The permissions management system in SharePoint Online allows the administrator to define different levels of access rights for users to SharePoint objects, including sites, lists, folders, and items.
In this article, we’ll look at SharePoint Online’s basic built-in permissions, how to effectively manage permissions in SPO, and how to create and assign custom permission sets.
Administrators and owners can manage permissions through the SharePoint web interface.
- Navigate to your SharePoint site, click on the gear icon, and select Site permissions;
- Click Advanced permissions settings;
- It opens the traditional SharePoint management web interface;
The following security groups are created for each SharePoint site by default:
- Owners – full control over the site and all of its elements.
- Members – users can add and edit the content on the site.
- Visitors – can only read and download documents.
You can assign one of 7 default permission levels to the site. SharePoint Online permission levels define a collection of individual permissions granted to users or groups:
- Full Control – users have full control of the site (item).
- Design – users can view, add, update, delete, approve, and customize items or site pages;
- Edit – users can add, edit and delete lists. They can view, add, update and delete list items and documents.
- Contribute – users can view, add, update, and delete list items and documents.
- Read – users can view pages and list items, and download documents.
- Restricted View – users can view pages, list items, and documents, but cannot download them.
- Limited Access – allows users to access shared resources and specific assets without granting them access to the entire site.
To assign one of these roles to an SPO site:
- Click Grant Permissions;
- Enter the name(s) of the user(s) and/or group(s) you want to grant access to. Select one of the permission levels;
- By default, SharePoint will send an e-mail invitation to the members of these groups. You can disable this option;
- The groups you select with the access level you specify will appear in the Site Permissions list.
In addition to the default permission levels, you can create your own custom permission levels. Click Permissions Levels > Add a permission level.
Give an appropriate name and description to the new custom permission level. You can then select the required permissions in the List permissions, Site permissions, Personal permissions sets.
Click Create. At this point, your custom permission level will appear in the list of available permissions on the SharePoint site and you will be able to assign it to the group or user you want.
SharePoint allows you to view the resulting set of permissions that you assign to a user or group on a site or item.
- Click on the Check Permissions button;
- Type the name of the user or group whose resulting permissions you want to know, and click Check Now;
- You will see a list of the effective levels of permissions granted to this user.
Above we looked at how to manage the default SharePoint site permissions, which allow you to set the security setting at a site level, affecting all document libraries, lists, pages, folders, and items. If site-level permissions are not appropriate for your situation, you can set permissions for the document library, lists, folders, or specific files.
For example, there is a folder called Docs in your SharePoint library. To view the permissions assigned to a folder, select it and click Manage Access. 
Then select Advanced Settings from the top menu.
By default, all nested site objects inherit the permissions of the top-level site object. However, you can disable inheritance and assign custom permissions.
- Click Stop Inheriting Permissions;
- You can now add or remove any of the permissions assigned to the folder.
