Mastering SharePoint Online Permissions: A Complete Guide to Normal vs Granular Access Control

Overview 

  • When managing access in SharePoint Online, you will encounter two important concepts: normal (predefined) and granular permissions. Understanding both is key to securely and efficiently controlling who can do what on your SharePoint sites. 

What are Normal Permissions? 

  • Normal permissions are predefined roles in SharePoint that group together multiple specific rights (called granular permissions) into easy-to-manage access levels. These default levels cover most common use cases, making permission management simpler and faster. 

SharePoint Online provides 7 default permission levels:
  • Full Control: Complete access. Can manage everything, including permissions, site settings, and content. Typically assigned to Site Owners.
  • Design: Lets users view, modify, approve, and customize lists and pages within the site.
  • Edit: Enables adding, editing, and deleting lists, libraries, and list items, but excludes managing site structure or permissions.
  • Contribute: Can add, edit, and delete list items/documents but cannot delete entire lists or libraries.
  • Read: View content only; no editing rights.
  • View Only: View pages, list items, and documents; cannot download documents (for example, PDFs open in the browser only).
  • Limited Access: Automatically assigned by SharePoint to allow access to a specific item without giving access to the whole site or library. Cannot be assigned manually.

These predefined levels bundle multiple granular permissions (individual rights) into a single role, making it easier to assign permissions without managing each right separately. 

What are Granular Permissions? 

  • Granular Permissions are the most detailed, specific access rights you can assign in SharePoint. Unlike broad roles, granular permissions let you precisely control the actions a user can perform on particular resources. 

Categories of Granular Permissions: 

  1. List Permissions: Control actions on lists, libraries, and their items/documents. Examples include adding items, deleting items, and approving items.
  2. Site Permissions: Control actions at the site level (e.g., Manage Permissions, Create Subsites, Manage Web Site).
  3. Personal Permissions: Manage user-specific customizations like personal views and editing personal information. 

Common Granular Permissions for Lists: 

| Permission Name | Description |
|---|---|
| View Items | View list items and documents. |
| Add Items | Permits adding new items to lists and documents. |
| Edit Items | Edit items and documents. |
| Delete Items | Delete items and documents. |
| Approve Items | Grants the ability to approve minor versions of items. |
| Open Items | Grants viewing the source of documents with server-side file handlers. |
| View Versions | Permits viewing past versions of items or documents. |
| Delete Versions | Enables deletion of previous versions. |
| Create Alerts | Create alerts for list items or documents. |
| View Application Pages | View forms, views, and application pages. |
| Cancel Checkout | Undo check-out of a document. |
| Manage Personal Views | Create, change, and delete personal views. |
| Manage Lists | Create/delete lists, add/remove columns and views. |

Common Site Permissions:  

| Permission Name | Description |
|---|---|
| Manage Permissions | Create or change permission levels on the site. |
| View Web Analytics Data | View usage data reports. |
| Create Subsites | Create subsites such as team or project sites. |
| Manage Web Site | Manage site settings, including themes and page layouts. |
| Add and Customize Pages | Manage HTML or Web Part pages by adding, updating, or deleting them. |
| Apply Themes and Borders | Apply visual themes or borders site-wide. |
| Apply Style Sheets | Apply a style sheet to the site. |
| Create Groups | Create SharePoint groups. |
| Browse Directories | Enumerate files and folders via SharePoint Designer and WebDAV interfaces. |
| Browse User Information | View information about users of the site. |
| Add/Remove Personal Web Parts | Manage personal Web Parts on pages. |
| Update Personal Web Parts | Update Web Parts on personal pages. |
| Use Remote Interfaces | Use features that launch client applications. |
| Use Client Integration Features | Use features such as opening a document in Word or Excel. |
| Open | Open a website, list, or folder. |
| Edit Personal User Information | Allows a user to change their own user information (e.g., profile). |

Common Granular Permissions for Personal: 

| Permission Name | Description |
|---|---|
| Manage Personal Views | Create and manage personal views of lists. |
| Add/Remove Personal Web Parts | Modify pages by adding or removing Web Parts as needed. |
| Update Personal Web Parts | Update Web Parts on your personal pages. |

Example use cases:
  • Full Control – Site owners or admins.
  • Edit – Team members contributing to content.
  • Read – Visitors or external users.
  • View Only – When users should view documents but not download them (e.g., secure reading rooms).
  • Design – Power users who customize pages and branding.

These default roles are built from combinations of granular permissions, and you can also create custom permission levels by mixing specific granular rights. SharePoint has about 33 granular permissions grouped into categories as above.

Why Use Granular Permissions?

Granular permissions offer fine-grained control over access, which is essential when: 
  • You want to limit user actions precisely without giving them more access than necessary. 
  • There are advanced security and compliance expectations within your organization. 
  • You need to customize permission levels beyond the default ones. 
  • You want to reduce the risk of accidental or malicious changes by restricting sensitive operations.
  • Different resources or tasks require different permission sets. 

When and How to use Granular Permissions in SharePoint Online: 

When to Use Granular Permissions:

  • If the default permissions don’t suit your organization's access control requirements.
  • When you need to create a custom permission level with specific rights.
  • To implement the principle of least privilege, giving users only the permissions they actually require.

How to Create a Custom Granular Permission Level:

  1. Go to Site Settings: Click the gear icon, then click Site Permissions, then click Advanced permission settings.
  2. Open Permission Levels: Click Permission Levels in the top menu.
  3. Add a Permission Level: Click Add a Permission Level.
  4. Select Granular Permissions: Select the exact rights you need to include.
  5. Name & Save it: Provide a meaningful name and description. Click Create.

Assign Your Custom Permission Level: 

To assign your new permission level, follow these steps for users or SharePoint groups: 
  1. Go to Site Permissions: Select a user or SharePoint group. 
  2. Click Edit User Permissions. Assign your custom permission level. 
  3. Save your changes: Ensure changes are saved. 
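
The same create-and-assign procedure can be scripted. The following is an added example, not part of the original post; it assumes the PnP.PowerShell module is installed, and the site URL, client ID, level name, and group name are placeholders.

```powershell
# Added example: create a custom permission level and assign it to a group.
# Placeholders (assumptions, replace with your own values):
$siteUrl   = "https://contoso.sharepoint.com/sites/ProjectX"
$clientId  = "<entra-app-client-id>"
$levelName = "Contribute - No Delete"     # hypothetical custom level name
$groupName = "ProjectX Members"           # hypothetical SharePoint group

Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# Create the level once: start from Contribute and strip the delete rights
# (Delete Items and Delete Versions in the tables above).
$existing = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName }
if (-not $existing) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
        -Exclude DeleteListItems, DeleteVersions `
        -Description "Add and edit items; cannot delete items or versions"
}

# Read the level back and fail loudly if a delete right is still present.
$role = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName }
foreach ($kind in 'DeleteListItems', 'DeleteVersions') {
    if ($role.BasePermissions.Has($kind)) {
        throw "Permission level '$levelName' still grants $kind"
    }
}

# Assign the custom level to the group. Permission levels are cumulative,
# so the broader level must be removed or the restriction has no effect.
# Assumption: the group currently holds the default Edit level.
Set-PnPGroupPermissions -Identity $groupName -AddRole $levelName -RemoveRole "Edit"

# Show the group's resulting permission levels for confirmation.
Get-PnPGroupPermissions -Identity $groupName | Select-Object Name, Description
```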

Benefits of Using Granular Permissions: 

  • Security: Controls access to sensitive content and high-impact tasks. 
  • Flexibility: Tailors permissions to unique business needs. 
  • Compliance: Helps meet regulatory requirements by controlling who can do what. 
  • Risk Reduction: Minimizes potential damage from errors or insider threats. 

Additional Tips for Using Granular Permission Effectively: 

  • Keep it simple: Using default permission levels helps ensure a straightforward and clear configuration. 
  • Use granular permissions only when necessary: Choose granular permissions when you require detailed control. 
  • Break permission inheritance if you need to set distinct permissions for a list, library, folder, or item. (Permissions are automatically inherited from the parent site unless explicitly broken.) 
  • Use SharePoint Groups: Assign permissions to groups rather than individual users for easier and more efficient management. 
  • Regularly review permissions: Perform routine checks to ensure that permissions remain suitable and aligned with current requirements. 
  • Enforce least privilege: Implement granular permissions to ensure users have only the necessary access required for their tasks. 
  • Consider item-level permissions for sensitive documents or list items requiring restricted access. 
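
One way to carry out the regular review described in the tips above is to script it. This is an added example, not from the original post; it assumes the PnP.PowerShell module, placeholder connection values, and a choice of which rights count as high-impact.

```powershell
# Added example: list libraries/lists with broken inheritance and flag
# direct user assignments and high-impact rights.
$siteUrl  = "https://contoso.sharepoint.com/sites/ProjectX"   # placeholder
$clientId = "<entra-app-client-id>"                            # placeholder
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# Assumption: these rights from the tables above are treated as high-impact.
$sensitive = 'ManagePermissions', 'ManageWeb', 'ManageLists'

$lists = Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments
$findings = foreach ($list in $lists) {
    # Only lists whose inheritance was broken carry their own assignments.
    if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }

    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        foreach ($role in $ra.RoleDefinitionBindings) {
            # Limited Access is assigned automatically; skip it.
            if ($role.Name -eq 'Limited Access') { continue }

            $hits = $sensitive | Where-Object { $role.BasePermissions.Has($_) }
            [pscustomobject]@{
                List            = $list.Title
                Principal       = $ra.Member.Title
                PrincipalType   = $ra.Member.PrincipalType
                Level           = $role.Name
                DirectUser      = ($ra.Member.PrincipalType -eq 'User')
                SensitiveRights = ($hits -join ', ')
            }
        }
    }
}

# Review queue: permissions granted to individuals instead of groups,
# and any assignment that carries a high-impact right.
$findings |
    Where-Object { $_.DirectUser -or $_.SensitiveRights } |
    Sort-Object List, Principal |
    Format-Table -AutoSize
```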
