Create Contributors SharePoint Group for modern Communication sites

Create Contributors SharePoint Group for modern Communication sites


The default Members SharePoint Group that comes with newly created modern Communication site has been granted with 'Edit' rights. This permissions role grants user with rights to create lists and modify the navigation and could be to much delegation for a content author for example. If we want to invite user that should just add or edit pages, list items or document in libraries then we could create Contributors SharePoint group and grant that group with just contributor rights.

SharePoint Communication sites, Members group is for Power Users

Dealing with SharePoint site groups is part of securing a modern Communication site. A new modern Team site is based on Office 365 groups, but the Communication sites are still using the traditional SharePoint security model where SharePoint Site Collection Admin can mange security groups and manage users. A Communication site comes with three default user groups "Owners","Members","Visitors". The more interesting part is the permission levels assigned to the groups. They can be seen here in details Understanding permission levels in SharePoint.

The history of the SharePoint Contributors group

Previously with SharePoint 2010, the Members group was called Contributors group and the permissions role was in-fact Contribute instead of Edit, now with the modern SharePoint sites seems that Microsoft considers the site members as Power Users and grants them with more rights on a site. This is not a bad think and could generate better collaboration because of more stuff that can be done withing a SharePoint site. I think that there is still a room for a SharePoint group with Contribute permissions for non experienced SharePoint users (not a Power User).

SharePoint Contributors group can be good fit for content authors, SharePoint list maintainers

Typical requirement from stakeholders is that they need content authors that just create or maintain content, but should not be able to modify the site navigation links. Here is where the Contributors group can come into play. So that group can be used for users that are not experienced SharePoint users to ensure they would not break a component and once they become experienced enough or Power Users, then they could be moved to the Members group.

Create SharePoint Group with Contribute rights using the PnP Provisioning Schema

In SharePoint Online, we can easy bring back the Contributors group in the same setup we had it for SharePoint 2010 by the help of the PnP Provisioning engine, PnP provisioning schema and one line of PnP PowerShell script so this is how a provisioning schema should look:


<?xml version="1.0"?>
<pnp:Provisioning xmlns:pnp="http://schemas.dev.office.com/PnP/2017/05/ProvisioningSchema">
  <pnp:Preferences Generator="OfficeDevPnP.Core, Version=2.19.1710.2, Culture=neutral, PublicKeyToken=3751622786b357c2" />
  <pnp:Templates ID="CONTAINER-TEMPLATE-C8DB11078C2C4C53BE929D3491297E5E">
    
      ......
      <pnp:Security>

        <pnp:SiteGroups>
          <pnp:SiteGroup
              Title="{sitename} Contributors"
              Description="{sitename} Contributors"
              Owner="{sitename} Owners"
              OnlyAllowMembersViewMembership="false">
            <pnp:Members>
              <pnp:User Name="{siteowner}"></pnp:User>
            </pnp:Members>
          </pnp:SiteGroup>
        </pnp:SiteGroups>

        <pnp:Permissions>
          <pnp:RoleAssignments>
            <pnp:RoleAssignment Principal="{sitename} Contributors" RoleDefinition="Contribute">
            </pnp:RoleAssignment>
          </pnp:RoleAssignments>
        </pnp:Permissions>
      </pnp:Security>
      .....

Once we have the schema is a matter of executing two lines of PnP PowerShell code:


Connect-PnPOnline -Url https://xxx.sharepoint.com/sites/xxx -Credentials xxx

Apply-PnPProvisioningTemplate -Path template.xml

Create SharePoint Group with Contribute rights using the PnP PowerShell

This can also be done with PnP PowerShell code in case XML configurations does not fit to the business scenario. Here is how it can be done with PowerShell only:


Connect-PnPOnline -Url https://xxx.sharepoint.com/sites/xxx -Credentials xxx

$web = Get-PnPWeb
$title = $web.Title

New-PnPGroup -Title  "$title Contributors" -Owner "$title Owners" -DisallowMembersViewMembership

$group = Get-PnPGroup "$title Contributors"

Set-PnPGroupPermissions -Identity $group -AddRole Contribute

The same provisioning exercise can be repeated with C# code as well.

Conclusion

It is up to the Information Architecture who has the correct security rights and what security SharePoint groups has to be provisioned, but my recommendation is that your Members group should be of trained SharePoint Power Users that know how to moderate modern SharePoint site i.e. maintain custom lists, list views, document libraries, add other members, maintain site navigation and more. If a user is not trained yet to become a Power User, but still has to contribute to a list or site page then grant him/her with contribute rights until he/she is skilled and experienced enough then simply move that user to the Members group.

Posted on

Tags: SharePoint Security, Comtributor group, SharePoint permissions, SharePoint group, SharePoint permission levels, SitePage, PnP PowerShell, Team site, Communication site, SharePoint modern sites security, SharePoint Power Users, Line of business users

Comments