Decoding Sharepoint Permission Masks To Understand User Access

Overview of SharePoint Permission Masks and What the Numbers Mean

A SharePoint permission mask is a numeric value that encodes the set of permissions granted to a user or group. It defines what actions they can perform within SharePoint, such as reading documents, editing pages, or managing configurations.

Permission masks consist of a base-10 numeric value with each digit representing a specific permission. By decoding the mask value, we can interpret what access it grants. Some examples of access encoded by permission masks include:

  • Read/View Only Access
  • Contribute/Edit Access
  • Full Control/Manage Access

Understanding how to decipher SharePoint permission masks is key to analyzing what privileges users have. This allows proper auditing of access controls and troubleshooting issues users face if they lack necessary permissions.

Key Components of a SharePoint Permission Mask

When deciphering a permission mask, we need to understand what key information is encoded in the value:

  • Permission Scope: Permissions can be granted over a site, list, library, item, or other objects within SharePoint. The scope indicates which objects the mask grants permissions on.
  • Rights: Defines what actions the user can perform such as read, write/edit, manage lists, override checkout, etc.
  • Permission Levels: Common preconfigured groupings of permissions such as View Only, Contribute, Design, or Full Control.

By identifying these encoded data points in a permission mask, we can piece together what access it is configured to grant.

Breaking Down the Components of a Permission Mask

When SharePoint calculates a permission mask value, it evaluates multiple components of the access being granted. Let’s explore these key components in more detail:

Permission Scopes

Scope indicates what part of the SharePoint environment the permissions apply to. This governs what objects or containers the user has access to. Common permission scopes are:

  • Site Collection: All subsites, libraries, lists, and other objects in a site collection.
  • Site: A specific site including its libraries, lists, and other containers.
  • List: Permissions for a list or document library.
  • Folder: Permissions for a folder and its files.
  • Item: Permissions for a specific file or list item.

Permission mask calculations process the numeric values differently depending on scope, so identifying the scope first tells us how to interpret the mask value that grants access.

Rights

Rights define what actions the user can perform within the permission scope. SharePoint has over 100 fine-grained rights, with common ones being:

  • Read: View items, documents, and pages.
  • Contribute: Add items, edit documents, update pages, etc.
  • Design: Customize forms, views, styling, site structure, etc.
  • Manage: Administer site settings, configure libraries, delete items.
  • Full Control: Unrestricted access including assigning permissions.

By identifying what abilities are allowed, we gain insight into how the permission mask shapes what the user can do.

Permission Levels

To simplify assigning common access needs, SharePoint has predefined permission levels that group common rights together:

  • View Only: Read-only ability.
  • Contribute: View, add, and update access.
  • Design: Contribute plus styling and customization access.
  • Full Control: Unrestricted access and manage permissions.

Identifying what permission level is granted allows us to instantly understand what category of access the user has – read vs edit vs customize vs administrator.

Common Permission Mask Values and What Access They Grant

Certain permission mask values frequently get used in SharePoint for common access needs. Below are some usual values:

Limited Access Masks

  • 1: View Only rights at the Site level.
  • 15: View Only plus Open rights at the Site level. Lets user navigate site structure and open documents, pages, and items.
  • 31: View Only plus Open rights for all lists and libraries in the Site. User can read all documents.

As we can see, lower permission mask values grant read-only and usage rights to let the user view content without altering anything.

Contribute Access Masks

  • 107: Contribute rights at the Site level – user can add, edit, delete lists, pages, subsites, etc.
  • 275: Contribute plus Create rights for all lists and document libraries in the Site. User can add, edit, delete list items and documents.
  • 605: Contribute plus Create and Approve rights for all lists, libraries, and items within a Site. This allows edit ability with additional moderation rights.

Mid-range mask values equip users with adding and updating abilities on top of just accessing content.

Full Control Access Masks

  • 1021: Full Control rights inherited from the Site Collection level. User can fully manage the specific site.
  • 2047: Max value – Full Control rights plus ability to assign permissions. User has unrestricted access and can govern security.

Higher mask values indicate broad administrative abilities – whether over a site or the entire site collection.

These demonstrate common patterns based on value ranges – Limited masks with lower numbers, Contribute masks for editing ability, and Full Control masks approaching the maximum value.

Setting Custom Permission Masks

In addition to using predefined levels through SharePoint’s UI, we can directly set permission masks to grant explicit access. Below is the process for constructing a custom mask.

Custom Permission Mask Syntax

The syntax for specifying a custom permission mask is:

  [Scope; Rights1, Rights2, Rights3...]

Let’s break this down:

  • [Scope]: Site, Web, List or other scope keywords.
  • Rights: Permission abilities granted from the full rights set.

When specifying multiple rights, they get added together into the numeric mask value shown to users.

Custom Mask Example 1: Read List Items

Grant read-only access to a Documents library:

  List; ReadItems

Breakdown:

  • Scope = List: Permissions apply to list scope – in this case a library.
  • Rights = ReadItems: User can view and open items within the list.

The resulting permission mask value presented in SharePoint would be:

  1

Indicating View Only rights on the list.

Custom Mask Example 2: Edit Documents

Grant ability to add, edit, and delete files in a Documents library:

  List; AddItems, EditItems, DeleteItems

Breakdown:

  • Scope = List: Permissions apply to list scope – in this case a library.
  • Rights:
    • AddItems: Upload and add new documents.
    • EditItems: Change existing documents.
    • DeleteItems: Remove documents.

The resulting permission mask value presented in SharePoint would be:

  275

This decodes to the Contribute permission level for the list.

This demonstrates how we can build permission masks by specifying rights that get compiled into the numeric values users eventually see.

Best Practices for Assigning SharePoint Permissions

Below are some key best practices to follow when configuring permission masks in SharePoint:

Principle of Least Privilege

Only grant the minimal rights needed. Avoid giving broader access than required for users to perform their required tasks.

Leverage Permission Inheritance

Manage permissions broadly at parent scopes like site collections or sites. Then allow child objects like libraries to inherit rather than manually configure.

Permission Groups Over Individuals

Assign permissions to SharePoint groups rather than individual accounts. This simplifies managing access as members join/leave groups.

Adhering to these practices streamlines permission management and reduces over-entitlement.

Troubleshooting Issues With SharePoint Permissions

Some common challenges users face because of permission issues include:

  • Access Denied errors when trying to view, edit, or upload content.
  • Features seeming disabled or grayed out.
  • Being unable to navigate to certain libraries, lists, or sites.

We can troubleshoot permissions issues using the following tactics:

Verifying User Access

Check effective permissions for the user account to confirm their granted rights:

  1. Navigate to Site Settings > Site Permissions.
  2. Click Check Permissions.
  3. Enter the user account to see permission assignments.

This allows verifying the cause behind access issues – such as View Only rights blocking editing abilities.

Checking Inherited Permissions

Access issues may originate from parent objects that the affected scope inherits from:

  1. Navigate to the list, library, or subsite at issue.
  2. Check the Permissions tab to see inherited scopes.
  3. Trace issues back to broader inherited scopes not granting necessary access.

Handling Access Denied Errors

Access Denied errors that block user actions can be diagnosed by:

  1. Recording the object at issue – such as a document library.
  2. Checking user permissions assignments for that scope.
  3. Verifying the permission mask value allows necessary rights.
  4. Editing the mask to include additional rights if needed.

Troubleshooting permissions relies heavily on decoding the meaning behind assigned permission masks to pinpoint gaps. Targeted adjustments can then expand access to quickly resolve user issues.
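The following script is an added example, not code from the original article, that puts the three procedures above into working form: building a mask from named rights (the custom mask section), decoding a mask back into rights and flagging bits it does not recognise, and the troubleshooting and least-privilege checks (which rights a blocked action is missing, and which rights a user holds beyond the level they need). It assumes the mask is a bitwise OR of flag values; the flag names and values are taken from the SPBasePermissions enumeration of the SharePoint server object model (only a subset is listed), while the permission levels, the function names and the scenarios in the `main` block are constructed for illustration and are simplified compared with the built-in levels.

```python
"""Build, decode and audit SharePoint permission masks treated as a bit field.

Added example; assumes a mask is the bitwise OR of SPBasePermissions flag
values. The flag subset below uses those values; the permission levels are
simplified, constructed groupings for illustration only.
"""
from typing import Iterable, Optional

# Assumed flag values (subset of the SPBasePermissions enumeration).
BASE_PERMISSIONS: dict = {
    "ViewListItems": 1 << 0,
    "AddListItems": 1 << 1,
    "EditListItems": 1 << 2,
    "DeleteListItems": 1 << 3,
    "ApproveItems": 1 << 4,
    "OpenItems": 1 << 5,
    "ViewVersions": 1 << 6,
    "DeleteVersions": 1 << 7,
    "CancelCheckout": 1 << 8,
    "ManagePersonalViews": 1 << 9,
    "ManageLists": 1 << 11,
    "ViewFormPages": 1 << 12,
    "Open": 1 << 16,
    "ViewPages": 1 << 17,
    "AddAndCustomizePages": 1 << 18,
    "ApplyThemeAndBorder": 1 << 19,
    "ApplyStyleSheets": 1 << 20,
    "ManageSubwebs": 1 << 23,
    "CreateGroups": 1 << 24,
    "ManagePermissions": 1 << 25,
    "BrowseDirectories": 1 << 26,
    "BrowseUserInfo": 1 << 27,
    "ManageWeb": 1 << 30,
}

# Constructed, simplified levels ordered least to most privileged
# (the real built-in levels carry more rights than listed here).
PERMISSION_LEVELS: dict = {
    "Read": frozenset({"ViewListItems", "OpenItems", "ViewVersions",
                       "ViewFormPages", "Open", "ViewPages", "BrowseUserInfo"}),
}
PERMISSION_LEVELS["Contribute"] = PERMISSION_LEVELS["Read"] | {
    "AddListItems", "EditListItems", "DeleteListItems",
    "DeleteVersions", "ManagePersonalViews",
}
PERMISSION_LEVELS["FullControl"] = frozenset(BASE_PERMISSIONS)


def build_mask(rights: Iterable[str]) -> int:
    """OR the named rights together into a numeric mask; reject unknown names."""
    mask = 0
    for name in rights:
        if name not in BASE_PERMISSIONS:
            raise ValueError(f"unknown right: {name}")
        mask |= BASE_PERMISSIONS[name]
    return mask


def decode_mask(mask: int) -> tuple:
    """Return (known right names set in mask, leftover bits not in the table)."""
    names = [name for name, bit in BASE_PERMISSIONS.items() if mask & bit]
    leftover = mask & ~build_mask(names)
    return names, leftover


def classify_level(mask: int) -> Optional[str]:
    """Name the most privileged level whose rights are all present in mask."""
    best = None
    for level, rights in PERMISSION_LEVELS.items():
        needed = build_mask(rights)
        if mask & needed == needed:
            best = level
    return best


def missing_rights(granted: int, required: Iterable[str]) -> list:
    """Troubleshooting: rights an action needs that are absent from granted."""
    return [r for r in required if not granted & BASE_PERMISSIONS[r]]


def excess_rights(granted: int, level: str) -> list:
    """Least-privilege audit: rights in granted beyond what the named level needs."""
    allowed = build_mask(PERMISSION_LEVELS[level])
    names, _ = decode_mask(granted & ~allowed)
    return names


if __name__ == "__main__":
    edit_mask = build_mask(["ViewListItems", "AddListItems",
                            "EditListItems", "DeleteListItems"])
    print("mask:", edit_mask, "decodes to:", decode_mask(edit_mask))
    # Constructed scenario: a user holding only the Read level cannot edit.
    reader = build_mask(PERMISSION_LEVELS["Read"])
    print("missing for edit:", missing_rights(reader, ["ViewListItems", "EditListItems"]))
    # Constructed scenario: a contributor who was also handed ManagePermissions.
    over = build_mask(PERMISSION_LEVELS["Contribute"]) | BASE_PERMISSIONS["ManagePermissions"]
    print("level:", classify_level(over), "excess:", excess_rights(over, "Contribute"))
```

`decode_mask` returns any bits it cannot name rather than silently dropping them, so a mask carrying a right outside the table shows up in an audit instead of being reported as a smaller grant than it really is; `excess_rights` is the check to run before widening a mask in step 4 above, to confirm the adjustment adds only the rights the blocked action needs.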
