Break Inheritance and Add-Remove Item Level Permission with PowerShell

Requirement: Break the permission inheritance of a SharePoint list item and grant permission only to a specific user and group.

How to Break Permission Inheritance in SharePoint?

You can change a document or item’s permissions by stopping it from inheriting permissions from its parent and then adding or removing permissions on the item directly. To break the permission inheritance of a document in a library, do the following:

  1. Navigate to the document library that contains the document requiring unique permissions.
  2. Select the document, then select the Shared With option on the Files tab of the ribbon.
  3. On the Shared With page, select the Advanced option.
  4. On the Permissions page, stop inheriting permissions by clicking the “Stop Inheriting Permissions” button on the Permissions tab of the ribbon. Confirm the prompt.

Once the permission inheritance is broken, you can add or remove users on the document. Here is how:

Change Document Permissions
To edit the permissions of a document, do the following:

  1. Navigate to the library and select the document whose permissions need to be changed.
  2. Select the Shared With option on the Files tab of the ribbon. On the Shared With page, click the Advanced option.
  3. On the Permissions page, you can grant permissions to new users by clicking the “Grant Permissions” option on the Permissions ribbon tab.
  4. You can also edit the permissions of existing users by selecting them and clicking the Edit User Permissions button on the Permissions ribbon tab.

PowerShell Script to Add Item Level Permissions in SharePoint:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration parameters
$SiteURL = "https://portal.crescent.com/"
$ListName="Profiles"
$ItemID="12"

#Get the web and Item
$Web = Get-SPWeb $SiteURL
$List = $web.Lists[$ListName]
$Item = $List.GetItemById($ItemID)

#Break Inheritance - $False: do not copy the parent's role assignments, so the item starts with no permissions at all
$Item.BreakRoleInheritance($False)

#Grant Contribute Permission to User
$User = $Web.EnsureUser("Crescent\Antony")
$PermissionLevel = "Contribute"
$RoleDefinition = $Web.RoleDefinitions[$PermissionLevel]
$RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($User)
$RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
$Item.RoleAssignments.Add($RoleAssignment)
$Item.SystemUpdate()

#Grant Read access to the Visitor Group
$GroupName = "Crescent Portal Visitors"
$PermissionLevel = "Read"
$Group = $Web.SiteGroups[$GroupName]
$RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Group)
$RoleDefinition = $Web.RoleDefinitions[$PermissionLevel]
$RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
$Item.RoleAssignments.Add($RoleAssignment)
$Item.SystemUpdate()

#Release the SPWeb object
$Web.Dispose()
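After breaking inheritance and granting permissions, it is worth confirming what the item actually ends up with, because an item with unique permissions no longer changes when the list or site permissions are tightened. The following function is an added example, not code from the original article: it reports every role assignment on one item together with the permission levels bound to it, and flags any principal still holding Full Control. The function name Get-ItemPermissionReport, the Review column and the site, list and item values are assumptions reused from the script above:

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Hypothetical helper (added example): list who has what on a single list item
Function Get-ItemPermissionReport
{
    Param(
        [Parameter(Mandatory=$true)] [string]$SiteURL,
        [Parameter(Mandatory=$true)] [string]$ListName,
        [Parameter(Mandatory=$true)] [int]$ItemID
    )
    $Web = Get-SPWeb $SiteURL
    try
    {
        $List = $Web.Lists[$ListName]
        if ($List -eq $null) { throw "List '$ListName' not found in $SiteURL" }
        $Item = $List.GetItemById($ItemID)

        $Report = @()
        #RoleAssignments returns the inherited assignments when the item still inherits,
        #so the Inherits column tells you which case you are looking at
        foreach ($RoleAssignment in $Item.RoleAssignments)
        {
            #One row per principal; a principal may hold several permission levels
            $Levels = @($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name })
            $Report += New-Object PSObject -Property @{
                Item          = $Item.Name
                Inherits      = (-not $Item.HasUniqueRoleAssignments)
                Principal     = $RoleAssignment.Member.Name
                PrincipalType = $RoleAssignment.Member.GetType().Name   #SPUser or SPGroup
                Permissions   = ($Levels -join ", ")
                #Flag anything stronger than the Contribute/Read the script above intended to grant
                Review        = ($Levels -contains "Full Control")
            }
        }
        return $Report
    }
    finally
    {
        $Web.Dispose()
    }
}

#Verify item 12 in the Profiles list after the script above has run
Get-ItemPermissionReport -SiteURL "https://portal.crescent.com/" -ListName "Profiles" -ItemID 12 |
    Format-Table Item, Inherits, PrincipalType, Principal, Permissions, Review -AutoSize
```

Run it once before breaking inheritance and once after; the Inherits column should flip from True to False and only the user and group you granted should remain.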

How to Remove User Permissions from a List Item using PowerShell?

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration parameters
$SiteURL = "https://intranet.crescent.com"
$ListName="Project Tasks"
$ItemID="10"

#Get the web, Item and User Objects
$Web = Get-SPWeb $SiteURL
$List = $web.Lists[$ListName]
$Item = $List.GetItemById($ItemID)
$User = $web.EnsureUser("crescent\Tony")
$Group = $web.SiteGroups["Approvers"]  

#Break Inheritance - $True copies the current permissions, so the unwanted user can then be removed individually
$Item.BreakRoleInheritance($True) #Breaks permission inheritance, if it's not already broken
$Item.RoleAssignments.Remove($User)
#$Item.RoleAssignments.Remove($Group)

$Item.SystemUpdate()

In another requirement, we had to set item-level permission for a SharePoint group on all documents in a specific document library with 100+ documents. Earlier, I wrote C# code in an event receiver to set item-level permissions. This time let me do it with PowerShell for SharePoint 2007.

Set Item Level Permission to All Items in a List using PowerShell

# For MOSS 2007 compatibility
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

#Region MOSS2007-CmdLets
Function global:Get-SPSite()
{
    Param( [Parameter(Mandatory=$true)] [string]$SiteCollURL )

    if ($SiteCollURL -ne '')
    {
        return New-Object Microsoft.SharePoint.SPSite($SiteCollURL)
    }
}

Function global:Get-SPWeb()
{
    Param( [Parameter(Mandatory=$true)] [string]$SiteURL )

    $Site = Get-SPSite($SiteURL)
    if ($Site -ne $null)
    {
        $Web = $Site.OpenWeb()
    }
    return $Web
}
#EndRegion

Function AddItemLevelPermissionToGroup()
{
    #Define Parameters
    Param( [Parameter(Mandatory=$true)] [string]$SiteURL,
           [Parameter(Mandatory=$true)] [string]$ListName,
           [Parameter(Mandatory=$true)] [string]$GroupName,
           [Parameter(Mandatory=$true)] [string]$PermissionLevel )

    #Get the Web
    $Web = Get-SPWeb($SiteURL)

    #Get the List
    $List = $Web.Lists[$ListName]
    if ($List -ne $null)
    {
        #Resolve the Group and Permission Level before touching any item:
        #BreakRoleInheritance($False) leaves an item with no permissions, so a missing group would lock every item
        $Group = $Web.SiteGroups[$GroupName]
        $RoleDefinition = $Web.RoleDefinitions[$PermissionLevel]

        if ($Group -ne $null -and $RoleDefinition -ne $null)
        {
            #Loop through each Item in the List
            foreach ($Item in $List.Items)
            {
                #Check if Item has Unique Permissions. If not, break inheritance
                if ($Item.HasUniqueRoleAssignments -eq $False)
                {
                    #False: do not copy the parent's permissions, so all users & groups are removed from the Item's permissions
                    $Item.BreakRoleInheritance($False)
                }

                $RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Group)
                #Bind the Permission Level, such as "Read", "Contribute", etc.
                $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
                #Grant Access to specified Group
                $Item.RoleAssignments.Add($RoleAssignment)
                #To Remove Access: call $Item.RoleAssignments.Remove($Group). No need for the RoleAssignment and RoleDefinition objects
                $Item.SystemUpdate()
                Write-Host "Successfully added $PermissionLevel to $GroupName group in $($Item.Name)" -ForegroundColor Green
            }
        }
        else
        {
            Write-Host "Group '$GroupName' or Permission Level '$PermissionLevel' not found in $SiteURL" -ForegroundColor Red
        }
    }
    $Web.Dispose()
}

#Call the Function to Grant Item Level Permission
#Parameters: $SiteURL, $ListName, $GroupName, $PermissionLevel
AddItemLevelPermissionToGroup "https://sharepoint.crescent.com/sites/sales" "Documents" "Approvers" "Read"
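Bulk-breaking inheritance on 100+ items is easy to undo only if you have a matching bulk rollback, and items with unique permissions are also the ones that silently drift away from the list's permission model. The following function is an added example, not part of the original article, written against the SharePoint 2010+ snap-in rather than the MOSS 2007 wrappers above: it resets inheritance on every item that currently has unique permissions, supports -WhatIf so the change can be previewed, and returns the number of items touched. The function name Restore-ItemPermissionInheritance and the site and list values are assumptions:

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Hypothetical helper (added example): make every item in a list inherit permissions from the list again
Function Restore-ItemPermissionInheritance
{
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param(
        [Parameter(Mandatory=$true)] [string]$SiteURL,
        [Parameter(Mandatory=$true)] [string]$ListName
    )
    $Web = Get-SPWeb $SiteURL
    try
    {
        $List = $Web.Lists[$ListName]
        if ($List -eq $null) { throw "List '$ListName' not found in $SiteURL" }

        $Restored = 0
        foreach ($Item in $List.Items)
        {
            #Only items with unique permissions need to be reset; inheriting items are untouched
            if ($Item.HasUniqueRoleAssignments)
            {
                #With -WhatIf this prints "What if: ..." and skips the change
                if ($PSCmdlet.ShouldProcess($Item.Name, "Reset permission inheritance"))
                {
                    #ResetRoleInheritance discards the item's own role assignments and
                    #makes it inherit from the list again; no SystemUpdate() is required
                    $Item.ResetRoleInheritance()
                    $Restored++
                }
            }
        }
        return $Restored
    }
    finally
    {
        $Web.Dispose()
    }
}

#Preview first, then run for real (site and list values are constructed placeholders)
Restore-ItemPermissionInheritance -SiteURL "https://sharepoint.crescent.com/sites/sales" -ListName "Documents" -WhatIf
Restore-ItemPermissionInheritance -SiteURL "https://sharepoint.crescent.com/sites/sales" -ListName "Documents"
```

Any permission that was granted directly on an item is lost by the reset, so capture a report of the unique assignments before running it if you may need them again.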

How to Break List Permissions and grant access to a user using PowerShell?

Similarly, we can break inheritance on a list and add users at the list level. Here the list is made to copy its current permissions first, then the user is granted the permission level:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration parameters
$SiteURL = "https://intranet.crescent.com"
$ListName = "Project Tasks"
$PermissionLevel = "Contribute"

#Get the Web and List
$Web = Get-SPWeb $SiteURL
$List = $Web.Lists[$ListName]

#Break Inheritance on the List - $True copies the current permissions
$List.BreakRoleInheritance($True)

#Get the User
$User = $Web.EnsureUser('global\salaudeen')
$RoleDefinition = $Web.RoleDefinitions[$PermissionLevel]

$RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($User)
$RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)

$List.RoleAssignments.Add($RoleAssignment)
$List.Update()
Write-Host "Successfully added $($User.LoginName) to $($List.Name)" -ForegroundColor Green
$Web.Dispose()

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he is passionate about sharing knowledge and insights to help others through real-world articles.

5 thoughts on “Break Inheritance and Add-Remove Item Level Permission with PowerShell”

  • You are one of the best solution providers. Any code in your blog is simple, straightforward and understandable.

    Reply
  • How can I replace list item permissions for all list items?
    i.e. replacing the Owners group from Full Control to have Read, but for all items in a list or when status is Open?

    Please advise?

    Reply
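The question above (replace the permission level a group holds, on every item or only on items in a given status) is a common variation of the article's script, and the main subtlety is that an inheriting item has no assignment of its own to modify. The following function is an added example and not the author's code: it breaks inheritance with a copy of the parent's assignments where needed, locates the group's own assignment on each matching item, and swaps its bindings for the new permission level. The function name Set-ItemGroupPermissionLevel, the optional field filter and the group, site and list values are assumptions:

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Hypothetical helper (added example): replace the permission level a group holds on list items,
#optionally only on items where a field matches a value (e.g. Status = Open)
Function Set-ItemGroupPermissionLevel
{
    Param(
        [Parameter(Mandatory=$true)] [string]$SiteURL,
        [Parameter(Mandatory=$true)] [string]$ListName,
        [Parameter(Mandatory=$true)] [string]$GroupName,
        [Parameter(Mandatory=$true)] [string]$NewPermissionLevel,
        [string]$FilterField,    #optional: only items where this field ...
        [string]$FilterValue     #... equals this value
    )
    $Web = Get-SPWeb $SiteURL
    try
    {
        $List  = $Web.Lists[$ListName]
        $Group = $Web.SiteGroups[$GroupName]
        $NewRoleDefinition = $Web.RoleDefinitions[$NewPermissionLevel]
        if ($List -eq $null -or $Group -eq $null -or $NewRoleDefinition -eq $null)
        {
            throw "List '$ListName', group '$GroupName' or permission level '$NewPermissionLevel' not found in $SiteURL"
        }

        #Filter items on the requested field; with no filter, every item is processed
        $Items = $List.Items | Where-Object { (-not $FilterField) -or ($_[$FilterField] -eq $FilterValue) }

        $Changed = 0
        foreach ($Item in $Items)
        {
            #An inheriting item has no role assignments of its own: break inheritance
            #copying the parent's assignments ($True), then modify the copy
            if (-not $Item.HasUniqueRoleAssignments)
            {
                $Item.BreakRoleInheritance($True)
            }

            #Find the group's existing assignment on this item by principal ID (null if it has none)
            $Assignment = $Item.RoleAssignments | Where-Object { $_.Member.ID -eq $Group.ID } | Select-Object -First 1
            if ($Assignment -ne $null)
            {
                #Replace whatever levels the group held with the single new level
                $Assignment.RoleDefinitionBindings.RemoveAll()
                $Assignment.RoleDefinitionBindings.Add($NewRoleDefinition)
                $Assignment.Update()
                $Changed++
                Write-Host "$($Item.Name): $GroupName now has $NewPermissionLevel" -ForegroundColor Green
            }
        }
        return $Changed
    }
    finally
    {
        $Web.Dispose()
    }
}

#Demote the Owners group from Full Control to Read on every task whose Status is Open
#(group, site and list values are constructed placeholders)
Set-ItemGroupPermissionLevel -SiteURL "https://intranet.crescent.com" -ListName "Project Tasks" `
    -GroupName "Crescent Portal Owners" -NewPermissionLevel "Read" -FilterField "Status" -FilterValue "Open"
```

Leave out -FilterField and -FilterValue to apply the change to every item in the list. Note that items processed this way end up with unique permissions, so later changes to the list's own permissions no longer reach them.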
  • Great script!!! Thanks a lot!

    Reply
  • The script is famous and helps greatly. But I have a strange problem and I don't know why. I want to filter the list items in the foreach as follows:
    foreach($item in $list.items | Where $Item["aktiv"] -eq "Ja") .... Field Aktiv = Checkbox Ja/Nein. BUT: the filter doesn't work. Why?
    Does anybody know why? What is wrong in my filter action?

    Reply
    • Use something like: $list.Items | Where-Object { $_["Status"] -eq "In Progress"} | foreach { }

      Reply
