Determine permission levels and groups to use (Office SharePoint Server)

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2016-11-14

In this article:

  • Review available default groups

  • Review available permission levels

  • Determine whether you need additional permission levels or groups

  • Worksheet

The most important decision about your site and content security in Microsoft Office SharePoint Server 2007 is to decide how to categorize your users and what permission levels to assign.

There are several default SharePoint groups that are intended to help you categorize your users based on the types of actions they need to perform, but you might have unique requirements or other ways of looking at sets of users. Likewise, there are default permission levels, but they might not always align exactly with the tasks that your groups need to perform.

In this article, you review the default groups and permission levels and decide whether to use them as they are, customize them, or create different groups and permission levels.

Review available default groups

With SharePoint groups, you manage sets of users rather than individual users. SharePoint groups can be composed of many individual users, can hold a single Windows security group, or can be some combination of the two. SharePoint groups confer no specific rights to the site; they are merely a means to contain a set of users. Depending on the size and complexity of your organization or Web site, you can organize your users into several groups, or just a few.

The default SharePoint groups that are created for sites in Office SharePoint Server 2007 are listed in the following table.

Group name Default permission level

Restricted Readers

Restricted Read to the site (plus Limited Access to specific lists)

Style Resource Readers

Read to the Master Page Gallery and Restricted Read to the Style Library.


View Only

Home Visitors


Home Members


Quick Deploy Users

Contribute to the Quick Deploy Items library (plus Limited Access to the rest of the site)


Approve (plus Limited Access)



Hierarchy Managers

Manage Hierarchy (plus Limited Access)

Home Owners

Full Control


The Limited Access permission level is used to give groups access to a specific list, document library, item, or document, without giving them access to the entire site. Do not remove this permission level from the groups listed above. If this permission level is removed, the groups might not be able to navigate through the site to get to specific items with which they need to interact.

In addition, the following special users and groups are available for higher-level administration tasks:

  • Site collection administrators   You can designate one or more users as primary and secondary site collection administrators. These users are recorded in the database as the contacts for the site collection, have full control of all sites within the site collection, can audit all site content, and receive any administrative alerts (such as verifying whether the site is still in use). Generally, you designate site collection administrators when you create the site, but you can change them as needed by using the Central Administration site or Site Settings pages.

  • **Farm administrators   **Controls which users can manage server and server farm settings. The Farm Administrators group replaces the need for adding users to the Administrators group for the server, or to the SharePoint Administrators group that was used in Windows SharePoint Services version 2.0. Farm administrators have no access to site content by default; they must take ownership of the site to view any content. They do this by adding themselves as site collection administrators, which action is recorded in the audit logs. The Farm Administrators group is used in Central Administration only, and is not available for any sites.

  • **Administrators   **Members of the Administrators group on the local server can perform all farm administrator actions and more, including:

    • Installing new products or applications.

    • Deploying Web Parts and new features to the global assembly cache.

    • Creating new Web applications and new IIS Web sites.

    • Starting services.

    Like the Farm Administrators group, members of the Administrators group on the local server have no access to site content, by default.

After you identify the groups you need, determine the permission levels to assign to each group on your site.

Worksheet action

Use the Custom permission levels and groups worksheet ( to record any groups you need to create.

Review available permission levels

The ability to view, change, or manage a particular site is determined by the permission level that you assign to a user or group. This permission level controls all permissions for the site and for any subsites, lists, document libraries, folders, and items or documents that inherit the site's permissions. Without the appropriate permission levels, your users might not be able to perform their tasks, or they might be able to perform tasks that you did not intend them to perform.

By default, the following permission levels are available:

  • **Limited Access   **Includes permissions that allow users to view specific lists, document libraries, list items, folders, or documents when given permissions.

  • **Read   **Includes permissions that allow users to view items on the site pages.

  • **Contribute   **Includes permissions that allow users to add or change items on the site pages or in lists and document libraries.

  • **Design   **Includes permissions that allow users to change the layout of site pages by using the browser or Microsoft Office SharePoint Designer 2007.

  • **Approve   **Includes permissions to edit and approve pages, list items, and documents.

  • **Manage Hierarchy   **Includes permissions to sites and edit pages, list items, and documents.

  • **Restricted Read   **Includes permissions to view pages and documents, but not historical versions or user rights information.

  • **Full Control   **Includes all permissions.

For more information about permissions that are included in the default permission levels, see User permissions and permission levels.

Determine whether you need additional permission levels or groups

The default groups and permission levels are designed to provide a general framework for permissions, covering a wide range of organization types and roles within those organizations. However, they might not map exactly to how your users are organized or to the variety of tasks that your users perform on your sites. If the default groups and permission levels do not suit your organization, you can create custom groups, change the permissions included in specific permission levels, or create custom permission levels.

Do you need custom groups?

The decision to create custom groups is fairly straightforward and has little impact on your site's security. Essentially, you should create custom groups instead of using the default groups if any of the following applies:

  • You have more (or fewer) user roles within your organization than are apparent in the default groups. For example, if in addition to Approvers, Designers, and Hierarchy Managers, you have a set of people who are tasked with publishing content to the site, you might want to create a Publishers group.

  • There are well-known names for unique roles within your organization that perform very different tasks in the sites. For example, if you are creating a public site to sell your organization's products, you might want to create a Customers group that replaces Visitors or Viewers.

  • You want to preserve a one-to-one relationship between Windows security groups and the SharePoint groups. (For example, your organization has a security group for Web Site Managers, and you want to use that name as a group name for easy identification when managing the site).

  • You prefer other group names.

Do you need custom permission levels?

The decision to customize permission levels is less straightforward than the decision to customize SharePoint groups. If you customize the permissions assigned to a particular permission level, you must keep track of that change, verify that it works for all groups and sites affected by that change, and ensure that the change does not negatively affect your security or your server capacity or performance.

For example, regarding security, if you customize the Contribute permission level to include the Create Subsites permission that is typically part of the Full Control permission level, members of the Contributors group can create and own subsites, and can potentially invite malicious users to their subsites or post unapproved content. Or, regarding capacity, if you customize the Read permission level to include the Create Alerts permission that is typically part of the Contribute permission level, all members of the Home Visitors group can create alerts, which might overload your servers.

You should customize the default permission levels if either of the following applies:

  • A default permission level includes all permissions except one that your users need to do their jobs, and you want to add that permission.

  • A default permission level includes a permission that your users do not need.


    You should not customize the default permission levels if your organization has security or other concerns about a particular permission and wants to make that permission unavailable for all users assigned to the permission level or levels that include that permission. In this case, you should turn off this permission for all Web applications in your server farm, rather than change all of the permission levels. To manage permissions for a Web application, in Central Administration, on the Application Management page, in the Application Security section, click User permissions for Web application.

If you need to make several changes to a particular permission level, it is better to create a custom permission level that includes all of the permissions you need.

You might want to create additional permission levels if any of the following applies:

  • You want to exclude several permissions from a particular permission level.

  • You want to define a unique set of permissions for a new permission level.

To create a permission level, you can copy an existing permission level and then make changes, or you can create a permission level and then select the permissions that you want to include.


Some permissions are dependent on other permissions. If you clear a permission that another permission depends on, the other permission is also cleared.

Worksheet action

Use the Custom permission levels and groups worksheet ( to record any permission levels you want to customize or create.


Use the following worksheet to determine permission levels and groups to use:

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for Office SharePoint Server 2007.