What PowerShell can detect if an item's permissions are the same as its parent? (SharePoint Online Document Library).

frob 4,261 Reputation points
2022-09-04T16:03:39.687+00:00

Hi there

What PowerShell can detect if an item's permissions are the same as its parent? (SharePoint Online Document Library).

Thanks.


Accepted answer
  1. Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff
    2022-09-21T01:21:28.037+00:00

    Hi @frob ,
    I'm glad to hear you solved the problem. If you have any issue about SharePoint, you are welcome to raise a ticket in this forum.
    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others." and according to the scenario introduced here, Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:
    [SharePoint online: Sharepoint and MS Excel Refreshable Reports - Chrome affects wrapping text]

    Issue Symptom:
    What PowerShell can detect if an item's permissions are the same as its parent? (SharePoint Online Document Library).

    Current status:
    We have thousands of files with unique permissions, and their parent folders have the same permissions. We need the script to clean up. The script needs to explicitly match whether item permissions are the same as those of the parent. This script turned out to be useful.
    243190-checkpermission.txt
    You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community members to see the useful information when reading this thread. Thanks for your understanding!


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


3 additional answers

  1. Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff
    2022-09-05T10:10:35.1+00:00

    Hi @frob
    Detecting whether an item has the same permissions as its parent can be done by judging whether the item has unique permissions. Having unique permissions means that it has different permissions from its parent, and the script outputs the ID.
    Please run the following PnP PowerShell code:
    237778-checkuniquepermission.txt
    The running result is shown in the following figure:
    237740-image.png
    237699-image.png




  2. Limitless Technology 39,916 Reputation points
    2022-09-06T07:36:22.97+00:00

    Hello there,

    You can check for unique permissions. If that is the case, then the permissions are not inherited.

    I found this script online where we can search for unique permissions in the SharePoint Online list or library with PnP PowerShell.

    #Set Variables
    $SiteURL = "Your site URL"
    $ListName = "Projects"

    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get all list items in batches
    $ListItems = Get-PnPListItem -List $ListName -PageSize 2000

    #Iterate through each list item
    ForEach($ListItem in $ListItems)
    {
        #Check if the Item has unique permissions
        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If($HasUniquePermissions)
        {
            Write-Host -f Green "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' has Unique Permissions"
        }
        Else
        {
            Write-Host -f Yellow "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' is inheriting Permissions from its Parent"
        }
    }


    --If the reply is helpful, please Upvote and Accept it as an answer--


  3. frob 4,261 Reputation points
    2022-09-20T18:53:15.367+00:00

    Hi there,
    If someone else needs this, I found this script to be useful.
    Thanks.

    #Function to get the permissions on a particular List, Folder or List Item
    Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
    {
        $ParentUrl = ""
        $Id = ""
        #Determine the type of the object
        Switch($Object.TypedObject.ToString())
        {
            "Microsoft.SharePoint.Client.ListItem"
            {
                If($Object.FileSystemObjectType -eq "Folder")
                {
                    $ObjectType = "Folder"
                    $Id = $Object.Id
                    #Get the URL of the Folder
                    $Folder = Get-PnPProperty -ClientObject $Object -Property Folder
                    $ObjectTitle = $Object.Folder.Name
                    $ObjectURL = $Object.Folder.ServerRelativeUrl
                    $ParentUrl = (Split-Path $ObjectURL -Parent).Replace("\","/")
                }
                Else #File or List Item
                {
                    #Get the URL of the Object (assigned to $null so the loaded values are not emitted as function output)
                    $null = Get-PnPProperty -ClientObject $Object -Property File, ParentList
                    If($Object.File.Name -ne $Null)
                    {
                        $ObjectType = "File"
                        $Id = $Object.Id
                        $ObjectTitle = $Object.File.Name
                        $ObjectURL = $Object.File.ServerRelativeUrl
                        $ParentUrl = (Split-Path $ObjectURL -Parent).Replace("\","/")
                    }
                    else
                    {
                        $ObjectType = "List Item"
                        $Id = $Object.Id
                        $ObjectTitle = $Object["Title"]
                        #Get the URL of the List Item
                        $DefaultDisplayFormUrl = Get-PnPProperty -ClientObject $Object.ParentList -Property DefaultDisplayFormUrl
                        $ObjectURL = $("{0}?ID={1}" -f $DefaultDisplayFormUrl,$Object.ID)
                    }
                }
            }
            Default
            {
                $ObjectType = "List or Library"
                $ObjectTitle = $Object.Title
                $Id = $Object.Id
                #Get the URL of the List or Library
                $RootFolder = Get-PnPProperty -ClientObject $Object -Property RootFolder
                $ObjectURL = $RootFolder.ServerRelativeUrl
            }
        }

        #Get permissions assigned to the object (again assigned to $null to keep the return value clean)
        $null = Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments

        #Check if Object has unique permissions
        $HasUniquePermissions = $Object.HasUniqueRoleAssignments

        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $Object.RoleAssignments)
        {
            #Get the Permission Levels assigned and Member
            $null = Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

            #Get the Principal Type: User, SP Group, AD Group
            $PermissionType = $RoleAssignment.Member.PrincipalType

            #Get the Permission Levels assigned
            $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

            #Remove Limited Access
            $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","

            #Leave Principals with no Permissions
            If($PermissionLevels.Length -eq 0) {Continue}

            #Get SharePoint group members
            If($PermissionType -eq "SharePointGroup")
            {
                #Get Group Members (Get-PnPGroupMember takes the group through -Group)
                $GroupMembers = Get-PnPGroupMember -Group $RoleAssignment.Member.LoginName

                #Leave Empty Groups
                If($GroupMembers.count -eq 0){Continue}
                $GroupUsers = ($GroupMembers | Select -ExpandProperty Title) -join "; "

                #Add the Data to Object
                $Permissions = New-Object PSObject
                $Permissions | Add-Member NoteProperty ObjectId($Id)
                $Permissions | Add-Member NoteProperty Object($ObjectType)
                $Permissions | Add-Member NoteProperty Title($ObjectTitle)
                $Permissions | Add-Member NoteProperty URL($ObjectURL)
                $Permissions | Add-Member NoteProperty ParentUrl($ParentUrl)
                $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
                $Permissions | Add-Member NoteProperty Users($GroupUsers)
                $Permissions | Add-Member NoteProperty Type($PermissionType)
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                $PermissionCollection += $Permissions
            }
            Else
            {
                #Add the Data to Object
                $Permissions = New-Object PSObject
                $Permissions | Add-Member NoteProperty ObjectId($Id)
                $Permissions | Add-Member NoteProperty Object($ObjectType)
                $Permissions | Add-Member NoteProperty Title($ObjectTitle)
                $Permissions | Add-Member NoteProperty URL($ObjectURL)
                $Permissions | Add-Member NoteProperty ParentUrl($ParentUrl)
                $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
                $Permissions | Add-Member NoteProperty Users($RoleAssignment.Member.Title)
                $Permissions | Add-Member NoteProperty Type($PermissionType)
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                $PermissionCollection += $Permissions
            }
        }
        return $PermissionCollection
    }

    function Check-Permission
    {
      param(
         $DocumentLib,
         $FolderName
      )
      $folderPermission = @()
      #Get the Context
      $Context = Get-PnPContext
      $List = Get-PnPList -Identity $DocumentLib -Includes RoleAssignments

      $folderPermission += Get-PnPPermissions $List

      #The server-relative URLs below assume the site is the tenant root, so they start with "/<library name>"
      if($FolderName -eq "")
      {
        $ListItems = Get-PnPListItem -List $List -PageSize 500
      }
      else
      {
        $ParentItem = Get-PnPListItem -List $List | Where-Object {$_.FieldValues.FileRef -eq "/$($DocumentLib)/$FolderName"}
        $folderPermission += Get-PnPPermissions -Object $ParentItem
        $ListItems = Get-PnPListItem -List $List -PageSize 500 -FolderServerRelativeUrl "/$($DocumentLib)/$FolderName"
      }

      ForEach($ListItem in $ListItems)
      {
          $folderPermission += Get-PnPPermissions -Object $ListItem
      }
      $FilesOrFolderWithUP = $folderPermission | Where-Object {$_.HasUniquePermissions -eq $true}

      $GroupedObject = $FilesOrFolderWithUP | Group-Object -Property "URL"

      foreach($GroupObj in $GroupedObject)
      {
       if($GroupObj.Group[0].ParentUrl -ne $null -and $GroupObj.Group[0].ParentUrl -ne "")
       {
        $ParentObject = $folderPermission | Where-Object {$_.URL -eq $GroupObj.Group[0].ParentUrl} | Group-Object -Property "URL"
        #Skip items whose parent was not collected; Compare-Object does not accept a null reference set
        if($null -eq $ParentObject) {Continue}
        #Compare only the grants: ObjectId, Title, URL and ParentUrl always differ between an item and its parent
        $Result = Compare-Object -ReferenceObject $ParentObject.Group -DifferenceObject $GroupObj.Group -Property Users, Type, Permissions, GrantedThrough
        if($null -eq $Result)
        {
          $GroupObj.Group[0].Url
          #Set-PnPListItemPermission -List $GroupObj.Group[0].Url -Identity $GroupObj.Group[0].Url -InheritPermissions
          $Item = Get-PnPListItem -List $List -Id $GroupObj.Group[0].ObjectId
          #Remove the unique permissions so the item inherits from its parent again
          $Item.ResetRoleInheritance()
          $Item.Update()
          $Context.ExecuteQuery()
          Write-Host "The $($GroupObj.Group[0].Url) unique permission has been stopped" -ForegroundColor Green
        }
       }
      }
    }

    $SiteURL = "https://domain.sharepoint.com"

    $DocumentLibrary = "Document Name"

    $FolderName = "Test"

    #Connect to SharePoint Online
    Connect-PnPOnline $SiteURL -UseWebLogin

    Check-Permission -DocumentLib "$($DocumentLibrary)" -FolderName $($FolderName)
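
As an added example that is not code from the thread: the "same as parent" decision in Check-Permission is only sound if it ignores the identity fields (ObjectId, Title, URL, ParentUrl), which always differ between an item and its parent, so this standalone helper compares just the grant fields of entries shaped like Get-PnPPermissions output, and it runs offline. Test-SameAsParent and Get-PermissionKey are assumed names, and the sample data is constructed.

```powershell
# Added example (not from the thread). Decides whether an item's unique permissions
# are equivalent to its parent's, using entries of the shape Get-PnPPermissions
# returns. Test-SameAsParent and Get-PermissionKey are hypothetical helper names.

function Get-PermissionKey {
    param($Entry)
    # Normalise one assignment to "how|who|levels"; drop "Limited Access", which
    # SharePoint adds implicitly so a principal can traverse parent containers.
    $levels = @(($Entry.Permissions -split ',') | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'Limited Access' } | Sort-Object)
    if ($levels.Count -eq 0) { return $null }
    return ('{0}|{1}|{2}' -f $Entry.GrantedThrough, $Entry.Users, ($levels -join ','))
}

function Test-SameAsParent {
    param($ParentPermissions, $ItemPermissions)
    # Compare only what is granted. Comparing the whole objects would also compare
    # ObjectId and URL, which differ for every child, so nothing would ever match.
    $parentKeys = @($ParentPermissions | ForEach-Object { Get-PermissionKey $_ } |
        Where-Object { $_ } | Sort-Object -Unique)
    $itemKeys = @($ItemPermissions | ForEach-Object { Get-PermissionKey $_ } |
        Where-Object { $_ } | Sort-Object -Unique)
    if ($parentKeys.Count -ne $itemKeys.Count) { return $false }
    if ($parentKeys.Count -eq 0) { return $true }
    $diff = Compare-Object -ReferenceObject $parentKeys -DifferenceObject $itemKeys
    return ($null -eq $diff)
}

# Constructed sample data; ObjectId and URL differ between parent and child by design.
$parent = @(
    [pscustomobject]@{ ObjectId = 1; URL = '/Shared Documents'; Users = 'Alice; Bob'; Type = 'SharePointGroup'; Permissions = 'Edit'; GrantedThrough = 'SharePoint Group: Team Members' }
    [pscustomobject]@{ ObjectId = 1; URL = '/Shared Documents'; Users = 'Carol'; Type = 'User'; Permissions = 'Read'; GrantedThrough = 'Direct Permissions' }
)
# Same grants as the parent, listed in a different order
$sameChild = @(
    [pscustomobject]@{ ObjectId = 42; URL = '/Shared Documents/a.docx'; Users = 'Carol'; Type = 'User'; Permissions = 'Read'; GrantedThrough = 'Direct Permissions' }
    [pscustomobject]@{ ObjectId = 42; URL = '/Shared Documents/a.docx'; Users = 'Alice; Bob'; Type = 'SharePointGroup'; Permissions = 'Edit'; GrantedThrough = 'SharePoint Group: Team Members' }
)
# One extra direct grant: resetting inheritance here would silently remove Dave's access
$extraChild = $sameChild + [pscustomobject]@{ ObjectId = 42; URL = '/Shared Documents/a.docx'; Users = 'Dave'; Type = 'User'; Permissions = 'Contribute'; GrantedThrough = 'Direct Permissions' }

"a.docx (same grants): safe to reset inheritance = $(Test-SameAsParent $parent $sameChild)"
"a.docx (extra grant): safe to reset inheritance = $(Test-SameAsParent $parent $extraChild)"
```

Run the check over each grouped item before calling ResetRoleInheritance(), and log the items it rejects, since those are the ones where a cleanup would change who has access.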
    
