Unpacking SharePoint & O365 Permission Levels
Do you get that procrastinated-until-Monday-morning-and-didn’t-do-homework feeling when discussing SharePoint and Office 365 permission levels? If you happen to suffer from that occasional feeling of dread, don’t worry! Most admins don’t fully understand what permission levels are all about either.
However, even if you may be one of a million admins who bluff their way through permission levels on SharePoint and Office 365, there’s no taking the back seat to enforcing a strong collaboration environment. Gear up to learn about the different admin roles and permission levels within SharePoint & Office 365 here!
What are the Different Admin Roles in Office 365?
To get started with our discussion on permission levels, we need to first break down all of the different admin roles in Office 365.
Global Admin
Global admins can not only assign roles to other admins, they can also access all of the administrative features within the O365 suite of services in your plan.
Billing Admin
Billing admins have a multifaceted management capacity that allows them to assess service health, make purchases, and manage all organizational subscriptions and support tickets.
Exchange Admin
Exchange admins are central to the organization’s email system. They’re responsible for managing mailboxes and anti-spam policies via the Exchange and Office 365 admin center.
SharePoint Admin
SharePoint admins are responsible for managing content and user activity on SharePoint Online, which is detached from the global admin’s capabilities on Office 365.
Password Admin
Password admins are accountable for all password-related services, including resetting user passwords, managing service requests, and monitoring service health.
Skype for Business Admin
Skype for Business admins not only configure the communications channel for the organization, they also monitor all user activity on Skype for Business.
Compliance Admin
Compliance admins are responsible for a number of security items across the organization, including compliance policies and security reports on O365, Exchange Online, and Azure AD.
Service Admin
Service admins are granted “View Only” permissions when opening Microsoft support tickets. They can view support requests through the service dashboard and message center.
User Management Admin
User management admins have the capacity to reset user passwords, add or delete accounts, and monitor overall service health. However, they cannot manipulate other admin accounts.
Dynamics 365 Admin
Dynamics 365 admins are split into online and service categories, in which each role is accountable for security, licenses, user accounts, and tenants in Dynamics 365.
Power BI Admin
Power BI admins are responsible for controlling the organization’s usage of Power BI features, including access and usage metrics.
How Do I Assign Admin Roles?
To assign admin roles on Office 365, go to the Office 365 portal (https://portal.office.com), click on the App Launcher icon, and select Admin. From there, head to the Active Users tab under the Users section and select the user to whom you want to assign an admin role. Finally, click on Edit next to the Roles tab and select Customized Administrator to see the list of available roles.
When assigning admin roles, it’s essential not to assign them to users who have not had the relevant training or the capacity to understand the impact of their actions. Considering that admins can both positively and negatively influence their users, it’s crucial for global admins to communicate the weight of their actions.
Understanding SharePoint Online Permission Levels
When creating a new SharePoint site, the following groups are provisioned, unless the site is set to inherit permissions:
- Viewers (View only)
- Visitors (Read)
- Members (Edit)
- Owners (Full control)
Here is a quick overview of the default permission levels and their attributes:
How Do I Assign Permission Levels?
To assign permission levels on Office 365, head to the Settings icon at the top right corner of the window and click into the Permissions tab. From there, you can invite users, access Advanced Permission settings, and change user permission levels.
However, when changing permission levels in SharePoint, you must first ensure that you have not navigated up to the parent site. If you are presented with a window stating that you are inheriting permissions, then you will have to break the inheritance before making any changes to your current site.
Understanding Permission Inheritance
When it comes to permission inheritance, it’s important to understand the scope of your permissions settings, including the hierarchy of your sites.
Given that the top-level site is the root of your site collection, its subsites will inherit all of the same permissions, as will its apps, documents, and items.
Personally, I prefer setting up sites with groups of users from the same department or team. This helps to ensure that all of the apps on the site will inherit the same permissions.
Additionally, keep high-risk content that should not be accessible to everyone in your organization in OneDrive, or create a Microsoft Team specifically to house the sensitive information.
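To make the inheritance model above concrete, the following added example (not part of the original post) resolves effective permissions over a small constructed site hierarchy and reports where inheritance has been broken and how that scope differs from its parent. The `Securable` class, the sample URLs and the `HR Managers` group are hypothetical; the four default groups are the ones listed earlier.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Securable:
    """A site, library or item. unique=None means it inherits from its parent."""
    url: str
    parent: Optional["Securable"] = None
    unique: Optional[dict] = None  # group name -> permission level

    def effective(self) -> dict:
        """Permissions from the nearest ancestor (or self) holding its own assignments."""
        node = self
        while node.unique is None:
            if node.parent is None:
                raise ValueError(f"{node.url}: top-level site has no permissions")
            node = node.parent
        return dict(node.unique)

def audit(objects):
    """List each object with broken inheritance and its difference from the parent."""
    findings = []
    for obj in objects:
        if obj.unique is None or obj.parent is None:
            continue  # inherits, or is the top-level site
        parent, own = obj.parent.effective(), obj.unique
        findings.append({
            "url": obj.url,
            "added": sorted(set(own) - set(parent)),
            "removed": sorted(set(parent) - set(own)),
            "changed": sorted(g for g in set(own) & set(parent) if own[g] != parent[g]),
        })
    return findings

# Constructed sample hierarchy (illustrative, not real tenant data).
root = Securable("/sites/corp", unique={"Owners": "Full Control", "Members": "Edit",
                                        "Visitors": "Read", "Viewers": "View Only"})
hr = Securable("/sites/corp/hr", parent=root)                        # inherits
payroll = Securable("/sites/corp/hr/Payroll", parent=hr,             # inheritance broken
                    unique={"Owners": "Full Control", "HR Managers": "Contribute"})
doc = Securable("/sites/corp/hr/Payroll/2024.xlsx", parent=payroll)  # inherits from library
SAMPLE = [root, hr, payroll, doc]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the Payroll library is reported: it is the one scope with its own assignments, and the document inside it picks up the library's permissions rather than the site's.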
How Do I Break Inheritance or Reinherit Permissions?
To break inheritance or reinherit permissions, click on the Settings icon, select Site Permissions, and browse through the Advanced Permission options. From there, you can apply policies to either break inheritance or reinherit permissions from the parent site.
Fig. 1: Break inheritance from parent site.
Fig. 2: Reinherit permissions from parent site.
Here are a few tips to consider when breaking inheritance or reinheriting permissions:
- The Share button allows users to distribute content with third-party users outside of the department or organization.
- Don’t overcomplicate 80% of your site because 20% of the content is at risk.
- Ensure that your users understand the difference between relevance and risk. Admins don’t have to remove content because it is no longer relevant.
- Note the differences between Edit and Contribute permission levels. Specifically, users with Edit rights can delete apps.
- Creating Microsoft Teams and Communication sites provisions an Office 365 Group for the permissions. These can also be used as distribution lists in Outlook.
How to Create and Edit Permissions Levels
Bear in mind that permission levels can be modified to suit the needs of your users. It’s important for admins not to create too many levels, as this can not only be confusing, but can also make permissions management more challenging than it has to be.
To create or edit permission levels, click on the Settings icon, go into the Site Permissions tab, and select Permission Levels under the Advanced Permission Settings option. From here, you have the option to add or modify permission levels.
Fig. 3: Create permission levels.
Fig. 4: Add a permission level.
Personally, I always click on an existing permission level and select Copy Permission Level at the bottom. This allows me to modify a similar permission level with less work.
If you’re looking to customize, add, or delete permission levels on SharePoint and Office 365, you have to acknowledge how incorrect permissions can quickly upset a lot of users. From an administrator perspective, the right permissions will mean that most users will not be aware that they exist at all. In fact, managing permissions often entails doing the job without raising any awareness.
Even if your SharePoint or Office 365 environment does not rely heavily on permission levels, procrastinating on your homework and coming into work without understanding permissions can negatively impact your organization’s infrastructure and security in the long run. Remember: there’s never a good reason to compromise a strong collaboration environment!
By applying the foundational knowledge laid out in this post, you can implement a comprehensive permissions strategy on SharePoint and Office 365!
Tracy is a Microsoft MVP and an energetic, hyperactive adrenaline junkie who sees challenges and issues as opportunities and thrives on improving processes, environments and the general quality of life. Her broad knowledge about IT and Business gives her the ability to communicate on both levels and convey meaningful requirements and narrow the (ever present) gap between the two.