SharePoint permissions explained
SharePoint permissions look complex but follow a few simple rules. Here's the model.
SharePoint permissions can feel arcane, but they follow a small set of rules. Understanding those rules turns most permissions problems into easy diagnoses.
The core model
Every securable object (site, library, folder, file, list, item) has an access control list mapping principals (users or groups) to permission levels (Full Control, Edit, Read, etc.). Permissions inherit down the hierarchy unless the inheritance is broken.
By default:
- A site has three SharePoint groups: Owners (Full Control), Members (Edit), Visitors (Read).
- Libraries, lists, folders, and items inherit the site's permissions.
That's it. Everything else is a layering on top.
Microsoft 365 Group-connected sites
Team sites connected to a Microsoft 365 Group behave slightly differently. They have Site Owners and Site Members that mirror the underlying group's owners and members; the Site Visitors group is empty by default. Adding someone to the Microsoft 365 Group adds them to the site too.
Sharing links
The other major path to access is sharing links — "Anyone with the link," "People in your organisation," "Specific people." Sharing links create permissions behind the scenes, often at the item or folder level, breaking inheritance. This is where most "why can this person see that file" mysteries originate.
Breaking inheritance
You can break inheritance on a library, folder, or item to give different permissions to different scopes. SharePoint warns when you do this because broken inheritance is hard to audit at scale. As a rule of thumb:
- Group at the site level whenever possible.
- Break inheritance on a library or folder only when there's a clear, durable reason.
- Avoid breaking inheritance on individual files — it's almost always a sign you should restructure.
Where to investigate
When a user has the wrong access, check in this order:
- Site Owners/Members/Visitors groups.
- Microsoft 365 Group membership (for group-connected sites).
- Sharing links on the specific item.
- Broken inheritance up the parent chain.
The Site permissions pane and the per-item Manage access panel surface this. For tenant-wide visibility, SharePoint Advanced Management (now part of Copilot prerequisites) generates oversharing reports that point at high-risk sites and over-permissioned items.
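The same walk, scripted, covers the core model (inherited versus unique permissions), the sharing-link path and the investigation order above. This is an added example with PnP PowerShell, not code from the article or from Microsoft: it assumes the PnP.PowerShell module is installed, that you can sign in interactively, and that the site and file URLs are placeholders you replace; `Show-Assignments` is a helper defined here, and `Get-PnPGroupMember -Group` is the parameter name in current PnP.PowerShell releases.

```powershell
# Added example, not code from the article: walk one file's permission chain
# (item -> parent folders -> library -> site) and print, at each level, whether
# inheritance is broken and which principals hold which permission levels.
# Assumptions: PnP.PowerShell is installed, interactive sign-in works, and the
# two defaults below are placeholders for a real site and file.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",        # placeholder
    [string]$FileUrl = "/sites/Finance/Shared Documents/Budgets/FY25.xlsx"    # placeholder
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Print the role assignments of one securable object (item, folder item, list or web).
# An inheriting object is only labelled: its effective permissions are the parent's,
# which the walk prints further up the chain.
function Show-Assignments {
    param($Securable, [string]$Label, [switch]$ExpandGroups)
    Get-PnPProperty -ClientObject $Securable -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
    $state = if ($Securable.HasUniqueRoleAssignments) { "UNIQUE (inheritance broken)" } else { "inherits from parent" }
    Write-Host "`n== $Label : $state"
    if (-not $Securable.HasUniqueRoleAssignments) { return }

    foreach ($ra in $Securable.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        $name   = $ra.Member.Title
        # Sharing links are materialised as hidden SharePoint groups named
        # "SharingLinks.<item guid>.<link kind>.<link guid>", so they are easy to spot.
        $tag = if ($name -like "SharingLinks.*") { "  <-- sharing link" } else { "" }
        Write-Host ("   {0,-16} {1,-55} {2}{3}" -f $ra.Member.PrincipalType, $name, $levels, $tag)

        if ($ExpandGroups -and $ra.Member.PrincipalType -eq "SharePointGroup" -and $name -notlike "SharingLinks.*") {
            # On a Microsoft 365 Group-connected site the Owners/Members groups contain the
            # M365 group itself, which appears as a federateddirectoryclaimprovider claim.
            Get-PnPGroupMember -Group $name | ForEach-Object {
                Write-Host ("      member: {0}  ({1})" -f $_.Title, $_.LoginName)
            }
        }
    }
}

# 1. The file itself: the scripted equivalent of the per-item Manage access panel.
$item = Get-PnPFile -Url $FileUrl -AsListItem
Show-Assignments -Securable $item -Label "Item $FileUrl"

# 2. Every folder between the file and the library root (FileDirRef is the
#    server-relative URL of the file's parent folder).
$list    = Get-PnPProperty -ClientObject $item -Property ParentList
$rootUrl = (Get-PnPProperty -ClientObject $list -Property RootFolder).ServerRelativeUrl
$dir     = [string]$item["FileDirRef"]
while ($dir -and $dir -ne $rootUrl) {
    $folder     = Get-PnPFolder -Url $dir
    $folderItem = Get-PnPProperty -ClientObject $folder -Property ListItemAllFields
    Show-Assignments -Securable $folderItem -Label "Folder $dir"
    $dir = $dir.Substring(0, $dir.LastIndexOf('/'))
}

# 3. The library, then the site. Expanding the site groups shows who is actually
#    in Owners/Members/Visitors, including the M365 group on connected sites.
Show-Assignments -Securable $list -Label "Library '$($list.Title)'"
Show-Assignments -Securable (Get-PnPWeb) -Label "Site $SiteUrl" -ExpandGroups
```

Read the output bottom-up: the first level that reports UNIQUE is where the user's access was actually granted, and a SharingLinks group at that level means the grant came from a link rather than from a group. A related tell when scanning a parent: principals holding only Limited Access there have been granted something on a child with unique permissions, so a library full of Limited Access entries is a library with many broken-inheritance items beneath it.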
Good permissions hygiene is the difference between a Copilot deployment that helps users and one that surfaces everything everyone has ever overshared.