2/10/2013

SharePoint 2013 Site Members Can Create and Delete Lists!

 

Have you noticed that when you create a new site collection or subsite with unique permissions, your team members can:

  • Create new lists and libraries (now called Apps)
  • Customize lists and libraries
  • DELETE LISTS AND LIBRARIES!
  • The Help button on a site also says "With the proper permissions – Full Control, Design, or Edit – you can activate or deactivate specific features for your site", but my testing shows that users with Edit cannot enable/disable features. (Now that would be scary!)

In SharePoint 2007 and 2010 the default members group was assigned the Contribute permission level. Contribute permitted them to add, edit and delete content, but not lists and libraries. In SharePoint 2013 the members group is now assigned the new Edit permission level, which adds the "Manage Lists" permission.


What can you, or should you, do?

If you don't like team members deleting lists then consider one or more of the following:

  • Ask your team members to please not add, edit or delete "Apps" (Lists and Libraries)   :-)
  • In each Site Collection, edit the Edit permission level and remove the "Manage Lists" permission
  • Update your governance plan to deal with this interesting little issue
  • Enable Auditing at the site collection level so you at least know who did the damage
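
One way to apply the "remove Manage Lists from Edit" option across a whole web application. This is an added example, not code from the original post. It assumes the SharePoint 2013 Management Shell, an account with access to every site collection, and the English level name "Edit"; the parameter names are made up for this sketch.

```powershell
# Added example: report (and optionally fix) "Edit" permission levels that
# still include Manage Lists. Without -Remediate it only reports.
param(
    [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
    [string]$LevelName = "Edit",   # display name is localized; adjust if needed
    [switch]$Remediate
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$manageLists = [Microsoft.SharePoint.SPBasePermissions]::ManageLists

foreach ($site in Get-SPSite -WebApplication $WebApplicationUrl -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Permission levels are defined on the root web; a subsite has
                # its own copy only if role-definition inheritance was broken.
                if (-not ($web.IsRootWeb -or $web.HasUniqueRoleDefinitions)) { continue }

                $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
                if (-not $level -or -not $level.BasePermissions.HasFlag($manageLists)) { continue }

                $state = "present"
                if ($Remediate) {
                    # Rebuild the flag set from its names, leaving out ManageLists.
                    $kept = $level.BasePermissions.ToString().Split(',') |
                        ForEach-Object { $_.Trim() } |
                        Where-Object { $_ -ne 'ManageLists' }
                    $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($kept -join ', ')
                    $level.Update()
                    $state = "removed"
                }
                # One output row per affected web, suitable for Export-Csv.
                New-Object PSObject -Property @{
                    Web = $web.Url; Level = $LevelName; ManageLists = $state
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}
```

Run it once without -Remediate to see which sites are affected. The change applies to every group or user assigned that permission level in the site collection, not only the default Members group.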


1 comment:

Tod B. said...

Mike, thanks for the info! Letting all site members create and delete lists sounds chaotic for site owners and other site members.

Unless there's an easy SP2013 Web Application setting to make the Members group default to another Permission Level like Contribute, I'm inclined to remove "Manage Lists" from the "Edit" Permission Level on each Site Collection, as you suggest.

If we need that capability for a subset of users, we can always apply a separate Manage Lists permission level.
