Jun 13
SharePoint 2013 default permission levels may shock you

To save time, SharePoint pre-defines different combinations of permissions. These pre-defined permission levels are known as the "default permission levels".

SharePoint 2010 provided a default SharePoint Group called "Members" which was assigned the "Contribute" permission level. This is the group we would assign most users to: the people who create and edit documents in predefined libraries.

This level includes all permissions in Read, plus:

  • View, add, update and delete Items
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add/Remove Personal Web Parts
  • Update Personal Web Parts

In 2013 the "Members Group" permission level has changed to "Edit".

This level includes all permissions in Read, plus:

  • View, add, update and delete Items
  • Add, Edit and Delete Lists
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add, Update, or Remove Personal Web Parts

So now the users who we intended to just manage files in predefined libraries can also delete and create new libraries! In a well-controlled SharePoint environment where libraries have been created with default metadata based on a taxonomy, the ability to create new "rogue" libraries is undesirable.
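One way to check an existing site collection for this, as an added example (not code from the original post): the script lists every principal whose permission level carries the Manage Lists permission, and can optionally move each site's Members group from Edit to Contribute. The site URL is a placeholder, the `$fix` switch is a name chosen here, and the remediation branch assumes the default Edit and Contribute levels have not been deleted.

```powershell
# Added example, not from the original post. Run in the SharePoint 2013
# Management Shell on a farm server with rights to the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.com/sites/placeholder'  # placeholder URL
$fix     = $false  # hypothetical switch: $true swaps Edit for Contribute on Members groups

$manageLists = [Microsoft.SharePoint.SPBasePermissions]::ManageLists
$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Webs that inherit permissions are reported through their parent.
            if (-not $web.HasUniqueRoleAssignments) { continue }
            $members = $web.AssociatedMemberGroup
            if ($fix) {
                # Look the levels up by type so localized names do not matter.
                $edit       = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Editor)
                $contribute = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)
            }

            # Copy to an array so an update does not disturb the enumeration.
            foreach ($ra in @($web.RoleAssignments)) {
                # Report every principal whose level can add, edit or delete lists.
                foreach ($rd in @($ra.RoleDefinitionBindings)) {
                    if ($rd.BasePermissions.HasFlag($manageLists)) {
                        [pscustomobject]@{ Web = $web.Url; Principal = $ra.Member.Name; Level = $rd.Name }
                    }
                }

                # Optional remediation, limited to the site's associated Members group.
                $isMembers = $members -and ($ra.Member.ID -eq $members.ID)
                if ($fix -and $isMembers -and $ra.RoleDefinitionBindings.Contains($edit)) {
                    $ra.RoleDefinitionBindings.Remove($edit)
                    if (-not $ra.RoleDefinitionBindings.Contains($contribute)) {
                        $ra.RoleDefinitionBindings.Add($contribute)
                    }
                    $ra.Update()
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }
```

Owners and Designers will appear in the report as well, since their levels also include Manage Lists; the rows to look at are the Members groups and any individually assigned users.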

Comments

I looked at both my Office 365 SharePoint instance and my on-prem instance and the permission level "Contribute" didn't have the Manage Lists (the one that allows for adding, editing, and deleting lists/libraries) permission checked. Can you give a few more details concerning your environment, version, etc. to help us know if we are in danger?
 on 6/24/2014 12:47 PM