facebook google plus twitter
Webucator's Free SharePoint 2013 Tutorial

Lesson: Managing SharePoint Site Permissions

Welcome to our free SharePoint 2013 tutorial. This tutorial is based on Webucator's SharePoint 2013 End User Training course.

Permissions on a SharePoint site are assigned when a site is created. The default is that permissions assigned to the root of a site collection are inherited by child sites. At any time, permissions inheritance can be turned off at a site, list, library, or even at the item level in a list or library. The permissions themselves can be assigned to either SharePoint groups, individual users, or groups created outside of SharePoint such as Windows groups.

Lesson Goals

  • Learn about SharePoint groups.
  • Learn how to create SharePoint groups.
  • Learn how to assign permission in SharePoint.
  • Learn how to view permission levels.
  • Learn how to manage permission inheritance at the site level.
  • Learn how to manage permission inheritance at the list or library level.
  • Learn how to manage permission inheritance at the item level.

SharePoint Groups

View the Default SharePoint Groups

SharePoint creates default groups based on the template used to create the root site in the site collection. In the following walk-through you will view the default groups created in your root site, Contoso Home Site is the title of the root site used in the walk-through. Later in this lesson, you will explore how child sites inherit these groups by default and how to change that.

  1. Make sure your browser is open to the root team site.
  2. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
  3. Click the Site permissions link on the Site Settings page. Site Settings.
  4. Verify the default groups in the list are Members, Owners, Visitors, and Excel Services Viewers. Note that the Members, Owners, and Visitors groups have the site's name Contoso Home Site appended to them.Site Permissions list
  5. Click the Members link to view the list of members and verify that it is currently empty.Members list

    Note that when you view a SharePoint group's membership list, the Quick Launch menu is modified to provide links to the other SharePoint groups for easy access.

  6. Click the Excel Services Viewers link in the Quick Launch menu to view its members and verify that it is currently empty.Viewers list
  7. Click the Visitors link in the Quick Launch menu to view its members and verify that Wilbur Whipple is a member. Visitors list
  8. Click the Owners link in the Quick Launch menu to view its members and verify it contains your account.Owners list

    These accounts were added during the creation of the root site and site collection. The accounts might be different in your installation.

  9. Navigate back to the original view of all the groups and the PERMISSIONS toolbar.

    Note that you could alternatively click the Groups link or the More... link in the Quick Launch to view the People and Groups: All Groups list. One downside to this view is it does not provide you the PERMISSIONS toolbar.

    1. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
    2. Click the Site permissions link on the Site Settings page. Site Settings.
  10. Create a new SharePoint group.
    1. Click the Create Group link button from the PERMISSIONS toolbar. Permission Tools toolbar
    2. Enter Designers in the Name field of the Create Group form.New Group form
    3. Leave the owner user set to your account.New Group form

      Note that we can only have one entry for the Owner, but we can switch the user for a group.

    4. Leave the default options set in the Group Settings region.New Group form
    5. Leave the default options set in the Membership Requests region.New Group form
    6. Select the Design option in the Give Group Permission to this Site region and click the Create button to complete the process.New Group form

      The Design permission has more site level permissions than the Contribute level but less than the Full Control level. Later in this lesson, you will learn about Permission Levels.

Assigning Permissions

Assigning permissions to SharePoint resources can be done several different ways. One method is to assign a user or group account, typically Windows users or groups, directly to a permission level or add them to a SharePoint group.

Grant permissions directly dialog

The recommended method is to grant permissions by adding user or group account into the SharePoint groups. The following walk-through will take this recommended approach.

Add a User Account to a SharePoint Group

This walk-through will use the recommended method of adding a Windows user account into a SharePoint group to receive the permissions level assigned to that group.

  1. Make sure your browser is open to the root team site.
  2. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
  3. Click the Site permissions link on the Site Settings page. Site Settings.
  4. Click the Grant Permission link button from the PERMISSIONS tab toolbar.Permission Tools toolbar
  5. Enter DemoUser in the Invite people field and click the SHOW OPTIONS link.Add user dialog
  6. Change the Select a group or permission level drop-down option to <<Site Name>> Visitors [Read] and uncheck the Send an email invitation option. Add user dialog
  7. Click the Share button to complete the action.

Permission Levels

Permission level can only be created by Site Collection administrators or Farm level administrators. For that reason, creating and modifying permission levels is outside the scope of this course. What we will do is view the granular permissions that are combined in a permission level. The permission levels usage you have already seen in the earlier demonstration when we created a new SharePoint group. You can also assign a permission level directly to a user or group, Windows users and groups typically, but this is not recommended.

View Permission Level Permissions

This walk-through will view the granular permissions that are assigned to the Full Control permission level.

  1. Make sure your browser is open on your root team site.
  2. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
  3. Click the Site permissions link on the Site Settings page. Site Settings.
  4. Click the Permission Levels link button from the Edit tab of the Permission Tools toolbar.Permission Tools toolbar

    Note that the Permission Levels link button is only available at the root site of the Site Collection.

  5. Click the Full Control link in the Permission Levels page to view the permissions.Permission levels list
  6. Note the permissions are divided into three groups List Permissions, Site Permissions, and Personal Permissions. Take a few moments to read through the list of permissions and their descriptions. Permissions list Permissions list Permissions list
  7. Click the Cancel button at the bottom of the Permission Levels page once you are done viewing the permissions.

Permissions Inheritance

Permissions are initially assigned to the root site of the Site Collection when it is created. Child sites have the option when they are created to use unique permissions or inherit the permissions of the parent site. The default setting is to inherit permissions, but you can always break the inheritance and assign unique permissions any time you like provided you have the permission to do so.

Permissions to lists, libraries, and the items within are similar in that they automatically inherit the permissions of their parent site. Just as with child sites, you can always turn off the inheritance and manage permissions in the list, library, or even the individual item.

Modifying Permissions Inheritance

This walk-through will turn off permissions inheritance first in the Golf Clubs list and then in the child site Sub Site A.

  1. Make sure our browser is open on your root team site.
  2. Modify the permissions of the Golf Clubs list.
    1. Click the Golf Clubs link in the Quick Launch menu. Quick Launch
    2. Click the LIST tab to open the toolbar. List tab.
    3. Click the Shared With link button on the LIST tab toolbar. Share link

      If the browser window is not wide enough, the Shared With icon may not display, but it will be listed under the Settings button menu. Alternatively, you could use the List Settings page and the Permissions for this list link on there.

    4. The Shared With lists the current users who have permissions to the list. Click the ADVANCED link. Shared With list.
    5. Note on the List Permissions page for the Golf Clubs list there is a banner notifying us that the list is inheriting permissions from its parent, Contoso Home Site in this example.List permissions toolbar
    6. Click the Stop Inheriting Permissions link button to turn off the inheritance for the Golf Clubs list.List permissions toolbar
    7. Click the OK button on the Message from webpage dialog window notifying you that permission from the parent will no longer affect this list.Message from webpage
    8. Note that now the List Permissions page banner is notifying you that This list has unique permissions and the PERMISSIONS toolbar has more options.List permissions toolbar
  3. Modify the permission of the Sub Site A child site.
    1. Click the BROWSE tab to close the PERMISSIONS toolbar then click the SubSite A link in the Top Link Bar. Navigate Up menu

      Any child site will do if you do not have one named Sub Site A.

    2. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
    3. Click the Site permissions link on the Site Settings page. Site Settings.
    4. Note on the Site Permissions page for the Sub Site A site there is a banner notifying you that the list is inheriting permissions from its parent.Site permissions toolbar
    5. Click the Stop Inheriting Permissions link button to turn off the inheritance for the Sub Site A child site.Site permissions toolbar
    6. Click the OK button on the Message from webpage dialog window notifying you that permission from the parent site will no longer affect this site. Message from webpage
    7. When the inheritance is broken, you are given the option of Use an exiting group or Create a new group. For this walk-through, leave it set to the default and click the OK button. Permission inheritence.
    8. Follow the earlier steps to navigate back the the Site permissions page for SubSite A.
    9. Note that now the Site Permissions page banner is notifying you that This web site has unique permissions. Site permissions toolbar

Working with SharePoint Permissions

Duration: 15 to 25 minutes.

In this exercise, you will learn to manage permissions on your SharePoint site.

  1. Attempt to log in to your root site with an account that does not have any permissions to the site.
    1. While holding down the Shift key, right-click your browser icon and choose the Run as different user option. Run as different user.
    2. In the Widows Security dialog window, enter "Homer" for the account name and "Pa$$w0rd" for the password or any account that does not currently have permissions to the site. Click the OK button to complete the logon.Windows Security dialog window
    3. Try to navigate to root of your team site. Root site url
    4. Verify that you get an Access Required page.Access Denied Message
    5. Leave the browser session you opened with your alternate account open and switch back to the browser window opened with your student account.
  2. Grant a new user Visitor permissions to your root team site.
    1. In the browser window opened with your student account click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
    2. Click the Site permissions link on the Site Settings page. Site Settings.
    3. On the Site Permissions page, take a moment to read the existing entries and their Permission Levels.Contoso Site permissions page
    4. Click the Owners SharePoint group from the list to view its members.
    5. In the Owners list page note that the account you are logged in with is a member. This gives you full permissions to the site.Team Site Owners list
    6. Use your browser's Back button to go back to the Site Permissions page.
    7. Click the Check Permissions link button in the PERMISSIONS tab toolbar.conPermission Tools toolbar
    8. In the Check Permissions dialog form enter the account name of the account you attempted to log in earlier with in the User/Group field and click the Check Now button.Check Permissions dialog
    9. Verify that the results of the permissions check are None. Click the Close button to close the dialog form.Check Permissions dialog
    10. Click the Grant Permissions link button in the PERMISSIONS tab toolbar.Permission Tools toolbar
    11. In the Share dialog form, type "Homer Simpson", or any account name of the account that does not currently have permissions to the site in the Invite people field. The name should resolve as you type and allow you to pick it from a drop-down list. Grant Permissions dialog

      You can also click the SHARE link in the upper-right corner of the page to open the same dialog.

    12. Click the SHOW OPTIONS link to see the permission options. Permissions dialog.
    13. Uncheck the Send an email invitation checkbox and change the Select group or permission level list box to Visitors [Read]. Click the Share button to complete the permissions assignment.Grant Permissions dialog
    14. To verify that the account has the correct permissions now, click the Check Permissions link button in the PERMISSIONS tab toolbar.Permission Tools toolbar
    15. In the Check Permissions dialog form, enter 'Homer Simpson' or whatever account you just added, in the User/Group field and click the Check Now button.Check Permissions dialog
    16. Verify that the results of the permissions check now is Read. The results should be similar to the following image. Click the Close button to close the dialog form.Check Permissions dialog
  3. Test the permissions to verify they have Read permissions to the site.
    1. Switch back to the browser window you opened at the beginning of the exercise as "Homer" or whichever account you used.
    2. Retype the URL of your home site. Root site url

      Note that just refreshing the page does not work. That will just refresh the request access page.

    3. Verify that the account can now see the Home page of your root team site.
    4. Click the Settings drop-down button and note that the items listed are security trimmed based on rights.Site Actions menu trimmed for Homer
    5. Click the Favorite Cars list in the Quick Launch menu and verify that you can see the items in the list.Quick Launch menu
    6. Click the Bugatti link within the Favorite Cars list to view its properties.
    7. Note that the Edit Item button on the VIEW toolbar in the Favorite Cars - Bugatti form is grayed out and you are unable to click it.Bugatti dialog form
    8. Click the Close button to close the Favorite Cars - Bugatti form.
  4. Grant visitor account edit permissions to the Favorite Cars list.
    1. Switch back to the browser window logged in with your student account that has owner permissions. Student00
    2. Click the Favorite Cars link in the Quick Launch menu.
    3. Click the LIST tab to open the toolbar.List Tools List tab
    4. Click the Shared With icon within the Settings region on the LIST tab toolbar.List Tools List tab

      The Shared With icon text may or may not be displayed depending on the size of your browser window.

    5. Click the ADVANCED link on the Shared With dialog. Shaded With dialog.
    6. Click the Stop Inheriting Permissions link button in the PERMISSIONS tab toolbar.Permission Tools toolbar
    7. Click OK to the Message from webpage dialog window to accept the change.Message from webpage dialog
    8. Note that the PERMISSIONS toolbar has changed now that it is no longer inheriting permissions from the parent site. Click the Grant Permissions link button.Permission Tools toolbar
    9. In the Share 'Favorite Cars' dialog form, type the user account you want to grant permissions, 'Homer Simpson', in the Invite people field and click the SHOW OPTIONS link. Favorite Cars Grant Permissions dialog
    10. Uncheck the Send an email invitation checkbox and leave the Select a permission level set to Edit and click the Share button. Share options.
    11. Note that the user account is now in the permissions list for Favorite Cars with Edit permissions.Favorite Cars permission list
  5. Grant an account Full Control permissions to the Accounting child site.
    1. Click the BROWSE tab to close the PERMISSIONS toolbar.Navigate Up menu
    2. Click the Accounting link in the Top Link Bar of the root team site.Top Link Bar menu
    3. Click the Settings menu link and then select the Site settings link from the available options. Site Actions menu
    4. Click the Site permissions link on the Site Settings page. Site Settings.
    5. Note that the permissions of the Accounting site are inheriting the permissions of its parent site.Permission Tools toolbar
    6. Click the Stop Inheriting Permissions button on the PERMISSIONS tab toolbar. Permission Tools toolbar
    7. Click the OK button on the Message from webpage dialog window to accept the unique permissions setting. Message from webpage
    8. When the inheritance is broken you are given the option of Use an exiting group or Create a new group. Leave it set to the default and click the OK button. Permission inheritence.
    9. Repeat the earlier steps to navigate back to the Site permissions page for the Accounting site.
    10. Note that the PERMISSIONS toolbar has changed now that the site has unique permissions. Click the Grant Permissions button. Permission Tools toolbar
    11. In the Share dialog form, type "Homer Simpson", or any account name of the account that does not currently have permissions to the site in the Invite people field. The name should resolve as you type and allow you to pick it from a drop-down list. Grant Permissions dialog

      You can also click the SHARE link in the upper-right corner of the page to open the same dialog but it doesn't have the same choices in the SHOW OPTIONS list.

    12. Click the SHOW OPTIONS link to see the permission options. Permissions dialog.
    13. Uncheck the Send an email invitation checkbox and select Full Control from the Select a group or permission level list-box options. Permission options
    14. Click the Share button at the bottom of the Share 'Accounting' dialog form to save your changes.
  6. Test the new permissions given to account in the Favorite Cars list and the Accounting child site.
    1. Switch back to the browser window logged in as 'Homer Simpson' or whatever account your are testing. Homer Simpson
    2. Click the Settings drop-down button and note that the options are still limited to the user in the root team site.Site Actions menu trimmed for Homer
    3. Click the Favorite Cars list in the Quick Launch menu and verify the user account can see the items in the list.Quick Launch menu
    4. Click the Bugatti link within the Favorite Cars list to view its properties.
    5. Note that the Edit Item button and Delete Item button on the View toolbar in the Favorite Cars - Bugatti form are available to the user to use.Bugatti dialog formFeel free to test the user's editing abilities by changing any of the values you like.
    6. Click the Close button on the Favorite Cars - Bugatti form.
    7. Click the Accounting link in the Top Link Bar of the root site.Top Link Bar menu
    8. Click the Settings menu in the Accounting site and note that the user account has full access to all the items in the menu due to the Full Control permissions at this child site.Site Actions menu
    9. Optional: Take a few moments and test any action in the Accounting site logged in with the new account to verify their permissions.