When you think about user permissions in SharePoint, you typically think of the four main out-of-the-box permissions levels: Full Control, Design, Contributor, and Read. These, and other permissions levels, exist at every level of a SharePoint site collection. They are established on the top-level site, and are available for all subsites, list, libraries, and items. There is another type of permission that overrides even Full Control: The SharePoint Site Collection Administrator.
How is the SharePoint Site Collection Administrator Different from Full Control?
First, what can an Owner do?
When a site collection is first created, SharePoint automatically creates three user groups. The name of the groups includes the name of the site by default. If I create a site collection called Acme Supplies Intranet, the three groups will be Acme Supplies Intranet Owners, Acme Supplies Intranet Members, and Acme Supplies Intranet Visitors. The Owners group is assigned Full Control permissions, the Members have Contribute, and the Visitors have Read. Of course the names and permissions can be changed, and additional groups and permission levels can be created as needed. These are the starter set, however.
At Acme, the user WECoyote is in the Owners group. Because he has Full Control permission, he has complete control over the site. Not only can he create and configure lists and libraries, he can create subsites. He can also perform some higher administrative functions for the site collection such as setting permissions of other users, view site analytics logs, and the like.
TIP: For a spreadsheet with the out-of-the-box groups and permission levels in SharePoint 2010, see Sharepoint Server 2010 Groups and Permissions Reference Chart.
OK, so how is the SharePoint Site Collection Administrator different?
The SharePoint Site Collection Administrator has an additional set of tools to manage the site. The SharePoint Site Collection Administrator can be thought of as a Super Owner. They have ultimate control over everything in the site collection that can be managed in the web interface. Site Collection Admins can manage the functionality of features such as Search, the Recycle Bin, Document ID, and more. They can view the Audit Log Reports, work with site collection policies, manage the site collection caching, and activate or deactivate Site Collection features. The Site Collection Admin can also add other Site Collection Admins. In short, the SharePoint Site Collection Administrator can do anything in the site collection that a system administrator can do.
It’s important to understand that the Site Collection Admin is not a full system administrator role. This role does not manage the SharePoint farm or server software, and is not a network or server administrator. In the Acme Supplies Intranet, RRunner is the Site Collection Admin. Mr. Runner cannot work in other site collections or Central Administration unless those permissions have been granted separately.
Is that the only distinction for the SharePoint Site Collection Administrator?
Beyond the features in Site Collection Settings that the Site Collection Admin can manage, there is one other permissions issue to be aware of. The SharePoint Site Collection Administrator cannot be locked out of any subsite, list, library, item, or page on the site. The permissions inheritance for any of these elements can be broken at any time, and permissions changed so that even users with Full Control rights have lesser permissions or even no permissions at all. In all cases the SharePoint Site Collection Administrator will always have full access to all of the elements and all of the data. This is especially handy when a site Owner accidentally deletes their own user account or group when creating custom permissions!
Who should be a SharePoint Site Collection Administrator?
The answer to this question will depend a great deal on your organization’s SharePoint structure and culture. In some organizations there may be only one site collection, and the SharePoint Site Collection Administrator is someone who is also a system administrator or other IT staff. If, however, there are multiple site collections, a more beneficial use of resources would be to assign a trained power user to be the SharePoint Site Collection Administrator. If the Acme Supplies SharePoint system grows to include, for example, a Records Center site collection, then the company Records Manager BBunny could be made the Site Collection Administrator. The overall system administrator CJones still retains control over the overarching platform, but does not have to be involved in the day-to-day running of the site collections.
In recent blog post (5 Signs You Have a Bad SharePoint Implementation) I described the downside of having power users that have no power. SharePoint was meant to be a collaborative system where out-of-the-box features could be managed by non-technical staff. It’s true there’s a learning curve associated with using, developing, and managing SharePoint, but by properly selecting and training the right process owner or support staff, you can allow areas of your organization to take control of their own collaborative needs. This allows truly specialized staff in IT to do what they do best, while allowing end-user tools to be managed by end-users. Turning over the role of SharePoint Site Collection Administrator to information workers is a step in that direction.
Do you or your users need to learn more about SharePoint? PremierPoint Solutions offers both SharePoint 2010 training and SharePoint 2013 training, from intensive introductory courses to intermediate and advanced courses in SharePoint document management, InfoPath, SharePoint Designer Workflow, and SharePoint self-serve business intelligence. If you need more help in getting started, we also offer SharePoint consulting services.