SharePoint Online: How to Grant Permissions to a Document?

Permissions are hierarchical in SharePoint Online, from the top-level site collection down to the file level. When documents are created in a library, they inherit the permissions of that library by default. However, this inheritance can be broken and permissions can be applied directly to the files. To set unique permissions on documents, you need to configure permissions at the file level. Here is how:

How to Provide Access to a File in SharePoint Online?

We have a business requirement to give access to a specific file in SharePoint. To set explicit permissions on SharePoint Online files, we need to break the permission inheritance first (stop inheriting permissions) and then add a user or group to the file.

  • Go to your SharePoint Online library where the file is stored >> Select the file to which you want to provide unique permissions. 
  • Right-click on the file that you want to grant permissions to >> Click on “Manage access” from the context menu (You can also use “Manage Access” from the information panel).
  • On the Manage access page, click on the “Advanced” link.
  • On the Permissions tab, in the Inheritance group, click the “Stop Inheriting Permissions” button. Confirm the prompt.
  • Now, from the ribbon, click on the “Grant Permissions” button.
  • In the Share popup, enter names or email addresses. Click the Show Options button. In the Select a permission level list box, select the appropriate permission level, such as Edit.
  • Click Share.

Having too many Item level permissions often leads to performance issues! So, be careful.
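To see how many items in a library already carry unique permissions before adding more, the following added example (not part of the original article) lists every file and folder whose inheritance is broken. It uses PnP PowerShell and reuses the article's sample site URL and library name, which are assumptions to replace with your own.

```powershell
# Added example: inventory of items with broken permission inheritance
# Sample values taken from this article; replace with your own site and library
$SiteURL  = "https://crescent.sharepoint.com/sites/Retail"
$ListName = "Documents"

Connect-PnPOnline -Url $SiteURL -Interactive

# Read the library in pages so large libraries are fetched in batches
$Items = Get-PnPListItem -List $ListName -PageSize 500

$UniqueItems = ForEach ($Item in $Items) {
    # HasUniqueRoleAssignments is not loaded by default, so request it per item
    $HasUnique = Get-PnPProperty -ClientObject $Item -Property "HasUniqueRoleAssignments"
    If ($HasUnique) {
        [PSCustomObject]@{
            ID   = $Item.Id
            Type = $Item.FileSystemObjectType   # File or Folder
            Path = $Item.FieldValues["FileRef"] # Server-relative URL
        }
    }
}

Write-Host "Items with unique permissions: $(@($UniqueItems).Count) of $(@($Items).Count)"
$UniqueItems | Sort-Object Path | Format-Table -AutoSize
```

The property is fetched with one request per item, so expect the report to take a while on large libraries.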

SharePoint Online: Set Document Permissions using PowerShell:

How to grant file-level permission for SharePoint Online? Here is my PowerShell to grant permissions to a document in SharePoint Online.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    
#Config Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Retail"
$ListName ="Documents"
$FileServerRelativeURL="/sites/Retail/Shared Documents/Classified/Payment Guidelines.pdf"
$UserID="user@example.com" #Placeholder login name: replace with the user's account
$GroupName="Retail Members"
$PermissionLevel="Edit"
 
#Get Credentials to connect
$Cred = Get-Credential

Try { 
    #Set up the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
  
    #get file from url
    $File = $Ctx.web.GetFileByUrl($FileServerRelativeURL)
    $Ctx.Load($File)
    $Ctx.Load($File.ListItemAllFields)
    $Ctx.ExecuteQuery()

    #Check if the File has unique permissions
    $ListItem = $File.ListItemAllFields
    $ListItem.Retrieve("HasUniqueRoleAssignments")
    $Ctx.ExecuteQuery()
    If(!$ListItem.HasUniqueRoleAssignments)
    {
        $ListItem.BreakRoleInheritance($false, $false) #copyRoleAssignments = $false: do not copy the inherited permissions - clearSubscopes = $false: leave unique permissions of child objects untouched
        $ctx.ExecuteQuery()
    }
    
    #Get the User
    $User = $Ctx.Web.EnsureUser($UserID)
    $Ctx.load($User)
    $Ctx.ExecuteQuery()
    
    #Get the Group
    $Group =$Ctx.Web.SiteGroups.GetByName($GroupName)
    $Ctx.load($Group)
    $Ctx.ExecuteQuery()
    
    #Get the role 
    $Role = $Ctx.web.RoleDefinitions.GetByName($PermissionLevel)
    $RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
    $RoleDB.Add($Role)
         
    #Assign permissions
    $UserPermissions =  $ListItem.RoleAssignments.Add($User,$RoleDB)
    $GroupPermissions = $ListItem.RoleAssignments.Add($Group,$RoleDB)
    $ListItem.Update()
    $Ctx.ExecuteQuery()
    
    Write-host -f Green "Permission granted to File Successfully!"
}
Catch {
    write-host "Error: $($_.Exception.Message)" -Foregroundcolor Red
}

This script grants permission on the Item level for a given user and group.

PnP PowerShell to Set File Level Permission

To change the permission for files in SharePoint Online using PowerShell, use: Set-PnPListItemPermission cmdlet.

#Config Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Retail"
$ListName ="Documents"
$FileServerRelativeURL="/sites/Retail/Shared Documents/Classified/Payment Guidelines.pdf"
$UserID="user@example.com" #Placeholder login name: replace with the user's account
$GroupName="Retail Members"

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get the File as List Item
    $File = Get-PnPFile -Url $FileServerRelativeURL -AsListItem

    #Get the Group
    $Group = Get-PnPGroup | where-Object {$_.Title -eq $GroupName}

    #Grant Edit permission to User - Remove all existing permissions
    Set-PnPListItemPermission -Identity $File.ID -List $ListName -AddRole "Edit" -User $UserID -ClearExisting

    #Grant permission to Group
    Set-PnPListItemPermission -Identity $File.ID -List $ListName -AddRole "Read" -Group $Group
}
Catch {
    write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}

You can get all available permission levels to add or remove using the Get-PnPRoleDefinition cmdlet. To grant permission to all list items, see: SharePoint Online: Grant Permission to All Items in a List or Library using PowerShell
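After running either script, it is worth confirming who actually has access to the file. The following is an added example, not part of the original article, that reads the file's role assignments back with PnP PowerShell. It reuses the article's sample site URL and file path as assumptions.

```powershell
# Added example: read back the permissions on the file to verify the change
# Sample values taken from this article; replace with your own site and file
$SiteURL = "https://crescent.sharepoint.com/sites/Retail"
$FileServerRelativeURL = "/sites/Retail/Shared Documents/Classified/Payment Guidelines.pdf"

Connect-PnPOnline -Url $SiteURL -Interactive

# Get the file as a list item, as in the script above
$Item = Get-PnPFile -Url $FileServerRelativeURL -AsListItem

# Neither property is loaded by default, so request both explicitly
$HasUnique       = Get-PnPProperty -ClientObject $Item -Property "HasUniqueRoleAssignments"
$RoleAssignments = Get-PnPProperty -ClientObject $Item -Property "RoleAssignments"

$Report = ForEach ($RoleAssignment in $RoleAssignments) {
    # Load the principal and its permission levels for this assignment
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member | Out-Null

    [PSCustomObject]@{
        Principal   = $RoleAssignment.Member.Title
        Type        = $RoleAssignment.Member.PrincipalType   # User, SharePointGroup, SecurityGroup
        LoginName   = $RoleAssignment.Member.LoginName
        Permissions = ($RoleAssignment.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join ", "
    }
}

Write-Host "File has unique permissions: $HasUnique"
$Report | Sort-Object Type, Principal | Format-Table -AutoSize
```

If the file still inherits permissions, the report shows the library's assignments. After -ClearExisting, or after BreakRoleInheritance with the first argument set to $false, only the principals granted afterwards and the account that made the change should remain.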

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!
