Torill S
Copper Contributor
Mar 01, 2017
Solved

Custom list - item-level permissions

I have a question about the "item-level permission"-option found in list advanced settings on custom lists. Here you can choose that users can only see or edit items that they themselves have created. How secure is this option? I have noticed that all people that have access to the list are listed on Permissions for the item. Does this work like the [Me]-filter, so it hides the items from people but that this item can be accessed through other ways?

10 Replies

  • Hi Torill,

    The item permission will really secure the content from other users, there's no way to access them, also not via SharePoint search.

    However, Administrators and Site Owners with Full Control still have the access and can see all items. This makes sense, because users with Full Control are responsible for maintaining the site and therefore should have access to all within this scope.

    However, as Tiago already stated, I'd be careful with item level permission. The limit will be reached very fast when you have a couple of users and items. See this scenario: You have 3 items and 3 users. How many single item permissions do you have? Three? No, it's 9 already!

    Item 1:
    User 1 yes
    User 2 no
    User 3 no

    Item 2:
    User 1 no
    User 2 yes
    User 3 no

    Item 3:
    User 1 no
    User 2 no
    User 3 yes

    Hence, I'd only recommend to have this on a small list with only a few users and make sure you have a kind of retention so that outdated items (and their permissions) will be deleted automatically.

    Summarized, item level permissions really secure each item, but consider the above-mentioned limitations. If you want to achieve a certain scenario, please let us know and we can maybe recommend best practices. :-)

    Happy "SharePointing"

    • Ronald Kushner
      Copper Contributor

      It's not working for me (in SPOnline). My test users only have read and create (add), but they are able to see all of the list items that they did not create. The advanced settings are Read items that were created by the user & Create items and edit items that were created by the user.

      • Robse
        MVP

        Hi Ronald, when you break inheritance, it first copies the existing permissions. Hence, if you really want to limit on an item-level basis, remove all existing permissions first and then start assigning new permissions.

        Zoltan Bagyon is also right, there may be some "Limited Permissions" on the root or other higher permissions anywhere else in the "SPO universe", which could still grant the users concerned access. Try his suggested solution to check the resulting permissions on your items.

  • A view is just a query presenting the data, has no security applied.

    Setting "can only edit own items" is done at permissions level, so they can only edit the items they have created as that user.

    • Torill S
      Copper Contributor

      Yes, I know that a view does not apply security, which is why I am wondering if this setting does change the permissions on the item, as the setting suggests ("item-level permissions") or if it is just creating a view. The list item still inherits permissions from the list, so everyone with access to the list is still listed with permissions on the item, even if they are not able to view or change it after this setting has been set.

      Is it possible for users with access to the list (and thereby to all items that inherit from the list) to get access to list items they have not created through e.g. MS Graph, or is this a secure way to keep the access to list items only to the person who created the list item?

      • Peter Stilgoe
        Iron Contributor

        I haven't got time to test but I would:

        - Set as can only view own items
        - Create an item with your user account
        - Search for that item with another account, e.g. does it appear? I would say 99% not, as the feature would be useless, but I have not tested

        Would also depend on your particular scenario as well & how secure it needs to be, obviously anyone able to edit the list could change the setting on the list & then view all the items if they really wanted to.
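
An added example, not written by any poster in this thread: a PnP.PowerShell audit that reports the list's item-level permission setting next to each item's actual role assignments, which is the "check the resulting permissions on your items" step recommended above and a companion to the manual second-account test. It assumes the PnP.PowerShell module, an existing `Connect-PnPOnline` session to the site under an account allowed to enumerate permissions, and a placeholder list title.

```powershell
# Added example. $ListTitle is a placeholder; a Connect-PnPOnline session
# to the site is assumed to exist already.
param([string]$ListTitle = 'My Custom List')

# List-level "Item-level Permissions" setting (List settings > Advanced settings).
# ReadSecurity:  1 = read all items, 2 = read only items the user created.
# WriteSecurity: 1 = edit all items, 2 = edit only own items, 4 = none.
$list = Get-PnPList -Identity $ListTitle -Includes ReadSecurity, WriteSecurity
[pscustomobject]@{
    List          = $list.Title
    ReadSecurity  = $list.ReadSecurity
    WriteSecurity = $list.WriteSecurity
} | Format-List

# Per item: does it inherit from the list, and which principals other than
# its creator hold a role assignment on it (inherited or unique)?
$report = foreach ($item in Get-PnPListItem -List $list -PageSize 500) {
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null
    $authorId = $item['Author'].LookupId

    $others = foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($ra.Member.Id -ne $authorId) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ', '
            '{0} [{1}]' -f $ra.Member.LoginName, $roles
        }
    }

    [pscustomobject]@{
        ItemId            = $item.Id
        CreatedBy         = $item['Author'].LookupValue
        UniquePermissions = $item.HasUniqueRoleAssignments
        OtherPrincipals   = $others -join '; '
    }
}

$report | Sort-Object ItemId | Format-Table -AutoSize -Wrap
```

An item that reports `UniquePermissions = False` with a populated `OtherPrincipals` column is showing role assignments inherited from the list, which matches what the question describes seeing on the item's Permissions page.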
