“Manage Permissions” Permission Level

This post explains how to create a new permission level that grants users the right to manage permissions while maintaining the principle of least privilege. In most scenarios, users who can manage permissions are also given owner rights to the site. Of course, a user who can manage permissions can give themselves owner rights, but I still needed to create a SharePoint security group to which I could add users who would then be allowed to manage the permissions at sites they would otherwise have no access to.

Creating a permission level that gives users the ability to manage permissions most likely involves more than granting the ‘Manage Permissions’ base permission. If you want to allow users with this permission level to add users to SharePoint groups (or remove them), you will also need to add the ‘Add List Items’ and ‘Delete List Items’ base permissions along with ‘View Application Pages’.

"Manage Permissions" permission level base permissions.

With all of these base permissions you can expect a user with otherwise no access to a site to be able to manage site, list, and item permissions as well as manage the membership of the SharePoint security groups of which they are a member. This last point assumes that the SharePoint security groups are configured such that “Who can edit the membership of this group?” is set to “Group Members”.

SharePoint group set-up

Another option is to only provide the “Manage Permissions” base permission and ensure that the security group is the group owner of all the groups which they require the ability to manage membership of. The downside of this is that you must then remove the ‘Owners’ group from this role.

I suspect this is a very rare case I’m describing/solving here, and I’m doubtful this post will ever help anyone. Please let me know if it did!


Thread-level access and discussion boards in SharePoint

Ever wanted to have a single discussion board with threads accessible only to certain audiences?

It was something we wanted, and I was very close to changing the IA model so that a new discussion board would be created for each thread, just to get around a simple permissions issue. I say simple because the solution is simple once you know what it is.


Imagine the scenario where users can see a discussion board but must only be able to contribute to particular threads, based on their permission levels. The obvious solution is to give users (or groups) Contribute access to individual threads. My initial thought was that the ‘Limited Access’ granted at the list level would be enough to allow users to reply to those threads on which they have Contribute access. In fact, even if a user has Read access on the discussion board and Contribute access to a given thread, they will still be denied access when attempting to reply. With a little thought it’s really quite clear why this doesn’t work: a thread is just a folder, and a reply is actually adding a new item to the list.

The key here is the ‘View Application Pages’ base permission. Of the default permission levels, Contribute is the first to include it. To make the above scenario a reality you must give users this base permission. This can be achieved by creating a new permission level (e.g. “View Forms”) containing only that base permission and binding it to the discussion board for ‘All Authenticated Users’. I found it most appropriate to perform this action with PowerShell; I can include the script in the post if someone requests it, but I think it’s pretty straightforward.
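The post does not include the script, so the following is an added example (not the author's code) showing how both permission levels described on this page, the “Manage Permissions” level from the first post and the “View Forms” level from the second, can be created and bound with the SharePoint server object model from the SharePoint Management Shell. The site URL, list title, group name and the claims identifier used for All Authenticated Users are assumptions for illustration.

```powershell
# Added example, not the post's script; assumes on-premises SharePoint and the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-CustomPermissionLevel {
    param(
        [Microsoft.SharePoint.SPWeb]$Web,
        [string]$Name,
        [string]$Description,
        [Microsoft.SharePoint.SPBasePermissions]$BasePermissions
    )
    # Reuse an existing level of the same name rather than failing on Add()
    $existing = $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    $roleDef = New-Object Microsoft.SharePoint.SPRoleDefinition
    $roleDef.Name = $Name
    $roleDef.Description = $Description
    $roleDef.BasePermissions = $BasePermissions
    $Web.RoleDefinitions.Add($roleDef)
    return $Web.RoleDefinitions[$Name]
}

function Grant-PermissionLevel {
    param(
        [Microsoft.SharePoint.ISecurableObject]$Target,   # SPWeb, SPList or SPListItem
        [Microsoft.SharePoint.SPPrincipal]$Principal,     # SPUser or SPGroup
        [Microsoft.SharePoint.SPRoleDefinition]$RoleDefinition
    )
    # Break inheritance (copying the parent's assignments) so the binding is scoped to $Target only
    if (-not $Target.HasUniqueRoleAssignments) { $Target.BreakRoleInheritance($true) }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Principal)
    $assignment.RoleDefinitionBindings.Add($RoleDefinition)
    $Target.RoleAssignments.Add($assignment)
}

$web = Get-SPWeb "http://intranet.example/sites/team"   # placeholder URL
try {
    # First post: the four base permissions named there, plus Open. The permission-level page
    # ticks prerequisites such as Open automatically; the object model does not, so add any others shown in the screenshot.
    $managePerms = [Microsoft.SharePoint.SPBasePermissions]"ManagePermissions, AddListItems, DeleteListItems, ViewFormPages, Open"
    $manageLevel = New-CustomPermissionLevel -Web $web -Name "Manage Permissions" -Description "Manage permissions without owner rights" -BasePermissions $managePerms
    $managers = $web.SiteGroups["Permission Managers"]   # placeholder group name
    Grant-PermissionLevel -Target $web -Principal $managers -RoleDefinition $manageLevel

    # Second post: "View Forms" carries only View Application Pages and is bound to All Authenticated Users on the board
    $viewForms = New-CustomPermissionLevel -Web $web -Name "View Forms" -Description "View application pages only" -BasePermissions ([Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)
    $board = $web.Lists["Team Discussion"]                # placeholder list title
    $everyone = $web.EnsureUser("c:0(.s|true")            # assumed claims-mode identifier for All Authenticated Users
    Grant-PermissionLevel -Target $board -Principal $everyone -RoleDefinition $viewForms
    $board.Update()
} finally {
    $web.Dispose()
}
```

Users still need Contribute on the individual threads; this level only supplies the list-level ‘View Application Pages’ right that the reply form requires.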

Good luck!