SharePoint Permissions – What You Cannot Do

During a collaborative consulting session today I walked a SharePoint Site Owner through the steps to edit the page of a Document Library. The purpose was to add a Content Editor web part to the top of the page so she could add a couple sentences of instructions to reduce any confusion her non-technical end users might have.

We compared this method to adding Web Parts to a Wiki Page, discussing the pros and cons of each approach. The conversation eventually landed on permissions, and I reassured her that Site Members who had Contribute level permissions would not be able to edit the Web Part Page.

That conversation greased the gears in my head and I realized I had never taken the time to fully delve into the details of permission levels so now is as good a time as any.

OneNote Fans: If you are wondering why you would care about this sort of information, well, my favourite place to store OneNote Notebooks is in SharePoint. Since the site’s permissions trump those used for sharing Notebooks within OneNote, I’d consider this useful information.

The following “Quick Reference List” is the result of reviewing the Edit Permission Level pages side-by-side to compare check boxes between each out-of-the-box (i.e. not customized) permission level – and noting down what users cannot do.

 

Note: This information is relevant for SharePoint 2013 only.

(Why?  SharePoint 2010 only has six permission levels – the Edit permission level was not available until SharePoint 2013.)

 

SharePoint 2013 Permission – What You CANNOT Do:

#1 – Full Control

Can do everything.

#2 – Design

Cannot:
  • Manage Permissions – including assign permissions to users and groups.
  • Create Subsites.
  • Create Groups.
  • Manage Alerts.

#3 – Edit

Cannot do everything above plus:
  • Discard or check in a document which is checked out to another user.
  • Approve a minor version of a list item or document.
  • Add, change, or delete HTML pages or Web Part Pages.
  • Apply Themes and Borders.
  • Apply Style Sheets (.CSS files).

#4 – Contribute

Cannot do everything above plus:
  • Create, manage, and delete lists.
  • Add or remove columns in a list.
  • Add or remove public views of a list.

#5 – Read

Cannot do everything above plus:
  • Add items to lists and documents to document libraries.
  • Edit items in lists and documents in document libraries.
  • Customize Web Part Pages in document libraries.
  • Delete items from a list and documents from a document library.
  • Delete past versions of a list item or document.
  • Create, change, and delete personal views of lists.
  • Add or remove personal Web Parts on a Web Part Page.
  • Update Web Parts to display personalized information.

#6 – View Only

Cannot do everything above plus:
  • Open Items – View the source of documents with server-side file handlers.
  • Edit Personal User Information.
Everyone can do the following (unless you customize a level):
  • Open a Web site, list, or folder in order to access items inside that container.
  • View forms, views, and application pages. Enumerate lists.
  • View information about users of the Web site.
  • Use features which launch client applications. (Without this permission, users will have to work on documents locally and upload their changes).

Screenshot of SharePoint 2013:

SharePoint-2013-Permissions

There are tons of great resources that already exist on the internet for permissions. For the time being, this one works for me,  and I urge you to post links in the comment section to any particular gems you come across in your research (especially ones with graphics or diagrams!).

Until next time, SharePoint on, Garth!

*

Update – some great resources include:

User permissions and permission levels in SharePoint 2013:
https://technet.microsoft.com/en-us/library/cc721640.aspx

User permissions and permission levels (SharePoint Foundation 2010):
https://technet.microsoft.com/en-us/library/cc288074(v=office.14).aspx

Default permissions and permission levels (Office SharePoint Server – SP 2007):
https://technet.microsoft.com/en-us/library/cc263127(v=office.12).aspx

8 responses to “SharePoint Permissions – What You Cannot Do

  1. Where did you find the documentation for these permission levels also applys to SP2010 ?
    There are 6 permission levels in SP2101 and 7 permission levels in SP2013.
    As far as I know the Edit permission level is new in SP2013 and only applies to SP2013.

    1. Thank you so much for pointing this out! You are absolutely correct, and a quick search of TechNet articles confirmed this – it did not list Edit as a default permission level for SP2010 (see links below).

      What I discovered is that the SP 2010 environment my colleague created for me was not a true instance. It was created in our SP2013 environment so what I was seeing was the look and feel of SP2010 on top of SP2013 functionality.
      I’ve now been given access to an isolated VM running a true instance of SP2010 so this sort of error does not occur again. I will update my blog post immediately to ensure misinformation is not spread.

      Sources:
      User permissions and permission levels in SharePoint 2013:
      https://technet.microsoft.com/en-us/library/cc721640.aspx

      User permissions and permission levels (SharePoint Foundation 2010):
      https://technet.microsoft.com/en-us/library/cc288074(v=office.14).aspx

      Default permissions and permission levels (Office SharePoint Server – SP 2007):
      https://technet.microsoft.com/en-us/library/cc263127(v=office.12).aspx

  2. Little (to none) detail information can be found on which SP-functionalities are not working anymore per “Permission Level”.

    Because we use custom permission levels, we want to disable disable “Manage Permission” permission level.

    What is still OK:
    – add and remove users from security groups
    – Can’t create new or change existing permission levels
    – People can’t give themselves Full Control anymore

    What is not OK:
    – “Send Invitation Email” is not working anymore. No error, no message,… I’m still looking for a workaround.
    – No access to “Site Access Requests”
    – Document’s Share button is visible, but when using –> access denied.

    Such nice features to manage your site. But you loose these features when you want to implement a good governance…

    1. That’s really odd breaking behaviour Koen. I’ll post your comments in my company’s Yammer Network to see if any of the SharePoint MVPs I work with have any ideas of workarounds.

      Questions:
      1. Are you Cloud, on-premises, or hybrid?
      1a. If on-premises, what version of SharePoint – 2013, 2010, 2007 or older?
      1b. If on-premises, what edition of SharePoint – Foundation, Server, or Enterprise?

      If you want, we can take this conversation offline – send me an email at kmarshall@itgroove.net with your answers and we can troubleshoot together.

  3. Hi Kelly,

    I really like the fact you point out what a user CANNOT do. The documentation that lists all the things a user CAN do for each level is much more confusing. Thanks for making it simple!

    -Kim

    1. Thanks Kim! I’m glad people have found it helpful. When I’m coaching end users on using SharePoint, they always ask “so as a [insert Permission Level], what am I not allowed to do?”

  4. My company is using Sites to replace our fileshare server. At this point, we only want to utilize the Document Library feature.

    How do I restrict users from being able to delete a web part? I want them to have access to remove and add documents but do not want them to have edit permissions to the page.

    If they have edit or contribute access, it still allows them to edit the page. I have gone in and removed the individual edit option in the permission level, but then it breaks their ability to create a new document or edit an existing one.

Leave a Reply

Your email address will not be published. Required fields are marked *