SharePoint Online: How to Break Permission Inheritance using PowerShell?

Requirement: Grant permissions at the list or library level to users and groups in SharePoint Online. A particular user group has Read access at the site level, and the requirement is to provide Edit access rights on specified lists and libraries.

Break permission inheritance in SharePoint Online:
When you provide permissions at the site collection, every securable object under it in the hierarchy, such as sub-sites, lists and libraries, folders, documents and items, inherits its permissions from its parent. However, there are situations where you want to provide granular permissions on one of these securable objects by assigning unique permissions.

Providing unique permissions at the list or item level consists of two steps: first, stop inheriting permissions from the parent, and then add permissions for users and/or groups. Here is how to break permission inheritance in SharePoint Online:
  • Navigate to the SharePoint library where your documents are stored
  • Select the document >> Click on "Shared With" under Manage group in the ribbon
  • On the permissions page, if the list is inheriting permissions from its parent, break the permission inheritance by clicking the "Stop Inheriting Permissions" button. Confirm the prompt once.
Now you can add or remove users in the permissions of the particular list or list item by clicking the Grant Permissions button in the Grant group.

Once you stop inheriting permissions, all users and groups are copied from the parent object to the child object. From this point on, any future permission changes made to the parent object no longer affect the child!

PowerShell to Break Permission Inheritance for a List Item: 
Here is the PowerShell for SharePoint Online to stop inheriting permissions from the parent.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Config Parameters
$SiteURL= "https://crescent.sharepoint.com/sites/projects/"
$ListName="Projects"
$ItemID=1

#Setup Credentials to connect (user name/password sign-in; this does not work for accounts that require MFA)
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = $Cred
  
#Get the List and Item
$List=$Ctx.web.Lists.GetByTitle($ListName)
$Item=$List.GetItemByID($ItemID)

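#Break permission inheritance
#BreakRoleInheritance(copyRoleAssignments, clearSubscopes): the first $True copies the parent's permissions to the item
$Item.BreakRoleInheritance($True, $True)
$ctx.ExecuteQuery()

Let's add some error handling to this script and break permission inheritance of a list.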

SharePoint Online: Stop inheriting permissions using PowerShell
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Config Parameters
$SiteURL= "https://crescent.sharepoint.com/sites/Marketing/"
$ListName="Documents"

#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

Try {

    #Helper function to get nongeneric properties of the Object in CSOM   
    Function Invoke-LoadMethod() {
    param( [Microsoft.SharePoint.Client.ClientObject]$Object, [string]$PropertyName ) 
       $ctx = $Object.Context
       $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
       $type = $Object.GetType()
       $clientLoad = $load.MakeGenericMethod($type)

       $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
       $Expression = [System.Linq.Expressions.Expression]::Lambda(
                [System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),
                [System.Object] ), $($Parameter))

       $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
       $ExpressionArray.SetValue($Expression, 0)
       $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
    }
  
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred
  
    #Get the List
    $List=$Ctx.web.Lists.GetByTitle($ListName)
    $Ctx.load($List)
    Invoke-LoadMethod -Object $List -PropertyName "HasUniqueRoleAssignments"
    $Ctx.ExecuteQuery()

    #Check if list is inheriting permissions
    if($List.HasUniqueRoleAssignments -eq $False)
    {
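        #Break permissions of the list, if it is inherited
        #BreakRoleInheritance(copyRoleAssignments, clearSubscopes): $True copies the parent's permissions to the list;
        #$False leaves unique item-level permissions in place ($True would reset them to inherit from the list)
        $List.BreakRoleInheritance($True,$False)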
        $Ctx.ExecuteQuery()
        Write-host -f Green "Permission inheritance broken successfully!"
    }
    else
    {
        Write-Host -f Yellow "List is already using Unique permissions!"
    }
}
Catch {
    Write-Host -f Red "Error breaking permission inheritance!" $_.Exception.Message
}   
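
The requirement at the top of this page has a second step after breaking inheritance: granting Edit on the list to a group that only has Read at the site level. The script below is an added example, not the original author's code; it performs both steps and then reads the list's role assignments back so you can review what was copied from the parent. The site URL, list title and group name are hypothetical placeholders, and the group is assumed to exist on the site.

```powershell
# Added example, not from the original post. $SiteURL, $ListName and $GroupName
# are hypothetical placeholders; the group is assumed to exist on the site.
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

$SiteURL   = "https://contoso.sharepoint.com/sites/Example/"
$ListName  = "Documents"
$GroupName = "Example Visitors"   # group that only has Read at the site level
$RoleName  = "Edit"               # permission level to grant on this list only

$Login = Get-Credential
$Cred  = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Login.UserName, $Login.Password)

Try {
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred

    $List  = $Ctx.Web.Lists.GetByTitle($ListName)
    $Group = $Ctx.Web.SiteGroups.GetByName($GroupName)
    $Role  = $Ctx.Web.RoleDefinitions.GetByName($RoleName)

    # Step 1: break inheritance; copy the parent's assignments, keep item-level permissions
    # Assumption: the list still inherits (check HasUniqueRoleAssignments as in the script above)
    $List.BreakRoleInheritance($True, $False)

    # Step 2: bind the permission level to the group on this list
    $Bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
    $Bindings.Add($Role)
    $Null = $List.RoleAssignments.Add($Group, $Bindings)
    $Ctx.ExecuteQuery()

    # Verify: read back every principal and permission level now set on the list
    $Assignments = $List.RoleAssignments
    $Ctx.Load($Assignments)
    $Ctx.ExecuteQuery()
    ForEach ($Assignment in $Assignments) {
        $Ctx.Load($Assignment.Member)
        $Ctx.Load($Assignment.RoleDefinitionBindings)
    }
    $Ctx.ExecuteQuery()

    ForEach ($Assignment in $Assignments) {
        $Levels = ($Assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host ("{0,-40} {1}" -f $Assignment.Member.Title, $Levels)
    }
}
Catch {
    Write-Host -f Red "Error setting list permissions!" $_.Exception.Message
}
```

Because the parent's assignments are copied, the report lists every principal that had access through the site; remove any that should not keep access to the list.
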
Reviewed by Salaudeen Rajack on May 01, 2016. Rating: 5
