Automating item-level permissions in SharePoint document libraries and lists


Item-level permissions come in handy in a number of situations. Here are some examples and food for thought:

  • Travel plans are submitted to a list, but only the people named in a plan’s people columns (supervisor, director, traveler) can open it or find it through search, since search results are security-trimmed.
  • Allow “content owners” to edit documents while everyone else can only view them.
  • Allow non-admin individuals to set editing permissions for documents or list items by populating a people column. Keep in mind that whoever can edit that column is effectively managing the item’s permissions, so restrict who can edit it.

Using a SharePoint Designer 2010 workflow with an impersonation step (whose actions run with the permissions of the workflow author rather than those of the person who started the workflow), we can:

  • Add list item permissions
  • Inherit list item parent permissions
  • Remove list item permissions
  • Replace list item permissions

This tutorial uses the “Replace list item permissions” action. Replace removes every existing permission assignment on the item and substitutes the ones you specify, so you must INCLUDE YOURSELF or an admin group in the replacement permissions. Otherwise you (the workflow author, whose identity the impersonation step uses) won’t be able to open the content or help with troubleshooting, and later runs of the workflow on that item can fail because the author no longer has rights to change it. Let’s begin!

  1. Create a new list workflow on the list or library whose items’ permissions you want to manage
  2. Set the workflow’s “Platform Type” to SharePoint 2010 Workflow (the impersonation step is only available on that platform)
  3. Click above or below the default “Step 1” box so you see an orange line outside the box
  4. Add an impersonation step
  5. Delete Step 1 (right-click gray header bar, click “delete”)
  6. Click inside the impersonation step so you see the orange line
  7. Click Action, then “Replace list item permissions” OR begin typing “replace” and hit enter
  8. Select the hyperlink called “these permissions”
  9. Select “Add”
  10. Select “Full Control” and then “Choose”
  11. Set yourself and any other admins to this Full Control level (as well as anyone who, by design of the workflow, should have full control of the list item or document)
    • To set a permissions group as full control such as Admin group, double-click “People/Groups from SharePoint site…” and search for the group name
    • To set a specific individual as full control, just search for their name or e-mail address and double-click
    • If the person(s) or group(s) that should have full control are in a people column in the list, choose “Workflow Lookup for a User…” and select the relevant column. Leave “Return field as” set to “As String”
  12. Click “OK”
  13. Repeat steps 9-12 for all permission levels you wish to assign.
  14. Click OK until you’re back to the workflow editing screen with just your impersonation step
  15. Click “this list”
  16. Click “OK” to accept “Current item” as the item to be gaining new permissions
  17. Click “back” or the name of the workflow in the breadcrumb to see workflow settings
  18. Check all start options that suit your scenario (manual start, start on creation, start on change). Starting on change keeps the permissions in step with the people columns, but remember that every edit then re-runs the Replace action, so any permission someone granted by hand on the item is wiped on the next change.
  19. Publish your workflow

The automation piece comes in here:

  • Set up if/then conditions in your workflow to apply different permission sets based on content type, file name, department, etc. (e.g. if the list item is related to R&D, assign permissions to the R&D directors only)
  • Use people column(s) in your list or library that others with the proper permissions can update, then reference those columns in your workflow to grant permissions based on their contents (e.g. using “Workflow Lookup for a User…”, add permissions for each column such as traveler, supervisor and director)
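The same replacement logic that the impersonation step performs in the steps above, plus the conditional and people-column variants from the two bullets, as an added example done from PnP.PowerShell against SharePoint Online rather than from SharePoint Designer. This is not code from the original post; the site URL, list name, the “Traveler”, “Supervisor”, “Director” and “Department” columns and the “Site Admins” group are assumptions for illustration. It keeps the admin group in every replacement, copes with single-value, multi-value and empty people columns, and falls back to inheritance when there is nobody to grant to.

```powershell
# Added example (not from the original post). Site URL, list name, column
# names and the admin group name below are assumptions for illustration.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/travel" -Interactive

$ListName   = "Travel Plans"
$AdminGroup = "Site Admins"                    # always re-added so nobody is locked out
$PeopleCols = @("Traveler", "Supervisor", "Director")

# Flatten a people column into e-mail addresses. A single-value column holds
# one FieldUserValue, a multi-value column holds an array of them, and an
# empty column is $null; this handles all three cases.
function Get-PeopleEmails {
    param($Item, [string]$Column)
    $value = $Item[$Column]
    if ($null -eq $value) { return @() }
    return @($value) | ForEach-Object { $_.Email } | Where-Object { $_ }
}

function Set-ItemPermissionsFromColumns {
    param($Item)

    $people = @()
    foreach ($col in $PeopleCols) { $people += Get-PeopleEmails -Item $Item -Column $col }
    $people = @($people | Sort-Object -Unique)

    if ($people.Count -eq 0) {
        # Nothing to grant: inherit from the list again rather than leaving an
        # item that only the admin group can reach.
        Set-PnPListItemPermission -List $ListName -Identity $Item.Id -InheritPermissions
        return
    }

    # 1. Break inheritance and clear the existing assignments, granting the
    #    admin group Full Control in the same call so the item is never left
    #    without an administrator (the INCLUDE YOURSELF rule from the post).
    Set-PnPListItemPermission -List $ListName -Identity $Item.Id `
        -Group $AdminGroup -AddRole "Full Control" -ClearExisting

    # 2. The if/then branch from the post: R&D items are read-only for the
    #    people in the columns, everything else is editable by them.
    $role = if ($Item["Department"] -eq "R&D") { "Read" } else { "Edit" }
    foreach ($email in $people) {
        Set-PnPListItemPermission -List $ListName -Identity $Item.Id -User $email -AddRole $role
    }
}

# Apply to every item in the list; for a change-triggered job pass one item instead.
Get-PnPListItem -List $ListName -PageSize 500 | ForEach-Object {
    Set-ItemPermissionsFromColumns -Item $_
}
```

Run this under a dedicated admin account or app identity, not a personal one, so the permissions keep working after the person who set them up leaves; the same consideration applies to the workflow author in the Designer version. Because the script re-applies permissions on every run, any grant someone added by hand on an item is lost, exactly as with the Replace action triggered on change.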

That’s it! You won’t need to set permissions manually again for these sorts of things if you write a thorough, well-planned workflow to handle it for you, combined with a list that has the appropriate people columns and settings for your purpose. Feel free to comment with any questions specific to your scenario and I’ll be glad to assist.

13 Replies to “Automating item-level permissions in SharePoint document libraries and lists”

  1. No, we didn’t use a group (don’t get me started). When I created my person/group field in my library, I did allow for multiple entries. The second person does get added to the person/group field, but when the workflow runs the second time, the workflow reads “Error occurred”. When you click on it, you get the typical “An error has occurred” and the link to the common SharePoint error page.

    Just wondering if you had experienced that. No worries if you haven’t; I just wondered if you had experienced that. I might need to go to the Microsoft Tech forum or StackExchange.

    1. Without seeing it firsthand, I can’t think of anything else it could be offhand. Long shot here, but is the workflow author included in permissions on the workflow (particularly if replacing)? If not, the second time you’re running it, the “impersonation step” won’t matter and won’t succeed since the first run took out that person’s permission to make that change.

      1. I’m in the testing phase, so I am the person running the workflow, and I’m a Site Collection Admin.

  2. I like this a lot. I set the library up with a person/group field, and set the workflow to run on change, and gave the following condition: if person/group field not empty replace read on current item. This works great when I have 1 person in the person/group field, but it throws an error when I add a second person. Is that by design?

    1. If you use a group, make sure the settings for the group allow “anyone” to see the group membership. Also make sure under the person/group column settings that you allow multi-select, and people AND groups.

  3. Really enjoyed the post! I’m planning on using this for automating permissions for list items in a SharePoint Online extranet for partner organizations. Since I have about 100 organizations and limited resources for managing separate sites for each agency, I’m planning on creating a single site and managing permissions, for example for list items, through workflows. I have a couple of possible scenarios that I would appreciate your insights on:

    How would I go about using this for assigning View permissions for the person who creates a new list item AND anyone in that person’s organization?
    If I had a Flow set up to bring on-premises data into a SharePoint list, how could I make sure that the person who is viewing the list will only see the data related to their organization (if we assume that all data for different agencies is on the same list)? The data has an agency code column and I’m planning on using the same code on the extranet user profiles that will be managed via Azure Active Directory.

    Could this permission automation be used for these scenarios or would you recommend some other option?

    Thanks in advance for all the help!

  4. Great blog! Although it’s worth noting that the workflow author must have permissions on the list or library. If the person who created the workflow leaves the organisation, then the workflow won’t run. Therefore it is best practice to ensure that if you are running an impersonation step, the workflow author is a system admin or a system account that is set up to create workflows.
