SharePoint Online: Update Permission Level using PowerShell
Requirement: Update a Permission Level in SharePoint Online.
SharePoint Online: How to Edit a Permission Level?
Permission levels play a crucial role in defining what actions users can perform within SharePoint. In this article, we will explore how to edit permission levels in SharePoint Online. We have had a permission level “Contribute without delete”, which allows users to add/edit items but not delete. Now, we got a new requirement to exclude edit also from the permission level so that it prevents users from editing list items, even their own! So, how to change the permission level in SharePoint?
To edit an existing permission level in SharePoint Online, follow these steps:
- Navigate to the SharePoint Online Site collection, where you want the permission level to be edited.
- Click on Settings gear >> Select Site Settings from the Settings menu.
- On the Site Settings page, click on the “Site Permissions” link under the Users and Permissions section.
- On the Permissions page, click on the “Permission Levels” button from the Permissions tab of the ribbon.
- On the Permission Levels page, click on the permission level you want to edit.
- Uncheck the tick boxes next to the permission to remove it from the permission level. E.g., I’ve removed “Edit Items” from the permission level. Similarly, you can add any permission to include it.
- Scroll down and click on the “Submit” button to save your changes.
This updates the permission level with selected permissions in SharePoint Online!
PowerShell to Remove Permission from Permission Level in SharePoint Online
Let’s remove the “Delete Items” permission from an existing permission level.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$PermissionLevelName = "Contribute Without Delete"
#Get Credentials to connect
$Cred = Get-Credential
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
#Get the role definition by name
$RoleDefinition = $Ctx.web.RoleDefinitions.GetByName($PermissionLevelName)
$Ctx.Load($RoleDefinition)
$Ctx.ExecuteQuery()
#Remove "Delete Items" Permission from the Permission Level
$BasePermissions = New-Object Microsoft.SharePoint.Client.BasePermissions
$BasePermissions = $RoleDefinition.BasePermissions
$BasePermissions.Clear([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
$RoleDefinition.BasePermissions = $BasePermissions
$RoleDefinition.Update()
$Ctx.ExecuteQuery()
Write-host -f Green "Permission Level has been Updated!"
}
catch {
write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}
SharePoint Online: Add Permission to Permission Level using PowerShell
Similarly, You can add permission to the permission level with the below PowerShell script.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$PermissionLevelName = "Contribute Without Delete"
#Get Credentials to connect
$Cred = Get-Credential
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
#Get the role definition by name
$RoleDefinition = $Ctx.web.RoleDefinitions.GetByName($PermissionLevelName)
$Ctx.Load($RoleDefinition)
$Ctx.ExecuteQuery()
#Add "Delete Items" Permission to the Permission Level
$BasePermissions = New-Object Microsoft.SharePoint.Client.BasePermissions
$BasePermissions = $RoleDefinition.BasePermissions
$BasePermissions.Set([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
$RoleDefinition.BasePermissions = $BasePermissions
$RoleDefinition.Update()
$Ctx.ExecuteQuery()
Write-host -f Green "Permission Level has been Updated!"
}
catch {
write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}
To get all base permissions, refer: https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-csom/ee536458(v%3Doffice.15)
Wrapping up
In conclusion, the ability to edit permission levels in SharePoint Online provides administrators with the flexibility to quickly and easily manage user access to the site. Editing permission levels in SharePoint Online is a straightforward process that can be accomplished in a few simple steps. By modifying the existing permission levels, administrators can control what users can do within site, ensuring that sensitive information is kept secure and only accessible by authorized users.
Here are my other posts on permission levels:
Hello, Is there an REST APIs to update permission level in SPO?
I saw the code above and was wondering if there is a way to update permission level permissions for SharePoint on-premises using PowerShell? I’ve spent a lot of time searching on how to do this, but I only get results relating to SharePoint Online. Please add to the page or create a new one if anyone knows a way to update permission level permissions for SharePoint server
Here you go: How to Update a permission level in SharePoint using PowerShell?