SharePoint is an extremely useful collaboration and document management platform. Whether you are using SharePoint for hosting wiki articles, running internal project sites or exposing SharePoint to customers and partners for collaboration and document sharing, one of the most important areas to familiarize yourself with is how permission levels work within SharePoint. Improper use of SharePoint permission levels can lead to sensitive documents being widely available to anybody inside or outside of your organization or other inappropriate access. It can also lead to a lot of frustration as you try to share a document or site with a co-worker and can’t seem to give them the right level of access.
Permission levels are sets of granular rights that can be assigned when creating a new permission on a site, library, document or any securable object. SharePoint ships with a few out-of-the-box permission levels which most SharePoint users will recognize. In SharePoint 2013 those are:
| Permission level | What it enables |
|---|---|
| View Only | Enables users to view application pages. The View Only permission level is used for the Excel Services Viewers group. |
| Limited Access | Enables users to access shared resources and a specific asset. Limited Access is designed to be combined with fine-grained permissions to enable users to access a specific list, document library, folder, list item, or document, without enabling them to access the whole site. Limited Access cannot be edited or deleted. |
| Read | Enables users to view pages and list items, and to download documents. |
| Contribute | Enables users to manage personal views, edit items and user information, delete versions in existing lists and document libraries, and add, remove, and update personal Web Parts. |
| Edit | Enables users to manage lists, in addition to everything Contribute allows. |
| Design | Enables users to view, add, update, delete, approve, and customize items or pages in the website. |
| Full Control | Enables users to have full control of the website. |
With these permission levels available by default, choosing the right level of access for the user or group you are assigning is fairly simple.
However, there are two major challenges with permission levels:
- They can be modified (on every site collection)
- Custom permission levels can be created
Modification of permission levels is by far the biggest challenge and potential security risk for SharePoint administrators. With the exception of the Limited Access and Full Control permission levels, every permission level can be edited by anyone who holds the Manage Permissions right on the site collection (site owners and site collection administrators, by default). Each site collection has its own copy of the permission levels, so a change in one site collection does not affect any other. Each permission level is simply a name mapped to a subset of the 33 available granular permissions. For a full list of these granular permissions, see TechNet: http://technet.microsoft.com/en-us/library/cc721640%28v=office.15%29.aspx
Because permission levels are editable, someone could take the Read permission level and check all 33 granular options. That would make Read equivalent to Full Control, and because the name does not change, every existing grant of Read across the site collection is silently elevated at the same moment. Nothing on the sharing dialog reveals the change, so a normal user provisioning rights would expect to be granting Read when in fact they were granting full access to the site.
This differs completely from the way file and folder permissions work with NTFS, where roles like Read & Execute, Modify, and List Folder Contents have fixed, well-defined meanings that cannot be altered.
In addition to modifying permission levels, brand new permission levels can be created with any name and mapped to any combination of the 33 granular rights. This creates even more complexity when granting access or trying to understand who can do what in SharePoint.
To secure SharePoint effectively and avoid giving users far more access than they need, it is very important to understand how permission levels are configured in each site collection and what rights are really being granted. Because this has to be checked in every site collection, it becomes challenging once SharePoint has grown to a reasonable size.
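The check described above can be automated. The following PowerShell script is an added example, not code from the original post or from Stealthbits; it uses the SharePoint 2013 server object model from the SharePoint Management Shell to walk every site collection, compare each permission level's granular rights (SPRoleDefinition.BasePermissions) against those of a reference site collection, and report modified built-in levels, custom levels, and any level other than Full Control that carries site-owner-class rights. The reference URL, the hypothetical contoso host name, and the choice of which rights count as "owner-class" are assumptions; point $ReferenceSiteUrl at a freshly created site collection whose permission levels have never been edited.

```powershell
# Added example (not from the original post). Audit permission levels across a
# SharePoint 2013 farm. Run in the SharePoint 2013 Management Shell as a farm
# administrator with shell access to the content databases.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: an untouched site collection that supplies the baseline rights.
$ReferenceSiteUrl = "http://sharepoint.contoso.local/sites/reference"

# Rights that make any permission level an effective site owner, whatever its name.
# This set is the author's choice for the example; extend it to suit your policy.
$HighRiskRights = [uint64](
    [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions -bor
    [Microsoft.SharePoint.SPBasePermissions]::ManageWeb -bor
    [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs -bor
    [Microsoft.SharePoint.SPBasePermissions]::CreateGroups -bor
    [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages -bor
    [Microsoft.SharePoint.SPBasePermissions]::ApplyStyleSheets)

function Get-RightNames([uint64]$Mask) {
    # Render a bitmask as the SPBasePermissions flag names it contains.
    ([Microsoft.SharePoint.SPBasePermissions]$Mask).ToString()
}

# Baseline: permission level name -> bitmask of granular rights.
$baseline = @{}
$refSite = Get-SPSite $ReferenceSiteUrl
try {
    foreach ($rd in $refSite.RootWeb.RoleDefinitions) {
        $baseline[$rd.Name] = [uint64]$rd.BasePermissions
    }
} finally { $refSite.Dispose() }

$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        # Permission levels live on the root web; a subweb that has broken
        # role-definition inheritance carries its own copy, so inspect those too.
        foreach ($web in $site.AllWebs) {
            try {
                if (-not ($web.IsRootWeb -or $web.HasUniqueRoleDefinitions)) { continue }
                foreach ($rd in $web.RoleDefinitions) {
                    $mask = [uint64]$rd.BasePermissions
                    if ($baseline.ContainsKey($rd.Name)) {
                        $ref = $baseline[$rd.Name]
                        if ($mask -ne $ref) {
                            # Bits present now but not in the baseline, and vice versa.
                            $added   = $mask -bxor ($mask -band $ref)
                            $removed = $ref  -bxor ($ref  -band $mask)
                            [pscustomobject]@{
                                Web     = $web.Url
                                Level   = $rd.Name
                                Finding = 'Built-in level modified'
                                Detail  = 'Added: ' + (Get-RightNames $added) +
                                          ' | Removed: ' + (Get-RightNames $removed)
                            }
                        }
                    } else {
                        [pscustomobject]@{
                            Web     = $web.Url
                            Level   = $rd.Name
                            Finding = 'Custom level'
                            Detail  = Get-RightNames $mask
                        }
                    }
                    # Full Control is the only level that should hold these rights.
                    if ($rd.Type -ne [Microsoft.SharePoint.SPRoleType]::Administrator -and
                        ($mask -band $HighRiskRights) -ne 0) {
                        [pscustomobject]@{
                            Web     = $web.Url
                            Level   = $rd.Name
                            Finding = 'Owner-class rights outside Full Control'
                            Detail  = Get-RightNames ($mask -band $HighRiskRights)
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$findings | Sort-Object Web, Level | Format-Table -AutoSize
```

A Read level that has been ticked up to all 33 rights shows up twice: once as "Built-in level modified" with the added rights listed, and once as "Owner-class rights outside Full Control". Limited Access and Full Control cannot be edited, so they only ever appear if a subweb's copy differs from the reference, which is itself worth a look. Schedule the script and diff its output between runs to catch changes soon after they are made rather than during the next audit.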
For more information on how to secure SharePoint and understand who really has access to your SharePoint data, visit our SharePoint solutions page, check out StealthAUDIT for SharePoint, or contact STEALTHbits.
Jeff Warren is Stealthbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product, and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.