Saturday, December 26, 2015

Break Permission Inheritance and Add-Remove Users to SharePoint List using PowerShell

By default, SharePoint lists and libraries inherit permissions from their parent site when they are created. There are times when you may want to implement unique permissions at the list level, for example when some users should access only one specific list in a SharePoint site and no other object. To set up unique permissions on a SharePoint site, list, library, folder, or item, we must break the permission inheritance first. Just follow these steps:

  • Navigate to your target SharePoint List or Library
  • Click on List Settings >> and then Permissions for this list.
  • From the ribbon, click on the "Stop Inheriting Permissions" icon.
  • Remove the users or groups who do not need to have access to this list.
  • Grant permissions to additional users and groups who need to have access to this list.
Make sure you have broken the permission inheritance before adding or removing users on a SharePoint list. Otherwise, you'll get a "This operation is not allowed on an object that inherits permissions" exception!

SharePoint 2013 - PowerShell to break permission inheritance:
To break permission inheritance on a SharePoint site or list, use this PowerShell script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="http://intranet.crescent.com"
$ListName="Contacts"
$CopyParentPermissions = $True

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    if ($List.HasUniqueRoleAssignments -eq $False)
    {
        $List.BreakRoleInheritance($CopyParentPermissions)
        Write-host "Stopped Inheriting Permissions from the parent." -f Green
    }
    else
    {
        write-host "List is already using Unique Permissions!" -f Red
    }
}
To remove all permissions the list already inherited from its parent, set the variable $CopyParentPermissions to $False.

Add permission to SharePoint list using PowerShell:
Once permission inheritance from the parent is broken, we can add or remove users on the list using PowerShell. Use this PowerShell script in SharePoint to add permissions to a list.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="http://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Grant contribute Permission to a User account
    $UserAccount="Crescent\Omar"
    $User = $web.EnsureUser($UserAccount)
    $RoleDefinition = $Web.RoleDefinitions["Contribute"]
    $RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($User)
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
    $List.RoleAssignments.Add($RoleAssignment)
    $List.Update()
    Write-host "Permissions Granted to User Account: $UserAccount" -f Green     

    #Grant Read access to the Members SharePoint Group
    $GroupName="Crescent Intranet Members"
    $Group = $Web.SiteGroups[$GroupName]
    $RoleDefinition = $Web.RoleDefinitions["Read"]
    $RoleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($Group)
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition);  
    $List.RoleAssignments.Add($RoleAssignment)  
    $List.Update() 
    Write-host "Permissions Granted to SharePoint Group: $GroupName" -f Green
} 

How about removing permissions from a SharePoint list using PowerShell:
Make sure you have already broken the permission inheritance prior to running this script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="http://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Remove User Permissions from the List
    $UserAccount="Crescent\Omar"
    $User = $web.EnsureUser($UserAccount)
    $List.RoleAssignments.Remove($User)
    $List.Update()
    Write-host "Permissions Removed from the User Account: $UserAccount" -f Green     

    #Revoke permission from a SharePoint Group
    $GroupName="Crescent Intranet Members"
    $Group = $Web.SiteGroups[$GroupName]
    $List.RoleAssignments.Remove($Group)  
    $List.Update() 
    Write-host "Permissions Revoked from SharePoint Group: $GroupName" -f Green
}

PowerShell to Remove all Permissions from a List:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="http://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Get All permissions applied to List
    $RoleAssignmentCount = $List.RoleAssignments.Count

    #Remove All Permissions from the List
    #Walk the collection backwards so removing an entry does not shift the remaining indexes
    For ($i = $RoleAssignmentCount - 1; $i -ge 0; $i--)
    {
        Write-host "Removing Permission from: $($List.RoleAssignments[$i].Member.Name)"
        $List.RoleAssignments.Remove($i)
    }
}
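
After breaking inheritance and editing role assignments with the scripts above, it is worth reviewing who actually ended up with access. The following is an added example, not part of the original post: it reports every list in the web that has unique permissions together with its principals and permission levels. The function name Get-UniquePermissionReport is hypothetical, and the URL is the sample value used throughout this page.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters (sample value reused from the scripts above)
$WebURL = "http://intranet.crescent.com"

#Hypothetical helper: lists every role assignment on lists that no longer inherit
function Get-UniquePermissionReport
{
    param([Parameter(Mandatory=$true)][string]$Url)

    $Web = Get-SPWeb $Url
    try
    {
        foreach ($List in $Web.Lists)
        {
            #Skip lists that still inherit permissions from the parent site
            if (-not $List.HasUniqueRoleAssignments) { continue }

            if ($List.RoleAssignments.Count -eq 0)
            {
                #Unique permissions with no assignments left, e.g. after the "remove all" script
                New-Object PSObject -Property @{ List = $List.Title; Principal = "(no role assignments)"; LoginName = ""; IsGroup = $false; Roles = "" }
                continue
            }

            foreach ($Assignment in $List.RoleAssignments)
            {
                #Drop "Limited Access" (SPRoleType Guest), which SharePoint adds automatically
                $Roles = @($Assignment.RoleDefinitionBindings |
                    Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
                    ForEach-Object { $_.Name })
                if ($Roles.Count -eq 0) { continue }

                New-Object PSObject -Property @{
                    List      = $List.Title
                    Principal = $Assignment.Member.Name
                    LoginName = $Assignment.Member.LoginName
                    IsGroup   = ($Assignment.Member -is [Microsoft.SharePoint.SPGroup])
                    Roles     = ($Roles -join ", ")
                }
            }
        }
    }
    finally
    {
        #Release the SPWeb object even if enumeration fails
        $Web.Dispose()
    }
}

Get-UniquePermissionReport -Url $WebURL | Sort-Object List, Principal | Format-Table List, Principal, IsGroup, Roles -AutoSize
```

Rows where IsGroup is False are individual accounts granted access directly on the list, which are usually the first entries to review.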


