Security Roles in SharePoint Architecture: SharePoint Security Matrix

Apr 30, 2020

SharePoint has a number of roles that define user capabilities, access levels, permissions, etc. The most common roles in the SharePoint security architecture are the following:

  • End users
  • Power users
  • Site owners
  • Site collection admins
  • SharePoint farm admins

Each of these roles has a variety of nuances and specifics that are often exclusive to that role. In the following paragraphs, these SharePoint security roles will be analyzed one by one.

End User

This SharePoint security role is mostly represented by regular users who contribute to content creation by working with list items and document libraries. At the same time, they aren’t responsible for basic tasks like maintenance and site configuration.

  • Content creation that is subsequently stored in a specific site’s libraries and/or lists
  • Workflow participation
  • Permissions to upload documents to current document libraries
  • Creation and editing of tasks, contacts, links, calendar items and other list items
  • Interaction with documents using MS Word, Excel, PowerPoint
  • A typical example is a participant of the Members group (with Contribute permissions)
  • Sometimes have permissions to delete documents or list items
  • Minimal or zero responsibility for site management or design questions

Power User

One step higher is the Power user. Power users are essentially End users with permissions and responsibilities for interacting with specific site components, such as web pages, lists, libraries, etc.

  • Content creation, including lists, libraries and other components of SharePoint
  • Can be put in charge of creating and/or managing custom workflows
  • Capable of both creating and managing web pages for the purpose of presenting different kinds of site information, including specific documents
  • Sometimes have the capabilities to change other users’ permissions
  • Can sometimes have the rights to create and maintain templates for documents and content types
  • Some can manage or create custom forms, such as travel data, expense reports and other types of feedback for information gathering purposes
  • Capable of approving documents and/or list items, submitted by other users
  • Most of the time have Design permissions and may be given access to SharePoint Designer to change both visual and functional parts of the site

Site Owner

Site owners hold all of the Power user’s permissions combined with general control over the entire site, including design, permission management, sub-site creation, and more.

  • Most of the time a member of the Site Owners group with Full Control permissions
  • Can have permissions to create custom templates for the site in general, as well as for lists and libraries
  • Site content type management and the ability to add and customize web parts
  • Capable of managing various site features such as group work lists, metadata navigation, publishing, etc.
  • Can create and modify permissions for other groups on this site’s level
  • Content approval, check out and check in, as well as versioning capabilities
  • Can create sub-sites and manage access to SharePoint components such as libraries, lists, etc.
  • Full capabilities of SharePoint Designer at their disposal for any visual or functional site customization

Site Collection Administrator

Site collection administrator is another level higher in our list of SharePoint security levels. This role controls multiple sites within a site collection, not just a single site. Generally, a site collection is considered to be a unit on its own, with specific features, permission levels and users.

  • Responsibility for a number of related sites – a site collection
  • Full Control permissions over the entire site collection, even capable of managing site owners
  • All of the previous creation capabilities plus the ability to create sites and grant ownership of single sites
  • Capable of removing users from any site in the collection
  • Can manage different site collection components, as well, including templates, web parts, permissions, content, etc.
  • A position with an excessive amount of power that should be granted with caution and proper training

Careful management of positions with this much power is one of our SharePoint best practices; you can learn about the others in this article.

SharePoint Farm Administrator

This is the top of our SharePoint security roles list: the role in charge of the entire SharePoint system, including all site collections, web apps, maintenance and storage.

  • Capable of creating web apps and site collections, and has all of the previously mentioned permissions;
  • Responsible for content and configuration backup and restore processes, if necessary;
  • Manages search services, as well as other SharePoint services, including Excel Services, InfoPath Services, and more;
  • Creates and manages mail services – both incoming and outgoing;
  • Does storage space management, as well, per the needs of web apps and site collections.

SharePoint Security Matrix

Figure: the architecture of SharePoint data security

Since all of these roles are within one SharePoint system, it is possible to combine some of them in a SharePoint security matrix that represents the capabilities of each of the security levels in a more convenient way.

Feature | End User | Power User | Site Admin | Site Collection Admin | Farm Admin
------- | -------- | ---------- | ---------- | --------------------- | ----------
Creation and editing of list items and documents | X | X | X | X | X
Creation and management of web pages for document presentation and other site information | | X | X | X | X
Creation and management of sub-sites | | | X | X | X
Creation and management of sites and ownership delegation | | | | X | X
Creation and management of site collections | | | | | X
Contribute permissions | X | X | X | X | X
Design and Contribute permissions, capability to change other users’ permissions | | X | X | X | X
Full Control permissions on a site level | | | X | X | X
Full Control permissions on a site collection level | | | | X | X
Full Control permissions over the entire SharePoint Farm | | | | | X
Little or zero responsibility for the site design or management | X | X | X | X | X
Capability to change parts of the site visually and functionally, as well as management of lists, libraries and web pages | | X | X | X | X
Can manage permissions for users of a particular site, restrict access to that site or to single parts like lists or documents, and manage metadata navigation and publishing capabilities | | | X | X | X
Management of different site collection components, including templates, web parts, permissions, content, structure, and more | | | | X | X
Management of the entire SharePoint Farm and its components, including servers, web apps and multiple site collections | | | | | X

This SharePoint Security Matrix represents the general security architecture as well as the differences between the SharePoint roles. It shows the increasing responsibility that applies to the higher-level groups and the amount of control an individual with SharePoint Farm Administrator rights can possess.
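As an added example (not code from the original post), the following script inventories who currently holds the top rows of the matrix, namely site collection administrators, Full Control on each site collection's root web, and members of the Farm Administrators group, so those grants can be reviewed periodically. It assumes on-premises SharePoint Server with the Microsoft.SharePoint.PowerShell snap-in, run from the SharePoint Management Shell by a farm administrator; the output file name is a placeholder.

```powershell
# Added audit script, not part of the original post. Assumes SharePoint Server
# on-premises and the SharePoint Management Shell snap-in, run as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission level that corresponds to the Site Owner row and above in the matrix.
$highPrivLevels = @("Full Control")

$report = foreach ($site in Get-SPSite -Limit All) {
    $web = $site.RootWeb

    # Site collection administrators: Full Control over the whole collection.
    foreach ($u in ($web.SiteUsers | Where-Object { $_.IsSiteAdmin })) {
        [PSCustomObject]@{ Site = $site.Url; Principal = $u.LoginName
                           Role = "Site Collection Admin"; Via = "IsSiteAdmin" }
    }

    # Users and groups granted Full Control directly on the root web (Site Owner level).
    foreach ($ra in $web.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($levels | Where-Object { $highPrivLevels -contains $_ }) {
            [PSCustomObject]@{ Site = $site.Url; Principal = $ra.Member.Name
                               Role = "Site Owner (Full Control)"; Via = ($levels -join ",") }
        }
    }
    $site.Dispose()
}

# Farm Administrators is a SharePoint group on the Central Administration site.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caWeb = $ca.Sites[0].RootWeb
$farmAdmins = foreach ($u in $caWeb.SiteGroups["Farm Administrators"].Users) {
    [PSCustomObject]@{ Site = $ca.Url; Principal = $u.LoginName
                       Role = "Farm Admin"; Via = "Farm Administrators group" }
}
$report = @($report) + @($farmAdmins)

# Placeholder output path; review the CSV against the expected holders of each role.
$report | Sort-Object Role, Site | Export-Csv -Path .\sharepoint-highpriv-report.csv -NoTypeInformation
$report | Group-Object Role | Select-Object Name, Count
```

Rows whose Via column lists more than one permission level show principals that hold Full Control alongside lower levels, which is a common sign of grants that were never cleaned up.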
