How to properly make use of Item-level Permissions in SharePoint

It’s always a struggle whenever you’re configuring something in SharePoint where a user puts in information that is privacy sensitive. Should you fix this by using custom permissions (by using a custom Flow of Workflow), using differerent lists/libraries for each sensitive data type, use item-level permissions or use views with a [Me] filter in it?

My answer is: use item-level permissions!

You would say: but when I use item-level permissions, you have to have a minimum permission level of Design to view all items and I don’t want the responsible person that needs to view all items to have that permission level…

What if I told you that that user doesn’t have to have a high permission level to view all items?

Item-level permissions

With Item-level permissions, you can define who can and who can’t read/edit items that are in any list/library. This setting can be configured within list/library settings – Advanced settings.
You can set this permissions for both Read and Create/Edit access.

Read access

Within this section, you can configure who can view items

Read all items

Everyone with access to the list, can view all items

Read items that were created by the user

Someone who created an item, can only see its own item. Other items will not be shown

Create and Edit access

Within this section, you can configure who can create and edit items

Create and edit all items

Everyone with access to the list, can create items and edit all items (if the permission level allows them to)

Create items and edit items that were created by the user

Everyone with access to the list, can create items. Someone who created the item, can only edit its own item

None

Nobody can create/edit items, except if you have Design permissions or higher.

Design permissions or higher

Like I said before: If you have enabled Item-level Permissions, only people with Design permissions or higher (Full Control or Site Collection Administrator) will still see everything. That’s not always something you want to grant your ‘controlling’ user, because you will provide them with the option to alter the list and its settings.

I jumped into the item-level permissions to see what makes a ‘Designer’ to override the Item-level permissions and found the following interesting piece of description at the item-level permissions section:

It seemed like something that could help me out, so I went into the Design permission level and searched for the ‘Cancel Checkout’ permission. Strangely the search did not give me any result:

I thought by myself: don’t tell me they depricated this permission?! I couldn’t find any information using my favorite Search Engine (which isn’t Bing by the way 🙄
), so I jumped a bit deeper into the List Permissions and found the following interesting permission:

The description of this permission contained something that the note of the Item-level Permissions setting was explaining about and it did say it overrides the read/edit settings. When I looked into the Contribute Permission Level, I saw that this permission wasn’t checked. When unchecking this permission on the Design permission level, I couldn’t see any items other then my own, so this was definitely the permission I was looking for.

Custom permission level

To make sure my ‘controlling’ user could see all items but wasn’t allowed to alter lists and its settings, I had to create a new permission level which I called ‘Contribute (with Item-level Permissions)‘.

To save me some time, I duplicated the Contribute permission level. You can do this by opening the permission level on <siteurl>/_layouts/15/role.aspx and scroll all the way down. There is a button called ‘Copy Permission Level’.

If you click that, all List Permissions from Contribute will be enabled. All you have to do now is to enable ‘Override List Behaviors’, click ‘Submit’ and assign the permission level to your ‘controlling’ user! If you assign any other user with the Contribute permission level, these users can only read/edit their own items (according to the Item-level permission configuration you used) and the ‘controlling’ user will always see every item.

Please note that this solution only works when the user fills in its own information. With this method, you cannot let another user fill in the information because the user itself won’t be able to see its own information then.

15 Replies to “How to properly make use of Item-level Permissions in SharePoint”

  1. Setting item-level permissions doesn’t seem available in SharePoint Document libraries. Anyone has any suggestion how to achieve that? Thanks!

    1
    0
  2. For a list this is working as described.

    My findings is that this is not working as described for a document library:

    -for a document library you have to set the Item Level permissions through powershell (readSecurity = 2, writeSecurity = 2); this setting is not available in the Advanced list settings.
    – a user with contribute permissions on the document library, only sees his own documents in a view, so that’s correct.
    – with a deep link (not a sharing link) to a document in the document library, a user with contribute permissions can open all documents that are available in the document library.

    Am I overlooking something?

    0
    0
    1. It’s true that thr setting is only available for lists in the GUI, not on document libraries. I’m guessing the behaviour you’re describing is because It’s not really supported on document libraries, hence the missing setting. I don’t know for sure though since I never used it on a document library

      0
      0
  3. It worked for me. Amazing!

    Next I’ll be tweaking the Contribute permissions of my M365 Approval Groups with even less rights.

    I use MS Flow with multiple Approval Groups.
    Only Flow needs higher rights; not the Approval Groups.

    Easily done since these groups are all members of a single SP group. Only need to re-permission there with the new Permission Level.

    Thank you so much!

    0
    0
  4. It worked for me. Amazing!

    Next I’ll be tweaking the Contribute permissions of my M365 Approval Groups with even less rights.

    I use MS Flow with multiple Approval Groups.
    Only Flow needs higher rights; not the Approval Groups.

    Easily done since these groups are all members of a single SP group. Only need to re-permission there with the revised Permission Level.

    Thank you so much!

    1
    0
  5. Q: I have a custom list that has “Read items that were created by the user” and “Create items and edit items that were created by the user” Set. If I share that item with a group and when someone goes and visw the list, will that item show up in the list?

    My intention is to have a Microsoft flow fire off when an item is created that will share the item with a selected group based on selections being made.

    0
    0
    1. If the users you are sharing the item with have the custom permission level as described in the blog post, they should be able to see it; but they will see every item. Not only the one for which you triggered the flow.
      If you only want a set of items to be visible, you should use the Grant access to an item or a folder action

      0
      0
    2. Thank you for the tip. From memory (I will need to check next week – on holiday this week and just came across this post while looking for something else) I have given general users Contribute access permissions, very few people have full access and the rest is case by case (It’s a complaint and incident register).

      The person (in general) who put in the complaint/incident of course should be able to see their own items only and thats it.

      0
      0
    3. With full control, you can see every item. With contribute, you can only see your own items.
      Looks like you can proceed with item level permissions (no need for setting individual permissions per item). If you have any questions, don’t hesitate to contact me!

      0
      0
    1. Are you sure? I haven’t heard anything about deprecating this feature, but I could’ve missed it. Do you have a source?.
      It is also still available in my tenant.

      0
      0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This site uses Akismet to reduce spam. Learn how your comment data is processed.