Client Side Object Model (CSOM) Permission PowerShell SharePoint SharePoint Online SharePoint Server 

SharePoint Online: Update Permission Level using PowerShell

Salaudeen Rajack 2 Comments ,

Requirement: Update Permission Level in SharePoint Online

SharePoint Online: How to Edit a Permission Level?

We have had a permission level “Contribute without delete” which allows users to add/edit items but not delete. Now, we got a new requirement to exclude edit also from the permission level so that it prevents users from editing list items, even their own! So how to change the permission level in SharePoint?

To edit an existing permission level in SharePoint Online, follow these steps:

  1. Navigate to SharePoint Online Site collection where you want the
    permission level to be edited.
  2. Click on Settings gear >> Select Site Settings from the Settings menu.
  3. On the Site Settings page, click on the “Site Permissions” link under the Users and Permissions section.
  4. On the Permissions page, click on the “Permission Levels” button from the Permissions tab of the ribbon. 
  5. On the Permission Levels page, click on the permission level you want to edit. 
    sharepoint online edit permission level
  6. Uncheck the tick boxes next to the permission to remove it from the permission level. E.g. I’ve removed “Edit Items” from the permission level. Similarly, you can add any permission to include it.
    sharepoint online change permission level
  7. Scroll down and click on “Submit” button to save your changes. 

This updates the permission level with selected permissions in SharePoint Online!

PowerShell to Remove Permission from Permission Level in SharePoint Online

Let’s remove “Delete Items” permission from an existing permission level.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$PermissionLevelName = "Contribute Without Delete"

#Get Credentials to connect
$Cred = Get-Credential

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    #Get the role definition by name
    $RoleDefinition = $Ctx.web.RoleDefinitions.GetByName($PermissionLevelName)
    $Ctx.Load($RoleDefinition)
    $Ctx.ExecuteQuery()
    
    #Remove "Delete Items" Permission from the Permission Level
    $BasePermissions = New-Object Microsoft.SharePoint.Client.BasePermissions
    $BasePermissions = $RoleDefinition.BasePermissions
    $BasePermissions.Clear([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
    $RoleDefinition.BasePermissions =  $BasePermissions
    $RoleDefinition.Update()
    $Ctx.ExecuteQuery()   
    
    Write-host -f Green "Permission Level has been Updated!"
}
catch {
    write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}

SharePoint Online: Add Permission to Permission Level using PowerShell

Similarly, You can add a permission to permission level with below PowerShell script.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$PermissionLevelName = "Contribute Without Delete"

#Get Credentials to connect
$Cred = Get-Credential

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    #Get the role definition by name
    $RoleDefinition = $Ctx.web.RoleDefinitions.GetByName($PermissionLevelName)
    $Ctx.Load($RoleDefinition)
    $Ctx.ExecuteQuery()
    
    #Add "Delete Items" Permission to the Permission Level
    $BasePermissions = New-Object Microsoft.SharePoint.Client.BasePermissions
    $BasePermissions = $RoleDefinition.BasePermissions
    $BasePermissions.Set([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
    $RoleDefinition.BasePermissions =  $BasePermissions
    $RoleDefinition.Update()
    $Ctx.ExecuteQuery()   
    
    Write-host -f Green "Permission Level has been Updated!"
}
catch {
    write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}

To get all base permissions, refer: https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-csom/ee536458(v%3Doffice.15)

Here is my other posts on permission levels:

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

2 thoughts on “SharePoint Online: Update Permission Level using PowerShell

  • June 15, 2020 at 6:49 PM

    I saw the code above and was wondering if there is a way to update permission level permissions for SharePoint on-premises using PowerShell? I’ve spent a lot of time searching on how to do this, but I only get results relating to SharePoint Online. Please add to the page or create a new one if anyone knows a way to update permission level permissions for SharePoint server

    Reply

Leave a Reply