100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Programming

Permission Levels and Groups

How SharePoint controls who can do what on a site through permission levels, SharePoint groups, and inheritance.

Permissions & GovernanceIntermediate9 min readJul 10, 2026
Analogies

Understanding Permission Levels and Groups

SharePoint's permission model is built on two cooperating concepts: permission levels, which are named bundles of individual rights (like the ability to add items, edit items, or manage lists), and SharePoint groups, which are collections of users that you assign a permission level to. Rather than granting rights to people one at a time, an administrator assigns a permission level to a group, and every member of that group inherits those rights on the securable object the group is applied to.

🏏

Cricket analogy: It's like the way a franchise assigns a role rather than negotiating a contract clause by clause with every player: naming Rohit Sharma as captain bundles decision rights like batting order and bowling changes into one designation, rather than listing each privilege separately.

The Built-In Permission Levels

SharePoint ships with several out-of-the-box permission levels. Full Control includes every right, including managing permissions themselves, and is reserved for site owners. Design allows creating lists, editing pages, and applying themes. Edit lets users add, edit, and delete lists and list items but not change site structure. Contribute allows adding and editing items in existing lists without deleting the lists themselves. Read grants view-only access to content, and View Only permits viewing items rendered in the browser (such as via Office Online) without downloading the underlying file. Each level is really a named set of the roughly 33 individual base permissions like ViewListItems, AddListItems, and ManagePermissions.

🏏

Cricket analogy: Full Control is like the BCCI selection committee, which can pick the XI, change the coach, and rewrite selection policy, while Read access is like a fan with a stadium ticket who can watch the Mumbai Indians play but can't touch the team sheet.

Default and Custom SharePoint Groups

Every SharePoint site created with the standard template gets three default groups: Site Owners (mapped to Full Control), Site Members (mapped to Edit), and Site Visitors (mapped to Read). Administrators can also create custom SharePoint groups—for example, 'Finance Reviewers' or 'HR Approvers'—and assign any permission level to them, including custom levels built from individual rights. Membership in a SharePoint group can come from individual users, Microsoft 365 groups, or synced Azure AD security groups, giving admins flexibility to manage access at the identity-provider layer while SharePoint groups remain the object being granted rights.

🏏

Cricket analogy: The three default groups are like a club's fixed roles—Owners as the team management who set strategy, Members as the playing XI who take the field, and Visitors as fans in the stands—while a custom group like 'Selection Panel' can be created for a specific need, the way IPL franchises sometimes form ad hoc scouting committees.

Permission Inheritance and Breaking It

By default, every list, library, folder, and item inherits its permissions from its parent, all the way up to the site. This keeps administration simple: change permissions once at the site level and every subsite, library, and item reflects it. When a specific folder or document needs different access—say, an HR folder that only certain people should see—an admin can 'break inheritance,' which copies the current permissions down to that object as a unique, independent set. From that point forward, changes at the parent no longer propagate to the broken object, and it must be managed separately, which is why Microsoft recommends breaking inheritance sparingly and documenting where it happens.

🏏

Cricket analogy: Inheritance is like a franchise's junior teams following the senior team's playing philosophy by default, but if the U-19 side needs its own distinct coaching approach, the academy 'breaks inheritance' and manages that squad's rules independently going forward.

powershell
# Connect to a site and grant a custom permission level to a SharePoint group using PnP PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/FinanceHub" -Interactive

# Create a custom permission level cloned from Contribute, minus Delete rights
Add-PnPRoleDefinition -RoleName "Contribute No Delete" -Clone "Contribute" -Exclude DeleteListItems,DeleteVersions

# Create a SharePoint group and assign the custom permission level
New-PnPGroup -Title "Finance Reviewers" -Owner "finance-leads@contoso.com"
Set-PnPGroupPermissions -Identity "Finance Reviewers" -AddRole "Contribute No Delete"

# Break inheritance on a specific document library and copy current permissions down
Set-PnPList -Identity "Confidential Budgets" -BreakRoleInheritance -CopyRoleAssignments
Set-PnPListPermission -Identity "Confidential Budgets" -Group "Finance Reviewers" -AddRole "Contribute No Delete"

Avoid assigning permission levels directly to individual users on lists, folders, or items. Unique per-item permissions are hard to audit, easy to forget, and multiply quickly. Always assign permissions to a SharePoint group (or a synced Azure AD security group), and manage membership there instead—it keeps access reviews and offboarding manageable.

  • Permission levels are named bundles of individual rights (Full Control, Design, Edit, Contribute, Read, View Only).
  • SharePoint groups (Owners, Members, Visitors, plus custom groups) are collections of users assigned a permission level.
  • Every securable object inherits permissions from its parent by default, all the way up to the site.
  • Breaking inheritance copies current permissions down and makes an object's permissions independent going forward.
  • Custom permission levels can be built or cloned to grant a narrower set of rights than the built-in defaults.
  • Best practice is to assign rights to groups, not individuals, to keep access auditable and easy to offboard.
  • PnP PowerShell cmdlets like Set-PnPList -BreakRoleInheritance and Set-PnPGroupPermissions automate governance at scale.

Practice what you learned

Was this page helpful?

Topics covered

#Programming#SharePointStudyNotes#PermissionLevelsAndGroups#Permission#Levels#Groups#Built#StudyNotes#SkillVeris#ExamPrep