When you work with SharePoint permissions, you quickly figure out that you want to touch them as little as possible. With a lot of things in SharePoint, permissions inherit top down. So this means that it’s a best practice to always use that inheritance as much as possible.
But invariably there will be times when you have to break that inheritance and set unique permissions. Sooner or later, you might need to change those permissions en masse, but you have 30 libraries, and in each library you have multiple folders and files. All with broken permissions!
We can turn to our good friend PowerShell to make this an easy task. This will apply to on-premises SharePoint, but it is possible with SharePoint Online as well, potentially made much easier using the PnP PowerShell commands.
In my case, let’s say for example you have a SharePoint site for tracking your company’s budget process. On this site, you create document libraries for each main department, then in those libraries you create folders for each departmental code. Inside those folders are the actual budget Excel files. It’s critical that each granular department can only edit their own budget files.
Well, during the budget process, for a period of time we need to lock down all the permissions to read-only while things are being reviewed and submitted.
One option would be to just reset permission inheritance at the site level, then define a limited group of a few users in Finance with access. But that would mean the users couldn’t read; they would lose all access.
Another option is to use a 3rd-party tool to back up the permissions before we make any changes, then use a script to change them, then use this same tool to restore them. One tool is called Quest Site Administrator, which comes with a tool called Security Explorer. This allows us to click the site, and it will back up all the permissions of every object below it. This has saved my bacon more than once.
Per our requirement, I had 2 main goals for our budget site and tons of unique permissions:
Let’s take a look at the script. Click HERE to download it, save as PS1 instead of TXT.
I’ve got 2 helper functions that do the heavy lifting of actually changing permissions. The function FixPerms checks all permissions on whatever object we pass in (library, folder, file, etc.), removes the existing permissions from each entry, and adds the Read permission. The AddGroup function just adds the SP group called Budgets Lockdown to the permissions with Full Control.
The next thing we do is build an array of library/list names that we want to exclude from our permission changes. So any list or library name in this list will be excluded, and won’t have any changes made. This is basically a list of all system libraries.
Now, we just need to do our foreach checks. We start at the subsite level, then check all libraries, then check all folders in that library, then check all files in those folders. For each object found, change the permission to Read, and add the group with Full Control (by calling our functions).
There are a couple little tricks I want to call out here, for the folders. People think you have to navigate the folder hierarchy (get parent folder, check for child subfolders, check for subfolder in that folder, etc). You don’t! On the library, there’s an object called .folders that will give you a flat list of all subfolders in the library, regardless of hierarchy (line 48). Awesome!
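The lockdown pass described above, sketched as an added example for on-premises SharePoint; it is not the downloadable script from this post. The site URL and the exclusion names are placeholders, the LockDown wrapper is a hypothetical helper, and skipping objects that still inherit permissions is an assumption of this sketch.

```powershell
# Added example (server object model); not the post's own script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.local/sites/budget"   # placeholder URL
$groupName = "Budgets Lockdown"                                # group named in the post
$exclude   = @("Master Page Gallery", "Style Library", "Site Assets")  # sample exclusions

function FixPerms($obj, $readRole) {
    # Snapshot the collection so updates do not disturb the enumeration
    foreach ($ra in @($obj.RoleAssignments)) {
        $ra.RoleDefinitionBindings.RemoveAll()
        $ra.RoleDefinitionBindings.Add($readRole)
        $ra.Update()
    }
}

function AddGroup($obj, $group, $fullRole) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($fullRole)
    $obj.RoleAssignments.Add($ra)
}

function LockDown($obj, $label, $readRole, $group, $fullRole) {
    # Hypothetical wrapper: inheriting objects are skipped, their assignments belong to the parent
    if (-not $obj.HasUniqueRoleAssignments) { return }
    FixPerms $obj $readRole            # demote every existing entry to Read first
    AddGroup $obj $group $fullRole     # then grant, so the lockdown group is not demoted too
    Write-Output "Locked: $label"
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        # Look roles up by type so localized role names do not matter
        $read  = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
        $full  = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Administrator)
        $group = $web.SiteGroups[$groupName]
        $lists = @($web.Lists | Where-Object { $exclude -notcontains $_.Title })
        foreach ($list in $lists) {
            LockDown $list "$($web.Url) / $($list.Title)" $read $group $full
            # .Folders is the flat list of all subfolders; .Items holds the files
            foreach ($item in @($list.Folders) + @($list.Items)) {
                LockDown $item "$($web.Url)/$($item.Url)" $read $group $full
            }
        }
        $web.Dispose()
    }
}
finally { $site.Dispose() }
```

Run it only after the permissions backup described earlier, since the sketch does not record the original assignments anywhere.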