Break Permission Inheritance and Add-Remove Users to SharePoint List using PowerShell

By default, SharePoint lists and libraries inherit permissions from their parent site when created. There are times when you may want to implement unique permissions at the list level, e.g., when some users should have access to only a specific list in a SharePoint site and not to any other object. To set up unique permissions on a SharePoint site, list, library, folder, or item, we must break the permission inheritance first. Just follow these steps:

  • Navigate to your target SharePoint List or Library
  • Click on List Settings, and then on Permissions for this list.
  • From the ribbon, click on the “Stop Inheriting Permissions” icon. Breaking permission inheritance does not remove all existing permissions immediately! A copy of the parent’s permissions is applied to the child object (such as a list or item) before permissions are broken.
  • Remove the users or groups who do not need to have access to this list.
  • Grant permissions to additional users and groups who need to have access to this list.
Make sure you have broken the permission inheritance before adding users to or removing users from a SharePoint list. Otherwise, you’ll get a “This operation is not allowed on an object that inherits permissions” exception!

SharePoint PowerShell to break permission inheritance:

To break permission inheritance on a SharePoint site or list, use this PowerShell script.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="https://intranet.crescent.com"
$ListName="Contacts"
$CopyParentPermissions = $True

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    if ($List.HasUniqueRoleAssignments -eq $False)
    {
        $List.BreakRoleInheritance($CopyParentPermissions)
        Write-host "Stopped Inheriting Permissions from the parent." -f Green
    }
    else
    {
        write-host "List is already using Unique Permissions!" -f Red
    }
}

To remove all permissions the list inherited from its parent, set the variable $CopyParentPermissions to $False.

Add permission to SharePoint list using PowerShell:

Once the permissions are broken from their parent, we can add or remove users to the list using PowerShell. Use this PowerShell in SharePoint to add permission to a list.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="https://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Grant contribute Permission to a User account
    $UserAccount="Crescent\Omar"
    $User = $web.EnsureUser($UserAccount)
    $RoleDefinition = $Web.RoleDefinitions["Contribute"]
    $RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($User)
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
    $List.RoleAssignments.Add($RoleAssignment)
    $List.Update()
    Write-host "Permissions Granted to User Account: $UserAccount" -f Green     

    #Grant Read access to the Members SharePoint Group
    $GroupName="Crescent Intranet Members"
    $Group = $Web.SiteGroups[$GroupName]
    $RoleDefinition = $Web.RoleDefinitions["Read"]
    $RoleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($Group)
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition);  
    $List.RoleAssignments.Add($RoleAssignment)  
    $List.Update() 
    Write-host "Permissions Granted to SharePoint Group: $GroupName" -f Green
} 

How about removing permissions from SharePoint List using PowerShell?

Make sure you already broke the permission inheritance prior to running this script.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="https://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Remove User Permissions from the List
    $UserAccount="Crescent\Omar"
    $User = $web.EnsureUser($UserAccount)
    $List.RoleAssignments.Remove($User)
    $List.Update()
    Write-host "Permissions Removed from the User Account: $UserAccount" -f Green     

    #Revoke permission from a SharePoint Group
    $GroupName="Crescent Intranet Members"
    $Group = $Web.SiteGroups[$GroupName]
    $List.RoleAssignments.Remove($Group)  
    $List.Update() 
    Write-host "Permissions Revoked from SharePoint Group: $GroupName" -f Green
}

PowerShell to Remove all Permissions from a List:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Parameters
$WebURL="https://intranet.crescent.com"
$ListName="Contacts"

#Get the List
$Web = Get-SPWeb $WebURL
$List = $web.Lists.TryGetList($ListName)

If ($List -ne $null)
{
    #Get All permissions applied to List
    $RoleAssignmentCount = $List.RoleAssignments.Count

    #Remove All Permissions from the List
    For ($i= $RoleAssignmentCount-1; $i -ge 0; $i--)
    {
        Write-host "Removing Permission from:"$List.RoleAssignments[$i].Member.name
        $List.RoleAssignments.Remove($i)
    }
}
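
After breaking inheritance and adjusting the grants, it is worth checking what the list's permissions actually are, because BreakRoleInheritance($True) leaves a copy of the parent's assignments in place. The following is an added example, not part of the original article: the function Get-ListAccessDrift, the helper New-SampleAssignment, the sample data and the allow-list are assumptions made for illustration.

```powershell
# Added example (PowerShell 3.0+): compare a list's role assignments with an allow-list.
function Get-ListAccessDrift {
    param(
        [Parameter(Mandatory=$true)] $RoleAssignments,       # e.g. $List.RoleAssignments
        [Parameter(Mandatory=$true)] [hashtable] $Expected   # principal name -> one permission level
    )
    $Seen = @{}
    foreach ($Assignment in $RoleAssignments) {
        # Member.Name is what the article's script prints; for users it is the display name
        $Name = $Assignment.Member.Name
        foreach ($Binding in $Assignment.RoleDefinitionBindings) {
            $Level = $Binding.Name
            # "Limited Access" is assigned by SharePoint itself, so it is not reported
            if ($Level -eq "Limited Access") { continue }
            $Seen["$Name|$Level"] = $true
            if ($Expected[$Name] -ne $Level) {
                [PSCustomObject]@{ Principal = $Name; Level = $Level; Finding = "Unexpected" }
            }
        }
    }
    # Anything on the allow-list that was never seen on the list is reported as missing
    foreach ($Name in $Expected.Keys) {
        if (-not $Seen.ContainsKey("$Name|$($Expected[$Name])")) {
            [PSCustomObject]@{ Principal = $Name; Level = $Expected[$Name]; Finding = "Missing" }
        }
    }
}

# Constructed sample shaped like SPRoleAssignment objects, as left behind by
# BreakRoleInheritance($True): a parent-site group was copied to the list.
function New-SampleAssignment($Name, $Level) {
    [PSCustomObject]@{
        Member = [PSCustomObject]@{ Name = $Name }
        RoleDefinitionBindings = @([PSCustomObject]@{ Name = $Level })
    }
}
$Sample = @(
    (New-SampleAssignment "Omar" "Contribute"),
    (New-SampleAssignment "Crescent Intranet Visitors" "Read"),        # constructed group name
    (New-SampleAssignment "Style Resource Readers" "Limited Access")   # constructed entry
)
$Expected = @{ "Omar" = "Contribute"; "Crescent Intranet Members" = "Read" }

Get-ListAccessDrift -RoleAssignments $Sample -Expected $Expected | Format-Table -AutoSize
# On the farm, pass the real collection instead: -RoleAssignments $List.RoleAssignments
```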

Salaudeen Rajack
