Security is important when it comes to SharePoint systems. Some parts of the site may be restricted to HR users, for example, staff contracts should obviously not be seen by an entire organization. What’s great about SharePoint is it supports this kind of granularity, with an extensive security model. It allows you to configure security on many different levels, and assign a wide variety of different permission levels.
While most roles are straight-forward, there are two different roles that sometimes cause confusion: Site owner vs Site collection administrator. These roles are very important, so let’s explain the difference between them.
Site collection versus subsite
SharePoint consists of web applications, each web application contains one or more site collections, and every site collection has one or more subsites. On every level, different permissions can be assigned, giving admins options for a granular permission configuration.
Each security group has a different set of permissions. The group “Site Owner” gives the user the permissions “Full control” to that subsite. It basically gives the group members all available permissions on that specific subsite. It allows them to create and delete lists and libraries, grant other users permissions, activate site features, create new subsites, etc.
A “Site Collection Administrator” on the other hand, is granted the same permissions as the site owner on every site in the site collection. There is no way to override that on subsite level. This is a very powerful role indeed, and one that should be assigned with care.
The Site Collection Admin roles comes in handy when a site owner has removed all permissions from a subsite, leaving the subsite inaccessible to all users; except the Site Collection Administrator. It is a good security ‘catch all’ role.
Besides that, this role will grant access to “Site Collection Administration” features like Site collection features, Audit reports, Content type publishing, and so forth. These are accessed separately to other settings features (and in ‘Central Administration’ for On-Premises users).
The term “Administrator” doesn’t refer to a system administrator role, and shouldn’t be confused with classic “Server Admin” roles. It doesn’t grant permissions to execute tasks on servers, neither does it grant access to other site collections or web applications (SharePoint Online offers less control in these areas than On-Premises in any case).
Who should be assigned which role?
Site owner vs Site Collection administrator: it depends on your organization. Read more