Serving Vancouver, Washington and remote U.S. businesses

Microsoft 365 and SharePoint

SharePoint Permissions Explained for Small Businesses

A detailed guide to SharePoint owners, members, visitors, groups, inheritance, direct access, Teams membership, and external sharing.

SharePoint permissions control who can view, edit, share, and manage business information. A clear permission structure protects sensitive files and makes access easier to review.

Why SharePoint Permissions Matter

SharePoint often holds policies, contracts, financial records, project files, client information, and operational documentation. When access is unclear, employees may receive more permission than their role requires, external guests may remain active too long, and administrators may not be able to explain who can see a document.

The goal is not to make SharePoint difficult to use. The goal is to provide enough access for people to complete their work while keeping the environment understandable, supportable, and secure.

Core principle

Grant access through well-defined groups whenever possible. Avoid building a permission structure from individual exceptions.

Owners, Members, and Visitors

Site owners

Owners have the highest level of control. They can normally manage site settings, membership, permissions, pages, libraries, and lists. Owner access should be limited to trained people who are responsible for the site.

Site members

Members usually have edit access. They can upload, modify, move, and delete content according to the site's configuration. Member access is appropriate for active collaborators.

Site visitors

Visitors usually have read-only access. They can view documents and pages without changing them. This is useful for employees who need information but do not maintain it.

SharePoint Groups and Microsoft 365 Groups

A SharePoint site can use SharePoint groups, Microsoft 365 group membership, or both. Team sites connected to Microsoft 365 groups often receive membership through that group. Adding someone to the connected Team may also provide access to the SharePoint site.

Administrators should understand which system controls membership before changing permissions. Removing someone from one SharePoint group may not remove access received through Teams, a Microsoft 365 group, direct permission, or a sharing link.

Use Groups Instead of Direct Permissions

Group-based access is easier to review and maintain than access assigned directly to individual users. When an employee changes roles or leaves, administrators can remove the person from a group rather than search across many files and folders.

  • Access reviews are easier to complete.
  • Onboarding and offboarding are more consistent.
  • Role changes are easier to manage.
  • Hidden permission exceptions are reduced.
  • Business owners can understand access more easily.

Direct access creates long-term cleanup work

A one-time file or folder share may solve an immediate need, but repeated exceptions can create a structure that is difficult to audit.

Permission Inheritance

Permissions normally flow from a site to its libraries, folders, and files. This is inheritance. Breaking inheritance allows a location to maintain a separate access list.

Unique permissions may be appropriate for restricted financial records, leadership documents, or a controlled external collaboration area. They become a problem when they are used at many folder and file levels without documentation.

Direct Access and Sharing Links

Direct access means a person or group has been explicitly granted permission to a site, library, folder, or file. Sharing links grant access according to the selected link type and settings.

Because these access routes may overlap, removing one permission does not guarantee that all access is removed. A complete review should examine group membership, Teams membership, direct access, guest accounts, and active sharing links.

How Teams Affects SharePoint Access

Files in standard Teams channels are stored in the connected SharePoint site. Private and shared channels use separate SharePoint sites with membership tied to those channels. A permission review should therefore include connected Teams and channel sites.

External Users and Guests

External access can support work with vendors, consultants, contractors, clients, and board members. Each guest should have a clear business purpose, internal owner, limited scope, and review date.

  • Confirm who requested the access.
  • Document the business reason.
  • Limit access to the required site or library.
  • Use the most controlled link type that meets the need.
  • Remove access when the work ends.

Least Privilege

Least privilege means giving each person only the access needed to perform assigned work. A practical design may allow broad read access to general policies while limiting edit access to designated staff and restricting finance or human resources records to approved groups.

Safe and Unsafe Examples

Safer structure

  • Two trained site owners
  • Department members assigned through one group
  • Read-only visitors for company-wide information
  • One restricted library for confidential records
  • Quarterly review of guests and sharing links

Riskier structure

  • Many employees assigned as owners
  • Direct access granted to individual folders
  • External guests with no review date
  • Anyone links used for sensitive files
  • No documented site owner

How to Review Permissions

  1. Confirm the site's purpose and business owner.
  2. List current owners, members, and visitors.
  3. Review Microsoft 365 group and Teams membership.
  4. Identify libraries and folders with unique permissions.
  5. Review direct access and active sharing links.
  6. Identify guests, former employees, and inactive accounts.
  7. Approve and document required changes.
  8. Schedule the next review.

Permission Review Checklist

  • Confirm the site's purpose and owner.
  • Verify each owner still requires full control.
  • Review members and visitors against current roles.
  • Check Microsoft 365 group and Teams membership.
  • Identify direct user permissions.
  • Locate unique permissions.
  • Review guests and sharing links.
  • Remove expired access.
  • Record changes and the next review date.

Frequently Asked Questions

Why can someone still access a file after removal from a SharePoint group?

The person may still receive access through a Microsoft 365 group, Team, direct permission, guest membership, or sharing link.

Should every manager be a site owner?

No. Owner access should be limited to people who need to manage the site and understand the impact of permission changes.

Are unique permissions always bad?

No. They can be appropriate when there is a clear business need, but they should be limited, documented, and reviewed.

When Professional Support Helps

A structured review can help when the organization cannot confidently identify who has access or when permissions have accumulated over several years.

Need help applying this?

Turn this SharePoint guidance into action.

J3 Systems Group LLC can review your SharePoint setup, identify gaps, and create a practical improvement plan.

Book a Free Consultation