherits those rights on the securable object the group is applied to.
Cricket analogy: It's like the way a franchise assigns a role rather than negotiating a contract clause by clause with every player: naming Rohit Sharma as captain bundles decision rights like batting order and bowling changes into one designation, rather than listing each privilege separately.
The Built-In Permission Levels
SharePoint ships with several out-of-the-box permission levels. Full Control includes every right, including managing permissions themselves, and is reserved for site owners. Design allows creating lists, editing pages, and applying themes. Edit lets users add, edit, and delete lists and list items but not change site structure. Contribute allows adding and editing items in existing lists without deleting the lists themselves. Read grants view-only access to content, and View Only permits viewing items rendered in the browser (such as via Office Online) without downloading the underlying file. Each level is really a named set of the roughly 33 individual base permissions like ViewListItems, AddListItems, and ManagePermissions.
Cricket analogy: Full Control is like the BCCI selection committee, which can pick the XI, change the coach, and rewrite selection policy, while Read access is like a fan with a stadium ticket who can watch the Mumbai Indians play but can't touch the team sheet.
Default and Custom SharePoint Groups
Every SharePoint site created with the standard template gets three default groups: Site Owners (mapped to Full Control), Site Members (mapped to Edit), and Site Visitors (mapped to Read). Administrators can also create custom SharePoint groups—for example, 'Finance Reviewers' or 'HR Approvers'—and assign any permission level to them, including custom levels built from individual rights. Membership in a SharePoint group can come from individual users, Microsoft 365 groups, or synced Azure AD security groups, giving admins flexibility to manage access at the identity-provider layer while SharePoint groups remain the object being granted rights.
Cricket analogy: The three default groups are like a club's fixed roles—Owners as the team management who set strategy, Members as the playing XI who take the field, and Visitors as fans in the stands—while a custom group like 'Selection Panel' can be created for a specific need, the way IPL franchises sometimes form ad hoc scouting committees.
Permission Inheritance and Breaking It
By default, every list, library, folder, and item inherits its permissions from its parent, all the way up to the site. This keeps administration simple: change permissions once at the site level and every subsite, library, and item reflects it. When a specific folder or document needs different access—say, an HR folder that only certain people should see—an admin can 'break inheritance,' which copies the current permissions down to that object as a unique, independent set. From that point forward, changes at the parent no longer propagate to the broken object, and it must be managed separately, which is why Microsoft recommends breaking inheritance sparingly and documenting where it happens.
Cricket analogy: Inheritance is like a franchise's junior teams following the senior team's playing philosophy by default, but if the U-19 side needs its own distinct coaching approach, the academy 'breaks inheritance' and manages that squad's rules independently going forward.
# Connect to a site and grant a custom permission level to a SharePoint group using PnP PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/FinanceHub" -Interactive
# Create a custom permission level cloned from Contribute, minus Delete rights
Add-PnPRoleDefinition -RoleName "Contribute No Delete" -Clone "Contribute" -Exclude DeleteListItems,DeleteVersions
# Create a SharePoint group and assign the custom permission level
New-PnPGroup -Title "Finance Reviewers" -Owner "finance-leads@contoso.com"
Set-PnPGroupPermissions -Identity "Finance Reviewers" -AddRole "Contribute No Delete"
# Break inheritance on a specific document library and copy current permissions down
Set-PnPList -Identity "Confidential Budgets" -BreakRoleInheritance -CopyRoleAssignments
Set-PnPListPermission -Identity "Confidential Budgets" -Group "Finance Reviewers" -AddRole "Contribute No Delete"Avoid assigning permission levels directly to individual users on lists, folders, or items. Unique per-item permissions are hard to audit, easy to forget, and multiply quickly. Always assign permissions to a SharePoint group (or a synced Azure AD security group), and manage membership there instead—it keeps access reviews and offboarding manageable.
- Permission levels are named bundles of individual rights (Full Control, Design, Edit, Contribute, Read, View Only).
- SharePoint groups (Owners, Members, Visitors, plus custom groups) are collections of users assigned a permission level.
- Every securable object inherits permissions from its parent by default, all the way up to the site.
- Breaking inheritance copies current permissions down and makes an object's permissions independent going forward.
- Custom permission levels can be built or cloned to grant a narrower set of rights than the built-in defaults.
- Best practice is to assign rights to groups, not individuals, to keep access auditable and easy to offboard.
- PnP PowerShell cmdlets like Set-PnPList -BreakRoleInheritance and Set-PnPGroupPermissions automate governance at scale.
Practice what you learned
1. Which built-in SharePoint permission level allows adding and editing list items but does not allow deleting the list itself or changing site structure?
2. What happens when an administrator breaks permission inheritance on a document library?
3. Which SharePoint group is mapped to the Full Control permission level by default on a standard team site?
4. Why does Microsoft recommend assigning permissions to SharePoint groups rather than individual users?
5. What is a permission level actually composed of under the hood?
Was this page helpful?
You May Also Like
Sharing and Access Requests
How SharePoint sharing links, external sharing settings, and the access request workflow let users collaborate without administrators manually managing every grant.
Information Governance
The policies, labels, and lifecycle controls organizations use in SharePoint to manage content responsibly from creation to disposal.
Site Provisioning
How new SharePoint sites get created, templated, and governed at scale, from self-service creation to automated provisioning pipelines.
Related Reading
Related Study Notes in Programming
Browse all study notesApache Spark Study Notes
Programming · 30 topics
ProgrammingApache Flink Study Notes
Programming · 30 topics
ProgrammingHadoop Study Notes
Programming · 30 topics
ProgrammingSnowflake Study Notes
Programming · 30 topics
ProgrammingApache Airflow Study Notes
Programming · 30 topics
Programmingdbt (Data Build Tool) Study Notes
Programming · 30 topics