Overview
This article outlines the hierarchical structure of SharePoint permissions, explaining how access typically flows from the site level down to specific libraries and files. It highlights the differences between broad site-level access and granular unique sharing, while defining common roles like Read, Edit, and Full Control to help prevent unauthorized data access.
Only Site Administrators (those with Full Control) or Site Editors can manage permissions for a SharePoint site or its contents.
Hierarchy of Permissions
SharePoint usually follows a "top-down" approach. By default, permissions are inherited from the parent. For example, if someone has access to a Site, they automatically have access to all Libraries and files within that site.
- Site Level: The highest level. Access here usually covers everything on the site.
- Library/List Level: You can "break inheritance" here to make a specific folder or library private from the rest of the site.
- Item/File Level: The most granular level, where you share a single document with one specific person.
Permission Inheritance
To manage access efficiently and reduce manual errors, SharePoint uses a system called Inheritance. Understanding how this "waterfall" effect works is key to keeping your site secure.
- The Default Rule: By default, every folder, sub-folder, and file automatically inherits the permissions of its parent library or site. If you give a user access to a folder, they automatically gain access to everything inside it.
- Breaking Inheritance: If you need to restrict a specific file so only certain people can see it, you must "Break Inheritance." This creates a "Unique Permission" set for that specific item.
- A Word of Caution: While powerful, breaking inheritance too frequently makes a site much harder to manage. It can become difficult to track who has access to what, so it is generally best to manage permissions at the site or library level whenever possible.
Common Permission Levels
Understanding these three standard roles will help you prevent accidental "data leaks" or unauthorized edits:
- View/Read: Users can view and download files but cannot change them, delete them, or upload new ones. This is perfect for handbooks or policy documents.
- Contribute/Edit: Users can view, add, modify, and delete files. This is the standard level for active team collaboration.
- Full Control: Usually reserved for Site Owners. This allows a user to change the actual structure of the site, including deleting the entire library or changing other people's permissions.
Site-Level Permissions vs. Unique Sharing
It is important to distinguish between inviting someone to your "team" and simply sending them a "link."
Site-Level Permissions (The Front Door)
When you add a user to a SharePoint Group (like "Members" or "Visitors"), you are giving them persistent access to the workspace. This is best for departmental colleagues who need to see everything.
Unique File Sharing (The Specific Key)
Sometimes you only need a colleague from another department to see one specific file.
- Sharing Links: When you click "Share" on a file, SharePoint creates a unique entry for that person.
- A Word of Caution: Over-sharing individual files can make permissions hard to manage over time. If you find yourself sharing every file in a folder one by one, it might be time to move them to a library with its own specific permissions.
How to Break Inheritance (Unique Permissions)
If you need to share a specific folder or file with someone who doesn’t have access to the rest of the site, follow these steps:
- Select the Item: Hover over the file or folder and click the three dots (...), then select Manage Access.
- Advanced Settings: In the panel that appears, click the Advanced link (usually at the bottom) to open the permissions page.
- Stop Inheriting: In the top ribbon, click the button that says Stop Inheriting Permissions.
- Modify Access: You can now select specific users or groups to Remove User Permissions or use Grant Permissions to add new people to just this item.
How to Restore Permission Inheritance
- Open Manage Access: Select the library, file or folder, click the three dots (...), and choose Manage Access.
- Go to Advanced: Click the Advanced link at the bottom of the panel.
- Delete Unique Permissions: In the top ribbon, look for the Delete Unique Permissions button.
- Confirm the Reset: A warning will appear stating that you are about to inherit permissions from the parent. Click OK.
Result: Any custom users you added specifically to that file will lose access unless they already have permission at the site level.
FAQs
Q: What happens to permissions if I move a file to a different folder? A: If you move a file within the same SharePoint site, it will usually lose its unique permissions and "pick up" (inherit) the permissions of the new destination folder. If you want to keep specific access, it is often better to copy the file and re-share it.
Q: Can a user have two different permission levels at the same time? A: Yes. If a user is given "Read" access individually but is also part of a group that has "Edit" access, SharePoint will grant them the highest level of permission available (in this case, Edit).
Q: If I share a single file with an external user, can they see the rest of the folder? A: No. When you share a specific file, SharePoint creates a unique entry for that person. They will only see that specific file and will not even see the names of other files in the same folder.
Q: Why can't I see the "Advanced" permissions link? A: Only Site Owners or those with "Full Control" can access the Advanced permission settings. If you don't see this option, you likely have "Edit" or "Read" access and will need to contact the site administrator.
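The inheritance rules and the "highest level wins" answer above can be checked against a small model. This is an added example, not SharePoint code or an API of the product: the Securable class, its method names and the sample tree are assumptions made for illustration, and it treats each role as a single ranked level.

```python
# Added example: a simplified model, not SharePoint's own code.
LEVELS = {"Read": 1, "Edit": 2, "Full Control": 3}  # the page's three roles

class Securable:
    """A site, library, folder or file in the permission hierarchy."""

    def __init__(self, name, parent=None, grants=None):
        self.name, self.parent = name, parent
        # grants maps a user or group name to a level; None means "inherit".
        self.grants = dict(grants or {}) if parent is None else grants

    def scope(self):
        """Nearest object, walking upward, that holds its own permission set."""
        node = self
        while node.grants is None:
            node = node.parent
        return node

    def break_inheritance(self):
        """Stop Inheriting Permissions: begin from a copy of the current set."""
        if self.grants is None:
            self.grants = dict(self.scope().grants)

    def restore_inheritance(self):
        """Delete Unique Permissions: item-specific grants are discarded."""
        if self.parent is not None:
            self.grants = None

    def effective_level(self, user, groups=()):
        """Highest level held directly or through a group, else None."""
        grants = self.scope().grants
        held = [grants[p] for p in (user, *groups) if p in grants]
        return max(held, key=LEVELS.__getitem__, default=None)

def unique_items(nodes):
    """Audit helper: names of objects that no longer follow their parent."""
    return [n.name for n in nodes if n.parent and n.grants is not None]

if __name__ == "__main__":
    # Constructed sample tree; every name below is made up.
    site = Securable("Site", grants={"Members": "Edit", "Visitors": "Read"})
    hr = Securable("HR", Securable("Documents", site))
    pay = Securable("pay.xlsx", hr)
    hr.break_inheritance()
    del hr.grants["Visitors"]                       # Remove User Permissions
    hr.grants["bob"] = "Read"                       # Grant Permissions
    print(pay.effective_level("carol", ["Visitors"]))  # visitor is locked out
    print(pay.effective_level("bob"))                   # bob sees HR only
    print(site.effective_level("bob"))                  # and nothing else
```

Once a folder has its own permission set, groups added to the site later do not reach it, which is why a list like the one unique_items returns is worth reviewing regularly.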