PERMISSION LEVELS

Permission levels are the sets of permissions that administrators use to grant users access to site content. Depending upon the access a user or group of users requires, an administrator can use the out-of-the-box permission levels or create one that will fulfill the user access requirements.

Unlike permissions, permission levels are manageable from the site where they are being used. From the Site Permissions page, you can access the current permission levels available for your site. It is here you can create your own permission levels, delete existing permission levels, and modify existing permission levels.

There are a few “best practices” when it comes to managing permission levels:

It is not a good idea to modify a default permission level. If a default permission level is not configured the way you like, you can create a new permission level.

When you create a new permission level, you are often only changing one or more permissions assigned to a default permission level. To ensure that you keep all the desired permissions, make a copy of the default permission level and then edit the permissions for the copied permission level.

It is not recommended to delete a default permission level. If you don’t think you need it, there is no harm in keeping it. If you need it down the road, you won’t have to create it from scratch and risk not configuring it the same way it was originally.

By default, a set of permission levels is available when a new site is created. This set of permissions will depend upon the site template that was used to create the site. For team sites there are six default permission levels:

Full Control — Users and groups with this permission level will have access to everything on the site and can perform any site administrative tasks. This shouldn’t be confused with site collection administrators. Users and groups with Full Control permissions cannot perform site collection administrative tasks.
Design — Can view, add, update, delete, approve, and customize. A step up from Contribute, this permission also allows users to customize the site and its pages. Additionally, this group can approve items that are in containers with Content Approval enabled. For the most part, users and groups with this permission level can do anything on the securable object except for administrative tasks.

Contribute — Can view, add, update, and delete list items and documents. This is the standard permission level used to grant users access to content and containers when they need to add, edit, and delete content.

Read — Can view pages and list items and download documents. This is the standard permission level for users and groups you want to access content, but not have the permissions to add, edit, or delete content.

Limited Access — Can view specific lists, document libraries, list items, folders, or documents when given permissions. This permission level cannot be assigned. Instead, it is the result of customizing permissions for a securable object. In essence, when you see this permission level for a user or group, the users have access to a securable object in the current container, but not to all the securable objects in the container.

View Only — Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded. The key concept here is that users and groups with this permission level can’t download copies of documents with server-side file handlers.

Figure 8-5 shows the permission levels for team sites.

FIGURE 8-5

(Chapter 8: Securing and Managing Site Content)

To see all of the default permission levels, you have to create a site based on a Publishing site template. Only the Publishing site template deploys the total set of permission levels. These include the permission levels available with the team site as well as those in the following list:

Restricted Read — View pages and documents.
For Publishing sites only. This permission level is similar to the Read permission level, but it only has four of the eleven Read permission level permissions. Key distinctions are that users with this permission level will not be able to create alerts, browse user information, or use client integration.

View Only — View pages, list items, and documents. If the document has a server-side file handler available, users can only view the document by using that file handler. Again, this permission level is based on the Read permission, but it doesn’t have all the same permissions. A few key distinctions are that users with this permission level will not be able to open list and document library items, browse user information, or use client integration.

Approve — Edit and approve pages, list items, and documents. For Publishing sites only. This permission level is designed to work with the Publishing Approval workflow template. Users and groups with this permission level will be able to edit and approve items submitted, and leverage the Publishing Approval workflow. They will also be able to approve items in lists and document libraries that have Content Approval enabled.

Manage Hierarchy — Create sites; edit pages, list items, and documents. For Publishing sites only. Similar to the Design permission, this permission level allows users to edit the design and components that make up the site. This permission level does not include all the permissions that users with the Design permission level have. A key difference is that users with the Manage Hierarchy permission level cannot approve items leveraging the Publishing Approval workflow or Content Approval features.

Figure 8-6 shows the default Publishing permission levels when using the Publishing template.
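Permission levels are exposed through the server object model as the site's role definitions, so the differences between the levels described above can be checked on a live site. The following PowerShell is an added example, not code from the book; it assumes a farm server with the SharePoint PowerShell snap-in available, and the site URL is a placeholder.

```powershell
# Added example: report what each permission level on a site actually contains.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'http://sharepoint.example.local'   # placeholder URL (assumption)

# Turn a level's permission mask into the names of its individual permissions.
function Get-PermissionNames($roleDefinition) {
    $roleDefinition.BasePermissions.ToString().Split(',') |
        ForEach-Object { $_.Trim() }
}

$web = Get-SPWeb $siteUrl
try {
    $levels = @($web.RoleDefinitions)
    $read   = $levels | Where-Object { $_.Name -eq 'Read' }
    if (-not $read) { throw "No 'Read' permission level found on $siteUrl" }
    $readPerms = @(Get-PermissionNames $read)

    $report = foreach ($level in $levels) {
        $perms  = @(Get-PermissionNames $level)
        # Full Control is stored as the single value FullMask (every permission).
        $isFull = $perms -contains 'FullMask'
        $missing = @()
        if (-not $isFull) {
            # Read permissions this level lacks, e.g. for Restricted Read or View Only.
            $missing = @($readPerms | Where-Object { $perms -notcontains $_ })
        }
        New-Object PSObject -Property @{
            Level           = $level.Name
            Permissions     = $(if ($isFull) { 'all' } else { $perms.Count })
            CanDeleteItems  = ($isFull -or ($perms -contains 'DeleteListItems'))
            MissingFromRead = ($missing -join ', ')
        }
    }
    $report | Select-Object Level, Permissions, CanDeleteItems, MissingFromRead |
        Format-Table -AutoSize -Wrap
}
finally {
    $web.Dispose()   # release the SPWeb object
}
```

A level whose MissingFromRead column is empty contains everything Read does; the CanDeleteItems column shows which levels let their holders delete list items and documents.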
FIGURE 8-6

An important thing to remember when working with these permission levels is that, for the most part, moving down the hierarchy of permission levels, levels will contain all the permissions of the permission levels that precede them. Therefore, Full Control contains all the permissions of all the permission levels combined. The Contribute permission will have all the permissions of Read, Restricted Read, View Only, and Limited Access.

Creating a New Permission Level Based on an Existing Permission Level

Depending on your environment, you might find that the default permission levels aren’t adequate for the user access needs of your organization. One of the most common issues is that the Contribute permission level allows users to have Delete Items permission. To remedy this problem, you can create a new Contribute Without Delete permission level and base this new permission level on the default Contribute permission level. Rather than build a new permission from scratch, you can start with the Contribute permissions and then deselect the Delete Items permission and you will be good to go. The following procedure will walk you through this process:

1. Navigate to your top-level site.
2. Click on Site Actions and select Site Permissions (or Site Actions and select Site Settings for the Publishing site options). Under Users and Permissions, click on Site Permissions.
3. In the Ribbon, click on Permission Levels (see Figure 8-7).

FIGURE 8-7

4. Select the permission level that you want to use as a reference for your new permission level. For this example, the Contribute permission level will be selected.
5. Scroll down to the bottom of the page and click Copy Permission Level (see Figure 8-8).
6. You will be prompted to give the copied permission level a name, a description, and the desired permissions.
Since all that is needed is to remove the Delete Items permission, simply scroll down to that permission and deselect it.
7. Scroll down to the bottom of the page and click Create. This will create your new permission level. Note that the permissions list in Figure 8-9 now includes Contribute Without Delete.

FIGURE 8-8

FIGURE 8-9

Creating a Permission Level from Scratch

If the default permission levels don’t provide a good starting point for a permission level your environment requires, you have the option to create a permission level from scratch. You start with a blank slate and select the desired permissions that will be needed.

1. Follow steps 1-3 in the preceding set of instructions to navigate to the Permissions Level page.
2. Click Add a Permission Level.
3. Enter a name and description for your new permission level. For this example, the name will be Custom Permission Level 1, with no description.
4. Select the permissions you want to be associated with the permission level and click Create.

You should now see your newly created permission level in the Permission Levels page, as shown in Figure 8-10.

FIGURE 8-10

In step 4 of this procedure, you may notice that when you click on a permission, others are automatically selected. Some of the permissions in SharePoint are dependent upon others — selecting one automatically selects the others. For example, several other permissions are dependent on the View Items permission. Because many other permissions are related to performing actions on items, it is prudent to first be able to view the item. Therefore, if you select the Edit Items or Delete Items permissions, for example, SharePoint will automatically select the View Items permission.

Editing an Existing Permission Level

As previously mentioned, sometimes the permissions that exist on your sites are not exactly what you are looking for.
Fortunately, you can edit these permission levels by selecting and deselecting the individual permissions that make up the permission level.

Following Microsoft “Best Practices,” editing default permission levels is not advised. Instead, edit custom permission levels.

The following procedure will walk you through editing a permission level that exists on a site based on the Team site template:

1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Click the permission level you want to edit. If you select the Full Control or Limited Access permission levels, you will notice that all of the permissions are grayed out. You will not be able to edit these permission levels. If you select a permission level other than these two, you can deselect current permissions and/or add permissions.
3. When finished, click Submit. This will save the changes you have made. Note that this change will affect this entire site collection.

Deleting a Permission Level

In the event that you no longer wish a permission level to be available, you can remove it from the Permission Levels page:

1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Select the permission level you want to delete. For this example, the Custom Permission Level 1 will be deleted. Select this permission level and click Delete Selected Permission Levels. As the option states, you can delete more than one permission level at a time if you so choose.
3. Once you click Delete Selected Permission Levels, a pop-up window will appear asking you to confirm the deletion of the selected permission level (see Figure 8-11). Click OK.
4. The selected permission level will be deleted and will no longer be available from the Permission Levels page.

When you delete a permission level it will no longer be available.
When the permission level is removed, any users or groups that are leveraging this permission level for access will be removed from the Site Permissions page. In order for these users or groups to have access again, you must grant them one of the available permission levels.

FIGURE 8-11

SECURITY GROUPS

So far this chapter has covered the individual permissions that make up permission levels and how these permission levels are used to grant users and groups access to SharePoint content. Now it is time to discuss the users and groups that will be assigned the previously stated permission levels.
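Looking back at the Permission Levels section, the Contribute Without Delete procedure (copy Contribute, deselect Delete Items) can also be scripted so that the new level is built the same way on every site and the default level stays untouched. The following PowerShell is an added example, not code from the book; it assumes a farm server with the SharePoint PowerShell snap-in available, and the site URL is a placeholder.

```powershell
# Added example: scripted form of the copy-and-deselect procedure.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = 'http://sharepoint.example.local'   # placeholder URL (assumption)
$baseName = 'Contribute'
$newName  = 'Contribute Without Delete'
$dropped  = 'DeleteListItems'   # permission flag behind the "Delete Items" check box

$web = Get-SPWeb $siteUrl       # the top-level site, as in step 1
try {
    $existing = @($web.RoleDefinitions)
    $base = $existing | Where-Object { $_.Name -eq $baseName }
    if (-not $base) { throw "Permission level '$baseName' not found on $siteUrl" }
    if ($existing | Where-Object { $_.Name -eq $newName }) {
        throw "Permission level '$newName' already exists; not overwriting it"
    }

    # Keep every permission of the base level except the one being dropped.
    $kept = @($base.BasePermissions.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne $dropped })

    # Build a new level instead of editing the default one.
    $role = New-Object Microsoft.SharePoint.SPRoleDefinition
    $role.Name            = $newName
    $role.Description     = "Copy of $baseName without $dropped"
    $role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($kept -join ', ')
    $web.RoleDefinitions.Add($role)

    # Read the level back and confirm the dropped permission is really gone.
    $created = $web.RoleDefinitions | Where-Object { $_.Name -eq $newName }
    $names   = @($created.BasePermissions.ToString().Split(',') |
        ForEach-Object { $_.Trim() })
    if ($names -contains $dropped) {
        throw "'$newName' still contains $dropped"
    }
    "Created '$newName' with $($names.Count) permissions; '$baseName' was not modified."
}
finally {
    $web.Dispose()   # release the SPWeb object
}
```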