The provided sources offer a comprehensive guide to SharePoint Online, detailing the distinctions and functionalities of Team Sites and Communication Sites, highlighting their primary uses for collaboration and information broadcasting, respectively. They thoroughly explain SharePoint permissions, including site groups, permission levels, and the concept of permission inheritance, demonstrating how to manage access at various levels, from the entire site to individual documents and list items. Furthermore, the text covers essential features like document libraries, lists, subsites, and Hub Sites, providing practical steps for their creation, configuration, and management within the SharePoint environment.
SharePoint Site Types: A Comprehensive Guide
SharePoint offers different types of sites, each designed for specific purposes and with distinct features and management characteristics. Understanding these differences is key to effectively utilizing the platform.
Here’s a discussion of the site differences based on the sources:
1. SharePoint Server vs. SharePoint Online
These are the fundamental product versions of SharePoint, differing primarily in their hosting and management:
- SharePoint Server:
- Deployment: Deployed on-premises, meaning on your organization’s own infrastructure.
- Data Storage: All files, documents, and data are stored on your on-premises servers.
- Management: Your IT team is responsible for managing these servers, including deploying updates and patches.
- Cost: Requires purchasing hardware for deployment and paying software licensing costs to Microsoft.
- Versions: Examples include SharePoint Server 2016 and 2019, available in Standard and Enterprise flavors. The Enterprise version offers more advanced features like advanced search, social networking capabilities, and formation settings.
- Item Retention: Deleted items are retained for a default of 30 days, which administrators can increase.
- SharePoint Online:
- Deployment: It is the latest and most advanced version of SharePoint, operating as an online, web-based platform. You only need a web browser to access it from any device and anywhere.
- Data Storage: Data is stored in Microsoft data centers in the cloud.
- Management: Microsoft manages updates and patching, relieving your organization of server management responsibilities.
- Cost: Operates on a subscription-based model as part of Microsoft 365, eliminating hardware and software purchase costs.
- Features: Includes all the features and capabilities offered by SharePoint Enterprise version.
- Item Retention: Deleted items are retained for 93 days across two stages of the recycle bin (First Stage and Second Stage). After 93 days, Microsoft retains a backup for an additional 14 days, during which an administrator can contact Microsoft support for restoration if no retention policy is applied.
2. Team Sites vs. Communication Sites (within SharePoint Online)
When creating a new site in SharePoint Online, you primarily choose between a Team Site and a Communication Site. These differ significantly in their purpose, layout, and associated features:
- Team Sites:
- Purpose: Primarily designed as a private space for collaboration among specific departments or project teams. They are workspaces where team members can store information, upload documents, and collaborate with each other.
- Collaboration: Highly collaborative, allowing users with permissions to upload documents and make changes within the site.
- Microsoft 365 Group Association: Creates a Microsoft 365 group with the same name when formed. The membership of the team site is controlled through this Microsoft 365 group, which also provides a mailbox, shared calendar, and can be associated with Microsoft Teams and Planner. Members of this group automatically get access to all associated applications.
- Privacy: Can be created as public (accessible by anyone in the organization) or private (accessible only by site members).
- Layout/Navigation: Typically have the menu bar on the left (also called the Quick Launch menu). They often focus on displaying recently worked documents.
- Content Types: Allow creation of various document libraries and lists to track project progress or tasks.
- Permissions Management: Permissions are largely managed via the associated Microsoft 365 group. While you can add members directly to the site, bypassing the M365 group, this means they only get access to the SharePoint site and not the other associated M365 applications. By default, you can assign “member” or “owner” permissions from the site interface; to add “visitors” (read-only), you typically manage it through the M365 group.
- Communication Sites:
- Purpose: Designed as intranet sites for broadcasting information to a wide audience. They are not primarily open for collaboration by all users.
- Collaboration: Generally read-only for users, who can view information, read articles, and news, but cannot make changes. Only users with “author” permission can modify content.
- Microsoft 365 Group Association: Do not create a Microsoft 365 group.
- Privacy: Do not have privacy settings like public/private because they are intended for broadcasting.
- Layout/Navigation: Feature the menu bar at the top. They often have larger areas for posting information and sections like news and events created by default. They do not have the Quick Launch menu found in team sites.
- Permissions Management: Permissions are managed directly from the site itself, not through an associated M365 group. You can assign “read,” “full control,” or “edit” permissions directly.
- Hub Site Recommendation: Communication sites are generally recommended to be used as hub sites because they are accessible by all users.
3. Team Site with Microsoft 365 Group vs. Team Site without Microsoft 365 Group
While most team sites are created with an associated Microsoft 365 group, a specific type of team site exists that does not have this group:
- Team Site without M365 Group:
- Creation: Can only be created by a SharePoint administrator or global administrator from the SharePoint Online admin center, not directly by end-users from the SharePoint home page.
- Group Association: Does not have an associated Microsoft 365 group.
- Permission Management: Permissions are managed directly on the site level, similar to how communication sites are managed. You can add users and assign read, full control, or edit permissions directly from the site access settings. This contrasts with the typical team site where group membership dictates permissions.
4. Parent Sites vs. Subsites
SharePoint allows for a hierarchical structure of sites:
- Parent Sites:
- The main or top-level site from which subsites can be created.
- Serve as the primary site for a department or organization.
- Can have their own unique URL, navigation, design, and permissions.
- Subsites:
- Creation: Can be created under a parent site, forming a hierarchical structure (e.g., a sub-department within an IT department). Subsite creation is disabled by default and needs to be enabled by an administrator.
- Group Association: A subsite does not have a Microsoft 365 group associated with it, regardless of the template used (Team Site, Classic Team Site, Project Site).
- Permissions Inheritance: By default, subsites inherit permissions from their parent site. This means users with permissions on the parent site also have those permissions on the subsite.
- Unique Permissions: This inheritance can be broken to assign a different set of permissions to the subsite, allowing for granular access control.
- URL Structure: Their URL is an extension of the parent site’s URL (e.g., parentsite.sharepoint.com/subsite).
- Navigation: By default, there’s no direct option within the subsite to navigate back to the parent site, though links can be manually added to the quick launch menu. The parent site can easily navigate to subsites via the ‘Subsites’ link in its menu.
- Limitations (Why Hub Sites are Preferred):
- Search Scope: Search within a subsite is limited to that specific subsite; it cannot search documents located on the parent site or other subsites.
- Branding/Layout: Subsites have their own distinct layout, branding, navigation menu, and theme, making it difficult to apply a common look and feel across a collection of related sites.
- Management: Moving subsites to different locations can be a difficult task.
5. Hub Sites vs. Associated Sites
Hub sites represent a modern approach to organizing and connecting related sites, overcoming many of the limitations of subsites:
- Hub Sites:
- Purpose: A site registered as a “hub site” ties other related sites together through a common navigation, branding, and theme. They are useful for linking different departments or projects under a common umbrella.
- Recommendation: A communication site should always be used as a hub site because hub sites should be accessible by all users.
- Creation/Management: Only a SharePoint administrator or global administrator can register a site as a hub site from the SharePoint admin center.
- Hub Navigation: Once registered, the hub site displays a hub navigation bar at the top, which is inherited by all associated sites.
- Search Scope: From the hub site, you can search across all associated sites, making it a centralized search location.
- Branding/Theme: Associated sites inherit the common branding and theme defined on the hub site.
- Permissions: Associating a site with a hub site does not change the security levels or permissions of the individual sites. Users still need specific permissions on an associated site to access it. However, hub permissions can be synced to associated sites to ensure wider access, if allowed by the site owner.
- Association Control: Administrators can specify which users can associate their sites with a particular hub site. Approval workflows can also be set up for site association requests.
- Mega Menus: Hub sites support creating mega menus for navigation, useful when many sites are associated.
- Associated Sites:
- These are individual SharePoint sites (team sites or communication sites) that are connected to a hub site.
- They inherit the hub’s common navigation, branding, and theme.
- They benefit from the centralized search capabilities of the hub site.
- Association can be done from the SharePoint admin center or from the site itself (if the user is an owner of that site).
In summary, the choice of SharePoint site type largely depends on its intended use: SharePoint Online for cloud-based flexibility, Team Sites for internal collaboration, Communication Sites for broad information dissemination, and Hub Sites for connecting and organizing related sites with shared navigation and branding. Subsites, while offering hierarchy, are generally less recommended in modern SharePoint due to the advantages provided by hub sites for site organization and discoverability.
SharePoint Document Libraries: Comprehensive Guide
Document libraries in SharePoint are secure, sophisticated storage spaces designed for organizing and managing an organization’s documents and files. They serve as a single place to store all documents, allowing for collaborative work and information sharing.
Here’s a comprehensive discussion of document libraries:
Purpose and Core Functionality
- Centralized Storage: A primary use of SharePoint Online is document storage, providing a single place to store all organizational documents.
- Secure Storage: Document libraries offer a secure space where documents can be stored, worked on collaboratively, shared, and accessed from anywhere and any device.
- Collaboration Tool: SharePoint allows organizations to collaborate with internal or external users by uploading and sharing documents. Multiple users can work on the same document in real-time, a feature known as co-authoring. Changes made by multiple users are tracked and saved as new versions.
- Content Management System: SharePoint can be used for content management, allowing you to create, schedule, sort, and filter content based on metadata.
- Information Sharing: It provides an efficient way to share documents from a single location with various users, allowing real-time monitoring of changes and assignment of specific permissions during sharing, which avoids creating multiple copies of a document as in traditional methods.
- Project and Task Management: Document libraries, along with lists, can be used to track the progress of a project.
Comparison with Other Storage & SharePoint Components
- Vs. OneDrive/Google Drive: While OneDrive and Google Drive offer document management, they are primarily personal storage spaces with a typical folder structure. SharePoint, however, allows you to associate metadata to group documents based on specific requirements, making them easier to find.
- Vs. Traditional Methods: Unlike storing documents on hard drives or network drives, where sharing creates multiple copies and management is complicated, document libraries offer a secure, collaborative, and trackable environment for documents.
- Vs. Lists: A key distinction is that a document library primarily contains information about documents (like name, modified date, modifier). A list, conversely, is a collection of various data items (e.g., contacts, tasks, inventory), showing items within the list directly. A document library includes a default column for the document name, while a list has a default “Title” column.
Creating and Managing Document Libraries
- Default Library: When a SharePoint site (team site or communication site) is created, a default document library named “Documents” is automatically provided.
- Creating New Libraries: You can create multiple document libraries within a site to organize different types of content (e.g., a dedicated library for images or reports).
  - From Scratch: Create a blank library.
  - Clone: Copy the formatting, columns, and views from an existing library (but not the documents themselves).
  - Templates: Use pre-built templates.
- Naming Conventions: Spaces in a document library name will be replaced by “%20” in the URL, but renaming a library later will not change its URL.
- Uploading/Creating Files: You can upload files and folders by dragging and dropping or using the “Upload” option. New documents (Word, Excel, PowerPoint, etc.) can be created directly within the library, and changes are automatically saved. You can also rename documents from within the online application or by right-clicking on the file in the library.
- Creating Folders: New folders can be created within a document library, and files can be moved into them.
Key Features and Capabilities in Detail
- Sync to Computer: Document libraries can be synced to your computer using OneDrive for Business, allowing you to work on documents using desktop applications, with changes automatically syncing back to SharePoint Online.
- Document Versioning: SharePoint Online automatically creates a new copy (version) whenever a modification is made to a document.
- It creates a historical record, showing the date, time, and user who made the changes.
- Users can view previous versions and restore a document to an earlier state.
- Individual versions can also be deleted.
- Check Out/Check In: This feature allows a user to “lock” a document for exclusive editing, preventing others (even those with edit permissions) from making changes until the document is checked back in.
- While checked out, others have view-only access, and the editor’s changes are not visible until check-in.
- Comments can be added during check-in to provide context for changes.
- If no changes are made, a checkout can be discarded.
- Sharing Documents & Folders:
  - Documents and folders can be shared with internal or external users.
  - Permission Levels for Sharing: When sharing, you can assign different access levels:
    - Can edit: Users can edit and share the document.
    - Can view: Users can only view the document (read-only).
    - Can’t download: Users can view but not download the document.
    - Can review: (Specific to Word documents) Users can view and add comments but cannot modify the document.
  - Link Settings: You can control who can access the shared link:
    - Anyone: Least restrictive; allows anyone (internal or external) with the link to access. Often disabled by organizations.
    - People in Office 365 Concepts (your tenant name): Limits sharing to internal users.
    - People with existing access: For re-sharing a link with someone who already has access.
    - People you choose: Allows sharing with specific internal or external users; if the link is forwarded, the new user cannot access it.
  - Expiration Date: You can set an expiration date for the shared link, after which it becomes inactive.
  - Manage Access: You can view and remove existing sharing permissions for users or stop sharing completely. Sharing a document only grants access to that specific document, not the entire SharePoint site or library where it’s stored.
- Metadata: This involves adding additional information or attributes (columns) to documents beyond the default “Name,” “Modified,” and “Modified by”.
- Purpose: Metadata helps categorize, organize, filter, sort, and group documents, making them easier to find and understand.
- Creating Columns: You can add various data types as columns (e.g., text, choice, date and time, person, number).
- Updating Metadata: Information can be added to metadata columns by right-clicking a document or using the “Edit in Grid view” option.
- Filtering, Sorting, Grouping: Documents can be filtered, sorted, and grouped based on the metadata in these custom columns.
- Personal vs. Global Views: Filtering and grouping actions are personal views unless saved as a shared view.
- Site-Level Metadata: Metadata created at the document library level is specific to that library. To display it across multiple libraries, it needs to be created at the site level.
- Integration with Power Apps: SharePoint lists and document libraries can serve as data sources for building applications using Power Apps, allowing for customized applications that interact with the SharePoint data.
- Automation with Power Automate: Workflows (flows) can be created using Power Automate to automate tasks within document libraries, such as sending notifications when a document is deleted.
Permissions in Document Libraries
- Permission Inheritance: By default, document libraries inherit permissions from their parent SharePoint site. This means that users with specific permission levels (e.g., owner, member, visitor) on the site will have the corresponding permissions (full control, edit, read) on the document library and its contents.
- Breaking Inheritance (Unique Permissions): You can break this inheritance at the document library level or even at the individual file/folder level. This allows you to assign a different set of permissions to a specific library, folder, or file than what is defined at the site level.
  - To break inheritance, select “Stop Inheriting Permissions” from the library/file/folder’s permission settings. This copies the current parent permissions, then allows you to modify them uniquely.
  - Once inheritance is broken, you can remove or add users/groups and assign specific permission levels only for that item.
- Site Groups and Permission Levels: Document libraries utilize the same site groups (Site Owners, Site Members, Site Visitors) and standard permission levels (Full Control, Design, Edit, Contribute, Read) defined within SharePoint.
- Recycle Bin Permissions:
  - Site Members (Edit permission): Can restore documents from the first stage recycle bin (site recycle bin), including items deleted by themselves or other members. They cannot recover items from the second stage recycle bin.
  - Site Owners (Full Control) / Site Collection Administrators: Can restore content from both the first and second stage recycle bins.
  - Site Visitors (Read-only): Can see the recycle bin but cannot access its content or restore items.
  - There are no specific settings to modify recycle bin permission levels; they are linked to the permissions of the documents, sites, or items.
SharePoint Permissions: Access Control and Management
SharePoint permissions are essentially the mechanism to restrict and control access to anything within a particular SharePoint site. They are highly customizable, allowing for granular control at various levels.
Here’s a comprehensive discussion of SharePoint Permissions:
I. Core Components of SharePoint Permissions
SharePoint permissions are constructed from two main components: site groups and permission levels.
- Site Groups
  - When a SharePoint site (whether a team site or a communication site) is created, three default site groups are automatically provided: Site Owners, Site Members, and Site Visitors.
  - These groups are used to categorize users.
    - Site Owners: Have “Full Control” over the site. They can modify site content, manage permissions, and delete the site.
    - Site Members: Have “Edit” permission. They can edit and upload documents, edit and delete list items, but cannot delete the site or manage permissions or the recycle bin.
    - Site Visitors: Have “Read” (read-only) permission. They can view the site, view and download documents, but cannot make any changes.
  - While these are default, multiple custom groups can be created based on organizational requirements.
  - In the “classic view” or “Advanced permission settings,” these groups are typically named with the SharePoint site’s name (e.g., “News Members” for a site named “News”) for easy identification.
- Permission Levels
  - Permission levels are collections of permissions that define what a user can do.
  - Five standard permission levels are available:
    - Full Control: Grants full control over the site.
    - Design: Allows viewing, customizing, updating content, and approving requests.
    - Edit: Allows editing and deleting lists/list items and documents.
    - Contribute: Allows viewing content, adding/updating/deleting list items, and deleting documents.
    - Read: Allows viewing site content and downloading documents, but no changes.
  - By default, the Site Owners group has Full Control, Site Members have Edit, and Site Visitors have Read permission.
  - Custom permission levels can be created by adding a new permission level from scratch or by cloning an existing one and modifying it. This allows for highly specific access, such as “can view and add but can’t update or delete”.
  - Custom permission levels are specific to the site where they are created and do not replicate to other SharePoint sites in the tenant.
II. Permission Inheritance
- By default, SharePoint sites, lists, and document libraries inherit permissions from their parent SharePoint site. This means that if a user has a certain permission level on the site, they will automatically have the same permission level on all lists, document libraries, and their contents within that site.
- For example, a user with “Edit” permission on the site will have “Edit” permission on all documents and list items within that site, by default.
- When inheritance is active, changes to permissions must be made at the parent (site) level.
III. Managing Permissions by Site Type
SharePoint sites come in different types, and how permissions are managed depends on the site type.
- Communication Sites
- Communication sites are primarily for one-way information sharing.
- They do not have an associated Microsoft 365 group.
- Permissions are managed directly from the site itself via “Site Access” or “Site Permissions” settings.
- Users can be added to “Read,” “Edit,” or “Full Control” permissions when sharing the site.
- You can also add default groups like “Everyone” or “Everyone except external users” for broader access.
- Team Sites (with Microsoft 365 Group)
- Team sites are designed for collaboration and are associated with a Microsoft 365 group.
- The membership of the team site is managed through this Microsoft 365 group.
- Users added to this group automatically get access to the group’s mailbox, calendar, Microsoft Teams, Planner, and the SharePoint team site itself.
- Adding members/owners usually happens via the “Members” section on the site, which in turn manages the M365 group. You can only assign “Member” or “Owner” permissions this way.
- To add “Site Visitors” (Read-only) to a team site associated with an M365 group, you typically need to go to the Microsoft 365 group settings itself, not directly from the site’s “Share site” option.
- Team Sites (without Microsoft 365 Group)
- These sites are created only by SharePoint or Global Administrators from the SharePoint admin center.
- They function similarly to communication sites in terms of permission management: permissions are managed directly on the site. You can assign “Read,” “Edit,” or “Full Control” directly.
- Bypassing Microsoft 365 Group Membership (for Team Sites with groups)
- It’s possible to add a user only to the team site’s permissions, bypassing the M365 group membership.
- This is done by selecting “Share site only” when adding members from the site’s “Site Permissions” settings.
- Such users will have access only to the SharePoint site and its content but not to other associated M365 applications like Teams, Outlook mailbox, or Planner.
IV. Breaking Permission Inheritance (Unique Permissions)
- Purpose: Inheritance can be broken to assign a different, unique set of permissions to a specific list, document library, folder, or even an individual file or list item, overriding the parent site’s permissions. This is crucial for confidential documents or specific access requirements.
- How to Break Inheritance:
  - Navigate to the specific list, document library, folder, or file.
  - Go to its permissions settings (e.g., “Permissions for this document library,” “Manage Access,” “Advanced settings”).
  - Select “Stop Inheriting Permissions”. This copies the existing parent permissions and then allows them to be modified independently.
- Impact: Once inheritance is broken, any changes made to the parent site’s permissions will not affect the item with unique permissions.
- Re-inheriting Permissions: You can re-inherit permissions from the parent at any time by selecting “Delete Unique Permissions”.
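The inheritance behaviour described in this section and under "Permissions in Document Libraries", as an added example: a simplified Python model, not SharePoint's API and not code from the sources. The class and function names, the "HR" site and the contractor account are constructed for illustration. It shows that breaking inheritance copies the parent's permissions, so an account later removed at the site level keeps its access on the item with unique permissions, and how an audit over the hierarchy surfaces that.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass(eq=False)
class Securable:
    """A site, library, folder or file in a simplified permission model."""
    name: str
    parent: Optional["Securable"] = field(default=None, repr=False)
    # principal -> permission level; None means "inherits from the parent"
    assignments: Optional[Dict[str, str]] = None
    children: List["Securable"] = field(default_factory=list, repr=False)

    def __post_init__(self) -> None:
        if self.parent is None:
            self.assignments = dict(self.assignments or {})  # a site owns its permissions
        else:
            self.parent.children.append(self)

    @property
    def has_unique_permissions(self) -> bool:
        return self.parent is not None and self.assignments is not None

    def scope(self) -> "Securable":
        """Nearest object (self or an ancestor) that holds its own assignments."""
        node = self
        while node.assignments is None:
            node = node.parent
        return node

    def effective(self) -> Dict[str, str]:
        return dict(self.scope().assignments)

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

    def stop_inheriting(self) -> None:
        """'Stop Inheriting Permissions': start from a copy of the parent's current set."""
        if self.parent is not None and self.assignments is None:
            self.assignments = self.parent.effective()

    def delete_unique_permissions(self) -> None:
        """'Delete Unique Permissions': discard the copy and inherit again."""
        if self.parent is not None:
            self.assignments = None

    def grant(self, principal: str, level: str) -> None:
        self._require_own_scope()
        self.assignments[principal] = level

    def revoke(self, principal: str) -> None:
        self._require_own_scope()
        self.assignments.pop(principal, None)

    def _require_own_scope(self) -> None:
        # While inheritance is active, changes must be made at the parent level.
        if self.assignments is None:
            raise ValueError(f"{self.name} inherits; change permissions on {self.scope().name}")


def walk(node: Securable) -> Iterator[Securable]:
    yield node
    for child in node.children:
        yield from walk(child)


def audit_unique_permissions(root: Securable) -> List[dict]:
    """Report every object with unique permissions and how it differs from its parent."""
    findings = []
    for node in walk(root):
        if not node.has_unique_permissions:
            continue
        parent_eff = node.parent.effective()
        findings.append({
            "item": node.path(),
            # access that survives here but no longer exists at the parent scope
            "only_on_item": sorted(p for p in node.assignments if p not in parent_eff),
            # parent principals deliberately (or accidentally) excluded here
            "not_on_item": sorted(p for p in parent_eff if p not in node.assignments),
        })
    return findings


def build_scenario():
    """Constructed sample: a confidential folder locked down, then a site-level offboarding."""
    site = Securable("HR", assignments={
        "HR Owners": "Full Control", "HR Members": "Edit", "HR Visitors": "Read",
        "contractor@example.com": "Edit"})
    library = Securable("Documents", parent=site)
    payroll = Securable("Payroll", parent=library)
    salaries = Securable("salaries.xlsx", parent=payroll)
    payroll.stop_inheriting()               # copies all four assignments
    payroll.revoke("HR Members")
    payroll.revoke("HR Visitors")
    site.revoke("contractor@example.com")   # removed at the site level only
    return site, library, payroll, salaries


if __name__ == "__main__":
    site, _, payroll, salaries = build_scenario()
    print("site:", site.effective())
    print("salaries.xlsx:", salaries.effective())
    for finding in audit_unique_permissions(site):
        print(finding)
```

In this model, re-inheriting on the Payroll folder clears the finding but also gives HR Members and HR Visitors access to it again, so the parent's permissions are worth reviewing before selecting “Delete Unique Permissions”.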
V. Advanced Permission Settings
The “Advanced permission settings” area offers comprehensive tools for managing permissions.
- Grant Permissions: Allows assigning permissions to users or groups by specifying their name and choosing a permission level (including custom ones).
- Create Group: Enables the creation of custom security groups with specific owners, membership settings, and assigned permission levels.
- Edit User Permissions: Modifies the permission level for an existing user or custom group. This option is not available for the three default site groups.
- Remove User Permissions: Removes permissions for a user or custom group. Also not available for default site groups.
- Check Permissions: Verifies the effective permissions of a user or group on the current site.
- Access Request Settings: Configures whether users can request access to the site and who receives these access requests (default is site owners). It also controls whether members can share the site or invite others.
- Site Collection Administrators: Defines who has full control over the site collection. By default, site owners are site collection administrators, but additional users can be added.
VI. Item-Level Permissions (Lists and Document Libraries)
- Applying Unique Permissions: Similar to libraries/lists, individual files, folders, and list items can have their inheritance broken to apply unique permissions. This allows for fine-grained control, e.g., restricting access to a single confidential document within a shared folder.
- List Item-Level Permissions (Advanced Settings):
- Read Access: Controls who can read items in a list. Options include “Read all items” or “Read items that were created by the user” (so users only see what they added).
- Create and Edit Access: Controls who can create and edit list items. Options include “Create and edit all items,” “Create items and edit items that were created by the user,” or “None” (preventing any edits).
VII. Hub Site Permissions
- Hub sites do not inherently change the security levels of associated sites. Associating a site with a hub site provides common navigation, branding, and search scope, but it does not grant users access to all connected sites.
- Users must have existing permissions on each associated site to access its content.
- There is an option to “Sync Hub permissions to Associated sites” from the Hub site settings, which creates a “Hub visitors” group to facilitate read-only access across connected sites, if site owners allow it.
VIII. Removing Users
- Communication Sites: Users can be removed directly from the “Site Access” or “Site Permissions” settings. Removing a user here removes them from the site.
- Team Sites (with Microsoft 365 Group):
  - To fully remove a user from the site and all associated M365 applications, they must be removed from the Microsoft 365 group membership. This can be done via the M365 admin center or the site’s “Members” section.
  - If a user was added only at the site level (bypassing the M365 group), they can be removed directly from the site’s “Site Permissions”.
Understanding SharePoint permissions is vital for effective content management and collaboration, ensuring that the right people have the right access to information while maintaining security.
SharePoint Sites: Team vs. Communication & Permissions
SharePoint Online is a web-based platform developed by Microsoft that allows organizations to create sites and content for collaboration with internal or external users. It can be accessed from any device and anywhere using a web browser. SharePoint is primarily used for purposes like document storage, content management, knowledge management, project and task management, online forms, and automating workflows.
When creating a site in SharePoint Online, you are presented with two primary options: Team Site or Communication Site. Understanding the differences between these two site types is crucial, as they serve distinct purposes and have different permission management approaches.
Here’s a detailed discussion of each:
1. Team Sites
Team sites are designed primarily for collaboration and provide a private workspace for specific departments or projects.
- Purpose and Use:
  - They are ideal for scenarios where a group of users, like a project team or a department, needs a shared space to upload files, store information, and work together.
  - Users with permissions can upload documents and make changes within the site.
- Microsoft 365 Group Association:
  - A key characteristic of a team site is that it creates and is associated with a Microsoft 365 group of the same name.
  - This Microsoft 365 group provides additional collaborative tools such as a mailbox, a shared calendar, integration with Microsoft Teams, and Planner.
  - When users are added to the Microsoft 365 group, they automatically gain access to the group’s mailbox, calendar, Microsoft Teams, Planner, and the SharePoint team site.
- Permission Management:
  - The membership of a team site is primarily controlled through its associated Microsoft 365 group.
  - When adding users directly from the site’s “Members” section, you typically have only two permission options: “Member” or “Owner”.
  - To assign read-only permission (Site Visitors) to a team site associated with an M365 group, you generally need to go to the Microsoft 365 group settings itself, rather than directly using the site’s “Share site” option.
  - It is possible to bypass the Microsoft 365 group membership by selecting “Share site only” when adding members from the site’s “Site Permissions” settings. Users added this way will only have access to the SharePoint site and its content, not the other associated M365 applications.
- Layout and Features:
  - Team sites typically have the menu bar on the left side of the page.
  - They often prominently display recently worked-on documents.
- Creation Process:
  - During creation, you are usually asked if you want to create a public or private site. A private site means only members can access it, while a public site is open to anyone within your organization.
  - The system will assign an email address to the associated Microsoft 365 group.
2. Communication Sites
Communication sites are designed for one-way communication and for broadcasting information to a wide audience.
- Purpose and Use:
  - They are primarily used to publish news, updates, and share information with users.
  - General users can view the information and read articles and news, but cannot make any changes. Only users with “author” or “edit” permissions can modify the site content.
  - Communication sites are not open for extensive collaboration by the general audience.
- Microsoft 365 Group Association:
  - Unlike team sites, communication sites do not have an associated Microsoft 365 group.
- Permission Management:
  - Permissions for communication sites are managed directly from the site itself via “Site Access” or “Site Permissions” settings.
  - When sharing a communication site, you can directly assign “Read,” “Edit,” or “Full Control” permissions to users or groups.
  - You can also add default groups like “Everyone” or “Everyone except external users” for broader access.
- Layout and Features:
  - Communication sites typically feature the menu bar at the top.
  - They often include default sections for news and events.
- Creation Process:
  - When creating a communication site, you are not asked about privacy settings (public/private) or to add members and owners, nor is an email address generated for an associated M365 group, because it doesn’t have a group.
Key Differences and Permission Implications Summarized:
| Feature | Team Site | Communication Site |
| --- | --- | --- |
| Primary Purpose | Collaboration, Private Workspace | Information Broadcasting, One-way Communication |
| Microsoft 365 Group | Yes, associated | No, not associated |
| Permission Management | Primarily via M365 Group Membership | Directly from the site itself (“Site Access”) |
| Default User Access | Members can edit, upload, delete content | Users are typically read-only; authors edit |
| Layout | Menu bar on the left | Menu bar at the top |
| Privacy Option (creation) | Yes (public/private) | No |
| Default Groups Display | Displays M365 group name in site permissions | Displays site name in site permissions |

Subsites and Hub Sites in Relation to Site Types:
While team sites and communication sites are the primary types for site creation, SharePoint also features subsites and hub sites, which interact with permissions and site structure.
- Subsites:
  - Subsites are created under a parent site and can be of a “team site” or “project site” template.
  - However, even if a subsite is created using a “team site” template, it will NOT have an associated Microsoft 365 group.
  - By default, subsites inherit permissions from their parent site, but this inheritance can be broken to assign unique permissions.
- Hub Sites:
  - A hub site is a way to tie multiple, independent SharePoint sites together with a common navigation, branding, and search scope.
  - It is generally recommended to use a communication site as a hub site because they are designed for broad accessibility.
  - Associating a site with a hub site does NOT inherently change the security levels or permissions of the associated sites. Users still need existing permissions on each site to access its content.
  - There is an option to “Sync Hub permissions to Associated sites” from the Hub site settings, which creates a “Hub visitors” group to facilitate read-only access across connected sites, if site owners allow it. This option can include “Everyone” or “Everyone except external users” for broad read-only access.
  - Organizations are encouraged to focus on hub sites instead of subsites due to advantages in common branding, navigation, and searching across multiple sites from a single location.
SharePoint Permission Inheritance: Understanding and Breaking Default Behavior
Permission inheritance in SharePoint refers to the default behavior where a site, list, or document library utilizes the same level of permissions as its parent entity. This means that permissions defined at a higher level are automatically applied to the components nested within it.
Here’s a detailed breakdown of permission inheritance:
- Core Concept:
  - When a SharePoint site is created, it establishes a set of permissions for various user groups, such as Site Owners, Site Members, and Site Visitors.
  - By default, any lists and document libraries created within that site, as well as the files, folders, and items within those libraries and lists, inherit these permissions from the parent site.
  - For instance, if a user is part of the “Site Owners” group with “Full Control” permission on a SharePoint site, they will automatically have “Full Control” on all lists, list items, document libraries, files, and folders within that site. Similarly, a user in the “Site Members” group with “Edit” permission will have edit access across the site’s content.
- How to Check Inheritance:
  - You can verify if a document library or a list is inheriting permissions by navigating to its settings. For a document library, go to “Settings,” then “Library settings,” “More Library settings,” and “Permissions for this document Library”. For a list, go to “Settings,” “List settings,” and “Permissions for this list”.
  - In both cases, you will typically see a message indicating “This Library inherits permissions from parent” or “This list inherits permissions from its parent”.
  - If inheriting, any changes to permissions for that document library or list must be made at the site level; direct changes are not allowed on the inherited component.
- Breaking Permission Inheritance (Unique Permissions):
  - While inheritance is the default, SharePoint allows you to “break” this inheritance. This is done when you need to assign “unique permissions” to a specific list, document library, folder, file, or list item, different from its parent.
  - Purpose: Breaking inheritance is useful for scenarios requiring more granular control, such as:
    - Restricting access to confidential documents within a document library, allowing only site owners (or a specific group) to view them, even if other users have edit access at the site level.
    - Granting different permission levels on specific items within a list or document library than what’s applied to the entire list or library.
    - Allowing users to view all items in a list but only edit items they themselves created.
  - Process:
    - To break inheritance for a document library or list, you’ll find an option like “Stop inheriting permissions” within its permission settings. When this is selected, the library/list copies the existing permissions from its parent and then becomes an independent entity in terms of permission management.
    - Once inheritance is broken, you can then remove or add specific users or groups and assign them unique permission levels directly on that component (e.g., folder, file, list item).
    - For example, you can remove “Site Members” and “Site Visitors” from a specific folder, ensuring only “Site Owners” have access.
    - You can also apply unique permissions at the individual item level within a list or document library by right-clicking the item and selecting “Manage Access” or “Advanced settings” to stop inheritance.
  - Implications: Once inheritance is broken, any future changes made to the parent site’s permissions will not affect the child component (the list, library, folder, or item) that now has unique permissions. Conversely, changes made to the unique permissions apply only to the specific component where they were set.
  - Restoring Inheritance: If needed, you can re-establish inheritance (delete unique permissions) on a component, and it will revert to inheriting permissions from its parent.
- Permission Inheritance and Site Types/Subsites:
  - Permission inheritance applies to both Team Sites and Communication Sites.
  - Subsites also play a role in inheritance. By default, subsites inherit permissions from their parent site. However, when creating a subsite, you can explicitly choose to “use unique permissions” instead of inheriting, allowing for a distinct set of permissions for that subsite. Even if a subsite is created using a “team site” template, it will not have an associated Microsoft 365 group, and its permissions are managed directly from the site itself, similar to a Communication Site or a Team Site created without a group association.
  - Hub Sites, on the other hand, do not inherently change the security levels or permissions of the associated sites. While a hub site can sync “Hub permissions to Associated sites” (creating a “Hub visitors” group for read-only access), this feature still respects individual site owners’ permissions.
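
The inheritance rules above, modelled as an added example (not code from the original page and not a SharePoint API): the `Securable` class, `stale_grants` and the sample hierarchy are constructed for illustration. It shows the consequence of the copy-on-break behaviour: a grant removed at the site level survives on any library that stopped inheriting earlier.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Securable:
    """Site, library, folder, file or list item in a constructed hierarchy."""
    name: str
    parent: Optional["Securable"] = None
    unique: Optional[Dict[str, str]] = None  # None = inherits from parent

    def effective(self) -> Dict[str, str]:
        node = self
        while node.unique is None:        # walk up to the nearest unique scope
            node = node.parent
        return node.unique

    def break_inheritance(self) -> None:
        # "Stop inheriting permissions": snapshot the parent's current grants.
        if self.unique is None:
            self.unique = dict(self.parent.effective())

    def restore_inheritance(self) -> None:
        # "Delete unique permissions": follow the parent again.
        if self.parent is not None:
            self.unique = None

def stale_grants(nodes: List[Securable]) -> List[Tuple[str, str, str]]:
    """Grants on unique-permission children that the parent no longer has."""
    findings = []
    for n in nodes:
        if n.parent is None or n.unique is None:
            continue
        parent = n.parent.effective()
        findings += [(n.name, who, lvl) for who, lvl in sorted(n.unique.items())
                     if who not in parent]
    return findings

def demo() -> Dict[str, Securable]:
    # Constructed sample data; group names follow the page's defaults.
    site = Securable("Site", unique={"Site Owners": "Full Control",
        "Site Members": "Edit", "Site Visitors": "Read",
        "Everyone except external users": "Read"})
    docs = Securable("Documents", site)
    hr = Securable("Documents/HR Confidential", docs)
    contracts = Securable("Contracts", site)
    hr.break_inheritance()
    for group in ("Site Members", "Site Visitors", "Everyone except external users"):
        hr.unique.pop(group)              # only owners keep access
    contracts.break_inheritance()         # copied, then left untouched
    del site.unique["Everyone except external users"]  # later site-level cleanup
    return {n.name: n for n in (site, docs, hr, contracts)}
```

Calling `stale_grants(list(demo().values()))` reports the leftover broad read grant on the library that broke inheritance before the site-level cleanup; restoring inheritance on that library clears it.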

By Amjad Izhar
Contact: amjad.izhar@gmail.com
https://amjadizhar.blog