There are two things that go by the name item-level permissions:
- The related SharePoint list setting.
  - A document library does not have this setting.
- The rights set on a record (list) or file (document library).
The related SharePoint list setting
This list setting configures the actual read and create/edit rights on records in the list, because the effective rights are a combination of this list setting and the permissions that have been granted.
The default values of the list setting apply to any user who has been granted the “Override List Behaviors” permission. This permission is part of the default permission levels:
- Design
- Full control
The following “Item-level Permissions” settings are possible:
Read access
- Read all items
  - This is the default value
- Read items that were created by the user
Create/Edit access
- Create and edit all items
  - This is the default value
- Create items and edit items that were created by the user
- None
It is not mentioned explicitly, but create/edit also includes delete. A user must still hold the delete permission via a permission level to actually be able to delete a record.
When the item-level Read access setting is “Read items that were created by the user”, enforcing unique values on a column is not possible, and vice versa.
The rights set on a record (list) or file (document library)
On a record or file, specific rights can be set. If this is done, inheritance is broken between the list/document library and the item (record/file).
I do not recommend using this kind of item-level rights because:
- It has a negative impact on trust:
  - Users will not be sure whether they see all the items they expect.
  - Different users can see different results.
  - Because most lists and document libraries do not have specific rights on items, most users will not actively realize that this can be the case.
- It is not easy to see which rights are set on an item.
- It increases complexity.
- It increases the chance of unauthorized data access.
- Setting the rights on an item can only be done after it has been added. If the user has read access at list level, (s)he can read the record if setting the rights fails.
Having temporary rights on a record or file is sometimes the only option to comply with a least-privilege security setup.
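Because it is hard to see which rights are set on an item, an audit script helps. The following PnP PowerShell script is an added example (not from the original article): it reports the list's item-level Read/Create/Edit setting and every record whose inheritance is broken, with the principals and roles on it. The site URL, list name and the ReadSecurity/WriteSecurity code mapping are assumptions taken from the CSOM List properties.

```powershell
# Added audit example; requires the PnP.PowerShell module and an account allowed to read
# the list's permissions. Site URL and list name are placeholders.
param(
    [string]$SiteUrl  = "https://contoso.sharepoint.com/sites/example",  # placeholder
    [string]$ListName = "Requests"                                        # placeholder
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Report the list-level "Item-level Permissions" setting.
#    Assumed CSOM codes: ReadSecurity 1 = all, 2 = own; WriteSecurity 1 = all, 2 = own, 4 = none.
$readNames  = @{ 1 = "Read all items"; 2 = "Read items that were created by the user" }
$writeNames = @{ 1 = "Create and edit all items"
                2 = "Create items and edit items that were created by the user"
                4 = "None" }
$list = Get-PnPList -Identity $ListName -Includes ReadSecurity, WriteSecurity
Write-Host ("Read access : {0}" -f $readNames[$list.ReadSecurity])
Write-Host ("Create/Edit : {0}" -f $writeNames[$list.WriteSecurity])

# 2. Find every item whose permission inheritance is broken and list its role assignments.
$report = foreach ($item in Get-PnPListItem -List $ListName -PageSize 500) {
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if (-not $item.HasUniqueRoleAssignments) { continue }   # still inherits from the list

    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Load the principal and its role definitions (e.g. Read, Contribute) for this item
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            ItemId    = $item.Id
            Title     = $item["Title"]
            Principal = $ra.Member.Title
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

# Items that never appear in the report still follow the list-level rights only.
$report | Format-Table -AutoSize
```

Run it periodically; an item that shows up here with rights nobody remembers granting is exactly the case the article warns about.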