If you’re new to SharePoint, the permissions can seem intimidating. Don’t worry. The whole system is built on a few simple ideas. Think of your SharePoint site not just as a filing cabinet, but as a digital office space for your team. Permissions are just the digital keycards that determine which doors each person can open.
Let’s dive deep into how it all works.
Part 1: The Core Concepts (The “Need to Know”)
Before we click any buttons, let’s understand two key things.
1. The “Russian Doll” Hierarchy of Permissions
Permissions in SharePoint flow downwards, like a waterfall. It’s like a set of nesting Russian dolls:
- The Site (The biggest doll): This is your main team site. When you give someone permission at this level, they get that permission on everything inside it by default.
- Libraries & Lists (The next doll inside): Inside a site, you have Document Libraries (where files live) and Lists (like a simple spreadsheet). They inherit their permissions from the site.
- Folders (A smaller doll): Inside a library, you can have folders. They inherit permissions from the library.
- Individual Files (The smallest doll): A single Word doc or PDF. It inherits permissions from the folder it’s in.
Why this matters: If you make someone a “Member” at the Site level, they can edit all files in all folders in that site. You can break this inheritance and set unique permissions on a specific folder or file (we’ll touch on that), but it’s best to keep things simple and manage permissions at the Site level when possible.
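To make the inheritance rule concrete, here is a small offline model, added as an illustration and not taken from SharePoint or from any Microsoft module. The site tree, the user names other than Jane, and the functions `Get-PermissionSource` and `Get-EffectiveRole` are all hypothetical; the model only shows the end state after inheritance has been broken on one folder.

```powershell
# Constructed model of one site. Acl = $null means "inherits from Parent";
# a hashtable means inheritance was broken and the node has unique permissions.
# The site itself (the root) always carries its own Acl.
$nodes = @{
    'Site'               = @{ Parent = $null;       Acl = @{ Raj = 'Owner'; Jane = 'Member'; Sam = 'Visitor' } }
    'Documents'          = @{ Parent = 'Site';      Acl = $null }
    'Reports'            = @{ Parent = 'Documents'; Acl = $null }
    'Reports/Q1.docx'    = @{ Parent = 'Reports';   Acl = $null }
    'Salaries'           = @{ Parent = 'Documents'; Acl = @{ Raj = 'Owner' } }   # unique permissions
    'Salaries/2024.xlsx' = @{ Parent = 'Salaries';  Acl = $null }
}

function Get-PermissionSource {
    # Walk up the hierarchy until a node with its own Acl is found.
    # That node, not the site, decides who can reach the item.
    param([hashtable]$Tree, [string]$Name)
    if (-not $Tree.ContainsKey($Name)) { throw "Unknown item: $Name" }
    $current = $Name
    while ($null -eq $Tree[$current].Acl) { $current = $Tree[$current].Parent }
    $current
}

function Get-EffectiveRole {
    param([hashtable]$Tree, [string]$Name, [string]$User)
    $source = Get-PermissionSource -Tree $Tree -Name $Name
    $role = $Tree[$source].Acl[$User]
    if ($null -eq $role) { 'No access' } else { $role }
}

# Effective role of each user on an inheriting file and on a file under the
# folder with unique permissions.
foreach ($item in 'Reports/Q1.docx', 'Salaries/2024.xlsx') {
    foreach ($user in 'Raj', 'Jane', 'Sam') {
        [pscustomobject]@{
            Item      = $item
            User      = $user
            Role      = Get-EffectiveRole -Tree $nodes -Name $item -User $user
            DecidedAt = Get-PermissionSource -Tree $nodes -Name $item
        }
    }
}

# Everything below the site that no longer follows site-level permissions:
# these are the places a site owner has to review separately.
$nodes.Keys | Where-Object { $nodes[$_].Parent -and $null -ne $nodes[$_].Acl } | Sort-Object
```

Jane's site-level Member role applies to the report but not to anything under the folder with unique permissions, which is why each break in inheritance becomes one more place to audit.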
2. The Three Main Roles (Expanded)
We mentioned these before, but let’s be more descriptive about who should be in each group.
- Owners (The Architects & Janitors):
  - What they do: They have total control. They build the site, create new document libraries, change the look and feel, and manage all permissions. They can delete the entire site.
  - Who this is for: The team lead, the project manager, and maybe one other trusted person as a backup. Keep this group extremely small. You don’t want too many people with the power to change everything.
- Members (The Contributors):
  - What they do: This is the “get work done” group. They can add new documents, edit existing ones, delete files, create folders, and collaborate freely. This is the standard permission for most team members.
  - Who this is for: The vast majority of your project team. The people who are actively creating and modifying content every day.
- Visitors (The Audience):
  - What they do: They are strictly “read-only.” They can open files to read them and download copies, but they cannot change the original, upload new files, or delete anything.
  - Who this is for: Stakeholders who need to see progress but not participate, senior managers who just want to view reports, or a wider department that needs access to finished policy documents.
Part 2: Step-by-Step Sharing a File or Folder (For Daily Use)
This is the most common task. Let’s go through it with extreme detail.
Scenario: You have a final report (Demo doc file.docx) you need to share with your manager for review.
- Navigate to the File: Open your web browser and go to your SharePoint site. Click into the “Documents” library and find the Demo doc file.docx file.
- Select the File: To the left of the file name, you’ll see a small circle. Click that circle. A blue checkmark will appear, and the entire row will be highlighted. This tells SharePoint, “This is the item I want to do something with.”
- Find and Click “Share”: Once the file is selected, a new toolbar will appear at the top of the file list. Click the “Share” button. It usually has an icon of a box with an arrow pointing out of it.
- The Sharing Window – This is the Critical Part: A new window will pop up. Don’t just type a name and hit send! Let’s analyze the options carefully.
  - At the very top, you’ll see a line that says something like “People in [Your Org] with the link can edit”. Click this entire line to open up your sharing options.
  - Choose WHO you are sharing with:
    - Anyone with the link: Creates a public link. Use Case: Sharing a marketing flyer or a public announcement. Be very careful; this means anyone on the internet with the link can open it. This option might be greyed out by your admin.
    - People in [Your Organization] with the link: Use Case: Sharing a company-wide newsletter or a holiday schedule that isn’t sensitive but is for internal eyes only.
    - People with existing access: Use Case: Your manager already has access to the site, but you want to send them a direct link to the specific file so they don’t have to search for it. This doesn’t grant any new permissions.
    - Specific people: This is your safest and best option for most work. Use Case: Sharing that report draft with only your manager and a specific teammate. It ensures only the people you list can ever use the link.
  - Choose WHAT they can do:
    - Under “Other settings,” you’ll see a dropdown that says Can edit.
    - Can edit: Allows them to make changes to your original document.
    - Can view: Allows them to read and download, but not change the original. For our scenario of a final review, you might choose this.
    - Block download: This switch only appears when you select “Can view.” It prevents the person from even downloading a copy. This is great for highly sensitive information.
- Finalize and Send:
  - Select Specific people.
  - Choose Can edit (since your manager needs to add comments).
  - Click Apply.
  - Now, in the “To:” field, start typing your manager’s name. SharePoint will suggest the correct person. Select them.
  - Add a brief message like, “Here is the final report for your review.”
  - Click Send. Your manager will get an email with a secure link that only they can open.
Part 3: Step-by-Step Guide to Managing an Entire Site’s Permissions (For Site Owners)
Scenario: A new member, Jane, has joined your project team. You need to give her access to the entire project site.
- Go to Your Site’s Homepage: Navigate to the main landing page of the SharePoint site you manage.
- Find the Settings Gear: In the top-right corner of the page, in the same bar as your profile picture, look for the settings gear icon ⚙️. Click it.
- Select “Site permissions”: A dropdown menu will appear. Click on the option that says “Site permissions”.
- Understand the Permissions Panel: A panel will slide out from the right side of your screen. It is neatly organized into the three groups we discussed:
  - Site owners
  - Site members
  - Site visitors

  You can see who is already in each group here.
- Invite the New Person:
  - Click the blue “Add members” button. A small window will pop up.
  - Select “Add members to group”.
  - In the “Enter names or email addresses” box, start typing “Jane”. SharePoint will search your organization’s directory and suggest the correct “Jane Doe”. Click on her name to add her.
  - By default, she will be added to the “Members” group, which is what we want. This will give her edit rights.
  - (Optional) If you wanted to add her as a Visitor instead, you could click the dropdown menu that says “Member” and change it to “Visitor”.
  - Uncheck the “Send email” box if you plan to tell her in person; otherwise, leave it checked to send her an automatic welcome email.
  - Click Add.
Jane now has Member-level access to everything on the site. It’s that simple.
Part 4: The Ultimate Control Panel: A Step-by-Step Guide for M365 Admins
This is the highest level of control. The settings you configure here dictate what all your Site Owners and users are allowed to do across the entire company.
Objective: To review and set the company-wide sharing policy to ensure data security.
- Log In as an Administrator:
  - Open your browser and navigate to https://admin.microsoft.com.
  - Log in using an account that has either “Global Administrator” or “SharePoint Administrator” privileges. A regular user account will not work.
- Navigate to the SharePoint Admin Center:
  - On the left-hand navigation menu, you may need to click “Show all” to expand the menu.
  - Scroll down to the “Admin centers” section.
  - Click on “SharePoint”. This will open a new browser tab for the SharePoint-specific admin center.
- Locate the Global Sharing Policies:
  - In the SharePoint Admin Center, look at the left-hand menu.
  - Click on “Policies”. The menu will expand.
  - Click on “Sharing”.
- Configure the Master Sharing Slider:
  - The main part of this page is a set of sliders for SharePoint and OneDrive. The SharePoint slider is our focus. This slider sets the absolute maximum sharing level allowed in your organization. A user can never choose an option more permissive than what you set here.
  - Read each level carefully:
    - Anyone: Users can create anonymous links. Security implication: High risk. A link could be posted on the internet, and you’d never know who was accessing your data.
    - New and existing guests: Users can share with any external person by typing in their email address. SharePoint will make that person a “guest” in your system. Security implication: Medium risk. Good for collaboration but requires you to trust your users to share with the right people.
    - Existing guests only: Users can only share externally with guests who have already been approved and exist in your directory. Security implication: Low risk. Excellent for working with established, long-term partners.
    - Only people in your organization: Completely disables all external sharing. Security implication: Very low risk. The most secure setting if your company has a strict no-external-sharing policy.
- Fine-Tune with “More external sharing settings”:
  - Scroll down to see more granular controls. The most useful are:
    - Limit external sharing by domain: This lets you create an “allow list” or “block list.” For example, you can set it to only allow sharing with users from partnercompany.com, or to block sharing with personal email domains like gmail.com.
    - Guests must sign in using the same account to which sharing invitations are sent: Strongly recommended to keep this checked. It ensures that if you send an invite to bob@partner.com, only the person who can log in as Bob can use the link. If Bob forwards the link to someone else, it will not work for them.
- Configure the Default Link Settings:
  - Further down, you can set the default link type. When a user clicks “Share,” this is the option that is selected for them automatically.
  - It is best practice to set the default link type to “Specific people”. This forces your users to consciously choose a more permissive option if they need it, reducing accidental oversharing.
  - Click Save at the bottom of the page to apply all your changes.
By carefully configuring these admin-level settings, you create a secure and predictable environment for everyone in your organization.
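The same Part 4 settings can be checked from a script instead of the admin center. The following is an added example, not part of the original guide: `Test-SharingBaseline` is a hypothetical helper, the property names are those returned by `Get-SPOTenant` in the SharePoint Online Management Shell, and the tenant object is a constructed sample so the check runs offline.

```powershell
# Slider positions in the admin center and the SharingCapability value each one maps to.
$sliderName = @{
    'ExternalUserAndGuestSharing'     = 'Anyone'
    'ExternalUserSharingOnly'         = 'New and existing guests'
    'ExistingExternalUserSharingOnly' = 'Existing guests only'
    'Disabled'                        = 'Only people in your organization'
}

function Test-SharingBaseline {
    # Returns one review item per setting that is looser than this guide recommends.
    param([Parameter(Mandatory)] $Tenant)
    $level = [string]$Tenant.SharingCapability
    if ($level -eq 'ExternalUserAndGuestSharing') {
        "Slider is at '$($sliderName[$level])': anonymous links can be created."
    }
    if ($level -ne 'Disabled') {
        # These two only matter while some form of external sharing is enabled.
        if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
            'Guests are not required to sign in with the account the invitation was sent to.'
        }
        if ([string]$Tenant.SharingDomainRestrictionMode -eq 'None') {
            'No domain allow list or block list limits external sharing.'
        }
    }
    if ([string]$Tenant.DefaultSharingLinkType -ne 'Direct') {
        "Default link type is '$($Tenant.DefaultSharingLinkType)'; 'Direct' is the 'Specific people' option."
    }
}

# Constructed sample standing in for real tenant settings. Against a live tenant:
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   $tenant = Get-SPOTenant
$tenant = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    RequireAcceptingAccountMatchInvitedAccount = $false
    SharingDomainRestrictionMode               = 'None'
    DefaultSharingLinkType                     = 'AnonymousAccess'
}

$items = @(Test-SharingBaseline -Tenant $tenant)
"{0} setting(s) to review" -f $items.Count
$items

# Applying the two recommendations this guide states outright (run as SharePoint admin):
#   Set-SPOTenant -DefaultSharingLinkType Direct -RequireAcceptingAccountMatchInvitedAccount $true
```

Run on a schedule against `Get-SPOTenant` output, a check like this catches the slider or default link type being loosened after the initial setup.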