Add or Remove Item Level Permission in SharePoint using CSOM

In this article I show C# code samples to add or remove item-level permissions using CSOM (Client Object Model). Sometimes a business requirement calls for giving some users read permission on a certain document item and giving other users write permission on the same list item. To achieve this, we need to add explicit permissions to that particular list item. To add unique permissions, we first need to stop inheriting permissions (break the inheritance) on that document item.

 

Set Item Level Permission in SharePoint Online

The following CSOM-based C# code first breaks the permission inheritance of a list item and then grants a unique permission.

// Requires: using Microsoft.SharePoint.Client;
public static void AddItemLevelPermissions()
{
    string siteUrl = "https://sptenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        var web = ctx.Web;
        ctx.Load(ctx.Web, a => a.Lists);
        ctx.ExecuteQuery();

        List list = ctx.Web.Lists.GetByTitle("TestDocLibrary");
        string itemName = "TestFile.txt";
        // Match the document by its file name (FileLeafRef field).
        CamlQuery camlQuery = new CamlQuery();
        camlQuery.ViewXml = "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>" + itemName +
            "</Value></Eq></Where></Query></View>";
        var listItems = list.GetItems(camlQuery);
        ctx.Load(listItems, a => a.Include(i => i.HasUniqueRoleAssignments));
        ctx.ExecuteQuery();

        foreach (var listItem in listItems)
        {
            if (!listItem.HasUniqueRoleAssignments)
            {
                // First argument (copyRoleAssignments) false: do not copy the parent's role assignments.
                // Second argument (clearSubscopes) false: leave unique permissions on child objects as they are.
                listItem.BreakRoleInheritance(false, false);
                ctx.ExecuteQuery();
            }
            var roleAssignments = listItem.RoleAssignments;
            //var user_group = web.SiteGroups.GetByName("Site Members");
            var user_group = web.SiteUsers.GetByLoginName("i:0#.f|membership|[email protected]");
            var roleDefCol = new RoleDefinitionBindingCollection(ctx);
            // Add a role definition, e.g. Full Control (RoleType.Administrator),
            // Contribute (RoleType.Contributor) or Read (RoleType.Reader).
            roleDefCol.Add(web.RoleDefinitions.GetByType(RoleType.Contributor));
            roleAssignments.Add(user_group, roleDefCol);
            ctx.Load(roleAssignments);
            listItem.Update();
            ctx.ExecuteQuery();
        }
    }
}

Remove/Delete Item Level Permission

You can use the following C# code to remove a permission if you no longer need a unique permission on a particular list item.

// Requires: using Microsoft.SharePoint.Client;
public static void RemoveItemLevelPermission()
{
    string siteUrl = "https://sptenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        var web = ctx.Web;
        ctx.Load(ctx.Web, a => a.Lists);
        ctx.ExecuteQuery();

        List list = ctx.Web.Lists.GetByTitle("TestDocLibrary");
        string document = "TestFile.txt";
        // Match the document by its file name (FileLeafRef field).
        CamlQuery camlQuery = new CamlQuery();
        camlQuery.ViewXml = "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>" + document + "</Value></Eq></Where></Query></View>";

        var items = list.GetItems(camlQuery);
        ctx.Load(items);
        ctx.ExecuteQuery();
        foreach (var item in items)
        {
            // The item must already have unique permissions and the principal
            // must have a role assignment on it; otherwise the call below fails.
            //var user_group = web.SiteGroups.GetByName("Site Members");
            var user_group = web.SiteUsers.GetByLoginName("i:0#.f|membership|[email protected]");
            item.RoleAssignments.GetByPrincipal(user_group).DeleteObject();
            ctx.ExecuteQuery();
        }
    }
}

Delete All Unique Permissions

Sometimes you may want to remove all the explicit permissions from a list item and reset the broken inheritance (restore inheritance from the parent). In this case, you can use the following CSOM code to delete all unique permissions and reset the broken inheritance.

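// Requires: using Microsoft.SharePoint.Client;
public static void ResetRoleInheritanceInListItem()
{
    string siteUrl = "https://sptenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        var web = ctx.Web;
        ctx.Load(ctx.Web, a => a.Lists);
        ctx.ExecuteQuery();

        List list = ctx.Web.Lists.GetByTitle("TestDocLibrary");
        string document = "TestFile.txt";
        // Match the document by its file name (FileLeafRef field).
        CamlQuery camlQuery = new CamlQuery();
        camlQuery.ViewXml = "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>" + document + "</Value></Eq></Where></Query></View>";

        var items = list.GetItems(camlQuery);
        ctx.Load(items);
        ctx.ExecuteQuery();
        foreach (var item in items)
        {
            // Drops the item's unique role assignments and inherits from the parent again.
            item.ResetRoleInheritance();
            ctx.ExecuteQuery();
        }
    }
}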
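
Review Item Level Permissions

After adding, removing or resetting permissions it is worth checking what is actually set on the items. The following is an added example, not code from the original article: it lists every item in a library that has unique permissions, with each principal and its permission levels. The class and method names are hypothetical, and it assumes an already authenticated ClientContext and a library below the list view threshold.

```csharp
using System;
using Microsoft.SharePoint.Client;

public static class ItemPermissionAudit
{
    // Hypothetical helper (added example). Assumes ctx is already authenticated
    // and the library is below the list view threshold.
    public static void ReportUniquePermissions(ClientContext ctx, string listTitle)
    {
        List list = ctx.Web.Lists.GetByTitle(listTitle);
        ListItemCollection items = list.GetItems(CamlQuery.CreateAllItemsQuery());
        ctx.Load(items, col => col.Include(
            i => i.Id,
            i => i["FileLeafRef"],
            i => i.HasUniqueRoleAssignments));
        ctx.ExecuteQuery();

        // Queue the role assignments of every item with broken inheritance,
        // then fetch them all in one round trip.
        foreach (ListItem item in items)
        {
            if (!item.HasUniqueRoleAssignments) continue;
            ctx.Load(item.RoleAssignments, ras => ras.Include(
                ra => ra.Member.LoginName,
                ra => ra.Member.PrincipalType,
                ra => ra.RoleDefinitionBindings.Include(rd => rd.Name)));
        }
        ctx.ExecuteQuery();

        // Print one line per principal: login name, principal type, permission levels.
        foreach (ListItem item in items)
        {
            if (!item.HasUniqueRoleAssignments) continue;
            Console.WriteLine("{0} (ID {1})", item["FileLeafRef"], item.Id);
            foreach (RoleAssignment ra in item.RoleAssignments)
            {
                var levels = new System.Collections.Generic.List<string>();
                foreach (RoleDefinition rd in ra.RoleDefinitionBindings)
                    levels.Add(rd.Name);
                Console.WriteLine("    {0} [{1}]: {2}",
                    ra.Member.LoginName, ra.Member.PrincipalType,
                    string.Join(", ", levels));
            }
        }
    }
}
```

Call it with the same context and library title used above, for example ReportUniquePermissions(ctx, "TestDocLibrary"), before and after a change to confirm that only the intended principals remain on the item.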


8 thoughts on “Add or Remove Item Level Permission in SharePoint using CSOM”

    • I have tested with Global Administrator account. I think contribute permission might not be enough to modify permissions (especially delete operation), you should have Full Control permission.

  1. Hi, really nice and helpful article.
    Is it possible to get the same concept using PowerShell?
    I want to do it in PowerShell. Can anyone please help me?

  2. Hi, do you have any idea why, when a folder's inheritance is broken and you remove a group or user from it, the permissions of its contents are deleted? I am using C_item.BreakRoleInheritance(true, false); to break inheritance.
