Geeks With Blogs
Rob Foster's House of Southern-Fried SharePoint and other ramblings on enterprise technologies


Download the design template here.

In my role, I am lucky enough to get to design lots of very cool software to solve (sometimes difficult) business problems.  Many times, these applications involve design solutions that leverage SharePoint technologies.  In this series, I will be discussing some of the design patterns and documentation patterns that I have encountered in my applications.

Disclaimer: this documentation is given as-is, so please use it and modify it as needed to meet your needs.  This is just something to help you (and me) get jump-started on building and designing better solutions for SharePoint. :-)

One of the production issues that I have encountered revolves around setting up and configuring security groups within SharePoint.  If you give your users too much control, they sometimes go nuts and end up trashing the site’s security.  On the other hand, if you don’t give them enough control, then they might not be able to do what they need to in the site.  There is quite a delicate balance of architectural design and user control that you must manage through processes and documentation. 

As the designer of the system, it is your job to review the application’s requirements and determine what security roles that users will need to accomplish their jobs in the application.  Lucky for us, SharePoint has quite an extensive (if not overwhelming) security model that you can use to either grant or deny a user’s rights in your application.  First, let’s take a look at the different user roles that SharePoint offers:

Permission Level Description

Full Control

Has full control.


Can view, add, update, delete, approve, and customize.

Manage Hierarchy

Can create sites and edit pages, list items, and documents.


Can edit and approve pages, list items, and documents.


Can view, add, update, and delete.


Can view only.

Restricted Read

Can view pages and documents, but cannot view historical versions or review user rights information.

Limited Access

Can view specific lists, document libraries, list items, folders, or documents when given permissions.

View Only

Members of this group can view pages, list items, and documents. If the document has a server-side file handler available, they can only view the document using the server-side file handler.

These user roles are completely out of the box and available to every site that you create in SharePoint.  Many times, you can use these roles in your application as they map to the most common user roles and functions that are typically found in a SharePoint application.  You should start with these to see if they will meet your needs and add users to these groups.

Now what happens if you need more specialized permissions?  Lucky for us, you can also create custom SharePoint roles with very specific permissions.  Below is a list of custom permissions that are available in SharePoint that you can use to create your custom groups.  These permissions are separated into separate categories: List Permissions, Site Permissions, and Personal Permissions.

  • List Permissions
    • Manage Lists - Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
    • Override Check Out - Discard or check in a document which is checked out to another user.
    • Add Items - Add items to lists, add documents to document libraries, and add Web discussion comments.
    • Edit Items - Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
    • Delete Items - Delete items from a list, documents from a document library, and Web discussion comments in documents.
    • View Items - View items in lists, documents in document libraries, and view Web discussion comments.
    • Approve Items - Approve a minor version of a list item or document.
    • Open Items - View the source of documents with server-side file handlers.
    • View Versions - View past versions of a list item or document.
    • Delete Versions - Delete past versions of a list item or document.
    • Create Alerts - Create e-mail alerts.
    • View Application Pages - View forms, views, and application pages. Enumerate lists.
  • Site Permissions
    • Manage Permissions - Create and change permission levels on the Web site and assign permissions to users and groups.
    • View Usage Data - View reports on Web site usage.
    • Create Sub-sites - Create sub-sites such as team sites, Meeting Workspace sites, and Document Workspace sites.
    • Manage Web Site - Grants the ability to perform all administration tasks for the Web site as well as manage content.
    • Add and Customize Pages - Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services-compatible editor.
    • Apply Themes and Borders - Apply a theme or borders to the entire Web site.
    • Apply Style Sheets - Apply a style sheet (.CSS file) to the Web site.
    • Create Groups - Create a group of users that can be used anywhere within the site collection.
    • Browse Directories - Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.
    • Use Self-Service Site Creation - Create a Web site using Self-Service Site Creation.
    • View Pages - View pages in a Web site.
    • Enumerate Permissions - Enumerate permissions on the Web site, list, folder, document, or list item.
    • Browse User Information - View information about users of the Web site.
    • Manage Alerts - Manage alerts for all users of the Web site.
    • Use Remote Interfaces - Use SOAP, Web DAV, or SharePoint Designer interfaces to access the Web site.
    • Use Client Integration Features - Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.
    • Open - Allows users to open a Web site, list, or folder in order to access items inside that container.
    • Edit Personal User Information - Allows a user to change his or her own user information, such as adding a picture.
  • Personal Permissions
    • Manage Personal Views - Create, change, and delete personal views of lists.
    • Add/Remove Personal Web Parts - Add or remove personal Web Parts on a Web Part Page.
    • Update Personal Web Parts - Update Web Parts to display personalized information.

Note that I’m not going to dig into the details of creating custom roles and permissions here as there is A LOT of documentation and blogs on the topic.  I would rather focus on documenting the process instead. 

Each of the SharePoint roles (see the first table in this blog posting) are configured with these permissions and it is important for you to understand which role has which permission so you can decide on whether to use the out of the box roles or will need to create custom roles.  I have created a design template (screenshot below) that helps you document the permissions that are assigned to each out of the box role (see figure below) as well as describe any new roles and any assigned Active Directory groups that will be assigned to each role (not this will be different if you are using Forms Based Authentication).


For the new roles that you need to create, you can simply name the role and then document (with an “X”) each permission that is assigned to that role.  This will help you keep a document on file (or as part of your overall architecture documentation) of your site’s security roles and their permissions so that you can easily create (or recreate) the permissions for your site via a documented process.

Again, my point of this blog is not to document the "what and how" of permissions and roles, but rather provide a jumpstart template that you can use in your architectural and operations design documents.  I hope that this is something that you can readily use as well as extend the idea to meet your needs.

UPDATE: I was just informed that there is a similar blog post here by Stephanie Grima that documents permissions similar to what I did in the first part of this blog.  At the time that I wrote this post, I was unware of her blog post and am providing an architectural design template instead of a description of permissions and how to use them.  :-)

Posted on Tuesday, December 16, 2008 9:50 PM Architecture , SharePoint | Back to top

Comments on this post: Documenting Your SharePoint Application Design-Part 1

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...

Great tool - definitely helpful when working to develop how an application should actually be used. From an application development perspective I think that this will help to accelerate solutions designers and developers to properly document what they need to do before they put pencil to the paper...

Left by Dan Usher on Dec 22, 2008 10:39 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
The design template link is broken. Can not download the document. I need to get it to plan my portal architecutre. Thanks
Left by Shob on Mar 12, 2009 3:21 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
Good and helpful article. Thanks

Note: The design template link is broken.
Left by Wael on Aug 23, 2009 3:29 AM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
Could you please fix the design template link?
Left by BetaWiz on Jan 15, 2010 3:47 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
link is broken kindly fix.
Left by govind on Jan 19, 2010 8:43 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
Yes, please kindly fix the link. It does not work .
Left by adam on Feb 04, 2011 2:37 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
I am prompted for a username/password when I try to download the document. Could you please help me out?
Left by Athulya on Jun 10, 2011 5:15 AM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
Please send me a template
Left by joe on Oct 14, 2011 6:03 AM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
Could you please fix the design template link?
Left by giraudy on Mar 22, 2013 10:51 PM

# re: Documenting Your SharePoint Application Design-Part 1
Requesting Gravatar...
As others have stated - the link is broken....can you please provide? This would save A LOT of time! Thanks!
Left by Mel Hamilton on Sep 25, 2017 2:33 PM

Your comment:
 (will show your gravatar)

Copyright © Rob Foster | Powered by: