What Does SharePoint role Mean?
On This Page
Quick Definition
A SharePoint role defines what someone can access and do in SharePoint, like read documents, add files, or manage the site. Think of it as a membership level for a club: members have different cards that grant different privileges. It helps administrators control who sees what and who can make changes.
Commonly Confused With
A SharePoint group is a container for users used for managing permissions. A SharePoint role (permission level) is a set of permissions assigned to a group or user. You assign roles to groups, not the other way around. A group on its own has no permissions until a role is assigned to it.
The “Site Members” SharePoint group has the Edit role assigned by default. But the group itself is not a role; it is a collection of users that gets the Edit role.
An Azure AD group can be used to manage SharePoint permissions, but it is a cloud identity object. A SharePoint role is a local permission level within a site collection. When an Azure AD group is added to a SharePoint site, it is treated as a security group, and you assign a SharePoint role to it. The Azure AD group itself does not contain SharePoint permissions.
You create an Azure AD group “Marketing Team” and add it to the SharePoint site as a member. Then you assign the “Contribute” role to that group. The group is from Azure AD, but the role is from SharePoint.
Permission inheritance is a mechanism that automatically propagates roles from a parent object (site) to child objects (lists, libraries, items). It is not a role itself. Breaking inheritance stops the flow of roles. Understanding inheritance is essential to correctly apply roles, but inheritance is the plumbing, not the faucet.
By default, a document library inherits the roles from the site. If you break inheritance, you manage roles directly on the library. The roles themselves are what you assign after breaking inheritance.
Must Know for Exams
In general IT certifications like Microsoft 365 Certified: Fundamentals (MS-900) or Microsoft 365 Certified: Administrator (MS-102), SharePoint roles are a core objective. The exam expects you to understand the default permission levels: Full Control, Edit, Contribute, Read, and Limited Access. You must know that these map to SharePoint groups (Site Owners, Site Members, Site Visitors). A common question asks which role is needed to add a document to a library: the answer is Contribute or higher (Edit or Full Control). Another typical question is about breaking inheritance: what happens when you break permission inheritance on a subsite? The answer is that it stops inheriting permissions from the parent and becomes a unique permission set.
For the Microsoft 365 Certified: Administrator Expert (MS-102), you might get scenario-based questions where you must decide which role to assign to a user who needs to add items but not delete them. This tests your understanding that Contribute allows deletion, so you might need to create a custom role that only includes Add Items and View Items, not Delete Items. The exam also covers sharing: when you share a document externally, SharePoint creates a special role for the external user or a limited access role.
For the Microsoft Certified: SharePoint Administrator (SPO-300) or similar higher-level exams, expect deeper questions about role assignment inheritance, security groups, and Azure AD integration. Questions may ask about the effect of adding a user to a Microsoft 365 group: they automatically get the Site Members role. You also need to know how to use PowerShell or SharePoint Admin Center to manage roles across many sites.
Question types include multiple-choice (pick the correct role), scenario-based (choose the best role or group), and drag-and-drop (match roles to their permissions). Some questions test your ability to troubleshoot: “A user reports they cannot delete a file in a document library. Everyone else can. What could be the issue?” The answer often relates to the user having a role lower than Edit, or the library breaking inheritance and the user not being explicitly assigned the right role. You also need to understand the difference between site-level and list-level roles. The exam may present a scenario where a user has Contribute at site level but Read at library level because of broken inheritance. You must determine the effective permission is Read.
SharePoint roles are a high-yield topic. Almost every Microsoft 365 exam that covers SharePoint will have at least one question on permission levels, groups, or inheritance. Mastery of these concepts is not optional; it is essential for exam success.
Simple Meaning
Imagine you are part of a large digital library called SharePoint. This library contains thousands of books, folders, and special rooms. Not everyone in the library should be able to do everything. Some people can only read books, others can write in them, and a few can even rearrange the shelves or decide who else gets a key. A SharePoint role works exactly like that library card: it is a predefined set of permissions that tells the system exactly what that person can and cannot do.
For instance, a basic role called Visitor only allows reading. Someone with this role can see documents and lists but cannot add, edit, or delete anything. A Member role can read and also add or edit content, like a patron who can borrow and also put new books on the shelf. An Owner role has full control: they can change design, manage permissions, and even delete the entire site. These roles are built into SharePoint by default, but administrators can create custom roles if the default ones do not fit.
Think of it like a house. The Visitor role is like a guest who can enter the living room but cannot open drawers. The Member role is like a roommate who can use the kitchen and leave things around. The Owner role is the homeowner who can paint walls, change locks, and decide who gets a key. In SharePoint, roles are applied to sites, libraries, lists, or even individual documents. This way, a company can store very sensitive financial data side by side with a public recipe collection, and only the right people can see each.
Without roles, either everyone would have the same power, causing chaos, or no one could do anything productive. Roles bring order and security. They are the granular gatekeepers that allow organizations to collaborate efficiently while protecting their data. The system checks a user’s role every time they try to open a file or click a button. If the role does not include the needed permission, the action is blocked. This is why understanding SharePoint roles is essential for anyone managing a SharePoint environment, whether for a small team or a multinational corporation.
Full Technical Definition
In SharePoint, a role is a collection of permissions that are assigned to a user or group for a specific securable object, such as a site collection, site, list, library, folder, or item. SharePoint uses a role-based access control (RBAC) model where permissions are not assigned individually to users, but rather grouped into roles, which are then assigned via role assignments. This model is deeply integrated with SharePoint's claims-based authentication and authorization system.
The default SharePoint installation includes several built-in roles (also called permission levels). For example: Full Control (all permissions), Design (can view, add, update, delete, approve, and customize), Edit (can add, edit, and delete lists and documents), Contribute (can add, edit, and delete items, but cannot change site settings), Read (can view pages and items, and download documents), and Limited Access (allows access to specific resources without seeing the whole site structure). Each permission level is itself a set of 33 individual permissions, such as View Items, Add Items, Edit Items, Delete Items, Manage Lists, Manage Web Site, etc.
When a user attempts an action, SharePoint evaluates the user's effective permissions. This is done by aggregating all role assignments from every group the user is a member of, spanning the site collection hierarchy. Permissions are additive: if a user is in a group with Read permission on a site and also in a group with Contribute permission on the same site, the effective permission is the union of both roles, which in this case would be Contribute (since it includes Read). However, SharePoint does not have a strict deny override except for unique permission inheritance breaks, which remove all inherited roles and apply explicit roles.
Role assignments can be made at any level of the site hierarchy. Breaking permission inheritance is a critical operation: it creates a unique set of permissions for a subsite, list, library, folder, or item, removing all inherited role assignments. This introduces complexity and management overhead, as changes to parent permissions no longer flow down. For performance and manageability, best practices recommend using SharePoint groups (which are themselves securable objects) and assigning roles to these groups rather than directly to users. Common groups include Site Owners, Site Members, and Site Visitors, which map to the Full Control, Edit, and Read roles respectively.
In modern SharePoint, roles also interact with Azure Active Directory (Azure AD) groups, Microsoft 365 groups, and security groups. When a SharePoint site is connected to a Microsoft 365 group, the group's members are automatically added to the Site Members SharePoint group, and group owners become Site Owners. This integration simplifies role management across the Microsoft 365 ecosystem. SharePoint Admin Center allows for site-level permission management, and PowerShell scripts can automate role assignments across multiple sites. Understanding the difference between site-level roles and secondary roles (such as those for SharePoint Server farm administrators or tenant admins) is crucial for IT professionals managing hybrid or on-premises environments.
Real-Life Example
Think about a large apartment building. The building has common areas like the lobby, the gym, the laundry room, and a storage basement. Some people live in the building, some are visitors, and some are staff. Now, imagine that every door in the building is locked, and you only get keys based on your role. A visitor gets a key that only opens the front door. A tenant gets a key that opens the front door, their apartment, the laundry room, and the gym. The building manager gets a master key that opens everything, including the storage basement, the boiler room, and the security office. The building owner has a key that opens absolutely everything, plus they can change locks and decide who gets which keys.
This is exactly what a SharePoint role does. The visitor is the Read role: they can see what is in the lobby (the site) but cannot go into private apartments (restricted libraries). The tenant is the Contribute or Edit role: they can use their own area and some shared spaces (add, edit, delete in specific libraries). The manager is the Design role: they can rearrange furniture and approve changes. The owner is the Full Control role: they can demolish walls and give keys to new people.
Now imagine a special situation: a contractor comes to fix the elevator. They do not need keys to every apartment. They only need the basement and elevator rooms. So you give them a custom key ring that opens just those two doors. That is the custom role in SharePoint. You create a permission level that only has the specific permissions needed for that contractor’s task. This real-life analogy makes it clear that roles are not about trust, but about the least privilege principle. You give only the keys necessary to do the job, no more. This prevents accidents, theft, or chaos. In the digital world, this protects data from accidental deletion, exposure of confidential files, and unauthorized changes.
Why This Term Matters
SharePoint roles matter because they are the primary mechanism for securing content and ensuring compliance in any SharePoint environment. Without proper role assignments, either too many people have access to sensitive data, or people cannot do their jobs efficiently. In a business context, SharePoint often hosts critical documents like financial reports, HR records, project plans, and client contracts. A single misconfigured role could expose private financial data to the entire company, leading to regulatory fines or loss of trust.
From an IT administration perspective, managing roles is a daily task. An admin must decide who can create sites, who can add users, and who can only view. Roles also affect site functionality: if a user does not have the correct role, they may not be able to use web parts, workflows, or apps. For example, a user with Read access cannot start a workflow, which blocks approval processes. This directly impacts business operations.
roles play a part in audit and compliance. SharePoint logs every permission change and access attempt. Auditors often check if users have roles that are too permissive. The principle of least privilege is enforced through roles. If a contractor needs temporary access, you assign them a role that expires or is removed after the project. Roles also integrate with Microsoft 365 compliance tools like Data Loss Prevention (DLP) and retention policies. A document library with sensitive labels might be configured to only allow Edit roles for certain groups.
In the exam context, understanding SharePoint roles helps you answer questions about delegation, security, and inheritance. You need to know the difference between breaking inheritance and assigning roles, how role assignments propagate, and what happens when a user is in multiple groups with conflicting roles. Real-world troubleshooting often involves checking a user’s effective permissions to find out why they cannot access a document. Without a solid grasp of roles, you cannot effectively manage SharePoint nor pass related IT certification exams.
How It Appears in Exam Questions
Exam questions about SharePoint roles appear in several patterns. The first and most common is direct knowledge: “Which SharePoint role allows a user to add, edit, and delete list items, but not create new lists or change site settings?” The correct answer is Contribute or Edit depending on the exact permission set. Another variation: “What is the default permission level for the Site Visitors group?” Answer: Read. These test your recall of default roles and groups.
Scenario-based questions are more complex. For example: “Your organization uses SharePoint Online. A project team needs a user who can add documents to a library, edit their own documents, but not delete others’ documents. Which permission level should you assign?” Here, you might need to recognize that Contribute allows deletion of any item, so you need a custom role. The question might list options: “Create a custom permission level with Add Items and Edit Items only.” Another scenario: “A user is a member of two SharePoint groups: Site Members (Edit) and Site Visitors (Read). What are the user’s effective permissions on the site?” Answer: Edit, because permissions are additive.
Troubleshooting questions: “A user reports they cannot upload a file to a document library. They can see the library and view files. What is the most likely cause?” Options: (A) The library has unique permissions, (B) The user has Read role, (C) The library is checked out, (D) The user has Contribute. The correct answer is B, because Read only allows viewing, not adding. Another troubleshooting pattern: “After breaking permission inheritance on a subsite, users cannot access the subsite. What should you do?” Correct answer: Re-assign roles explicitly to the subsite or restore inheritance.
Configuration questions: “You need to ensure that only HR department members can view the HRDocuments library. What is the best approach?” Options: (A) Break inheritance and assign Read only to the HR group, (B) Share the library individually, (C) Set the library to private. Correct: A. This tests your understanding of breaking inheritance and assigning roles at the library level.
Drag-and-drop questions: You might be asked to drag SharePoint groups to their corresponding default permission levels. Or match actions (like “Approve documents”) to the minimum permission level required (Approve requires Design or Full Control).
Finally, there are questions about external sharing: “When you share a document with a user outside your organization, what role does that external user typically get?” Answer: The user gets a Limited Access role, unless you explicitly change it. This ensures external users cannot browse the entire site.
Understanding these question patterns helps you prepare. Focus on memorizing the default roles, their permission sets, the concept of inheritance, and the additive nature of permissions. Practice with scenario questions to improve your ability to apply these concepts.
Practise SharePoint role Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are the IT support specialist for a mid-sized company called GreenLeaf Marketing. The company uses SharePoint Online for collaboration. The Marketing team has a site called “Q3 Campaign” where they store brochures, images, and budget spreadsheets. There are four team members: Alice (the team lead), Bob (a copywriter), Carol (a graphic designer), and Dave (an intern). The company policy says:
- Alice needs to manage permissions, add new members, and delete old content. - Bob needs to upload new copy documents and edit existing ones. - Carol needs to add, edit, and delete image files, but should not touch budget spreadsheets. - Dave should only be able to view documents, not change anything.
You decide to use SharePoint roles to implement this. First, you add all four users to the Site Visitors group (Read role) for the entire site, so everyone can view the site. Then you break inheritance on the “Documents” library to apply custom permissions. For the “Copy” folder within the library, you give Bob the Contribute role (which allows add, edit, delete). For the “Images” folder, you give Carol the Contribute role. For the “Budget” folder, you only give Alice Full Control, and remove inheritance for that folder, leaving Bob and Carol with only Read access inherited from the site level. Dave remains with Read everywhere.
Now, when Bob tries to delete the budget spreadsheet, he cannot, because his role is Contribute on the Copy folder only, and Read at the site level is overridden by the explicit permissions on the Budget folder. Dave attempts to edit a copy document, but the system blocks it. Everything works as intended. This scenario demonstrates how roles allow granular control: you can assign different roles for different parts of the same library. It also shows the importance of breaking inheritance when needed. In an exam, a scenario like this might ask: “What is the minimum role needed for Bob to upload a copy document?” The answer is Contribute. Or: “Why can’t Carol delete the budget file?” Because her effective permission on the Budget folder is Read, not Contribute.
Common Mistakes
Assigning Full Control to all site members
Full Control grants permissions to change site settings, manage permissions, and delete content. This is too permissive for regular users and violates the principle of least privilege. It can lead to accidental data loss or security breaches.
Use the Edit or Contribute role for most users who need to create and modify content. Reserve Full Control only for site owners and administrators.
Confusing Contribute and Edit roles
Contribute allows adding, editing, and deleting items, but does not allow managing lists or views. Edit allows adding, editing, deleting, and also managing lists and personal views. Learners often think Contribute is less than Edit, but they are both common mistake areas when matching to exam questions.
Remember: Edit = Contribute + manage lists and views. If the question mentions managing lists or creating new views, the answer is Edit. If only adding and editing items, use Contribute.
Thinking breaking inheritance removes all permissions
Breaking inheritance only stops the flow of permissions from the parent. It does not automatically grant any permissions. The object becomes unique with no inherited roles. Users will lose access unless you explicitly assign roles. Many learners forget to assign new roles after breaking inheritance.
After breaking inheritance, immediately assign at least one role (e.g., Read) to the same user or group that had access before. Otherwise, users get an access denied error.
Not knowing that SharePoint groups do not have permissions by themselves
SharePoint groups like Site Members are containers; they only carry permissions when a role is assigned to them. Some think adding a user to a group automatically gives certain permissions. Actually, the role is assigned to the group, not inherent to the group name.
Remember: the default SharePoint groups (Site Owners, Site Members, Site Visitors) have default role assignments (Full Control, Edit, Read). If you create a custom SharePoint group, you must explicitly assign a role to it; otherwise, membership in that group gives no permissions.
Assigning roles directly to users instead of groups
Direct assignment makes permission management difficult. When you need to change a role for multiple users, you must update each user individually. It also makes auditing harder. Best practice is to assign roles to Azure AD or SharePoint groups and manage group membership.
Always create a SharePoint group or use an Azure AD group, assign the role to the group, and then add users to the group. This simplifies maintenance and improves clarity.
Exam Trap — Don't Get Fooled
{"trap":"A question asks: “A user has Contribute permission on a site. The user is a member of a SharePoint group that has Read permission on a document library within that site. What are the user’s effective permissions on the library?
”","why_learners_choose_it":"Learners often think that the site-level Contribute is higher than the library-level Read, so they assume Contribute applies. They forget that when permissions are broken at the library level, site-level permissions do not automatically apply. Actually, if the library has unique permissions, the site-level Contribute does not give any access to the library, but the group Read does.
So effective permission is Read, not Contribute.","how_to_avoid_it":"Always check whether permission inheritance is broken. When inheritance is broken, only explicit role assignments at that level (or its children) count.
Site-level roles are ignored. If the library has unique permissions and the user is only in a group with Read on that library, the effective permission is Read, regardless of any higher-level roles. The key is to identify inheritance status first."
Step-by-Step Breakdown
Identify the securable object
First, determine what you want to control access to. It could be a site collection, site, list, library, folder, or even a single item. The role you assign will apply only to that object and its children unless inheritance is broken. This step matters because the scope of the role assignment affects all sub-items.
Decide the required permission level
Based on what users need to do, choose the appropriate built-in role or create a custom one. For example, if users only need to read, use Read. If they need to add and edit items, use Contribute or Edit. Do not assign Full Control unless necessary. Custom roles allow you to combine individual permissions (like View Items + Add Items) to match specific needs.
Create or use an existing SharePoint group
Best practice is to assign roles to groups rather than individuals. Use existing default groups (Site Owners, Site Members, Site Visitors) or create a new group. For example, create a “Project Contributors” group. This centralizes management and simplifies auditing. Avoid direct user assignments.
Assign the role to the group at the correct scope
Navigate to the object (site, library, etc.), go to Permissions, and add the group. Then select the role from the dropdown. This creates a role assignment. The group now has that role on that object. If the object inherits permissions, you must break inheritance first if you want a different role than the parent.
Add users to the group
Once the group has a role assignment, add users or other groups (including Azure AD groups) to this SharePoint group. The users will inherit the role assignment via the group. This step is where you actually grant access. You can add users individually or import from Azure AD.
Verify effective permissions
After configuration, use the “Check Permissions” tool in SharePoint to view a user’s effective permissions on a specific object. This shows the result of all role assignments, including from multiple groups. This step catches mistakes like accidental duplicate assignments or inheritance issues.
Document and audit
Record the role assignments, groups, and the business reason. Regular audits help ensure compliance. Use SharePoint Admin Center or PowerShell reports to list all role assignments. This is critical for security compliance and troubleshooting future access issues.
Practical Mini-Lesson
Let’s dive into how SharePoint roles work in practice for an IT professional. When you first create a modern team site in SharePoint Online, it automatically creates three SharePoint groups: Site Owners, Site Members, and Site Visitors. These groups are assigned roles for the entire site. Site Owners get Full Control, Site Members get Edit, and Site Visitors get Read. But this is just the starting point. In real environments, you seldom want everyone in the company to have Edit on all sites. You need to customize.
To customize, you might break inheritance on sensitive libraries. For example, the HR library should only be accessed by HR staff. You go to the library settings, click “Permissions for this document library,” and then click “Stop Inheriting Permissions.” Now you see the permissions from the site are removed. You then click “Grant Permissions” and add the “HR Team” Azure AD group, assigning the Read role. If HR staff need to upload documents, you assign Contribute instead. This is a common configuration: give Read at site level so users can find the library, then break inheritance on the library and assign a higher role only to the authorized group.
What about custom roles? Let’s say you need a role that allows adding items but not editing existing ones. SharePoint’s built-in Contribute includes Add, Edit, and Delete. You cannot remove Edit from Contribute. Instead, you create a new permission level: go to Site Settings > Site Permissions > Permission Levels, click “Add a Permission Level,” name it “Add Only,” and select only “View Items,” “View Pages,” and “Add Items.” Save, then assign that role to the group. This gives users the ability to upload but not modify existing files. This is a real-world need for auditors or external partners who submit documents.
Now, what can go wrong? The biggest issue is permission creep: over time, users accumulate role assignments from multiple groups, giving them more access than intended. For example, a user is in the “All Employees” group that has Read at the root site, and also in the “Project Team” group that has Edit on a subsite. That’s fine. But if they also get added to the “Site Owners” group by accident, they now have Full Control. Regular audits and using the Check Permissions tool prevent this.
Another problem is orphaned role assignments: when a user leaves, their group memberships are often deleted, but the role assignments persist if they were assigned directly to the user. Best practice is to only assign roles to groups, never to individual users. This makes removal simple: remove the user from the group.
Finally, remember that SharePoint Online roles are subject to Azure AD conditions like conditional access policies. For example, if a user has Edit role but is accessing from an untrusted IP, conditional access might block the action. This is handled by Azure AD, not SharePoint itself. For exam purposes, know that SharePoint roles define what is allowed, and Azure AD policies define where and when access is permitted.
Memory Tip
Remember default roles with the acronym “FEC R”: Full Control, Edit, Contribute, Read. The order moves from most to least power.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Can I assign multiple roles to the same user?
Yes, a user can be a member of multiple SharePoint groups, each with different roles. The effective permission is the union of all roles: the user gets the highest permissions from any group.
What is the difference between Edit and Contribute?
Edit includes all permissions of Contribute plus the ability to manage lists and personal views. Contribute allows adding, editing, and deleting items but not creating or modifying lists or views.
How do I remove all permissions from a user?
Remove the user from all SharePoint groups that have role assignments on the site. Also delete any direct role assignments. Use the Check Permissions tool to verify the user has only “Limited Access” or none.
What happens if I break inheritance but do not assign new roles?
Users lose all access to that object because the inherited permissions are removed. You must explicitly assign at least one role (e.g., Read) to a group or user to restore access.
Can I create a custom role in SharePoint Online?
Yes, you can create custom permission levels at the site collection level. Go to Site Settings > Permission Levels > Add a Permission Level, select individual permissions, and save.
Do SharePoint roles apply to external users?
Yes, external users can be given roles via sharing invitations. Typically, they get Limited Access, but you can assign a different role like Read or Edit if needed.
What is Limited Access role?
Limited Access is a special role that gives users access to only specific resources they have been granted access to, without revealing the rest of the site structure. It is often used for external sharing.
Summary
A SharePoint role is a fundamental building block of access control in SharePoint environments. It is a set of permissions grouped into a named level, which can be assigned to users or groups at various scopes, from site collections down to individual items. The default roles are Full Control, Edit, Contribute, Read, and Limited Access, each providing a specific level of capability. Roles are assigned to SharePoint groups, which act as containers for users, simplifying management and ensuring the principle of least privilege.
Understanding SharePoint roles is critical for IT professionals because they directly impact security, compliance, and user productivity. Misconfigured roles can lead to data breaches or operational bottlenecks. In exams, roles appear in multiple-choice, scenario-based, and troubleshooting questions. Common topics include the additive nature of permissions, the effect of breaking inheritance, and the difference between default roles. The ability to create custom roles and use groups effectively is also tested.
For exam success, memorize the default roles and their permission sets, understand inheritance, and practice applying roles to realistic scenarios. Use the acronym “FEC R” to recall the order of default roles. Always assign roles to groups rather than individuals, and always check effective permissions after configuration. With these concepts solidly grasped, you will be well-prepared for any SharePoint-related certification exam.