SharePoint List permissions - read only for all items - can anyone clever suggest a fix?

Sam Hegarty 1 Reputation point
2021-04-30T06:08:21.773+00:00

I have created a Modern SharePoint list that allows an AD group called 'all-staff' to create items and edit their own. I have done this by setting the item level permissions correctly and having that group set to 'contribute' under the permissions. That part works fine.

I'm having trouble with the next step however, because of the settings above. I want to grant read access to the list to certain people. To do this, I copied the 'read' permission level and selected 'override list behaviours' so it would not apply the item level permissions, allowing them to see all records. However, because they are part of the 'all-staff' group which has the 'contribute' setting applied, it's letting this group edit the records. If I unselect 'edit items' under contribute, the problem goes away but causes issues for all staff who need to edit.

I thought this would be straightforward but not so much! Other than removing them from all-staff (which I technically can't do anyway), does anyone have a light-bulb suggestion to apply read access to this limited group of staff?

Microsoft 365 and Office | SharePoint | For business | Windows

2 answers

  1. JoyZ 18,111 Reputation points
    2021-05-03T06:08:36.617+00:00

    @Sam Hegarty ,

    From your description, you grant Contribute permission to the "all staff" group on this list, set the item-level permissions to restrict items, then grant a Read permission level with "override list behaviours" appended to some of the group's users, and those users can then also edit items.
    This is the expected behavior, since some of the group's users have both Read and Contribute permissions on this list.

    We recommend you use users outside the "all-staff" group, then grant them the Read permission with "override list behaviours" appended so they can read all items in this list.



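The setup described in the question and the answer, reproduced as an added example with PnP PowerShell (this is not code from the thread or from Microsoft's documentation). It configures item-level permissions on the list, grants Contribute to the all-staff group, clones the built-in Read level with "Override List Behaviors" added, grants that to a second group, and then reports a user's effective rights on the list. The site URL, the list name "Requests", the SharePoint group names "all-staff" and "Reviewers", the custom level name "Read All Items" and the two login names are assumptions; the effective-permission check is what shows the union behaviour the answer describes.

```powershell
# Added example, not from the thread. Assumptions (placeholders, adjust to your
# tenant): site URL, list "Requests", a SharePoint group "all-staff" holding the
# AD group, a SharePoint group "Reviewers" for the read-everything people, and
# the two sample login names. Requires the PnP.PowerShell module.
$SiteUrl  = "https://contoso.sharepoint.com/sites/requests"   # placeholder
$ListName = "Requests"                                          # placeholder

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Stop inheriting from the site, so only grants made on the list apply here.
#    Without this, anyone with Contribute on the site also edits this list.
Set-PnPList -Identity $ListName -BreakRoleInheritance -CopyRoleAssignments

# 2. Item-level permissions (List settings > Advanced settings in the UI).
#    ReadSecurity : 1 = read all items, 2 = read only items the user created
#    WriteSecurity: 1 = create and edit all, 2 = create and edit own, 4 = none
Set-PnPList -Identity $ListName -ReadSecurity 2 -WriteSecurity 2

# 3. Everyone in all-staff gets Contribute, scoped to their own items by step 2.
Set-PnPListPermission -Identity $ListName -Group "all-staff" -AddRole "Contribute"

# 4. Clone the built-in Read level and add "Override List Behaviors", which the
#    client object model names PermissionKind.CancelCheckout. That right is what
#    lets a reader see items other people created despite step 2.
if (-not (Get-PnPRoleDefinition -Identity "Read All Items" -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName "Read All Items" -Clone "Read" -Include CancelCheckout `
        -Description "Read every item regardless of item-level permission settings"
}
Set-PnPListPermission -Identity $ListName -Group "Reviewers" -AddRole "Read All Items"

# 5. Effective-permission check. SharePoint unions every grant that reaches a
#    user, so a Reviewer who is also in all-staff keeps EditListItems. A second
#    grant can only add rights; it never removes rights from an earlier one.
function Test-ListEffectivePermission {
    param(
        [Parameter(Mandatory)] [string] $List,
        [Parameter(Mandatory)] [string] $LoginName   # claims form, e.g. "i:0#.f|membership|user@contoso.com"
    )
    $l = Get-PnPList -Identity $List
    $perms = $l.GetUserEffectivePermissions($LoginName)   # CSOM, queued until Invoke-PnPQuery
    Invoke-PnPQuery
    [pscustomobject]@{
        User         = $LoginName
        CanRead      = $perms.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewListItems)
        CanEdit      = $perms.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::EditListItems)
        SeesAllItems = $perms.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::CancelCheckout)
    }
}

# Placeholder accounts: the first is in both groups, the second only in Reviewers.
Test-ListEffectivePermission -List $ListName -LoginName "i:0#.f|membership|staff.reviewer@contoso.com"
Test-ListEffectivePermission -List $ListName -LoginName "i:0#.f|membership|external.auditor@contoso.com"
```

Run after the configuration, the first check reports CanEdit and SeesAllItems both true (Contribute from all-staff plus the cloned Read level), the second reports CanEdit false and SeesAllItems true. Item-level permissions (step 2) restrict which items a Contribute user can touch, but they cannot subtract EditListItems from someone who holds it through another grant, which is why the only way to get a read-only, see-everything user on this list is for that user's grants to contain no Contribute at all.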

  2. Sam Hegarty 1 Reputation point
    2021-05-05T05:34:43.457+00:00

    Hi Julie

    While this might be expected behavior, in reality it makes things really difficult to manage. The all-staff list has 7000 staff on it, so excluding users out of that group is tricky. Besides, they should still be able to contribute anyway.

    Having started with PowerApps and had such great control over access, SharePoint lists seem to be really lagging in terms of granular permissions. There isn't an obvious answer out there for a very common scenario, which is:

    1. To point users to a PowerApp to request something that will go through multiple approvers. If they happen to come across the SharePoint list, they should only see their own (but ideally they wouldn't have access to the data via any other means than PowerApps)
    2. For a manager to see and update their approval, but not requests for staff they don't manage
    3. For a director to see all the approvals in their department, but no others
    4. For IT to see all approvals and create their own if they wish, but not be able to edit their requests

    From everything I've seen online, there are various hacks that address step 1 (in terms of not seeing the SharePoint list), but the rest seem to read and write your own items, or read and write everything.

    Please correct me if I'm wrong and point me to where I can meet the scenarios above, but I'm yet to discover it. The closest thing I've found is sharing then granting access to an individual item, however the item-level permissions seem to override it which rules that out.

