This post talks about how to create a new permission level for assigning users the right to manage permissions while maintaining the principal of least privilege. In most scenarios users who can manage permissions are also given owner rights to the site. Of course a user who can manage permissions can give themselves owner rights, but by default I needed to create a SharePoint security group to which I could add users that would then be allowed to manage the permissions at sites they would otherwise have no access to.
Creating a permission level that gives users the ability to manage permissions most likely involves more than providing the ‘Manage Permissions’ base permission. If you want to allows users with this permission level to add users to SharePoint groups (or remove them) then you will also need to add the ‘Add List Items’ and ‘Delete List Items’ along with the ‘View Application Pages’ base permissions.
With all of these base permissions you can expect a user with otherwise no access to a site to be able to manage site, list, and item permissions as well as manage the membership of the SharePoint security groups of which they are a member. This last point assumes that the SharePoint security groups are configured such that “Who can edit the membership of this group?” is set to “Group Members”.
Another option is to only provide the “Manage Permissions” base permission and ensure that the security group is the group owner of all the groups which they require the ability to manage membership of. The downside of this is that you must then remove the ‘Owners’ group from this role.
I suspect this is a very rare case I’m describing/solving here, and I’m doubtful this post will ever help anyone. Please let me know if it did!
Hi,
Actually in systems with a distributed membership handling this is a common problem since in all robust set ups, each site Owners group should have at least two Group owners, never one.
The obscure part is in the SharePoint group setup. This solution should be used when only owners should add users.
1 In both the Visistors, Members, Owners change the default Group owner from an individual to the Owners Group.
2 Keep the deafult setting only Owners may change membership.
3. Change so “everyone” can view membership (that is shown in a web part in the site so a visistor can see who has admin rights or are members; to know who to contact).