How to Use SharePoint Item-Level Permissions
SharePoint item-level permissions affect the management of lists, folders and documents and the viewing of items and application pages. These permissions can be grouped together to create permission levels, which can be assigned to users and groups directly. These permissions consist of three groups:
- List Permissions — Permissions for managing Items and alerts
- Site Permissions — Permissions for managing subsites
- Personal Permissions — Permissions for managing personal views, profiles and personal web parts
Managing SharePoint Item-Level Permissions
You can define which item permissions are available for a site by using the “User Permissions” menu in the Web Application settings. Don’t be confused because the name of the menu is similar to “User Policy; it is a different thing.
To remove item-level permissions from a site, click on the “User Permissions” menu and uncheck the permissions you don’t want to be available on the site. Then click the “Save” button to apply your changes.
Managing Permissions Levels
To manage the permission levels for a site, navigate to “Site Permissions” in the site settings and click the “Permission Levels” button. Here are the default permission levels:
- Full Control — Full control on the site
- Design — View, add, update, delete, approve and customize
- Edit — Add, edit and delete lists; view, add, update and delete list items and documents
- Contribute — View, add, update, and delete list items and documents
- Read — View pages and list items and download documents
- Limited Access — View specific lists, document libraries, list items, folders, or documents when given permissions
To create a custom permission level, click the “Add a Permission Level” button, specify a name and description, and select a combination of item-level permissions appropriate for this custom permission level. You can use the “Select All” check box to select or clear all permissions. When you click the “Create” button, your new permission level will be added to the list and you can assign it to any group on the site.
To delete a permission level, simply select it and click the “Delete Selected Permission Levels” button. You can delete any custom permission level and any default permission level except Full Control and Limited Access.
In addition to using Permission Levels, you can also define Site Collection Administrators, who have full control permissions on the site by default. To do this, simply click the “Site Collection Administrators” button on the “Site Permissions” menu, choose the accounts that should be able to manage the site, and click “OK”.
Assigning Permissions Directly
Most permissions to objects are obtained from the permissions assigned to SharePoint and Active Directory groups. However, you can also assign permissions to the items stored on a SharePoint site directly, by taking the following steps:
- Click on the item and then click the “Shared With” button on the “Files” tab. Click “Advanced” to see what permissions these users or groups have to the item.
You will see the list of users who have access to the item:
- Break inheritance for the item by clicking the “Stop inheriting permissions” button.
- Click the “Grant Permissions” button and enter the name of the user or group you want to grant permissions to.
- Click “Show Options” and select the permission level you want to grant to the user or group.
- Click “Share” and the group or user will be added to the list and your document will have the specified unique
To remove permissions from a user or a group, select the user or group and click the “Remove User Permissions” button. To edit the permissions of a user or a group, simply select the user or group, click the “Edit User Permissions” button, select the new permissions, and click “OK”.
Note that assigning unique permission to SharePoint items is not recommended by best practices because it breaks permission inheritance. If you want to remove all unique permissions from a document, click the “Delete Unique Permissions” button.
These are all the ways you can manage SharePoint item-level permissions via the SharePoint Central Administration console. You can also manage these permissions using Microsoft PowerShell; that’s a topic for another article, but here is a list of the most useful PowerShell commands for SharePoint. Don’t forget to track and document every change made to permissions in SharePoint to help keep it secure and compliant.