When working on migration projects or rework of site architectures, one of the first things I like to ask is “Do you have issues with permissions?” I know it seems silly, as I know 99.99% of the time the answer is going to be yes. The other .01% say they are solid, and then you start digging in and realize it's not so solid. Permissions are one of the hardest parts to get a handle on in pretty much ALL applications. Think about a file share… How many can say, and mean, that their permissions are correct? So why would SharePoint/O365 be any different? It’s completely understandable how it happens: normally it is due to a lack of training, governance or understanding of how permissions work and what each permission level gives individuals the ability to do.

When creating a new SharePoint/O365 site, by default you see the following groups and Permission Levels. Notice “Team Site Owners” and the permission level of “Full Control”. What exactly does that mean? It means any user group or individual user that has been added to the “Team Site Owners” group will be able to do anything they want with that site, including deleting it!!


 

Unfortunately, that is just the tip of the iceberg with regard to what the individual or group of individuals can do. Below you will find a complete list of List Permissions, Site Permissions and Personal Permissions that “Full Control” provides.

Now that you have seen what the “Full Control” permission provides to the users who have it, do you think it’s a good idea to give them that permission? I hope you are thinking NO, because that is the right answer. No Site Owner\Site Champion, or whatever you choose to call them, should have that many permissions. You will find you are spending more time fixing issues caused by these users because they are not formally trained as a “Full Permission Site Owner”. However, there is good news: you can create a “Custom Permission Level”. I like to call it “Site Admin” or “Site Content Admin”, and I only give it the permissions that the users are trained on and that I want them to be able to use.

By implementing a custom site permission level you can ensure sub-sites are not randomly being created, sites are not being deleted, branding (that you paid for) is not being removed, custom template features/functionality are not broken, etc. Essentially, you can build the site, provide the proper permission and then let them have at it, as they can only do what they have permission to do!! Talk about cutting back on those support tickets!!! Below you will find the formal documentation for creating the new custom permission level, updating current sites with this new permission, and moving users & groups from “Site Owners” to the new “Site Admins” permission level.
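The approach described above, sketched with the PnP.PowerShell module as an added example (this is not the script linked at the end of the post). The site URL is a placeholder, and the set of withheld rights is an assumed mapping from the outcomes listed above to SharePoint permission kinds; adjust it to what your site admins are trained to do.

```powershell
# Added example, not the author's script. Requires the PnP.PowerShell module.
$siteUrl    = "https://contoso.sharepoint.com/sites/team"  # placeholder URL (assumption)
$levelName  = "Site Admin"
$ownerGroup = "Team Site Owners"

# Rights withheld from the custom level (assumed mapping to the risks above).
$withheld = @(
    "ManageSubwebs",        # Create Subsites
    "ManageWeb",            # Manage Web Site: site settings, including site deletion
    "ApplyThemeAndBorder",  # Apply Themes and Borders (branding)
    "ApplyStyleSheets",     # Apply Style Sheets (branding)
    "AddAndCustomizePages"  # Add and Customize Pages (templates, page layouts)
)

Connect-PnPOnline -Url $siteUrl -Interactive

# Create the level only if it does not exist yet: clone Full Control,
# then strip the withheld rights from the clone.
if (-not (Get-PnPRoleDefinition -Identity $levelName -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Full Control" `
        -Exclude $withheld `
        -Description "Content administration without site-level control"
}

# Verify the result before touching any group: none of the withheld
# rights may be present in the new level's permission mask.
$role   = Get-PnPRoleDefinition -Identity $levelName
$leaked = $withheld | Where-Object { $role.BasePermissions.Has($_) }
if ($leaked) {
    throw "Level '$levelName' still grants: $($leaked -join ', ')"
}

# Swap the owners group from Full Control to the custom level in one call.
# Site collection administrators keep their access regardless of this change.
Set-PnPGroupPermissions -Identity $ownerGroup -AddRole $levelName -RemoveRole "Full Control"

# Report what the group holds on the site now, for the change record.
Get-PnPGroupPermissions -Identity $ownerGroup | Select-Object Name, Description
```

Run it against a test site first and confirm a member of the group can still do their content work but no longer sees the options to delete the site or create subsites.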

If you have any issues or questions, feel free to reach out to me by replying here or via Twitter or LinkedIn. Hope this helps and that you enjoy!

Documentation (On-Prem Implementation) & O365 Script Implementation:

Site Permission Documentation

O365-AddSiteAdminPermissionLevel (Rename to .ps1)