Whatever you want to call it, permissions or access, is one of the more fun and complicated pieces about SharePoint Online.
Permission levels we use at work
Because we have publishing turned on at the site collection level, we have (or are using) the following permission levels:
View: can see items, but cannot download them
Read: can see items, and can download them
Contribute: can see items, download them, and can add, change, and delete list or library items
Edit: can do everything contribute can do, and can add, change, and delete lists or libraries
Owner: can do everything edit can do, and can edit permissions, add and delete subsites.
Permissions can be set at various levels
Site collection level: while access can be set at the site collection level, we decided not to use our site collection level site for anything specific other than to house assets (images and files) for use throughout the DSA sites. Therefore, any settings we have here are very specific and somewhat more restrictive.
Site level: mostly used for our departmental and committee team sites, where all members of your department or committee are members of a site. This level of access is the most common, and is also used among sub sites within your unit.
List or library level: we might use this if we have certain files that we want to share with other people, but we don’t want to necessarily grant access to the whole site. We might also use this on a team site where there are some documents that should be private for just one or two people in a department.
Item level: mostly refers to documents, pages, or images. I can do a whole presentation on this one and what the consequences are – we’re living it in some places. Be very careful with this one. Just because you can, doesn’t mean you should.