How to Manage SharePoint Permission Groups

Understanding SharePoint groups

Microsoft SharePoint groups enable you to manage sets of users instead of individual users. A group can include individual SharePoint users, as well as users or groups from any identity management or domain services system, such as Active Directory Domain Services (AD DS), LDAPv3-based directories, application-specific databases, and identity models such as Windows Live ID.

You can organize your users into any number of groups, depending on the size and complexity of your organization or site. However, SharePoint groups cannot contain other SharePoint groups (that is, they cannot be nested).

There are two ways of assigning permissions to a SharePoint site via groups: the first is to add a user to a SharePoint group, and the second is to give an AD security group access directly to the site or to put it in a SharePoint group that has permissions on the site.

Built-in SharePoint groups

SharePoint includes multiple built-in groups. They exist at the site level in SharePoint and can have permissions assigned to them within the site collection they belong to. The set of predefined groups depends on the site template you are using. For example, here are the predefined groups for a team site and their default permissions to the SharePoint site:

  • Visitors — Have Read permissions
  • Members — Have Edit permissions
  • Owners — Have Full Control permissions
  • Viewers — Have View Only permissions

And here are the predefined groups for the newsfeed site template and their default permissions:

  • Enterprise Readers — Have read permissions and can view pages and documents and also download documents
  • Enterprise Members — Have contribute permissions and can view, open, add, update, and delete list items and documents
  • Designers — Can view, add, update, delete, approve and customize the layout of site pages using a browser or SharePoint Designer
  • Editors — Can add, edit and delete lists, and can view, add, update and delete SharePoint list items and documents
  • Enterprise Owners — Have Full Control permission on the site

Note that all these built-in groups can be changed by assigning different permission levels.

Best practices

A best practice for managing permissions is to add regular users who only need to read information to the Visitors group, and to add users who need to create or edit documents to the Members group. This is because users in the Members group can add, change or remove items or documents, but they cannot change the site structure, settings or appearance. Similarly, users in the Visitors group can see pages, documents and items but cannot perform add or remove operations.

Creating a SharePoint group

To create a SharePoint group, go to Site Permissions in Site Settings and click the “Create Group” button. Enter a name and description for the group. Then specify the group owner; the users who can view and edit the group’s membership; whether to allow users to request membership or request to leave the group; and the group’s permissions for the site. Then click “Create” to create the group.

Figure: Creating a SharePoint group

Deleting a SharePoint group

To delete a group, use the “People and Groups” menu in Site Settings. Choose the group, click the “Edit” button and then click the “Delete” button.

Changing group membership

To add members to a SharePoint group, from the “People and Groups” menu, click the name of the group in the left pane and then click “New” and “Add Users”, as shown below. Enter one or more usernames you want to add to the group, and then click “Share”.

Figure: Changing a SharePoint group membership

To remove a user from a group, select the user you want to delete, click “Actions”, and then click “Remove Users from Group”.


Using SharePoint groups is a much easier and more secure method for controlling access than assigning unique, item-level permissions to user accounts. By setting up your groups properly and tracking all changes to permissions and group membership, you can help keep your data secure.
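
The following script is an added example, not part of the original article. It audits a site against the practice described above by listing every permission assignment on the site and on any list with unique permissions, and classifying each principal as a SharePoint group, an AD security group or an individually assigned user. It assumes SharePoint Server (on-premises) with the SharePoint Management Shell available; the site URL is a placeholder and the function name is hypothetical.

```powershell
# Added example: run on a SharePoint Server (on-premises) farm member.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.com/sites/team'   # placeholder URL (assumption)
$web = Get-SPWeb $siteUrl

# Hypothetical helper: one row per role assignment on a site or list.
function Get-AssignmentReport {
    param($Securable, [string]$Scope)
    foreach ($ra in $Securable.RoleAssignments) {
        $member  = $ra.Member
        $isGroup = $member -is [Microsoft.SharePoint.SPGroup]
        $kind = if ($isGroup) {
            'SharePoint group'
        } elseif ($member.IsDomainGroup) {
            'AD security group'      # AD group granted access directly
        } else {
            'Individual user'        # direct assignment, bypasses groups
        }
        [pscustomobject]@{
            Scope     = $Scope
            Principal = $member.Name
            Kind      = $kind
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            Members   = if ($isGroup) { $member.Users.Count } else { $null }
        }
    }
}

try {
    $report = @(Get-AssignmentReport -Securable $web -Scope "Site: $($web.Url)")

    # Lists that broke inheritance carry their own assignments; include them.
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            $report += Get-AssignmentReport -Securable $list -Scope "List: $($list.Title)"
        }
    }

    $report | Sort-Object Scope, Kind | Format-Table -AutoSize

    # Candidates to move into Visitors, Members or another group.
    $direct = @($report | Where-Object { $_.Kind -eq 'Individual user' })
    Write-Output "Direct user assignments found: $($direct.Count)"
}
finally {
    $web.Dispose()   # release the SPWeb object
}
```

Saving the table from each run and comparing it with the previous one gives a simple record of changes to permissions and group membership over time.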

Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.