SharePoint Roles & Permissions | OpsBlu Docs

SharePoint Roles & Permissions

SharePoint Online permission levels -- site collection admin, permission groups, and sharing settings for analytics integration.

SharePoint uses a hierarchical permission model with site collections, sites, libraries, and items. Permissions are managed through SharePoint groups and permission levels integrated with Microsoft 365/Azure AD.

Permission Levels

Level Full Control Design Edit Contribute Read View Only
Manage lists/libraries Yes Yes No No No No
Edit pages Yes Yes Yes No No No
Add/edit list items Yes Yes Yes Yes No No
View pages and items Yes Yes Yes Yes Yes Yes
Manage permissions Yes No No No No No
Manage site settings Yes No No No No No
Add web parts/scripts Yes Yes No No No No

Default SharePoint Groups

Group Default Permission Level Typical Use
Site Owners Full Control Site administrators
Site Members Edit Content contributors
Site Visitors Read Read-only access

Analytics-Relevant Permissions

To add custom scripts (analytics) to SharePoint, you need one of:

  1. Site Collection Admin -- Can enable custom scripts site-wide
  2. Full Control with custom scripts enabled -- Can add Script Editor or Embed web parts
# Enable custom scripts on a SharePoint site (requires admin)
# SharePoint Admin Center > Sites > Active Sites > [Site] > Settings
# Or via PowerShell:
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/analytics" `
  -DenyAddAndCustomizePages $false

# This allows adding Script Editor web parts with GA4 tracking

Adding Analytics via SPFx Extension

For a managed approach, use a SharePoint Framework (SPFx) application customizer:

// src/extensions/analyticsExtension/AnalyticsExtension.ts
import { BaseApplicationCustomizer } from '@microsoft/sp-application-base';

export default class AnalyticsExtension extends BaseApplicationCustomizer<{}> {
  public onInit(): Promise<void> {
    const script = document.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX';
    document.head.appendChild(script);

    const config = document.createElement('script');
    config.text = `window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','G-XXXXXXXXXX');`;
    document.head.appendChild(config);
    return Promise.resolve();
  }
}

Azure AD Integration

SharePoint permissions sync with Azure AD groups:

# Add an Azure AD group to a SharePoint group
Add-SPOUser -Site "https://contoso.sharepoint.com/sites/analytics" `
  -Group "Site Members" `
  -LoginName "analytics-team@contoso.onmicrosoft.com"

Best Practices

  1. Use SPFx application customizers for analytics rather than Script Editor web parts
  2. Restrict Full Control to site owners -- use Edit level for content contributors
  3. Leverage Azure AD groups for centralized user management
  4. Custom scripts are disabled by default on modern SharePoint -- enable only when needed
  5. Use the SharePoint Admin Center to audit permissions across site collections
Nach oben