How SharePoint Permission Levels Work

How SharePoint Permission Levels Work

SharePoint is an extremely useful collaboration and document management platform. Whether you are using SharePoint for hosting wiki articles, running internal project sites or exposing SharePoint to customers and partners for collaboration and document sharing, one of the most important areas to familiarize yourself with is how permission levels work within SharePoint. Improper use of SharePoint permission levels can lead to sensitive documents being widely available to anybody inside or outside of your organization or other inappropriate access. It can also lead to a lot of frustration as you try to share a document or site with a co-worker and can’t seem to give them the right level of access.

Permission levels are sets of granular rights that can be assigned when creating a new permission on a site, library, document or any securable object. SharePoint ships with a few out-of-the-box permission levels which most SharePoint users will recognize. In SharePoint 2013 those are:

Permission Level Description
View Only Enables users to view application pages. The View Only permission level is used for the Excel Services Viewers group.
Limited Access Enables users to access shared resources and a specific asset. Limited Access is designed to be combined with fine-grained permissions to enable users to access a specific list, document library, folder, list item, or document, without enabling them to access the whole site. Limited Access cannot be edited or deleted.
Read Enables users to view pages and list items, and to download documents.
Contribute Enables users to manage personal views, edit items and user information, delete versions in existing lists and document libraries, and add, remove, and update personal Web Parts.
Edit Enables users to manage lists.
Design Enables users to view, add, update, delete, approve, and customize items or pages in the website.
Full Control Enables users to have full control of the website.

With these permissions levels available by default, when granting a new permission to SharePoint it is pretty simple to choose the right access you want to give to the user or group you are assigning.

However, there are two major challenges with permissions levels:

  1. They can be modified (on every site collection)
  2. Custom permission levels can be created

Modification of permission levels is by far the biggest challenge and potential security risk for SharePoint administrators. With the exception of the Limited Access and Full Control permission levels, all other permission levels can be edited. Each site collection has its own permission levels. Each permission level maps to a set of the 33 available granular permissions. For a full list of these granular permissions, you can visit TechNet here: http://technet.microsoft.com/en-us/library/cc721640%28v=office.15%29.aspx

By allowing users to edit permission levels you could feasibly take the Read permission level and check all 33 granular options. This would make the Read role equivalent to Full Control. Moreover, it wouldn’t be obvious this change was made so any normal user who is provisioning rights would expect to be giving Read rights when in fact they were giving full access to the site.

This capability is a completely different approach than the way file and folder permissions work with NTFS where roles like Read & Execute, Modify, and List Folder Contents all have very specific meanings that cannot be altered.

In addition to modifying permission levels, brand new permission levels can be created with any name and mapped to the 33 granular rights. This creates, even more, complexity when granting access or trying to understand who can do what on SharePoint.

In order to effectively secure SharePoint and avoid giving users far more access than they need, it is very important to understand how permission levels are configured and what rights are really being granted. Because this has to be done across every site collection this can sometimes be challenging to do once SharePoint has grown to a reasonable size.

For more information on how to secure SharePoint and understand who really has access to your SharePoint data, visit our SharePoint solutions page, check out StealthAUDIT for SharePoint, or contact STEALTHbits.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.