Understanding SITE vs LIBRARY/LIST vs FOLDER/FILE/ITEM permissions

I created a SharePoint site through MSTeams; for the sake of argument let's say it's called "PLANT_SITE".

Within this site, I have a few libraries and lists.

LIB1

> SUB1.2

> SUB1.2

LIB2

> SUB 2.1

> SUB 2.2

LST1

> ITEM 1.1

> ITEM 1.2

LST2

> ITEM 2.1

> ITEM 2.2

Within LIB1, I have multiple folders SUB1, SUB2, SUB3 for specific groups of external users. I have set permissions to contribute on specific folders SUB1 (Usergroup1); SUB2 (Usergroup2); SUB3 (Usergroup3).

As far as I can tell, users can still ONLY access their allocated SUB-folder, if their permission is ALSO included at the top level (PLANT_SITE; Usergroup1, Usergroup2, Usergroup3 etc).

This means I have to grant access at top level, and specifically EXCLUDE them everywhere else that inherits permission from that site. It also means that an automatic notification is sent directing them to the top level site, which I really don't want them accessing, or is it at the LIB/LST level they need access?

Surely this cannot be correct, can it? I should be able to add a user to the lower level SUB, without specifying them at the site level at all, yes?

Another annoying thing is when I create a NEW SUB folder, it automatically inherits all permissions (for all users) until I go in and remove the unwanted users explicitly from that folder.

Can someone shed any light on this please? Is it necessary for usergroups to be specified at levels HIGHER than the specific folders/list items they need to see?

1 Reply

@GuyCarnegie Access rights are inherited "top-down". It is documented here: Understanding permission levels in SharePoint - SharePoint in Microsoft 365 | Microsoft Docs

A user will for example not be able to open a page or a library if she/he does not have access to the "start". Thus everyone should have access to the top level and you can restrict permissions on libraries and/or files but that will most probably give you a lot of work to manage it afterwards.

Regards, Magnus
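
Added example, not part of the thread: a read-only audit that lists every folder in LIB1, shows whether it still inherits permissions from its parent, and prints who holds which permission level on it, so newly created folders that still expose everything to all groups are easy to spot. It assumes the PnP.PowerShell module is installed; the site URL is a placeholder, and LIB1 is the library name from the question.

```powershell
# Added example: audit folder-level permission inheritance in one library.
# Assumptions: PnP.PowerShell is installed; $siteUrl is a placeholder for your tenant.
$siteUrl = "https://<tenant>.sharepoint.com/sites/PLANT_SITE"   # placeholder
$library = "LIB1"                                               # library from the question

# Depending on the module version, -ClientId for your own app registration is also required.
Connect-PnPOnline -Url $siteUrl -Interactive

$report = foreach ($item in Get-PnPListItem -List $library -PageSize 500) {
    # Only folders are of interest here; skip files.
    if ($item.FileSystemObjectType -ne "Folder") { continue }

    # These properties are not loaded by default, so request them explicitly.
    Get-PnPProperty -ClientObject $item `
        -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

    # Resolve each role assignment to "principal [permission levels]".
    $grants = foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra `
            -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0} [{1}]" -f $ra.Member.Title, $levels
    }

    [pscustomobject]@{
        Folder   = $item["FileRef"]
        Inherits = -not $item.HasUniqueRoleAssignments   # True = same access as parent
        Grants   = $grants -join "; "
    }
}

# Full picture first, then only the folders that still inherit from the parent.
$report | Sort-Object Folder | Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Inherits } | Select-Object -ExpandProperty Folder
```

The script only reads permissions and changes nothing. Folders listed by the last line are the ones whose access is still whatever the parent grants.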