“Best” Practices for Permission Management in Windows SharePoint Services 3.0


Permissions management tends to be one of the areas that SharePoint users struggle with, both in understanding it and in over-engineering it. These challenges can be minimized by considering the following principles of permission management or by thinking about how you want to optimize your information security.

  1. Take a good look at who your intended audience is for your site(s) when designing an Access strategy
  2. Groups are your friends
    1. In general, I have found that managing access in ANY system is much more manageable, controllable, and easier to troubleshoot when you use groups based on user properties (e.g. AD groups or SharePoint groups).
    2. The key is to be consistent in picking either Active Directory or SharePoint groups for access control and permissions
  3. Use built-in roles
    1. Use them whenever possible; they are easier to use and make issues easier to troubleshoot
  4. Inherit permissions wherever you can
    1. Once you break inheritance, you lose your customizations
  5. Limit the granularity of restrictions
    1. Improves performance of the system and makes troubleshooting permission issues much easier

Levels of Permissions and Inheritance

  1. Web Application (Web Application Security Policy)
    1. Site Collection (Top Site Security Permissions)
      1. Subsite (Subsite Security Permissions)
        1. List (or library)
          1. Item (or document or folder)
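
The principles and the inheritance levels above can be checked against a live site collection. The following PowerShell script is an added example, not code from the original post or its comments: it lists every web and list that has broken inheritance and flags direct user grants and custom permission levels. It assumes PowerShell 2.0 on the WSS 3.0 server, and `$SiteUrl` and the `Get-ScopeReport` helper are hypothetical names chosen for illustration.

```powershell
# Added example (not from the original post). Run on the WSS 3.0 server itself.
# Assumptions: PowerShell 2.0; $SiteUrl is a placeholder site collection URL.
param([string]$SiteUrl = "http://sharepoint.example/sites/team")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Emit one row per role assignment on a web or list that has its own permissions.
function Get-ScopeReport([string]$Kind, [string]$Url, $Securable) {
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        # Principle 2: an individual account granted directly, not through a group
        $direct = ($member -is [Microsoft.SharePoint.SPUser]) -and (-not $member.IsDomainGroup)
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        # Principle 3: custom permission levels report role type None
        $custom = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -eq [Microsoft.SharePoint.SPRoleType]::None } |
            ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Kind         = $Kind
            Url          = $Url
            Member       = $member.Name
            Levels       = ($levels -join ", ")
            DirectUser   = $direct
            CustomLevels = ($custom -join ", ")
        }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Principle 4: the root web always has its own permissions;
            # every other row marks a place where inheritance was broken.
            if ($web.HasUniqueRoleAssignments) {
                Get-ScopeReport "Web" $web.Url $web
            }
            foreach ($list in $web.Lists) {
                if ((-not $list.Hidden) -and $list.HasUniqueRoleAssignments) {
                    Get-ScopeReport "List" ($web.Url + "/" + $list.RootFolder.Url) $list
                }
            }
        }
        finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
}
finally { $site.Dispose() }
```

Item-level permissions are deliberately not enumerated, in line with principle 5. Pipe the output to `Export-Csv` to compare runs over time.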



Built In Roles

    Site Owners and users with the Full Control permission level have the Manage Permissions permission and can manage permissions on a particular securable object.

    Default SharePoint groups and permissions

    | SharePoint group name | Default permission level |
    | --- | --- |
    | Site name Owners | Full Control |
    | Site name Members | Contribute |
    | Site name Visitors | Read |



  1. Online Help for your WSS site
    1. “Managing permissions and security”
    2. “Permission levels and permissions”
  2. Excellent BOOK!
    1. Microsoft® Office SharePoint® Server 2007 Best Practices
    2. http://www.microsoft.com/MSPress/books/12197.aspx



Comments (2)

  1. jwmiller5 says:

    I’ve got a PowerShell script that will enumerate your sites and permissions at a Site-Level. I try not to go too far beneath that. Maintenance nightmare.

    This needs to be run on your server (it needs stsadm and the Microsoft.SharePoint DLLs)
