SharePoint permissions: Levels, inheritance, and IRM

By /

Applies to: SharePoint Online | Microsoft 365

SharePoint permissions control who can view, edit, and manage content in your organization. This article explains how the permission model works, how to configure it, and how to protect content after download using Information Rights Management (IRM).

In this article

  • What you need to know
  • Permission levels
  • Default permission level
  • Permission groups
  • Inheritance
  • Breaking inheritance
  • Information Rights Management
  • Admin checklist

What you need to know

The SharePoint permission model is built on three parts:

  • Permission levels — sets of rights that define what a user can do.
  • Groups — collections of users assigned a permission level.
  • Inheritance — how permissions flow down from a parent item to child items.

By default, permissions flow from the top down:

  1. Site collection.
  2. Site.
  3. List or library.
  4. Item or file.

Understanding each part separately makes it easier to manage access at scale.

Permission levels

A permission level is a named set of rights. You assign a level to a user or group rather than assigning individual rights one by one.

SharePoint Online includes several built-in permission levels.

LevelAccess typeWhat users can doRisk
Full ControlEverythingManage settings, assign permissions, delete the site and all contentHighest
DesignDesign and EditCreate and modify pages, layouts, and master pagesHigh
EditRead and WriteAdd, edit, and delete lists, libraries, columns, and public viewsMedium
ContributeRead and Write itemsAdd, update, and delete documents and list items onlyMedium
ReadRead onlyView pages and documentsLow
View OnlyView, no downloadView items in the browser onlyLowest

To review built-in levels, go to Site Settings > People and Groups > Permission Levels.

Create a custom permission level

Create a custom permission level when the built-in levels do not meet your needs. A common example is a level that lets users add files but not delete them.

[!IMPORTANT]
Do not edit built-in permission levels. Changes affect every user and group assigned that level across the entire site collection. Create a new custom level instead.

To create a custom permission level:

  1. Go to Site Settings.
  2. Select Permission Levels.
  3. Select Add a Permission Level.
  4. Select only the rights you need.
  5. Enter a clear name and description.
  6. Select Create.

The new level is immediately available to assign to any group in that site collection.

Default permission level

In SharePoint Online, the default permission level for all users is Edit.

The Edit level lets users:

  • Add, edit, and delete list items and documents.
  • Create and delete lists and libraries.
  • Add and remove columns.
  • Create and delete public views.

This is more access than most users need. Most administrators change the default to Contribute or Read, then grant Edit or Full Control only to users who require it.

Default SharePoint groups

Every SharePoint team site includes three default groups.

GroupDefault permissionIntended use
OwnersFull ControlSite administrators and designated site owners
MembersEditActive contributors
VisitorsReadUsers who only need to view content

Assign users to one of these three groups rather than managing individual user permissions directly.

Permission groups

Groups let you assign a permission level once, then control access by managing membership. This is much easier to maintain than managing individual users.

For users who need access across multiple site collections, use a Microsoft 365 security group. Add the security group to the relevant SharePoint group on each site. When someone joins or leaves, update the security group once and access updates everywhere.

[!TIP]
Name security groups clearly so their purpose is obvious. For example: SP-Finance-Editors or SP-HR-Readers.

Create a Microsoft 365 security group

  1. Open the Microsoft 365 admin center at admin.microsoft.com.
  2. Go to Groups > Active groups.
  3. Select Add a group.
  4. Select Security, then Next.
  5. Enter a name and description.
  6. Add members.
  7. Select Create group.
  8. In SharePoint, go to Site Settings > People and Groups.
  9. Open the relevant SharePoint group, such as Members.
  10. Add the new security group as a member.

Inheritance

By default, every item in SharePoint inherits its permissions from the level above it. A permission set at the site level automatically applies to every list, library, and item in that site.

The inheritance hierarchy is:

  1. Site collection.
  2. Site.
  3. List or library.
  4. Item or file.[!NOTE]
    You can break inheritance at the site, list/library, and item/file levels. You cannot break inheritance at the column level. To restrict access to specific fields, use separate lists or libraries instead.

Breaking inheritance

Break inheritance when a specific item needs different permissions from its parent. Common examples include a restricted document library, a private subsite, or a sensitive file for a small group.

[!WARNING]
Once you break inheritance, future changes to the parent’s permissions will not flow down to that item. If you have many items with unique permissions, managing access changes becomes a significant task. Document every case where inheritance is broken.

Break inheritance on a library

  1. Open the library.
  2. Select the Library tab on the ribbon.
  3. Select Library Settings.
  4. Select Permissions for this document library.
  5. Select Stop Inheriting Permissions in the ribbon.

The library now has its own unique permission set, copied from the parent. Edit it as needed.

Break inheritance on a file or item

  1. Select the ellipsis () next to the item.
  2. Select Shared With, then Advanced.
  3. Select Stop Inheriting Permissions.

Restore inheritance

  1. Go to the item’s permissions page.
  2. Select Delete Unique Permissions.

All custom permissions are removed and the item reverts to inheriting from the parent.

Information Rights Management

SharePoint permissions protect content inside the platform. They do not protect a file after it has been downloaded.

Information Rights Management (IRM) encrypts files and enforces usage rules even after download. A protected file can be configured to prevent users from:

  • Printing.
  • Copying text.
  • Forwarding.
  • Editing.

The policy travels with the file, even when it leaves SharePoint.

Step 1: Activate IRM in the Microsoft 365 admin center

  1. Open the Microsoft 365 admin center at admin.microsoft.com.
  2. Go to Settings > Org settings > Services.
  3. Select Microsoft Azure Information Protection.
  4. Select Manage Microsoft Azure Information Protection settings.
  5. Select Activate.
  6. Confirm the status shows Active before proceeding.

Step 2: Enable IRM on a document library

  1. Open the document library.
  2. Select Library Settings.
  3. Under Permissions and Management, select Information Rights Management.
  4. Select Restrict permissions on this library on download.
  5. Enter a policy title and description.
  6. Configure the restrictions you want, such as print or copy permissions.
  7. Select OK.[!IMPORTANT]
    IRM protection applies at download time. Files downloaded before IRM was enabled are not protected automatically. Users must re-download the files after the policy is active, or protect them individually using Azure Information Protection labels.

Admin checklist

Use this checklist when auditing or setting up SharePoint permissions.

  • Review the default permission level. Change Edit to Contribute or Read if it is too permissive.
  • Limit the Owners group to designated administrators only.
  • Use Microsoft 365 security groups instead of individual users.
  • Document every place where inheritance is broken and why.
  • Create custom permission levels for scenarios not covered by built-in levels.
  • Do not edit built-in permission levels.
  • Enable IRM in the Microsoft 365 admin center before configuring it in SharePoint.
  • Apply IRM to libraries that contain sensitive documents users may download.
  • Test permission changes in a non-production site before rolling out.
  • Review permissions regularly, especially after org changes or offboarding.

Related content

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Start typing and press enter to search

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by
Scroll to Top