How to grant limited "manage permissions" permission in Sharepoint?

Question

I have a Sharepoint library that is too large for a central administrator to manage permissions on all items, so I want to designate a few other people who are able to allow or disallow read/write access for arbitrary items in the library to users or groups. However, I don't want to give those few people total "manage permissions" ability because I don't want them granting themselves or others full control or design permissions, etc.

Is there a way to grant "manage only read/write permission"? Or is there a better way of accomplishing what I'm trying to do?

Thanks!

Answer 1

I don't think there is a specific permission that meets your needs for one site. I think your best option may be to split into sites or libraries you can allow others to manage for your central administrator.

Here's a related excerpt from the TechNet article, [Plan Permissions][1], that may help you more:

Users or groups are assigned a permission level for a specific securable object: site, list, library, folder, document, or item. By default, permissions for a list, library, folder, document, or item are inherited from the parent site or parent list or library. However, anyone assigned a permission level for a particular securable object that includes the Manage Permissions permission can change the permissions for that securable object. By default, permissions are initially controlled at the site level, with all lists and libraries inheriting the site permissions. Use list-level, folder-level, and item-level permissions to further control which users can view or interact with the site content. You can return to inheriting permissions from a parent list, the site as a whole, or a parent site, at any time.

Answer 2

This question pops up all the time, and I haven't been able to find an answer that immediately makes the asker happy.

I usually suggest that you stay away from item-level permissions, and instead create libraries pretty much mapping to groups. make a library for your Company X accountants, make a "Accountants at Company X" group, give them rights to that library. You should be able to trust them enough that they get to manage their own document library. If not, keeping the permissions on a per-library basis will make the workload much less, and the site administrator(s) can most likely handle the permissions on these libraries. If you want to make it easier for them, just create a formal workflow where a user can apply for access and an administrator grant it.

There are other ways, of course, but you're pointing at one of the major reasons you should stay away from item-level security. It's just a can of worms that you need to avoid opening if at all possible.