SharePoint Online Permission Levels: The Complete Admin Reference

SharePoint Online ships with seven default permission levels. The table below summarises their key capabilities at a glance; detailed descriptions follow.

| Permission Level | Typical Assignment | Create/Delete Libraries | Add & Edit Items | Delete Items | Approve Content | Change Permissions | Download Files |
|---|---|---|---|---|---|---|---|
| Full Control | Site collection admins | Yes | Yes | Yes | Yes | Yes | Yes |
| Design | Page editors, intranet teams | Yes | Yes | Yes | Yes | No | Yes |
| Edit | Team site members (default) | Yes | Yes | Yes | No | No | Yes |
| Contribute | External contributors, reviewers | No | Yes | Yes | No | No | Yes |
| Read | Visitors, general staff | No | No | No | No | No | Yes |
| View Only | Sensitive document reviewers | No | No | No | No | No | No |
| Limited Access | Auto-assigned only | No | No | No | No | No | Partial |

What Each SharePoint Permission Level Allows

Full Control

Full Control grants every individual permission SharePoint exposes, including the ability to change permissions, manage site settings, create and delete subsites, approve content, and access all administrative functions. Site collection administrators always hold Full Control over their site collection regardless of group membership.

Assign Full Control only to users who are responsible for the site's administration and governance. Granting it broadly leads to permission audit findings that are difficult to justify and hard to unwind later.

Design

Design is primarily a legacy level carried over from classic SharePoint. It adds page customisation rights on top of the Edit capability set: specifically, the ability to edit .aspx pages directly, apply style sheets, and apply themes and borders. It also includes Approve Items, which Edit does not. In modern SharePoint Online, the direct .aspx page editing permission has limited practical effect since most configuration is done through templates and admin settings rather than raw page markup.

Use Design for intranet teams or communications site editors who also need to approve content workflows. For general collaboration without content approval, Edit is cleaner and exposes less surface area.

Edit

Edit is the default for the Members group in modern SharePoint team sites. It includes the Manage Lists permission, which means users can create new document libraries and lists, delete existing ones, and modify library settings including versioning policy, column definitions, and content type assignments. This is more powerful than the name suggests.

If you want team members to contribute documents but not reorganise the library structure, assign Contribute instead of Edit, and grant Manage Lists separately to the specific users who need that control.

Contribute

Contribute is the narrower counterpart to Edit. Users can add, edit, and delete items within existing libraries and lists, but cannot create new libraries, delete existing ones, or change library settings. It is the safer choice for external collaborators, contractors working on a fixed scope, or internal users who submit content into a managed structure rather than owning the structure itself.

Read

Read allows users to view pages, list items, and documents, and to download files. No additions, edits, or deletions are possible. This is the default for the Visitors group on most SharePoint sites and is appropriate for staff who need access to reference content without contributing to it.

View Only

View Only is similar to Read but excludes the Open Items permission, which is what controls whether users can download files to their local machine. In practice, Office documents open in the browser viewer but cannot be saved locally. Some file types that lack a browser preview are effectively inaccessible to View Only users.

Use View Only for libraries holding sensitive documents (contracts, HR records, financial models) where you want to prevent local copies from being created. It is a friction barrier rather than an absolute security control: screen capture and browser developer tools can still be used to extract content, and files accessible through the browser viewer can still be read in full.

Limited Access

Limited Access is not assignable directly. SharePoint creates it automatically when a specific item inside a library (a single file or list item) is shared with a user or group that does not already have access to the parent library or site. SharePoint also grants Limited Access at the library and site levels so that navigation to the item functions correctly. The user cannot see any other items in the library.

If a permissions report shows Limited Access for a user at a site, it means they have direct access to at least one specific item within that site. The SharePoint permissions audit guide covers how to locate and review these individual item grants efficiently.
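The level descriptions above translate into a short site-level review. The following is an added example, not part of the original reference or any vendor tooling: it lists every site-level assignment and flags the rights discussed above by testing the underlying permission bits rather than level names, so custom levels are caught as well. It assumes the PnP.PowerShell module; the site URL and client ID are placeholders.

```powershell
# Added example. Requires the PnP.PowerShell module.
# $siteUrl and $clientId are placeholders for your site and Entra ID app registration.
$siteUrl  = 'https://contoso.sharepoint.com/sites/placeholder'
$clientId = '<entra-app-client-id>'
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# Site-level role assignments only. Libraries and items with unique
# permissions carry their own assignments and are not walked here.
$web = Get-PnPWeb -Includes RoleAssignments

$report = foreach ($ra in $web.RoleAssignments) {
    # Assignments come back unpopulated; load the principal and its levels.
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

    foreach ($level in $ra.RoleDefinitionBindings) {
        [pscustomobject]@{
            Principal         = $ra.Member.Title
            PrincipalType     = $ra.Member.PrincipalType
            Level             = $level.Name
            # Strings below are PermissionKind names; PowerShell converts them.
            # ManagePermissions = "Change Permissions" (Full Control).
            ChangePermissions = $level.BasePermissions.Has('ManagePermissions')
            # ManageLists = create/delete libraries (Edit, Design, Full Control).
            ManageLists       = $level.BasePermissions.Has('ManageLists')
            # OpenItems is what View Only lacks, i.e. the download right.
            CanDownload       = $level.BasePermissions.Has('OpenItems')
            # RoleTypeKind 'Guest' is the built-in Limited Access level,
            # which signals item-level sharing somewhere below this site.
            LimitedAccess     = ($level.RoleTypeKind -eq 'Guest')
        }
    }
}

# Full listing, then the rows that usually need justification in an audit.
$report | Sort-Object Level, Principal | Format-Table -AutoSize
$report | Where-Object { $_.ChangePermissions -or $_.LimitedAccess } |
    Select-Object Principal, PrincipalType, Level
```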

Reporting across the tenant: The native SharePoint admin centre shows permissions one site at a time and does not produce a cross-site permission matrix. Report Master exports a per-site and per-library permissions breakdown to Excel, showing every user, group, and permission level assignment across all connected sites. This is the fastest way to produce the kind of access inventory that security audits and compliance reviews require.

Custom Permission Levels and When to Use Them

The seven default levels cover most scenarios, but SharePoint allows site collection administrators to define custom permission levels by selecting from the approximately 37 individual permissions SharePoint exposes. Common custom level use cases:

| Custom Level Name | Permissions to Include | Typical Use |
|---|---|---|
| No-Delete Contributor | Add Items, Edit Items, View Items, Open Items (no Delete Items) | Users who submit content but must not be able to remove it once submitted |
| Approver Only | View Items, Approve Items, View Versions, Open Items | A designated approver role in a content approval workflow who should not edit the items they approve |
| Restricted Contributor | Add Items, View Items, Open Items, Create Alerts | External users who can submit new items but cannot view or edit existing submissions from others |

Custom permission levels are defined per site collection. They do not replicate to other site collections automatically. If you need a consistent custom level across many sites, you will need to create it in each site individually, or use a PowerShell provisioning script or a SharePoint site template that includes the permission level definition.

The Microsoft 365 admin centre does not surface permission level configuration. You access it through Site Settings > Users and Permissions > Permission Levels within the specific SharePoint site.
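Because custom levels do not replicate between site collections, a provisioning script is the practical way to keep one consistent. The following is an added example, not the original page's or Microsoft's own script: it creates the No-Delete Contributor level from the table above in each listed site and verifies that the delete right is absent. It assumes the PnP.PowerShell module; the site URLs and client ID are placeholders.

```powershell
# Added example. Requires the PnP.PowerShell module.
# Site URLs and $clientId are placeholders.
$siteUrls = @(
    'https://contoso.sharepoint.com/sites/placeholder-a'
    'https://contoso.sharepoint.com/sites/placeholder-b'
)
$clientId  = '<entra-app-client-id>'
$levelName = 'No-Delete Contributor'

# PermissionKind names for Add Items, Edit Items, View Items and Open Items,
# plus View Pages and Open, which the Permission Levels page ticks
# automatically as dependencies of the item permissions.
$include = 'AddListItems', 'EditListItems', 'ViewListItems',
           'OpenItems', 'ViewPages', 'Open'

foreach ($url in $siteUrls) {
    Connect-PnPOnline -Url $url -Interactive -ClientId $clientId

    # Idempotent: only create the level where it does not exist yet.
    $existing = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $levelName }
    if (-not $existing) {
        Add-PnPRoleDefinition -RoleName $levelName -Include $include `
            -Description 'Add, edit and view items; no delete' | Out-Null
    }

    # Verify the result instead of trusting the name: a level with this
    # name may already exist with different rights.
    $level = Get-PnPRoleDefinition -Identity $levelName
    if ($level.BasePermissions.Has('DeleteListItems')) {
        Write-Warning "${url}: '$levelName' includes Delete Items; review it"
    } else {
        Write-Host "${url}: '$levelName' present without Delete Items"
    }
}
```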

Frequently Asked Questions

What is the difference between Edit and Contribute in SharePoint?

Edit includes the Manage Lists permission, letting users create new libraries and lists, delete existing ones, and change library settings. Contribute does not include Manage Lists, so users can only work within existing lists and libraries. Edit is the default for Members in a modern SharePoint team site; Contribute is more restrictive and better suited for users who should contribute content without controlling library structure.

What is Limited Access in SharePoint and how is it assigned?

Limited Access is automatically assigned by SharePoint when a user is granted direct access to a specific item inside a library, without having broader library or site access. SharePoint grants Limited Access at the parent containers so navigation works. You cannot assign it manually. It appears in permissions reports whenever item-level sharing is in use.

Can you create custom permission levels in SharePoint Online?

Yes. Site collection administrators can create custom permission levels in Site Settings by combining any of the individual permissions SharePoint exposes. Custom levels apply only to the site collection where they are created and must be replicated manually to other site collections if needed.

Does View Only prevent users from downloading files in SharePoint?

View Only excludes the Open Items permission, so users cannot download files to their local machine. Office documents open in the browser viewer instead. View Only is a friction barrier against casual copying but is not an absolute security control, since browser-based viewing and screen capture remain possible.
