What is the permissions model used by SharePoint Online?

I have noticed a lot of confusion around SharePoint Online security, its accounts and permissions. I am here merely copying information already published on the Office 365 Wiki page; by doing this I intend to make it easier to locate the information pertaining solely to SharePoint Online. I am not by any means wearing a creative or deep analysis hat here, more like a librarian one. Enjoy it.

Note: This article is specific to Office 365 pre-upgrade. To learn about permissions in Office 365 after the service upgrade, see the following topics: 

Office 365

Microsoft Office 365 for enterprises follows a role-based access control (RBAC) model: permissions and capabilities are defined by management roles. The person who signs up for Office 365 for his or her organization automatically becomes a global administrator, or top-level administrator. There are a total of five administrator roles within Office 365 for enterprises: global administrator, billing administrator, password administrator, service administrator, and user management administrator. Note that if you did not purchase Office 365 for enterprises from Microsoft, you will not be able to make billing changes and therefore will not have the billing administrator role available to you. For more information about administrator roles in Office 365 for enterprises, see Assigning administrator roles.


Support agents who work for Microsoft partner companies that are authorized to provide delegated administration on behalf of a customer can also have administrator permissions assigned to them in Office 365 for enterprises. There are two levels of administrator permissions that support agents can have: full administration and limited administration. Full administration has privileges equivalent to those of a global administrator. Limited administration has privileges equivalent to those of a password administrator. Before you assign delegated administration permissions, you must first add a delegated administrator to your account. This process is initiated by a Microsoft partner sending you an email message asking you to authorize them to be a delegated administrator. For more information about this process, see Add or remove a delegated administrator.


In Office 365 for professionals and small businesses, users either have administrator permissions or they don’t; there is no concept of RBAC. The person who signs up for Office 365 for professionals and small businesses automatically becomes an administrator. He or she can then grant administrator permissions to other users in the organization, as needed. For more information about administrator permissions in Office 365 for professionals and small businesses, see Assigning administrator permissions.

SharePoint Online

Microsoft SharePoint Online follows an RBAC model. When you sign up for an Office 365 account, you automatically become an Office 365 global administrator and a SharePoint Online Administrator. This global administrator is added to the team site that is automatically created for you during your Office 365 account setup (for example, https://yourcompany.sharepoint.com), and is assigned the site collection administrator role.


The SharePoint Online Administrator in Office 365 for enterprises has access to a special administrative site called SharePoint Online Administration. It is from this site that the SharePoint Online Administrator can assign other users as site collection administrators.


A site collection is the root of permissions for all the sites (known as subsites) underneath it. Site collection administrators have permissions to manage SharePoint Online at the site collection level (or top level) of a SharePoint Online site, meaning that their permissions extend to all the content in the site collection that they administer. Also, those permissions are inherited down through all the subsites underneath the site collection, by default. This means changes that site collection administrators make at https://www.contoso.com/ are inherited in subsites like https://www.contoso.com/InformationTechnology. It’s important to note that a new site collection is its own permissions root. For example, a new top-level site collection created at https://www.contoso.com/sites/Marketplace does not have the same permissions as https://www.contoso.com/ .


The majority of users of a SharePoint Online site will be non-administrators. They may be assigned to a default SharePoint Online security group (such as Members, Owners, Viewers, or Visitors), or they may be placed in custom groups created by the site owner or site collection administrators. It’s preferable to place users into groups, instead of giving them permissions to the site on an individual basis. Granting a large number of users individual permissions creates management issues. For more information, see the following Help topics:

Other Office 365 administrator roles (password administrator, billing administrator, and user management administrator) do not play a part in SharePoint Online’s security model. SharePoint Online has its own separate security model that will be discussed in detail later in this FAQ.


Which services do my Office 365 permissions extend to?

Office 365

Think of the Office 365 portal as a dashboard from which you launch the different Office 365 services. Because it’s serving as a dashboard, the permissions you set in the Office 365 portal apply only to objects in the Office 365 portal.

Certain administrator roles in Office 365 for enterprises have a corresponding role in Exchange Online, SharePoint Online, and Lync Online. The table below describes how these Office 365 administrator roles translate into roles in the different Office 365 services.

| Office 365 admin role | Translates to this in Exchange Online… | Translates to this in SharePoint Online… | Translates to this in Lync Online… |
|---|---|---|---|
| global administrator* | Exchange Online administrator; Company Administrator | SharePoint Online administrator | Lync Online administrator |
| billing administrator | N/A | N/A | N/A |
| password administrator* | Help Desk Administrator | N/A | Lync Online administrator |
| service administrator | N/A | N/A | N/A |
| user management administrator | N/A | N/A | Lync Online administrator |


* For details about how the global administrator and password administrator roles appear in Exchange Online, see the Exchange Online response to this FAQ question.

SharePoint Online

By default, the person who signed up for Office 365 and became a global administrator is going to be your SharePoint Online Administrator. He or she will be included as the primary site collection administrator for the team site that was automatically set up for SharePoint Online. Note that when you add users to your Office 365 account and assign them roles in the Office 365 portal, this does not add them to Exchange Online, Lync Online, or SharePoint Online.


SharePoint Online has its own separate security model and groups, designed specifically to secure sites, lists, and items in SharePoint Online. When you add users to your Office 365 account from the Office 365 portal, those users become available for you to add into SharePoint Online groups within your SharePoint Online team site.

Who can assign permissions within the different Office 365 services?

Office 365

In Office 365 for enterprises, only global administrators can assign an administrator role (global, billing, password, service, or user management) to other Office 365 users. Within partner companies, only those support agents with delegated full administration permissions can assign administrator permissions to other Office 365 users within a customer’s account. For more information about administering Office 365 for enterprises, see About administering your account.

In Office 365 for professionals and small businesses, only someone with administrator permissions can assign administrator permissions to other Office 365 users. For more information about administering Office 365 for professionals and small businesses, see About administering your account.

SharePoint Online

If you’re a SharePoint Online Administrator, site collection administrator, or a site owner, you can manage user permissions. Global administrators in Office 365 for enterprises are automatically SharePoint Online Administrators.

One of the important things that the SharePoint Online Administrator (or a global administrator) can do is designate more site collection administrators for your sites. For SharePoint Online Administrators using SharePoint Online for enterprises, this is done using the Owners button in the SharePoint Online Administration Center.

Site collection administrators and site owners control permissions on a team site through the Site Settings page; however, there are site settings options that are only available to site collection administrators. The site collection administrator can add more site collection administrators via this page, or add site owners by adding a user to the Owners group.

Site owners are granted rights to manage permissions on a specific site. Because sites, lists, and items in SharePoint Online are subject to permissions inheritance by default, those permissions may be inherited by subsites that users create underneath the site where they are site owners; however, a site owner cannot see or make changes to permissions or settings that belong at the site collection level. For more information, see Manage administrators for a site collection.


Where are permissions assigned?

Office 365

In the Office 365 portal, click Admin > Users (under Management in the navigation pane). On the Users page, select a user, and then click Edit. Click the Settings tab to assign administrator permissions in Office 365 for professionals and small businesses and administrator roles in Office 365 for enterprises. Delegated administration permissions in Office 365 for enterprises are also assigned from the Settings tab. For instructions on how to assign administrator permissions, see the following Help topics:

SharePoint Online

Adding a user to your Office 365 account from the Office 365 portal (either individually or via importing from a .CSV file) does not automatically add that user to a SharePoint Online group. Also, Office 365 uses administrator roles that do not impact user access or security in SharePoint Online, including:

  • Billing administrator
  • Password administrator
  • Service administrator
  • User management administrator

Site collection administrator permissions are granted under Manage Site Collections via the Owners button. This button remains dimmed until you select a specific site collection. Also, your site collection administrator will see a “Site collection administrators” link under Site Actions and Site Settings within a team site. This will allow the site collection administrator to add (or remove) users as back-up site collection administrators.


A site collection administrator and a site owner have access to “People and Groups” and “Site permissions” links. These links lead to the SharePoint Online groups that will house the majority of users with access to SharePoint Online sites (the non-administrative users). For example, the Members group uses the Contribute role. Users in the Members group have access to the site based on the Contribute role and can therefore view, add, update, and delete list items and documents.


After the users have been added to SharePoint Online groups, permissions inheritance can be addressed. For example, if you create a new subsite, you can decide whether to inherit permissions or not (to do this, when in the Create dialog box, click More Options). Likewise, when in a document library, list, or item, you can manage permissions and assign unique permissions. In this way, you can create a library where all SharePoint Online groups have been removed (that is, had their rights revoked) from an item, leaving only the Members group. The item becomes invisible to everyone but users in the Members group and site collection administrators. For more information, see the following Help topics:


What does it mean to have certain permissions or a certain admin role assigned to me? What actions am I allowed to perform?

Office 365

For a description of the permissions associated with each administrator role in Office 365 for enterprises, see View administrator permissions by role.

For a description of administrator permissions in Office 365 for professionals and small businesses, see Assigning administrator permissions.

SharePoint Online

A site owner has permissions within a specific site; a site collection administrator has permissions to the site collection and all subsites created underneath it; and the SharePoint Online Administrator has permissions over all site collections. However, the majority of users will not be administrators of any kind; they will be added to SharePoint Online groups. It’s important to understand how groups work in SharePoint online. Each group is associated with a role/permission level. These roles/permission levels are made up of individual permissions. The permissions in the following table combine into a role/permission level called Contribute.

List permissions

  • Add Items
  • Edit Items
  • Delete Items
  • View Items
  • Open Items
  • View Versions
  • Delete Versions
  • Create Alerts
  • View Application Pages

Site permissions

  • Browse Directories
  • Use Self-Service Site Creation
  • View Pages
  • Browse User Information
  • Use Remote Interfaces
  • Use Client Integration Features
  • Open

Personal permissions

  • Edit Personal User Information
  • Manage Personal View
  • Add/Remove Personal Web Parts
  • Update Personal Web Parts

Each role/permission level is associated with a group. For example, when the Contribute role is assigned to the Members group, users in the Members group can automatically contribute.

Aside from the default groups and roles/permission levels that SharePoint Online provides by default, you can also use different combinations of permissions to create your own groups to meet your specific needs.

The following table outlines permissions for SharePoint Online Administrators and global administrators, site collection administrators, and site owners.

SharePoint Online Administrator and global administrators

  • Can access the Office 365 Admin Overview page in the Office 365 portal and have permissions to add users, manage subscriptions, create service requests, and manage Lync Online, Exchange Online, SharePoint Online, and the Microsoft Office Desktop Apps.
  • In SharePoint Online for enterprises, can manage SharePoint Online from the SharePoint Online Administration Center. In SharePoint Online for professionals and small businesses, can manage team sites and documents from the Admin Overview page in the Office 365 portal.
  • Can add their user accounts as site collection administrators within the SharePoint Online Administration Center.
  • Can do the following from the SharePoint Online Administration Center:
    • Manage SharePoint Online site collections and assign site collection administrators
    • Manage SharePoint Online storage and resource allocation
    • Manage My Sites and user profile data
    • Manage metadata across all site collections
    • Rename the website domain
    • Access any site collection or site at the organization level
  • Within the automatically created SharePoint Online team site, the SharePoint Online Administrator has all available rights to administer the site. Global administrators will need to add themselves as a site collection administrator to gain the same permissions. These permissions allow them to:
    • Manage users and permissions
    • Manage galleries, including master pages, site content types, and site columns
    • Complete all actions included in site administration (such as managing regional settings, user alerts, search, sites, and workflow settings)
    • Manage the look and feel of the site (such as the top link bar and quick launch bar)
    • Manage site actions (such as activating features and saving the site as a template)
    • Manage site collection administration settings at the top-level website (including the Recycle Bin, site collection features, and search settings)

Site collection administrators

  • Can browse to a site collection top-level site (which is the permissions root of all other sites in the site collection) and manage SharePoint Online sites at the site collection level, including changing user permissions.
  • Have full permissions on the site where they are a site collection administrator under Site Actions > Site Settings. (This administrator can see and navigate to all the available Site Collection Administration options on this page.)
  • Have permissions to add more site collection administrators.
  • Have permissions to add or change site owners, and add users to any other SharePoint Online group.
  • Can change permissions for any site, list, or item in the collection.
  • Can do the following from within any SharePoint Online team site:
    • Manage users and permissions
    • Manage galleries, including master pages, site content types, and site columns
    • Complete all actions included in site administration (such as managing regional settings, user alerts, search, sites, and workflow settings)
    • Manage the look and feel of the site (such as the top link bar and quick launch bar)
    • Manage site actions (such as activating features and saving the site as a template)
    • Manage site collection administration settings at the top-level website (including the Recycle Bin, site collection features, and search settings)

Members of a team site’s Owners group

  • Can manage a site under a site collection.
  • Can manage permissions for a site (and any subsite inheriting permissions).
  • Have permissions under Site Actions > Site Settings on the team site. (This user will not see any site collection administration options on this page.) Can do the following:
    • Manage users and permissions
    • Manage galleries, including master pages, site content types, and site columns
    • Complete all actions included in site administration (such as managing regional settings, user alerts, search, sites, and workflow settings)
    • Manage the look and feel of the site (such as the top link bar and quick launch bar)
    • Manage site actions (such as activating features and saving the site as a template)


For more information about SharePoint Online groups, see the following Help topics:


How do permissions work in PowerShell?

Office 365

When users connect to Office 365 for enterprises using Windows PowerShell, they have access only to the cmdlets and parameters that are defined by the administrator role that is assigned to them. An RBAC role is basically a list of cmdlets and parameters that define the capabilities of the role.  If users attempt to run a cmdlet or a parameter on a cmdlet that isn't available to them, they'll receive an error as if the cmdlet or parameter doesn't exist. For more information about using PowerShell with Office 365 for enterprises, see Use Windows PowerShell to manage Office 365.

SharePoint Online

Not applicable


Does Active Directory play a part in determining permissions?

Office 365

Active Directory does not play a part in determining permissions; it is simply a repository for user accounts. In other words, it’s a directory store of all users, passwords, and objects. In Office 365 for enterprises, you can synchronize data from your local Active Directory to Office 365 using the Microsoft Online Services Directory Synchronization tool. For more information about Active Directory synchronization in Office 365 for enterprises, see Active Directory synchronization: Roadmap.


When you install the Directory Synchronization tool, the Directory Synchronization Configuration wizard creates a service account to read from your local Active Directory and write to the Office 365 for enterprises synchronization database. The wizard creates this account using both your local Active Directory permissions and your Office 365 permissions, which you provide as part of setup. To run the Directory Synchronization tool, you must have Administrator permissions for the computer running the Directory Synchronization tool, and you must provide the credentials for an account with Enterprise Administrator permissions on your company's local Active Directory service. This account must have Enterprise Administrator permissions in the Active Directory forest to which the computer running the Microsoft Online Services Directory Synchronization tool is joined. For more information about credentials, see Active Directory Credentials.

SharePoint Online

Active Directory doesn’t play a part in determining permissions; it is simply a repository for user accounts.


How does “permission inheritance” work in SharePoint Online? When do I need to break inheritance and how do I do this?

Office 365

Not applicable

SharePoint Online

By default, permissions inheritance flows down to all objects (sites, lists and libraries, and items) from the site collection level. When you create a root site collection (for example, https://fabrikam.sharepoint.com), it’s assigned a default set of permissions, permission levels, and groups. Permissions are grouped into a permission level, such as Full Control, which uses all of the available permissions. This permission level is assigned to a SharePoint Online group (such as Owners). Thus, when you add users into these groups, they have only certain permissions (for example, visitors can’t delete or edit items, but members can).


These groups automatically inherit down to every object in the site collection. This means that when you create https://fabrikam03.sharepoint.com/budget as your root site collection and you do NOT select the “Use same permissions as parent site” option, the same groups of users are automatically copied there. If you do select unique inheritance, you’ll get a fresh, blank copy of the default groups and permission levels in the new site. If you’re in a list, and you want to break inheritance on an item, you’ll be able to click the drop-down menu for the item and then select Manage Permissions in the menu. For more information, see Create or delete a site collection.
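As an added example that is not part of the original FAQ or any Microsoft code, the following Python sketch models the inheritance rules above together with the "library where every group except Members has been removed" case from the "Where are permissions assigned?" answer, so you can check who can still see an object after inheritance is broken. The tenant URL, group members, and the Full Control and Read permission bundles are constructed for the example.

```python
"""Toy model of the SharePoint Online permissions model (constructed example,
not Microsoft code): objects inherit role assignments from their parent until
inheritance is broken, groups map to permission levels, a permission level is
a set of individual permissions, and site collection admins bypass the check."""
from __future__ import annotations
from dataclasses import dataclass, field

# A permission level bundles individual permissions (a subset of the page's
# Contribute list; the Full Control and Read bundles here are assumed).
PERMISSION_LEVELS = {
    "Full Control": {"View Items", "Add Items", "Edit Items", "Delete Items",
                     "Manage Permissions"},
    "Contribute": {"View Items", "Add Items", "Edit Items", "Delete Items"},
    "Read": {"View Items"},
}


@dataclass
class Securable:
    """A site collection root, subsite, library, or item."""
    name: str
    parent: Securable | None = None
    # group -> permission level; None means "inherit from parent"
    role_assignments: dict | None = None
    site_collection_admins: set = field(default_factory=set)  # root only

    def root(self) -> Securable:
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def effective_assignments(self) -> dict:
        node = self
        while node.role_assignments is None:
            node = node.parent  # walk up until an object with its own assignments
        return node.role_assignments

    def break_inheritance(self) -> None:
        """Take a private copy of the inherited assignments so they can be edited."""
        self.role_assignments = dict(self.effective_assignments())


def effective_permissions(obj: Securable, user: str, membership: dict) -> set:
    """Union of the permission levels of every group the user is in on obj."""
    if user in obj.root().site_collection_admins:
        return set(PERMISSION_LEVELS["Full Control"])
    perms: set = set()
    for group, level in obj.effective_assignments().items():
        if user in membership.get(group, set()):
            perms |= PERMISSION_LEVELS[level]
    return perms


def who_can_view(obj: Securable, users: list, membership: dict) -> list:
    return sorted(u for u in users if "View Items" in effective_permissions(obj, u, membership))


def build_example():
    """Constructed tenant: root site, inheriting subsite, library with unique permissions."""
    root = Securable("https://fabrikam.sharepoint.com", site_collection_admins={"sca"},
                     role_assignments={"Owners": "Full Control", "Members": "Contribute",
                                       "Visitors": "Read"})
    subsite = Securable("/InformationTechnology", parent=root)  # inherits from root
    library = Securable("/InformationTechnology/Budget", parent=subsite)
    library.break_inheritance()
    for group in ("Owners", "Visitors"):  # leave only Members, as in the text
        del library.role_assignments[group]
    membership = {"Owners": {"alice"}, "Members": {"bob"}, "Visitors": {"carol"}}
    return subsite, library, ["alice", "bob", "carol", "sca"], membership
```

Note that the site owner (alice) loses visibility of the library once the Owners group is removed from it, while the site collection administrator keeps access regardless of group membership.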


If I migrate mailboxes from Exchange to Exchange Online, will mailbox permissions be migrated over?

Office 365

Not applicable

SharePoint Online

Not applicable