SharePoint: Understanding the Permission Inheritance Hierarchy

Summary

This article explains how permission inheritance works in modern SharePoint Online. Sites, libraries, folders, and files in SharePoint are all securable objects; each one either inherits its permissions from its parent or carries unique permissions of its own. Understanding this hierarchy helps keep your site secure, predictable, and easy to manage.


Content


SharePoint Online uses a flat site architecture, meaning each site is created at the top level rather than underneath another site. Subsites are no longer recommended.

Sites may be associated with a Hub site for shared navigation, branding, and search scope, but Hub association does not by default create shared permissions or security inheritance. Each SharePoint site still functions as its own independent securable object and manages its own permissions. Within a site, the securable objects are:

  • Document libraries
  • Folders
  • Files (documents/items)
  • Lists and list items

Each object inherits permissions from the object above it unless inheritance is broken. Site Owners are responsible for managing this structure and ensuring access is appropriate.


Key Concepts in this Article

Modern SharePoint Online uses a clean, flat permission structure based on inheritance:

  • Sites → Libraries → Folders → Files
  • Inheritance keeps permission management simple and consistent
  • Breaking inheritance introduces complexity but can be used when necessary
  • Sharing with non-members automatically creates unique permissions
  • Best practice is to plan content so that inheritance can be maintained
  • For a fuller understanding, review the KB Article SharePoint: Breaking and Managing Permission Inheritance

Understanding these concepts helps you create secure, predictable, and easier-to-maintain SharePoint sites.

Securable Objects in SharePoint Online

From highest to lowest level:

  1. Site
  2. Document library
  3. Folder
  4. File or list item

Each of these levels can inherit permissions or can be configured to have unique permissions.


Default Permission Inheritance

By default:

  • The site defines the primary permissions (usually via its Microsoft 365 Group).
  • All document libraries inherit permissions from the site.
  • All folders inherit from their library.
  • All files inherit from their folder or library.

This structure keeps permissions consistent and easier to manage.


Breaking Permission Inheritance

For complete details, see the KB Article SharePoint: Breaking and Managing Permission Inheritance.

What it means

Breaking inheritance means that a library, folder, or file stops inheriting permissions from its parent. Instead, the object receives a copy of the parent’s permissions that can then be modified independently.

Effects

  • Changes made to the parent no longer flow to the object.
  • The object becomes a “unique permission” object.
  • Troubleshooting access becomes more complex.


How inheritance is often broken

Inheritance is automatically broken when:

  • A library, folder, or file is shared with non-members of the site.
  • Someone uses Specific People sharing for individuals outside the existing site permissions.

These actions create unique permissions behind the scenes.


Microsoft 365 Groups and Site Permissions

Most modern SharePoint team sites are connected to a Microsoft 365 Group.

  • Group Owners = Site Owners
  • Group Members = Site Members
  • Changing membership in the Group changes access to the site.
  • Sharing individual files/folders with non-members does not change Group membership; it simply breaks inheritance for that object.
  • This distinction is important when troubleshooting access issues.


Automatic Permission Breaks When Sharing

When a site member shares:

  • a file,
  • a folder, or
  • a library

with someone who is not already a member of the site, SharePoint automatically:

  1. Breaks inheritance for that object
  2. Copies existing site/library permissions
  3. Adds the new person or sharing link permissions

This creates unique permissions that do not update if the parent site’s permissions later change.


Inheritance Limitations in SharePoint Online

Microsoft enforces limitations to ensure performance:

  • You cannot break inheritance on a library or folder containing more than 100,000 items.
  • You cannot restore inheritance on a library or folder containing more than 100,000 items.
  • You can still break inheritance on individual files inside a large library.

This is particularly relevant for high-volume university sites.


Best Practices for Managing Permissions

Recommended

  • Keep permissions inherited whenever possible.
  • Create separate libraries for content that needs different access.
  • Store sensitive content in its own library or its own site.
  • Use the Manage Access panel instead of ad-hoc sharing links.
  • Review permissions periodically as part of site hygiene.

Avoid

  • Using unique permissions on individual files unless absolutely necessary.
  • Mixing sensitive and non-sensitive documents in the same library.
  • Sharing via Anyone links for long-term or sensitive data.
  • Deep, complex folder structures with inconsistent access.
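To support the periodic permission review recommended above, the following added example (not part of this article) lists every library, folder, and file in one site that no longer inherits its permissions, using the PnP.PowerShell module (assumed installed). The site URL is a placeholder, and the account used is assumed to be a Site Owner.

```powershell
# Added example, not from the article: audit one site for objects with unique
# permissions (broken inheritance) at each level of the hierarchy.
# Assumes PnP.PowerShell is installed; newer versions also require -ClientId
# for an app registration. Replace the placeholder URL with your own site.
Connect-PnPOnline -Url "https://<tenant>.sharepoint.com/sites/<SiteName>" -Interactive

$findings = @()

# Level 2 of the hierarchy: document libraries and lists (system lists skipped)
$lists = Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object { -not $_.Hidden }

foreach ($list in $lists) {
    if ($list.HasUniqueRoleAssignments) {
        $findings += [pscustomobject]@{ Level = 'Library'; Path = $list.Title; Note = 'Does not inherit from site' }
    }

    # Levels 3 and 4: folders and files/items inside the library.
    # HasUniqueRoleAssignments is not a list field, so it is loaded per item;
    # on very large libraries this takes a while.
    $items = Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef","FSObjType"
    foreach ($item in $items) {
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if ($unique) {
            # FSObjType 1 = folder, 0 = file or list item
            $level = if ([int]$item["FSObjType"] -eq 1) { 'Folder' } else { 'File/Item' }
            $findings += [pscustomobject]@{ Level = $level; Path = $item["FileRef"]; Note = 'Does not inherit from parent' }
        }
    }
}

# Objects with unique permissions are the ones to review: changes to the site's
# Microsoft 365 Group membership no longer flow down to them.
$findings | Sort-Object Level, Path | Format-Table -AutoSize
$findings | Export-Csv -Path ".\unique-permissions-audit.csv" -NoTypeInformation
```

Each row in the CSV is an object whose access must be checked on its own (for example through the Manage Access panel), because site-level changes no longer reach it.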


Example of a Well-Structured Site

Site: <Campus> Finance Team (Group-connected site)

  • Document Library: Shared Resources

    • Inherits site permissions

  • Document Library: Budget Work

    • Inherits site permissions

  • Document Library: Payroll

    • Unique permissions (restricted to specific finance staff only)

This approach avoids subsites but still separates data by access needs.


Further Reading

SharePoint: Using the Manage Access Option to Manage File/Folder Permissions

SharePoint: Breaking and Managing Permission Inheritance

Microsoft: Permissions inheritance in SharePoint

Microsoft: Customize permissions for a SharePoint list or library


Need additional help?

For assistance concerning site creation, content sharing, file synchronization, or other common SharePoint, OneDrive, Teams, or Office app activities, we recommend our Microsoft 365 Learning sites:

Learn more about the great tools our Microsoft 365 Learning sites offer!

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.