SharePoint Permission Levels Explained: Owner, Member, and Visitor
SharePoint permission levels explained for small businesses. Covers Full Control, Edit, Contribute, Read, the difference between Contribute and Edit, and when to use custom permission levels.
Last updated: 2026-04-12
Every SharePoint site comes with a set of built-in permission levels that control what users can and cannot do. Understanding these levels is the foundation of any access management strategy -- yet many small businesses never look past the defaults, and others over-customize until no one can explain who has access to what. This article breaks down every standard permission level, explains the groups that use them, and offers guidance on when custom levels make sense.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
The Built-In Permission Levels
SharePoint ships with seven permission levels out of the box. Each one is a bundle of individual permissions (there are over 30 granular permissions in SharePoint) grouped into a named set. Here is what each level allows.
Full Control
Full Control grants complete authority over a site, its content, and its settings. Users with Full Control can manage permissions, create and delete subsites, modify site structure, and change any content. This level is reserved for site administrators and should be assigned sparingly. In most small businesses, only one or two people per site need Full Control.
Design
Design allows users to create lists and document libraries, edit pages, and apply themes or style sheets. It includes everything in Edit plus the ability to modify the site's layout and appearance. This level is relevant for organizations that maintain branded SharePoint pages or intranets. For businesses that primarily use SharePoint as a document store, Design goes largely unused.
Edit
Edit lets users add, modify, and delete items in lists and libraries. Users with Edit permission can also create new lists and document libraries within a site. This is the default level assigned to the Members group and is appropriate for employees who need to contribute content and organize it into new containers.
Contribute
Contribute allows users to add, edit, and delete items within existing lists and libraries, but it does not allow them to create new lists or libraries. In other words, Contribute users work inside the containers that already exist; they cannot add containers of their own.
Read
Read provides view-only access to pages, documents, and list items. Users can open and download files, but they cannot make changes. This is the default level for the Visitors group and is appropriate for stakeholders who need to review content without altering it.
Limited Access
Limited Access is not assigned directly. SharePoint generates it automatically when a user is given permission to a specific item or subfolder within a site but does not have access to the site itself. It grants just enough access to reach the shared item. Limited Access cannot be removed manually -- it disappears when the specific item-level sharing is revoked.
View Only
View Only allows users to see pages, documents, and list items, but not download them. Documents open in the browser only. This level is useful when content needs to be visible for reference but should not leave the SharePoint environment -- for example, internal policy documents or sensitive reference materials that need to stay within the organization's boundary.
Contribute vs. Edit: The Key Difference
This is the most common point of confusion. Both levels let users add, edit, and delete content. The difference comes down to one thing: Edit allows users to create new lists and document libraries; Contribute does not.
In practice, this distinction matters more than it appears. A user with Edit can spin up a new document library, name it whatever they choose, and start storing files in it. Over time, this leads to structural sprawl -- dozens of libraries with inconsistent naming and no clear ownership. A user with Contribute can work freely within the structure that administrators have set up, but cannot change that structure.
For small businesses that want to maintain a clean, organized SharePoint environment, assigning Contribute instead of Edit to most users is often the better choice. Reserve Edit for team leads or project managers who need the flexibility to create new containers.
Owner, Member, and Visitor Groups
Every SharePoint site comes with three default groups. Each group is mapped to a permission level.
| Group | Default Permission Level | Typical Use |
|-------|--------------------------|-------------|
| Owners | Full Control | Site administrators who manage structure, permissions, and settings |
| Members | Edit | Employees who create and modify content regularly |
| Visitors | Read | Stakeholders, executives, or external partners who need view-only access |
These groups are starting points, not fixed rules. It is possible to change the permission level assigned to any group or create additional groups mapped to different levels. For example, a business might create a "Contributors" group mapped to the Contribute level for employees who should work within existing libraries but not create new ones.
The important principle is to assign permissions through groups rather than to individual users. Individual permissions quickly become unmanageable, especially when employees change roles or leave the organization. Groups make it possible to update access for an entire team in one step. This also matters for compliance workflows -- when responding to data access requests, knowing which groups a person belonged to is far simpler than tracing individual file-level permissions. For more on how access rights intersect with data subject requests, see this guide on DSAR exemptions.
Mapping Business Needs to Permission Levels
The table below maps common business scenarios to the appropriate permission level.
| Business Need | Recommended Level | Reason |
|---------------|-------------------|--------|
| IT admin managing the entire site | Full Control | Needs access to site settings, permissions, and structure |
| Marketing manager building intranet pages | Design | Needs to edit page layouts and apply branding |
| Project lead organizing team documents | Edit | Needs to create new libraries and lists for projects |
| Employee adding and updating files | Contribute | Works within existing structure without altering it |
| Executive reviewing quarterly reports | Read | Needs to view content without making changes |
| External auditor reviewing policies | View Only | Should see documents in-browser but not download them |
Custom Permission Levels: When and Why
SharePoint allows administrators to create custom permission levels by selecting individual permissions from the full list. This is useful in specific scenarios:
- Contribute without delete. Some businesses need users to add and edit content but not delete it. A custom level based on Contribute with the delete permission removed solves this.
- Read plus add. A team might need external partners to upload files to a shared library but not modify existing content. A custom level combining Read with the "Add Items" permission handles this.
- Restricted design. An organization might want certain users to edit pages but not create new lists. A trimmed-down version of Design achieves this.
Custom levels come with a warning, though. Every custom level adds complexity to the permission model. When an administrator leaves and a new one takes over, they need to understand not only the standard levels but also every custom variant that was created. Documentation is essential -- at minimum, each custom level should have a clear name and a written explanation of what it includes and why it exists.
A good rule of thumb: if a custom permission level cannot be explained in one sentence, it is probably too complex. Stick to the built-in levels wherever possible and only create custom ones when there is a clear business requirement that none of the defaults satisfy.
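The first two custom levels described above can be created and documented in one pass with PnP PowerShell. This is an added example, not part of the original article; it assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session, and the level names and descriptions are illustrative.

```powershell
# Added example. Assumes the PnP.PowerShell module is installed and
# Connect-PnPOnline has already been run against the target site by a site owner.
# Level names and descriptions are illustrative choices, not from the article.
$customLevels = @(
    @{
        RoleName    = 'Contribute without delete'
        Clone       = 'Contribute'
        # DeleteVersions is excluded too (a choice made here) so old versions also stay
        Exclude     = 'DeleteListItems', 'DeleteVersions'
        Description = 'Add and edit items in existing lists and libraries; no delete.'
    },
    @{
        RoleName    = 'Read plus add'
        Clone       = 'Read'
        Include     = 'AddListItems'
        Description = 'View content and upload new items; no changes to existing items.'
    }
)
$names = $customLevels | ForEach-Object { $_.RoleName }

# Create only the levels that are not already defined on this site
$existing = (Get-PnPRoleDefinition).Name
foreach ($level in $customLevels) {
    if ($existing -contains $level.RoleName) {
        Write-Host "Skipping '$($level.RoleName)': already defined on this site."
        continue
    }
    Add-PnPRoleDefinition @level | Out-Null   # hashtable keys map to cmdlet parameters
}

# Print what each custom level actually contains, for the written record
$kinds = [Enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) |
    Where-Object { "$_" -notin 'EmptyMask', 'FullMask' }
Get-PnPRoleDefinition |
    Where-Object { $_.Name -in $names } |
    ForEach-Object {
        $role = $_
        [pscustomobject]@{
            Level       = $role.Name
            Description = $role.Description
            Permissions = ($kinds | Where-Object { $role.BasePermissions.Has($_) }) -join ', '
        }
    } | Format-List
```

The final listing can be pasted straight into the spreadsheet or list that records each custom level's purpose.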
Keeping Permission Levels Manageable
Permission levels are only useful if they remain understandable over time. A few practices help:
- Audit quarterly. Review which groups exist, what levels they use, and whether membership is still accurate.
- Document custom levels. Maintain a simple spreadsheet or SharePoint list that records every custom permission level, its purpose, and who approved it.
- Default to least privilege. When unsure which level to assign, start with the more restrictive option. It is always easier to grant additional access than to revoke access that was too broad.
- Avoid item-level permissions. Assigning unique permissions to individual files or folders breaks inheritance and creates a management burden. Use libraries and groups to manage access at scale instead.
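A read-only review script covering the practices above, as an added example that is not part of the original article. It assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session on the site under review. It checks inheritance at the list and library level only, not on individual files or folders.

```powershell
# Added example. Assumes PnP.PowerShell is installed and Connect-PnPOnline has
# already been run against the site being reviewed. Nothing is modified.

# 1. Every principal with access to the site, and the level(s) it holds
$web = Get-PnPWeb -Includes RoleAssignments
$report = foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $levels = $ra.RoleDefinitionBindings.Name | Where-Object { $_ -ne 'Limited Access' }
    if (-not $levels) { continue }   # Limited Access only: side effect of item sharing
    $type = [string]$ra.Member.PrincipalType
    [pscustomobject]@{
        Principal = $ra.Member.Title
        Type      = $type
        Levels    = $levels -join ', '
        Members   = if ($type -eq 'SharePointGroup') {
                        @(Get-PnPGroupMember -Group $ra.Member.Id).Count
                    } else { $null }
    }
}
$report | Sort-Object Type, Principal | Format-Table -AutoSize

# 2. Users granted a level directly instead of through a group
$direct = @($report | Where-Object Type -eq 'User')
if ($direct.Count) {
    Write-Warning "$($direct.Count) user(s) hold permissions outside any group:"
    $direct | Format-Table Principal, Levels -AutoSize
}

# 3. Full Control should stay with one or two people per site
$fullControl = $report | Where-Object { $_.Levels -match 'Full Control' }
$fullControl | Format-Table Principal, Type, Members -AutoSize

# 4. Lists and libraries that no longer inherit permissions from the site
Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden } |
    Select-Object Title, ItemCount |
    Format-Table -AutoSize
```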
Permission levels are the building blocks of SharePoint security. Getting them right from the start means fewer access problems, cleaner audits, and a SharePoint environment that stays organized as the business grows.