We know that there is some confusion about permissions assigned by a Web application policy. Here are answers to several questions we have recently received.
Q: Do primary or secondary site collection administrators have more permissions on a site collection than a user who has been given Full Control at the Web application policy level of the Web application containing that site collection?
A: No. A user who has been granted Full Control through a Web application policy has the same access as a primary or secondary site collection administrator, because the Full Control permission level includes the site collection administrator permission.
Q: If a user has been granted Full Control by a Web application policy, can primary or secondary site collection administrators limit the user's permissions at an individual site collection level?
A: No. One site collection administrator cannot limit another site collection administrator’s permissions. Furthermore, because the user was granted permissions through a Web application policy, other site collection administrators cannot remove that site collection administrator's access.
Q: Which permissions are part of the Full Control permission level under a Web application policy?
A: The permissions are the same as the Full Control permission level on a site, plus site collection administrator and site collection auditor permissions.
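Because policy-granted access cannot be removed from inside a site collection, it is worth auditing at the farm level. The following is an added example, not part of the original post: it uses the SharePoint server object model to list every Web application policy entry whose role carries site collection administrator or auditor rights. It assumes it is run on a SharePoint server by a farm administrator; the function name `Get-PolicyAdminGrants` is hypothetical.

```powershell
# Added example (not from the original post).
# Assumption: run on a SharePoint server under a farm administrator account.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-PolicyAdminGrants {
    # ContentService holds the content Web applications of the farm.
    $service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

    foreach ($webApp in $service.WebApplications) {
        # SPWebApplication.Policies: users/groups with a Web application policy.
        foreach ($policy in $webApp.Policies) {
            # Each policy entry is bound to one or more policy roles
            # (for example Full Control, Full Read, Deny Write, Deny All).
            foreach ($role in $policy.PolicyRoleBindings) {
                # Report only roles that include the site collection
                # administrator or site collection auditor permission.
                if ($role.IsSiteAdmin -or $role.IsSiteAuditor) {
                    $row = New-Object PSObject
                    $row | Add-Member NoteProperty WebApplication $webApp.Name
                    $row | Add-Member NoteProperty UserName       $policy.UserName
                    $row | Add-Member NoteProperty DisplayName    $policy.DisplayName
                    $row | Add-Member NoteProperty PolicyRole     $role.Name
                    $row | Add-Member NoteProperty RoleType       $role.Type
                    $row | Add-Member NoteProperty IsSiteAdmin    $role.IsSiteAdmin
                    $row | Add-Member NoteProperty IsSiteAuditor  $role.IsSiteAuditor
                    $row
                }
            }
        }
    }
}

# Every row is an account that acts as a site collection administrator
# (or auditor) on all site collections in that Web application.
Get-PolicyAdminGrants | Sort-Object WebApplication, UserName | Format-Table -AutoSize
```

Accounts in this output do not appear in a site collection's own administrator list, so review them separately from per-site-collection permission reviews.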
Many thanks to Kevin Davis (SharePoint PM) and Matt Swann (SharePoint Test) for their help.