When do I set permissions at site level vs list or library level?

Common mistake: tweaking permissions per file or per folder. Works for a while, but over time nobody knows who has access to what. Rule of thumb: as high in the hierarchy as possible, and through groups as much as possible.

Try this first

  1. By default everything on a SharePoint site inherits site permissions: members can edit, visitors can read, owners manage. For most SMB cases that's enough.
  2. Only break inheritance when there's a real business reason. For example an HR library with personnel files inside a broader HR site. Then you break inheritance on that library and grant access only to HR members.
  3. Don't break inheritance at folder level, and definitely not at file level. That creates 'broken inheritance' you'll never find again later. Better a separate library, or even a separate site, than ten broken folders.
  4. Work with Microsoft 365 groups or Entra security groups, not individuals. Removing or adding a colleague then becomes one action in Entra, not visiting 12 sites.
  5. Audit site permissions quarterly via Site Settings > Site permissions or PowerShell (Get-SPOSiteGroup, Get-PnPGroupPermissions). A list of who has access where avoids unpleasant surprises.
  6. For exceptions: if one person temporarily needs more, use 'Share' on a file or folder with an expiration date. That's a share link with expiry, not a permission change.
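
For the quarterly audit in step 5, the script below is an added example (not part of the original article) that lists every library, folder and file with broken inheritance and flags access granted to individuals instead of groups. It assumes the PnP.PowerShell module is installed and `Connect-PnPOnline` has already been run against the site; it uses `Get-PnPList`, `Get-PnPListItem` and `Get-PnPProperty` rather than the two cmdlets named above, and the CSV file name is a placeholder.

```powershell
# Added example: report every place a site breaks permission inheritance.
# Assumes PnP.PowerShell is installed and Connect-PnPOnline has already been
# run against the site to audit. The output file name is a placeholder.
$report = [System.Collections.Generic.List[object]]::new()

function Add-UniqueAssignments {
    param($SecurableObject, [string]$Level, [string]$Path)

    # Load the inheritance flag; skip anything that still inherits.
    $null = Get-PnPProperty -ClientObject $SecurableObject -Property HasUniqueRoleAssignments
    if (-not $SecurableObject.HasUniqueRoleAssignments) { return }

    $null = Get-PnPProperty -ClientObject $SecurableObject -Property RoleAssignments
    foreach ($ra in $SecurableObject.RoleAssignments) {
        $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
        # "Limited Access" is assigned automatically by SharePoint and is noise here.
        $roles = $ra.RoleDefinitionBindings | ForEach-Object Name |
            Where-Object { $_ -ne 'Limited Access' }
        if (-not $roles) { continue }
        $report.Add([pscustomobject]@{
            Level         = $Level
            Path          = $Path
            Principal     = $ra.Member.Title
            PrincipalType = $ra.Member.PrincipalType
            Roles         = $roles -join '; '
            # Step 4: access should come through groups, not individuals.
            DirectUser    = ($ra.Member.PrincipalType -eq 'User')
        })
    }
}

foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    Add-UniqueAssignments -SecurableObject $list -Level 'List/Library' -Path $list.Title
    # Folder- and file-level breaks (step 3) are the ones nobody remembers.
    foreach ($item in (Get-PnPListItem -List $list -PageSize 500)) {
        Add-UniqueAssignments -SecurableObject $item -Level $item.FileSystemObjectType `
            -Path $item.FieldValues.FileRef
    }
}

$report | Sort-Object Path | Export-Csv -Path .\site-permission-audit.csv -NoTypeInformation
$report | Group-Object Level | Select-Object Name, Count
```

The script checks each item with its own request, so it is slow on large libraries; rows with `DirectUser` set to `True` at `Folder` or `File` level are the first candidates to move into a group or a separate library.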

When to bring us in

If you have sites with extensive broken inheritance and nobody knows who has access where, it's often cheaper to rebuild the site than to untangle it. Four hours and you have order, instead of endless audit work.
