Unique permissions in SharePoint offer control but can also cause complexity and potential confusion among your users. This article explores how unique permissions arise, their impact, and, most importantly, best practices for you as an Admin to manage them effectively.
What Are Unique Permissions on a SharePoint Site?
By default, SharePoint files and folders inherit permissions from the Site they belong to. This means that all users who are members of a Site with add/edit/delete permissions can add/edit/delete any file or folder within that Site.
Unique permissions are custom permissions: Changing security for a specific file or folder creates unique permissions. Let’s say you hide that file or folder from all team members and just allow some: you have given it unique permissions. But that is not the only way for unique permissions to appear.
How Can a File End Up with Unique Permissions?
There are a few reasons why you may end up with unique permissions on your SharePoint site.
- Unique Permissions Set Manually
This is the most common case and the one we mentioned earlier. If you decide to alter security for a given file or folder using the Manage access option, you are setting unique permissions for that file or folder.
If you want to know everything about manually setting permissions for SharePoint libraries, folders, and files, here is a tutorial.
- Unique permissions set by sharing content
When your team members need to share files with someone outside the team, you don’t want them emailing giant attachments – that's so 2010! You want them to share those files using sharing links. Depending on how you create these sharing links, you might be granting unique permissions. This is the case when you use the Specific people option.
- Unique permissions set automatically
If you use third-party solutions that touch SharePoint permissions, like CB Dynamics 365 to SharePoint Permissions Replicator by Connecting Software, you will have unique permissions that are set automatically by the tool.
What’s Wrong with Having Unique Permissions in SharePoint?
In general, there is nothing wrong with unique permissions. You just need to be aware of two things:
- When you create unique permissions manually, for example, when removing the Team Members group from a folder, the folder becomes an independent entity with its own security and permissions. From that point onward, any site-level permission changes (e.g., adding new members to the site) will no longer apply to that folder and will require manual alteration. This can potentially become a lot of work and is also a point of failure in terms of security.
- Microsoft limits the number of unique permissions. You should be aware of this if you manually set permissions in many files and folders or if you set permissions automatically. The good news is that there are tools to work around these limitations, as discussed in the article Solutions and workarounds for SharePoint permission limits.
How Can I List Unique Permissions on a SharePoint Site?
To view all the unique permissions you have at Site level, follow these steps:
- Gear Icon > Site Permissions
- Click on Advanced permissions settings
- This will open the site-level permissions list. Just above the list of users and their permissions, look for the message: “Some content on this site has different permissions from what you see here.” Click on the Show these items link. Please note that if you don’t see the message, you don’t have any unique permissions yet.
- You will see all the lists or libraries on your site with unique permissions. In this case, we have some unique permissions for files and folders within a Documents library. Click on the view exceptions link.
- You will now see all the files and folders with unique permissions in that library. To find out what the permissions are, click the corresponding manage permissions link.
- Finally, you will see what the unique permissions are for that file or folder.
How Can I Delete Unique Permissions for Files and Folders?
To remove unique permissions and restore inheritance for files or folders, follow these steps:
- Click Delete unique permissions in the ribbon.
- Click OK when you get a warning pop-up message "You are about to inherit permissions from the parent folder or document library. Any custom permissions will be lost.".
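The same reset can be scripted for items you have already reviewed. The following is an added example, not part of the original article: it uses the PnP PowerShell cmdlets Get-PnPListItem, Get-PnPProperty and Set-PnPListItemPermission, and the item IDs and the $dryRun switch are assumptions made for illustration. It reports what would be lost before anything is changed.

```powershell
# Added example: restore inheritance on reviewed items, with a dry run first.
$siteURL  = "https://yoursite.sharepoint.com/sites/yoursitecollection"  # placeholder, replace with your site
$listName = "Your List"                                                  # placeholder, replace with your list
$itemIds  = @(12, 27, 31)   # constructed sample IDs of items you have reviewed
$dryRun   = $true           # assumption: set to $false only after checking the dry-run output

# Sign in; use the sign-in option your PnP.PowerShell version supports.
Connect-PnPOnline -Url $siteURL -UseWebLogin

foreach ($id in $itemIds) {
    $item = Get-PnPListItem -List $listName -Id $id

    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) {
        Write-Host "Item $id already inherits permissions; skipped."
        continue
    }

    # These are the custom assignments the warning pop-up says will be lost.
    $assignments = @(Get-PnPProperty -ClientObject $item -Property RoleAssignments)

    if ($dryRun) {
        Write-Host "DRY RUN: item $id ($($item['FileRef'])) would lose $($assignments.Count) custom assignment(s)."
    }
    else {
        # Scripted equivalent of "Delete unique permissions" in the ribbon.
        Set-PnPListItemPermission -List $listName -Identity $id -InheritPermissions
        Write-Host "Item $id now inherits permissions from its parent."
    }
}
```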
SharePoint Permissions Best Practices
#1 Minimize Manually Breaking Inheritance
- Avoid Unnecessary Subsites: Each subsite has the potential to diverge from its parent site’s permissions. Minimize the creation of subsites with unique permissions unless necessary.
- Limit Unique Permissions to Lower Hierarchy Levels: If unique permissions are necessary, aim to apply them at lower levels of the hierarchy (such as libraries, lists, or even items) rather than at the site level.
#2 Regular Permissions Audit and Clean-up
- Conduct Regular Reviews: Periodically review and audit permissions across your SharePoint environment. Identify and eliminate unnecessary unique permissions.
- Utilize PowerShell Scripts: Use PowerShell scripting to automate the identification of unique permissions and streamline the audit process.
You can write scripts to:
- Enumerate all sites, lists, and items/libraries with unique permissions (see example below).
- Identify all users and groups with access to specific SharePoint resources.
- Break inheritance and set custom permissions as per your governance policy.
- Remove unique permissions where not needed, reverting to inherited permissions to simplify management.
Let’s have a look at an example. In the following PowerShell script, you identify items within a SharePoint list with unique permissions. I will place a code breakdown right after the script.
# Example: Get a list of all items in a list with unique permissions
$siteURL = "https://yoursite.sharepoint.com/sites/yoursitecollection"
$listName = "Your List"

# Sign in to the site
Connect-PnPOnline -Url $siteURL -UseWebLogin

# Retrieve the list items, requested in pages of 500
$listItems = Get-PnPListItem -List $listName -PageSize 500

foreach ($item in $listItems) {
    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly
    $hasUniquePermissions = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if ($hasUniquePermissions -eq $true) {
        Write-Host "Item with ID $($item.Id) has unique permissions."
    }
}

Here is what we did in this PowerShell script:
- Set Variables:
  - $siteURL: Stores the URL of your SharePoint site (replace with your actual URL).
  - $listName: Stores the name of the specific list you want to check (replace with your actual list name).
- Connected to SharePoint:
  - Connect-PnPOnline: Establishes a connection to your SharePoint site using your web login credentials.
- Retrieved List Items:
  - Get-PnPListItem: This command retrieves the items from the specified list ($listName). The -PageSize 500 parameter requests them in pages of 500 items.
- Looped Through Items:
  - foreach ($item in $listItems): This loop iterates through each item retrieved from the list.
- Checked for Unique Permissions:
  - Get-PnPProperty: This command loads a property of the current list item ($item) that is not returned by default. The -Property HasUniqueRoleAssignments parameter specifically asks whether the item has unique permissions.
- Identified Unique Permissions:
  - if ($hasUniquePermissions -eq $true): This conditional statement checks if the HasUniqueRoleAssignments value returned by the previous command is true.
  - If it is, it means the current item has unique permissions assigned to it.
- Output:
  - Write-Host "Item with ID $($item.Id) has unique permissions.": If the item has unique permissions, this line writes a message to the console indicating the item's ID.
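For an audit, the next question is who actually has access to each of those items. The script below is an added example, not the article's own code: it goes beyond the script above by exporting every principal and permission level on uniquely-permissioned items to a CSV and counting the items against Microsoft's limit. The output path, the warning threshold and the "SharingLinks." group-name prefix check are assumptions.

```powershell
# Added example: report who has access to each item with unique permissions.
$siteURL   = "https://yoursite.sharepoint.com/sites/yoursitecollection"  # placeholder, replace with your site
$listName  = "Your List"                                                  # placeholder, replace with your list
$csvPath   = ".\unique-permissions.csv"   # hypothetical output path
# Assumption: warn at Microsoft's recommended general limit of 5,000 unique
# permission scopes per list or library (the supported limit is 50,000).
$scopeWarn = 5000

# Sign in; use the sign-in option your PnP.PowerShell version supports.
Connect-PnPOnline -Url $siteURL -UseWebLogin

$report      = @()
$uniqueCount = 0

foreach ($item in (Get-PnPListItem -List $listName -PageSize 500)) {
    if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
    $uniqueCount++

    foreach ($ra in @(Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
        # Member and RoleDefinitionBindings are not loaded by default.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })

        # "Limited Access" on its own is a side effect of access granted elsewhere; skip it.
        if (-not ($levels | Where-Object { $_ -ne "Limited Access" })) { continue }

        $report += [pscustomobject]@{
            ItemId         = $item.Id
            Path           = $item["FileRef"]
            Principal      = $ra.Member.Title
            PrincipalType  = $ra.Member.PrincipalType
            Permissions    = $levels -join "; "
            # Assumption: groups created by sharing links have names starting with "SharingLinks."
            ViaSharingLink = $ra.Member.LoginName -like "SharingLinks.*"
        }
    }
}

$report | Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "$uniqueCount item(s) with unique permissions; details written to $csvPath"
if ($uniqueCount -ge $scopeWarn) {
    Write-Warning "'$listName' has $uniqueCount uniquely-permissioned items, at or above the $scopeWarn threshold."
}
```

Rows where ViaSharingLink is True come from the sharing case described earlier, which helps separate them from permissions set manually or by a tool.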
#3 Provide Adequate Training and Guidelines
- User Training: Train users on the impact of unique permissions and teach them how to share and request access appropriately.
- Publish Permissions Policies: Develop and disseminate clear permissions policies and procedures.
Conclusion
Understanding unique permissions as an Admin empowers you to manage SharePoint security with greater precision. By following the steps outlined in this article, you can efficiently identify, manage, and even remove unique permissions as needed.
It's crucial to bear in mind, particularly when using permission replication tools or employing automation, that Microsoft enforces limits on the number of unique permissions. Use the right strategies and tools to ensure your SharePoint environment remains secure and manageable despite these limits.
Do you have questions about managing unique permissions in SharePoint? Let us know in the comments below!
About the Author
By Ana Neto, technical advisor at Connecting Software.
“I have been a software engineer since 1997, with a more recent love for writing and public speaking. Do you have any questions or comments about this article? I would love to have your feedback, leave a comment below!”