SharePoint permissions limit visibility of content to specific users and groups of users. They can be set at the site, library, folder, and item level.
Review permissions for a document library by clicking on “Permissions for this document library” in the settings screen for that document library. You’ll see a list of users and groups who have permission view or edit documents in the library.
Permissions are inherited from parent elements. Since a document library lives on a site, the site is the parent, and the library is the child. If you want a library to require different permissions than its parent, you have to break permissions by clicking on “Stop Inheriting Permissions”. This can cause a real mess, especially during migration so use it sparingly.
If instead you’d like to edit the permissions of the parent element, click on “Manage Parent” to go up one level.
Once permissions inheritance has been broken, changes to the permissions on the parent element will not be reflected in child elements. For example, if a subsite allows access by members of departments “A” and “B”, and a user creates a library with broken permissions, then updates to the subsite will not be felt in the document library. If the subsite is changed to allow access to department “C”, then document library with broken permissions will have to be manually updated to include department “C”.
This can get complex, especially if special permissions have been created on the document level.
Permissions Best Practices
Assign permission by groups not by individuals. Groups are much easier to manage. If you assign access to an asset by individuals then maintaining who can see what can be very difficult. If a new employee is hired, an administrator would need to manually go through every asset and assign them permission to see it. If an employee is promoted, every asset will have to be reviewed. Groups are much better.
Adding or removing employees from groups can update permissions for hundreds of assets with a single click.
Another permission mistake is getting to granular. Permissions can be assigned at the item level, but this should be avoided if at all possible. It is too easy to make a mistake and hide or show content that a user should or shouldn’t see.
Getting into trouble with permissions
There are a few ways permissions can break.
- IT Admins get nosy. Make sure IT can only see the content they need to see. Looking through sensitive data is not necessary to take care of the site.
- Saving documents where they don’t belong – If a user opens a document from a protected document library and then saves it to a new unprotected location, the document security is lost.
- Workflows creating copies- Some workflows create copies of documents in other document libraries. The receiving document library must also be secured to limit visibility.
- OneDrive – OneDrive is usually set up to store a copy of each document on the workstation’s local hard drive. These files are still password protected, but OneDrive may break a company’s document security policy.
There are a couple of other ways to limit who can see what content.
Within the Advanced settings of any library or list is an option to prevent SharePoint from indexing the content for search results. Security Trimming will already strip out search results for items that users do not have permission to see, but it may also be helpful to disallow indexing for extra protection.
Specific list items or documents can be targeted to specific audiences. For example, if some links in a list are targeted to members of Human Resources and some are targeted to finance, then each group of users will only see the links that are useful to them.
This is not a substitute for security. Users with any knowledge of SharePoint can still get to documents and items that are trimmed from their view. Audience targeting is a filter, not a safe, but it works well if the requirement is simply cleaning up the content on the page and not locking out prying eyes.