SharePoint 2010 Tips, Part 32

As a rule, the Site Collection Administrators group can never be empty. If you
try to remove all the users, you will receive an error. If you find a way to do it
programmatically, very bad things happen.
Site Administration
Users in the Site Owners group have been added to the Owners group and have Full Control to
content on this site. Unlike site collection administrators, this access can be overridden by customizing
permissions settings on a child site or lower level. By default, if you specify this at site creation, a
[site name] Owners group is created. This group’s members will have full control to the site.
Administration Beneath the Site Level
Management of content below the site level does not always require group membership:

- Document library or list — There is no specific group that manages content at this level, but
  permissions can be configured. This is useful when you want only a small portion of your
  content, on one site, to have restricted access.
- Individual items — Similar to the previous level, there is no set group that administers
  individual items at this level, but permissions can be configured. Providing granular control over
  user access is a powerful feature in SharePoint 2010.
UNDERSTANDING PERMISSIONS
When SharePoint is installed, a set of permissions is created. This set can be viewed by opening
Central Administration and clicking on Application Management > Manage Web Applications.
From there, highlight a web application and click on User Permission (in the Ribbon, under the Web
Applications tab). Not only can you view the available permissions, you can select the permissions
that will be available for the web application and its site collections.
It is these permissions that enable administrators to configure user access at a granular level and,
by doing so, secure content at various levels within SharePoint sites. Each permission level is one of
three types of permissions: List, Site, or Personal. As previously mentioned, these permissions are
combined to create permission levels. This method is the recommended approach for configuring
SharePoint security. Figure 8-5 shows a partial list of the available options; for a more
comprehensive look at permissions, see Table 8-1. This table provides the list of all permission levels, including
what type of permission it is. It also displays the default permission levels that have each of these
permissions out of the box.
CHAPTER 8 Securing and Managing Site Content
TABLE 81: User Permissions
PERMISSION DESCRIPTION TYPE PERMISSION LEVEL
Manage Lists Create and delete lists, add
or remove columns in a list,
and add or remove public
views of a list.
List Full Control, Design, Manage
Hierarchy
Override
Check Out
Discard or check in a docu-
ment that is checked out to
another user.
List Full Control, Design, Approve,
Manage Hierarchy
Add Items Add items to lists, and add
documents to document
libraries.
List Full Control, Design, Contribute,
Approve, Manage Hierarchy
Edit Items Edit items in lists, edit docu-

ments in document libraries,
and customize Web Part
pages in document libraries.
List Full Control, Design, Contribute,
Approve, Manage Hierarchy
Delete Items Delete items from a list, and
documents from a document
library.
List Full Control, Design, Contribute,
Approve, Manage Hierarchy
View Items View items in lists, and docu-
ments in document libraries.
List Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy, Restricted Read
Approve Items Approve a minor version of a
list item or document.
List Full Control, Design, Approve
Open Items View the source of docu-
ments with server-side file
handlers.
List Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy, Restricted Read
View Versions View past versions of a list
item or document.
List Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy
Delete

Versions
Delete past versions of a list
item or document.
List Full Control, Design, Contribute,
Approve, Manage Hierarchy
Create Alerts Create alerts List Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy
Understanding Permissions

203
PERMISSION DESCRIPTION TYPE PERMISSION LEVEL
View
Application
Pages
View forms, views, and appli-
cation pages; enumerate lists.
List Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy
Manage
Permissions
Create and change permis-
sion levels on the website
and assign permissions to
users and groups.
Site Full Control, Manage Hierarchy
View Web
Analytics Data
View reports on website

usage.
Site Full Control, Manage Hierarchy
Create
Subsites
Create subsites such
as Team sites, Meeting
Workspace sites, and
Document Workspace sites.
Site Full Control, Manage Hierarchy
Manage
Web Site
Grant the ability to perform
all administrative tasks for
the website, as well as man-
age content.
Site Full Control, Manage Hierarchy
Add and
Customize
Pages
Add, change, or delete
HTML pages or Web Part
pages, and edit the website
using a Microsoft SharePoint
Foundation compatible editor.
Site Full Control, Design, Manage
Hierarchy
Apply Themes
and Borders
Apply a theme or borders to
the entire website.

Site Full Control, Design
Apply Style
Sheets
Apply a style sheet (.
CSS file)
to the website.
Site Full Control, Design
Create Groups Create a group of users that
can be used anywhere within
the site collection.
Site Full Control
Browse
Directories
Enumerate files and folders
in a website using SharePoint
Designer and WebDAV
interfaces.
Site Full Control, Design, Contribute,
Approve, Manage Hierarchy
Use Self-
Service Site
Creation
Create a website using Self-
Service Site Creation.
Site Read, Contribute, Design,
Full Control
continues
204

CHAPTER 8 secUriNg aNd maNagiNg site coNteNt

PERMISSION DESCRIPTION TYPE PERMISSION LEVEL
View Pages View pages in a website. Site Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy, Restricted Read
Enumerate
Permissions
Enumerate permissions on
the website, list, folder, docu-
ment, or list item.
Site Full Control, Manage Hierarchy
Browse User
Information
View information about users
of the website.
Site Full Control, Design, Contribute,
Read, Limited Access, Approve,
Manage Hierarchy
Manage Alerts Manage alerts for all users of
the website.
Site Full Control, Manage Hierarchy
Use Remote
Interfaces
Use SOAP, Web DAV, the
Client Object Model, or
SharePoint Designer inter-
faces to access the website.
Site Full Control, Design, Contribute,
Read, Approve, Manage
Hierarchy
Use Client

Integration
Features
Use features that launch cli-
ent applications. Without this
permission, users must work
on documents locally and
upload their changes.
Site Full Control, Design, Contribute,
Read, Limited Access, Approve,
Manage Hierarchy
Open Allow users to open a web-
site, list, or folder in order
to access items inside that
container.
Site Full Control, Design, Contribute,
Read, Limited Access, Approve,
Manage Hierarchy, Restricted
Read
Edit Personal
User
Information
Allow a user to change his
own user information, such
as adding a picture.
Site Full Control, Design, Contribute,
Approve, Manage Hierarchy
Manage
Personal
Views
Create, change, and delete

personal views of lists.
Personal
Permissions
Full Control, Design, Contribute,
Approve, Manage Hierarchy
Add/Remove
Personal
Views
Add or remove personal Web
Parts on a Web Part page.
Personal
Permissions
Full Control, Design, Contribute,
Approve, Manage Hierarchy
Update
Personal Web
Parts
Update Web Parts to display
personalized information.
Personal
Permissions
Full Control, Design, Contribute,
Approve, Manage Hierarchy
TABLE 81
(continued)
Permission Levels

205
PERMISSION LEVELS
Permission levels are the sets of permissions that administrators use to grant users access to site
content. Depending upon the access a user or group of users require, an administrator can use the
out-of-the-box permission levels or create one that will fulfill the user access requirements.
Unlike permissions, permission levels are manageable from the site where they are being used.
From the Site Permissions page, you can access the current permission levels available for your site.
It is here you can create your own permission levels, delete existing permission levels, and modify
existing permission levels.
There are a few “best practices” when it comes to managing permission levels:

- It is not a good idea to modify a default permission level. If a default
  permission level is not configured the way you like, you can create a
  new permission level.
- When you create a new permission level, you are often only changing one
  or more permissions assigned to a default permission level. To ensure that
  you keep all the desired permissions, make a copy of the default permission
  level and then edit the permissions for the copied permission level.
- It is not recommended to delete a default permission level. If you don’t
  think you need it, there is no harm in keeping it. If you need it down the
  road, you won’t have to create it from scratch and risk not configuring it
  the same way it was originally.
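
The copy-then-edit practice above can also be scripted from the SharePoint 2010 Management Shell. The following is an added example, not code from the book: it copies the permissions of the default Contribute level into a new level and leaves out Delete Items and Delete Versions, so the default level itself is never touched. The site URL and the new level's name are placeholders chosen for illustration.

```powershell
# Added example: the URL and the new level's name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/team"  # placeholder URL
$newName = "Contribute - No Delete"                      # hypothetical name
$drop    = @("DeleteListItems", "DeleteVersions")        # permissions to leave out

$web = Get-SPWeb $siteUrl
try {
    # Permission levels can only be edited where they are defined: the
    # root web, or a subsite that has stopped inheriting them.
    if (-not ($web.IsRootWeb -or $web.HasUniqueRoleDefinitions)) {
        throw "Permission levels are inherited here; run against the parent site."
    }
    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $newName }) {
        throw "Permission level '$newName' already exists."
    }

    # The default level is only read, never modified.
    $source = $web.RoleDefinitions["Contribute"]

    # SPBasePermissions is a flags enum; its string form is a comma-separated
    # list of names, which PowerShell can cast back to the enum.
    $kept = $source.BasePermissions.ToString().Split(",") |
        ForEach-Object { $_.Trim() } |
        Where-Object { $drop -notcontains $_ }

    $copy = New-Object Microsoft.SharePoint.SPRoleDefinition
    $copy.Name            = $newName
    $copy.Description     = "Copy of Contribute without Delete Items / Delete Versions."
    $copy.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($kept -join ",")
    $web.RoleDefinitions.Add($copy)

    # Show the difference so the change can be reviewed.
    "Removed: " + ($drop -join ", ")
    "Kept:    " + ($kept -join ", ")
}
finally {
    $web.Dispose()
}
```

The new level appears on the Site Permissions page next to the defaults and can be assigned to groups like any other permission level.
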
By default, a set of permission levels is available when a new site is created. This set of
permissions will depend upon the site template that was used to create the site. For team sites there are six
default permission levels:

- Full Control — Users and groups with this permission level will have access to everything on
  the site and can perform any site administrative tasks. This shouldn’t be confused with site
  collection administrators. Users and groups with Full Control permissions cannot perform
  site collection administrative tasks.
- Design — Can view, add, update, delete, approve, and customize. A step up from Contribute,
  this permission also allows users to customize the site and its pages. Additionally, this group
  can approve items that are in containers with Content Approval enabled. For the most part,
  users and groups with this permission level can do anything on the securable object except
  for administrative tasks.
- Contribute — Can view, add, update, and delete list items and documents. This is the
  standard permission level used to grant users access to content and containers when they need to
  add, edit, and delete content.
- Read — Can view pages and list items and download documents. This is the standard
  permission level for users and groups you want to access content, but not have the permissions
  to add, edit, or delete content.
- Limited Access — Can view specific lists, document libraries, list items, folders, or documents
  when given permissions. This permission level cannot be assigned. Instead, it is the result of
  customizing permissions for a securable object. In essence, when you see this permission level
  for a user or group, the users have access to a securable object in the current container, but
  not to all the securable objects in the container.
- View Only — Can view pages, list items, and documents. Document types with server-side
  file handlers can be viewed in the browser but not downloaded. The key concept here is that
  users and groups with this permission level can’t download copies of documents with
  server-side file handlers.
Figure 8-5 shows the permission levels for team sites.
FIGURE 85
To see all of the default permission levels, you have to create a site based on a Publishing site
template. Only the Publishing site template deploys the total set of permission levels. These include the
permission levels available with the team site as well as those in the following list:

- Restricted Read — View pages and documents. For Publishing sites only. This permission
  level is similar to the Read permission level, but it only has four of the eleven Read
  permission level permissions. Key distinctions are that users with this permission level will not be
  able to create alerts, browse user information, or use client integration.
- View Only — View pages, list items, and documents. If the document has a server-side file
  handler available, users can only view the document by using that file handler. Again, this
  permission level is based on the Read permission, but it doesn’t have all the same permissions.
  A few key distinctions are that users with this permission level will not be able to open list
  and document library items, browse user information, or use client integration.
- Approve — Edit and approve pages, list items, and documents. For Publishing sites only. This
  permission level is designed to work with the Publishing Approval workflow template. Users
  and groups with this permission level will be able to edit and approve items submitted, and
  leverage the Publishing Approval workflow. They will also be able to approve items in lists
  and document libraries that have Content Approval enabled.
- Manage Hierarchy — Create sites; edit pages, list items, and documents. For Publishing sites
  only. Similar to the Design permission, this permission level allows users to edit the design
  and components that make up the site. This permission level does not include all the
  permissions that users with the Design permission level have. A key difference is that users with the
  Manage Hierarchy permission level cannot approve items leveraging the Publishing Approval
  workflow or Content Approval features.

Figure 8-6 shows the default Publishing permission levels when using the Publishing template.
FIGURE 86
An important thing to remember when working with these permission levels is that, for the most
part, moving down the hierarchy of permission levels, levels will contain all the permissions of the
permission levels that precede them. Therefore, Full Control contains all the permissions of all
the permission levels combined. The Contribute permission will have all the permissions of Read,
Restricted Read, View Only, and Limited Access.
