Photo credit Iker Urteaga
Article Last Updated: Feb. 6th, 2019
So, this is my first real article. SharePoint groups and permissions. I initially wrote my first article, ran it by a colleague, and he said – and I may be paraphrasing – “Are you having a laugh? This thing is 18 pages long!”. So, I went back to the drawing board and noticed that I had several articles spanning the same topic – SharePoint permissions. Each one of these would need some foundational text and links so I decided to write that part myself. And this is it.
The Building Blocks of SharePoint Permissions
SharePoint has used the same three default groups when a site is created, since I started working with SharePoint 2007. In this article, I wanted to talk about these default groups, detail how they relate to the permissions and security of a SharePoint site, and show how to interact with them.
What are the Default Groups?
When you add a new site collection in SharePoint, three default groups are created to classify users’ access to the site. These groups are called:
- <Site Name> Visitors
- <Site Name> Members
- <Site Name> Owners
Checking the Default Groups
There are ways to switch the default groups through the SharePoint interface, but there is no easy way to detect what the current default groups are. My recommended approach has always been to use the following URL:
<URL to site>/_layouts/15/permsetup.aspx
This will take you to an interface showing something like this:
If any of the default groups are missing, you will see the “Create a new group” option selected, and a default group name may be presented.
Each default group has a default permission level assigned. I could probably write an entire article on permission levels, but for now, I’ll settle for linking to this article on Microsoft Docs. The default permission levels are set as follows:
- <Site Name> Visitors – Read
- <Site Name> Members – Edit
- <Site Name> Owners – Full Control
Before SharePoint 2013, the Members group was set to Contribute instead of Edit. The Contribute level gave the Members group the ability to interact with documents and list items but did not allow them to create and edit lists/libraries on the site. In SharePoint 2013, this level was increased to Edit, causing many SharePoint experts to manually set it back to Contribute as their first step when creating a new site.
Site Collection Administrators
Site collection administrators are not one of the default groups that I mentioned above, however, it is a standard “group” on every site collection, and these users have unlimited access to the site.
Accessing the Groups
Except for the permissions panel introduced in the modern SharePoint interface, interacting with these groups directly has been the main interface for managing permissions in SharePoint sites. Historically, you would need to navigate to Site Settings and choose the Site Permissions link to arrive at a page showing all the users and groups with permissions to the site. In modern SharePoint, this process starts at the Site Permissions panel. The panel allows you see the membership of the default groups without leaving the current page and gives you access to the classic site permissions page through the “Advanced Permissions settings” link.
Site Permissions Panel
Location: Gear > Site Permissions
The information from the classic site permissions page is presented through the modern interface as the site permissions panel. The panel doesn’t use the default names exactly as they exist in the SharePoint, but it does include the familiar Owners, Members, and Visitors labels.
Advanced Permissions Page
Location: Gear > Site Permissions > Advanced permissions settings
The advanced permissions page is the classic Site Settings > Site Permissions page. From here you can see and interact with the default groups that have been created. You will need to select a group to modify the members.
Note: People can be added here and given a permissions level directly, without a group. Never do this. At some point you will need to replace that user with a different user or add another user with the same permissions. These things are difficult to do without groups and should be avoided at all costs.
Relationship between the Permissions Panel and the Default groups
Generally, the relationship between the panel and the default groups is straightforward. The membership of each group on the panel directly relates to the members in the advanced permissions group.
Note: I said “Generally” above because there is a situation where the panel may in fact lie about the users in the Site Owners group. But that’s for a future article.
I haven’t seen Microsoft come out and say it, but I really believe they want us to leave the default groups alone (other then adding and removing users). The site permissions panel will only interface with the default groups and in some cases the panel may not detail the groups if you change the default permission levels.
So that’s default SharePoint groups. Not rocket science but it is an important concept. They really are the building blocks of SharePoint permissions and this have never been truer than in the world of “Flat SharePoint” or “Modern SharePoint”.