In discussing our governance plan, someone pointed out that we were incorrectly using the terms "site owner" and "site collection administrator" somewhat interchangeably. In short, a Site Collection Administrator is the more "powerful" user.
When a Site Collection is created in SharePoint 2010, at least one user must be designated as the "Site Collection Administrator". A root Site is created in the Site Collection - and SharePoint security groups for this Site (not Site Collection) are created. One of these groups (at least for the "Team Site" template) is the Site Owners group and has full control permissions to the Site. The Site Collection Administrator is made a member of this group by default as well.
If we add a different user to the Site Owners group and then compare the Site Settings screen for a Site Collection Administrator vs a Site Owner, we see that only the Site Collection Administrator has the options shown in green.
Now, how about subsites? By default, subsites inherit the permissions from the parent site - including all of the SharePoint groups created for that site; however, we can decide not to inherit permissions when the subsite is created - or change our mind on inheritance later on from the Site Settings Permissions page. There really aren't any surprises here if you are used to other inheritance permission schemes. Generally "administrator" users cannot be blocked; whereas lesser users (our owners in this case) can be. SharePoint follows this standard scheme.
So where does this bring us from a governance standpoint? In regard to "team" and "project" sites, the evil IT overlord side of me wonders if we (the IT SharePoint team) should retain the Site Collection Admin permission and put the real owners of the site collection in the lesser site owners group. I see a few problems with this right off. First, SharePoint doesn't allow assignment of a group to site collection administrators. This would create problems if the IT user assigned as Site Collection admin to our 1000 or so site collections "moves on". Another minor problem is SharePoint sends "site use confirmation" e-mails to the site collection administrators. It isn't going to do any good for an IT user to get these notices. Finally, one of our guiding principles for our SharePoint installation is to enable "the business" to accomplish what they need to without involving IT. In the case of a team or project site perhaps it makes sense for the main person who owns the content to have Site Collection Admin permissions - possibly after some required amount of training.
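To review these assignments across many site collections, the following added example (not part of the original post) reports, per site collection, the Site Collection Administrators, the members of the root site's Owners group who are not administrators, and the subsites that no longer inherit permissions. It assumes the SharePoint 2010 Management Shell and a farm administrator account; the function name and the CSV file name are hypothetical.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper name; builds one report row per site collection.
function Get-SiteCollectionAccessReport {
    param([Microsoft.SharePoint.SPSite]$Site)

    $root = $Site.RootWeb

    # Site Collection Administrators: individual users, not blocked by broken inheritance.
    $admins = @($root.SiteAdministrators | ForEach-Object { $_.LoginName })

    # Members of the root site's Owners group who are NOT Site Collection Administrators.
    $ownersOnly = @()
    if ($root.AssociatedOwnerGroup) {
        $ownersOnly = @($root.AssociatedOwnerGroup.Users |
            Where-Object { -not $_.IsSiteAdmin } |
            ForEach-Object { $_.LoginName })
    }

    # Subsites that stopped inheriting permissions from their parent site.
    $unique = @()
    foreach ($web in $Site.AllWebs) {
        try {
            if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                $unique += $web.Url
            }
        } finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }

    New-Object PSObject -Property @{
        Url                           = $Site.Url
        SiteCollectionAdmins          = $admins -join '; '
        OwnersOnly                    = $ownersOnly -join '; '
        SubsitesWithUniquePermissions = $unique -join '; '
    }
}

# Hypothetical output path; one CSV row per site collection in the farm.
Get-SPSite -Limit All | ForEach-Object {
    try { Get-SiteCollectionAccessReport -Site $_ } finally { $_.Dispose() }
} | Select-Object Url, SiteCollectionAdmins, OwnersOnly, SubsitesWithUniquePermissions |
    Export-Csv -Path .\site-collection-access.csv -NoTypeInformation
```

Filtering the SiteCollectionAdmins column for a departing user's login shows which site collections need a new administrator assigned.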