Default SharePoint Groups
The default SharePoint groups are created automatically when you create a site collection. The default groups use SharePoint's default permission levels – sometimes called SharePoint roles – to grant users rights and access. The permission levels assigned to these groups represent the common levels of access that users need. They are a good place to start when you add users to a SharePoint site.
Administrators can create additional groups to align more closely with specific business needs. Deciding how to design and populate your SharePoint security groups is an important decision that affects security for your site and site content.
Note: The SharePoint Online Public Website information in this article applies only if your organization purchased Office 365 prior to March 9, 2015. Customers who currently use this feature will continue to have access to the feature for a minimum of two years after the changeover date of March 9, 2015. New customers who subscribed to Office 365 after the changeover date don't have access to this feature. Moving forward, Office 365 customers have access to industry-leading third-party offerings that enable them to have a public website that provides a complete online solution and presence. For more information about this change, see Information about changes to the SharePoint Online Public Website feature in Office 365.
Permission levels for default SharePoint groups
SharePoint groups enable you to control access for sets of users instead of individual users. SharePoint groups are usually composed of many individual users. They can also hold Windows Active Directory security groups (created in Office 365), or can be a combination of individual users and security groups.
Each SharePoint group has a permission level. A permission level is simply a collection of individual permissions, such as Open, View, Edit or Delete. All the users in a group automatically have the permission level of the group. You can organize users into any number of groups, depending on the complexity of your organization, or your needs.
Each site template has a set of SharePoint groups associated with it. When you create a site, you use a site template, and SharePoint automatically creates the correct set of SharePoint groups for the site. The specific collection of groups depends on the type of template that you choose.
For example, the following table shows the groups and permission levels that are created for the Public Website and the Team Site:
SharePoint groups | Default permission level | Applies to Public Website | Applies to Team Sites |
Approvers | Approve | Yes | No |
Designers | Design, Limited Access | Yes | No |
Hierarchy Managers | Manage Hierarchy | Yes | No |
<site name> Members | Edit | Yes | Yes |
<site name> Owners | Full Control | Yes | Yes |
<site name> Visitors | Read | Yes | Yes |
Restricted Readers | Restricted Read | Yes | No |
Style Resource Readers | Limited Access | Yes | No |
Quick Deploy Users | Contribute | Yes | No |
Translation Managers | Limited Access | Yes | No |
Suggested uses for SharePoint groups
The following table describes the SharePoint groups that are created when you use a standard site template to create a site. The table also provides suggested uses for each group.
Group Name | Permission level | Use this group for: |
Approvers | Approve | Members of this group can edit and approve pages, list items, and documents. |
Designers | Design | Members of this group can edit lists, document libraries, and pages in the site. Designers can create Master Pages and Page Layouts in the Master Page Gallery and can change the behavior and appearance of each site in the site collection by using master pages and CSS files. |
Hierarchy Managers | Manage Hierarchy | Members of this group can create sites, lists, list items, and documents. |
Owners | Full Control | People who must be able to manage site permissions, settings, and appearance. |
Members | Edit or Contribute | People who must be able to edit site content. Permission level depends on the site template that was used to create the site. |
Visitors | Read | People who must be able to see site content, but not edit it. |
Restricted Readers | Restricted Read | People who should be able to view pages and documents but not view versions or permissions. |
Style Resource Readers | Restricted Read | People in this group have Limited Access to the Style Library and Master Page Gallery. |
Quick Deploy Users | Contribute | These users can schedule Quick Deploy jobs (Content Deployment). |
Viewers | View Only | These users see content, but can't edit or download it. |
Special SharePoint Groups
In addition, special SharePoint groups support high-level administration tasks, such as site collection administrators, who have Full Control of all sites in a designated site collection.
Company Administrator and Everyone except external users groups for Office 365 users
The Company Administrator and Everyone except external users groups contain admins and users for Office 365. They provide access for Office 365 users on a SharePoint site.
Everyone except external users: When a user is added to Office 365, the user automatically becomes a member of Everyone except external users. This group has a default permission level of Contribute. When you grant permissions to this group, all users who are added to Office 365 can view, add, update, and delete items from lists and libraries (unless you change the default permission level for the group).
Company Administrators: Any user who is a Global admin on Office 365 is a member of the Company Administrator group. By default, the Office 365 Company Administrators group is added into the SharePoint Owners group. In addition, the Company Administrators group is added to the list of Site Collection administrators. This group has a permission level of Full Control.
Although you can change the group membership for Company Administrators, it's important to be careful. Because the Company Administrators group members are Global admins in Office 365, and also Site Collection administrators, changing their group status might have unexpected consequences. For example, if you remove a Company Administrator from the SharePoint Owners group, the Global admin group might no longer have Full Control permissions.
Important: Do not remove the Company Administrators or Global admin groups before you configure permissions appropriately. Be sure that these users have the permission level that they must have to perform necessary actions. If you do not make sure that these users have appropriate permission levels, SharePoint security configuration is much more difficult. For example, site administrators can't configure access for groups, but instead must grant access to sites on a per-user basis.
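The following is an added example, not part of the original article: a small audit over a constructed export of one Team Site's groups. It resolves nested security-group membership to per-user permission levels and flags three conditions discussed above: a default group whose level differs from the Team Site table, Everyone except external users sitting in a group that can change content, and an Owners group that no longer contains Company Administrator. The data layout, finding names and sample principals are assumptions made for illustration.

```python
# Team Site defaults from the table above: group role -> permission level.
TEAM_SITE_DEFAULTS = {"Owners": "Full Control", "Members": "Edit", "Visitors": "Read"}
# Levels the page describes as able to change content.
WRITE_LEVELS = {"Full Control", "Design", "Edit", "Contribute", "Approve", "Manage Hierarchy"}
BROAD = "Everyone except external users"
ADMINS = "Company Administrator"

def expand(member, directory, seen=None):
    """Resolve a member to individual users, following nested security groups."""
    seen = set() if seen is None else seen
    if member in seen:               # guard against membership cycles
        return set()
    seen.add(member)
    if member not in directory:      # not a known group: treat as an individual user
        return {member}
    users = set()
    for child in directory[member]:
        users |= expand(child, directory, seen)
    return users

def effective_levels(site, directory):
    """Map each user to every permission level inherited through group membership."""
    result = {}
    for group in site["groups"]:
        for member in group["members"]:
            for user in expand(member, directory):
                result.setdefault(user, set()).add(group["level"])
    return result

def audit(site, directory):
    findings = []
    for group in site["groups"]:
        role = group["name"].rsplit(" ", 1)[-1]    # "<site name> Owners" -> "Owners"
        expected = TEAM_SITE_DEFAULTS.get(role)
        if expected and group["level"] != expected:
            findings.append(("level-drift", group["name"], group["level"]))
        if BROAD in group["members"] and group["level"] in WRITE_LEVELS:
            findings.append(("broad-write", group["name"], group["level"]))
        if role == "Owners" and ADMINS not in group["members"]:
            findings.append(("owners-missing-admins", group["name"], group["level"]))
    return findings

# Constructed sample data (not from a real tenant).
DIRECTORY = {"Finance-SG": ["alice", "bob"], ADMINS: ["carol"],
             BROAD: ["alice", "bob", "carol", "dave"]}
SITE = {"groups": [
    {"name": "Finance Owners", "level": "Full Control", "members": [ADMINS]},
    {"name": "Finance Members", "level": "Edit", "members": ["Finance-SG", BROAD]},
    {"name": "Finance Visitors", "level": "Contribute", "members": ["erin"]}]}
```

On the sample data, `audit(SITE, DIRECTORY)` reports the broad principal in Finance Members and the Visitors group that was raised from Read to Contribute. A Members group at Contribute is also flagged, so adjust `TEAM_SITE_DEFAULTS` for templates where that is the default.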
Site collection administrators
 | SharePoint Online | SharePoint On-premises |
Who can use this group? | Yes | Yes |
A SharePoint site can have primary and secondary site collection administrators. If you are a site collection administrator, you can designate more site collection administrators.
These users are the main contacts for a whole site collection. Site Collection Administrators have full control of all sites within the site collection, can audit all site content, and receive any administrative alert messages.
In SharePoint On-premises, you designate a site collection administrator when you install a site.
In SharePoint Online, the account that you used when you set up SharePoint Online is automatically a site collection administrator. If you have to add more site collection administrators in SharePoint Online, an existing site collection administrator or the SharePoint online administrator can do so.
SharePoint online administrators
 | SharePoint Online | SharePoint On-premises |
Who can use this group? | Yes | No, by default. Requires special installation. |
If you use SharePoint Online in Office 365 plans other than Office 365 Small Business and Office 365 Small Business Premium, there is also a SharePoint online administrator. Any Office 365 global administrator also has permissions to browse and use the tenant administration site. A SharePoint online administrator manages settings for all site collections available to the SharePoint online subscription.
The SharePoint online administrator can do any of the following tasks:
- Configure user profile and InfoPath forms services
- Set up search parameters
- Set up a secure store and business connectivity services
- Create a term store
- Define a records management system
- Monitor quotas
- Turn on or off the ability to invite external users to access the SharePoint Online site
- Create, update, or delete site collections
- Assign primary and secondary site collection owners to any site collection in their venue.
If you are using SharePoint on-premises, you do not have a SharePoint Online Administrator, or SharePoint Online Administrator site, after a standard SharePoint installation.