SharePoint uses a hierarchical permission model with site collections, sites, libraries, and items. Permissions are managed through SharePoint groups and permission levels integrated with Microsoft 365/Azure AD.
Permission Levels
| Capability | Full Control | Design | Edit | Contribute | Read | View Only |
|---|---|---|---|---|---|---|
| Manage lists/libraries | Yes | Yes | No | No | No | No |
| Edit pages | Yes | Yes | Yes | No | No | No |
| Add/edit list items | Yes | Yes | Yes | Yes | No | No |
| View pages and items | Yes | Yes | Yes | Yes | Yes | Yes |
| Manage permissions | Yes | No | No | No | No | No |
| Manage site settings | Yes | No | No | No | No | No |
| Add web parts/scripts | Yes | Yes | No | No | No | No |
Default SharePoint Groups
| Group | Default Permission Level | Typical Use |
|---|---|---|
| Site Owners | Full Control | Site administrators |
| Site Members | Edit | Content contributors |
| Site Visitors | Read | Read-only access |
Analytics-Relevant Permissions
To add custom scripts (analytics) to SharePoint, you need one of:
- Site Collection Admin -- Can enable custom scripts site-wide
- Full Control with custom scripts enabled -- Can add Script Editor or Embed web parts
```powershell
# Enable custom scripts on a SharePoint site (requires admin)
# SharePoint Admin Center > Sites > Active Sites > [Site] > Settings
# Or via PowerShell:
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/analytics" `
    -DenyAddAndCustomizePages $false
# This allows adding Script Editor web parts with GA4 tracking
```
Adding Analytics via SPFx Extension
For a managed approach, use a SharePoint Framework (SPFx) application customizer:
```typescript
// src/extensions/analyticsExtension/AnalyticsExtension.ts
import { BaseApplicationCustomizer } from '@microsoft/sp-application-base';

export default class AnalyticsExtension extends BaseApplicationCustomizer<{}> {
  public onInit(): Promise<void> {
    // Load the gtag.js library asynchronously from Google Tag Manager
    const script = document.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX';
    document.head.appendChild(script);

    // Inline bootstrap: create dataLayer and configure the GA4 property
    const config = document.createElement('script');
    config.text = `window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','G-XXXXXXXXXX');`;
    document.head.appendChild(config);

    return Promise.resolve();
  }
}
```
Azure AD Integration
Azure AD groups can be added to SharePoint groups, so site access follows Azure AD group membership:
```powershell
# Add an Azure AD group to a SharePoint group
Add-SPOUser -Site "https://contoso.sharepoint.com/sites/analytics" `
    -Group "Site Members" `
    -LoginName "analytics-team@contoso.onmicrosoft.com"
```
Best Practices
- Use SPFx application customizers for analytics rather than Script Editor web parts
- Restrict Full Control to site owners -- use Edit level for content contributors
- Leverage Azure AD groups for centralized user management
- Custom scripts are disabled by default on modern SharePoint -- enable only when needed
- Use the SharePoint Admin Center to audit permissions across site collections
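
To support the "enable only when needed" and audit points above, the following added example (not from the original page) lists who holds a script-capable permission level on sites where custom script is allowed. The function name `Get-CustomScriptExposure`, its parameters and the sample data are assumptions made for illustration; `Get-SPOSite` and `Get-SPOSiteGroup` are the real SharePoint Online cmdlets it is meant to be fed from.

```powershell
function Get-CustomScriptExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,
        # Returns group objects (Title, Roles, Users) for a site URL; the default
        # calls Get-SPOSiteGroup and needs an active Connect-SPOService session.
        [scriptblock] $GroupLookup = { param($Url) Get-SPOSiteGroup -Site $Url },
        # Levels the page's table marks "Yes" for "Add web parts/scripts".
        [string[]] $ScriptCapableLevels = @('Full Control', 'Design')
    )
    foreach ($site in $Sites) {
        # 'Disabled' = the deny rule is off, so custom script is allowed.
        if ("$($site.DenyAddAndCustomizePages)" -ne 'Disabled') { continue }
        foreach ($group in (& $GroupLookup $site.Url)) {
            $levels = @($group.Roles | Where-Object { $ScriptCapableLevels -contains $_ })
            if ($levels.Count -eq 0) { continue }
            foreach ($user in $group.Users) {
                [pscustomobject]@{
                    Site = $site.Url; Group = $group.Title
                    Level = $levels -join ','; Principal = $user
                }
            }
        }
    }
}

# Constructed sample data so the function runs without a tenant connection.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/analytics'; DenyAddAndCustomizePages = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'; DenyAddAndCustomizePages = 'Enabled' }
)
$sampleGroups = {
    param($Url)
    [pscustomobject]@{ Title = 'Site Owners'; Roles = @('Full Control'); Users = @('owner@contoso.onmicrosoft.com') }
    [pscustomobject]@{ Title = 'Site Members'; Roles = @('Edit'); Users = @('analytics-team@contoso.onmicrosoft.com') }
}
Get-CustomScriptExposure -Sites $sampleSites -GroupLookup $sampleGroups | Format-Table -AutoSize

# Against a tenant (after Connect-SPOService), assuming the returned site
# objects expose DenyAddAndCustomizePages:
# Get-CustomScriptExposure -Sites (Get-SPOSite -Limit All)
```

Only members of SharePoint groups are reported; site collection administrators, who can also enable custom scripts, need a separate check.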