Creating Unique Permissions for a Subsite

When you create a subsite, you can choose whether to inherit the permissions from the parent Web site or to create unique permissions for your subsite. Depending on your choice, you get different results:

• If you choose unique permissions, the default site groups are created (Guest, Reader, Contributor, Web Designer), but are not populated. The Administrator site group is also created, and the subsite creator is assigned to this site group. You can add users to the subsite and assign them to site groups, and they will have permissions only on your subsite, not on the parent Web site.
• If you choose to inherit permissions, all of the security from the parent Web site is used for the subsite, with the exception of per-list permissions. If you add a user to a list, the user is added to the parent Web site.

Switching to a Different Permissions Model

If you set up your subsite with unique permissions, but find that you need to share permissions with your parent Web site instead, you can switch to inherited permissions. There are some drawbacks to making this switch, however, such as:

• Switching from unique to inherited permissions is not reversible. The users and site groups from your subsite are deleted when you switch to inherited, and your subsite reverts to the permissions set for the parent Web site.
• Items that have per-list permissions set lose those permissions. All lists revert to the site-wide permissions.

You can also switch from using inherited permissions to using unique permissions. In this case, the transition is simpler. The current permissions are duplicated when you switch, and the link to the parent Web site's permissions structure is broken. From that point on any changes you make to the permissions affect only the subsite. When you switch from inherited to unique permissions, per-list permission settings remain intact.

Switching between permissions models can create some strange scenarios. For example, any user who has the Create Sub sites right can create a subsite. By default this right is included only in the Administrator site group, but if you assign it to another site group, members of that group can create sub sites with unique permissions and become administrators of the new sub sites. If such a user then chooses to switch to using the parent Web site's permissions, the user will no longer be an administrator of the subsite.

You use the Site Administration page for your subsite to switch to a different permissions model.

Set unique permissions by using HTML Administration pages

1. On the subsite, click Site Settings.
2. Under Administration, click Go to Site Administration.
3. On the Site Administration page, under Users and Permissions, click Manage permission inheritance.
4. In the Permissions section, select Use unique permissions.
5. Click OK.

If you want to return to using the same permissions as the parent Web site, you can also change back by using HTML Administration pages.

Return to the parent Web site's permissions

1. On the subsite, click Site Settings.
2. UnderAdministration, click Go to Site Administration.
3. On the Site Administration page, under Users and Permissions, click Manage permission inheritance.
4. In the Permissions section, select Use the same permissions as the parent site.
5. Click OK.
6. Click OK to verify the change of permissions.

Want to acquire industry skills and gain complete knowledge of SharePoint? Enroll in Instructor-Led live SharePoint Training to become Job Ready!

Managing Site Creation Rights

By default, when Self-Service Site Creation is enabled, all members of the Reader, Contributor, Web Designer, and Administrator site groups have the Use Self-Service Site Creation right. They can use this right to create a top-level Web site on a virtual server from the Create Web Site page. Another right, the Create Subsites right, is available to members of the Administrator site group by default. This right allows the user to create a subsite or a Workspace site from the Create page or the Manage Sites and Workspaces page. You control which users have the Use Self-Service Site Creation right by changing the rights in a site group. You can control which users have the ability to create sites and Workspace sites by changing which site groups have the Create Sub sites right, or by using the Configure Site and Workspace Creation page in Site Settings. You must be a member of the Administrator site group for a site to control these rights.

Specify which users can create sub-sites

1. On a site, click Site Settings.
2. On the Site Settings page, click Configure site and workspace creation.
3. On the Configure Site and Workspace Creation page, select the check boxes next to the site groups you want to be able to create sub-sites.
4. Click OK.

 SharePoint 2010 Permissions for Site Owners – Part 1: Creating a Team Site When creating a team site, you have two options: create the site with unique or inherited permissions.    

If you create a site with unique permissions, the link between this site and the site it was created under (the parent site) is broken.  You can have different permissions on both sites.   If you create a site with same permissions as parent site, it means it is inherited permissions.  That means that whatever happens on the site above it affects this site as well.  And vice versa.  If this example below was a collection of team sites, changing permissions in any of the green blocks affects all the green blocks up and down the structure.

   

Creating sites with inherited permissions is fine for intranet sites – sites that are open to everyone in the organization.  It’s a different story on team sites – sites that are ring-fenced to a specific department / team.  Only very advanced users can successfully manage team sites using inherited permissions.  The normal business user who has a day job will battle to manage a structure comprised of inherited permissions.  Make sure you plan your sites carefully so as to know which options to choose when.   When selecting unique permissions for a new team site, you will be prompted to create the new groups for the site.  The default groups are Members, Owners and Visitors.  Note what happens to the Visitors group.  It automatically inherits the Visitors group from the site above it even though we have specified unique permissions.  SharePoint is thinking on your behalf and assuming you want all the visitors from another site to see this site.  No!  Make sure you click on Create a New Group first!  (If you’ve slipped up and already created the site, and the site is still empty, it’s easier to just delete the site and start again).

When you click Create a New Group, the three group names will all have the same naming convention which matches the name of the site.  You don’t add people to the site now!  What are you adding them to?  You create and build your site first, and add users last – keeping in mind how permissions works so you can structure your site correctly.

 

With your site created, go back to Site Actions – Site Permissions to view the settings.

 

SharePoint 2010 Permissions for Site Owners – Part 2: Members, Owners and Visitors The three default user groups created with each team site created with unique permissions are Site Members, Site Owners, Site Visitors.  (This is also valid for SharePoint 2007, the ribbon and site actions options are applicable to SharePoint 2010 though).

 

• Members have the right to edit, upload and delete content.
• Owners have full rights to change the look and feel, add and remove users, create or delete content.
• Visitors have the right to open and read content.

 You don’t need to add people to all three groups.  If they are Owners, they will already be able to edit and view content.  If they are Members, they will already be able to view content. But what can the people in these groups see?  The actions they have no rights to are grayed out on the ribbons.  The Site Actions menu is security trimmed so that they will only see actions they do have rights to.  Site Members -- Site Actions

Library tab in the Ribbon

Site Owners -- Site Actions

 

Library tab in the ribbon

Site Visitors -- Site Actions

 

Library tab on the ribbon