Forum Discussion

Josef Kučera
Copper Contributor
Nov 30, 2018

How to stop inheritance and remove Group permissions on List or Document library using PnP cmdlets

Hi,

 

I need to break inheritance and remove permissions on a List using PnP cmdlets.

 

I am now using the following code to break inheritance and remove External group:

 

$web = Get-PnPWeb
$spoList= Get-PnPList "MyList" -Web $web
$spoList.BreakRoleInheritance($true, $true)
$spoList.Update()

$spoList.Context.Load($spoList)
$spoList.Context.ExecuteQuery()

Set-PnPGroupPermissions -Identity "External group" -List "MyList" -RemoveRole @("Read")

 

This code will remove "External group" from the list, but it won't remove "External users" with role "Limited Access".

What I need is that it removes that group completely, because "External users" can still access this list via the navigation menu, though with limited access...

I can manually remove this group via UI but that is not what I want.

 

Thanks in advance.

 

Regards,

Josef

3 Replies

  • Hi Josef,

     

    Not sure if you found the answer to this yet, but have you tried this: setting the parameters in BreakRoleInheritance to false?

     

    $spoList.BreakRoleInheritance($false, $false)

     

    • Josef Kučera
      Copper Contributor
      Hi Pavithra,

      No, I haven't found an answer yet. Actually, I resolved it by enabling the site collection feature called "Limited-access user permission lockdown mode". It helped.
      Not sure if this is the proper way.

      But I will give your suggestion a try.

      Thanks a lot.
      Josef
      • arychagov
        Copper Contributor

        Josef Kučera 

        Hi Josef, if you need to completely remove user/group permissions from the list, then you can call the DeleteObject() method on the RoleAssignment object associated with that user/group.
        Here is the full snippet for your convenience and for anyone else who stumbles on this post.
        (I use the on-prem version of the SharePoint PnP PowerShell module.)

         

        Import-Module SharePointPnPPowerShell2016 -DisableNameChecking

        $webUrl = 'https://sharepoint.domain.com/sites/mySite'
        $groupName = 'External Group'
        $listTitle = 'Documents'

        Connect-PnPOnline -Url $webUrl -CurrentCredentials

        $grp = Get-PnPGroup -Identity $groupName

        if ($grp)
        {
            ### Make sure Documents library has unique Role Assignments
            $list = Get-PnPList -Identity $listTitle -Includes HasUniqueRoleAssignments
            if (-not $list.HasUniqueRoleAssignments)
            {
                # Break role inheritance (copyRoleAssignments, clearSubscopes)
                $list.BreakRoleInheritance($true, $true)
                $list.Update()
                $list.Context.Load($list)
                $list.Context.ExecuteQuery()
            }

            ### Make sure the Group has no access to Documents library

            # Get list role assignments
            Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null

            # Remove Role Assignment with specified PrincipalId (if exists)
            $ra = $list.RoleAssignments.GetByPrincipalId($grp.Id)
            $list.Context.Load($ra)
            try { $list.Context.ExecuteQuery() }
            catch { Write-Verbose ("Couldn't retrieve RoleAssignment on '{0}' with PrincipalId '{1}'. Exception: '{2}'" -f $list.Title, $grp.Id, $PSItem.Exception.InnerException.Message) -Verbose }

            if ($ra.PrincipalId -eq $grp.Id)
            {
                $ra.DeleteObject()
                $list.Update()
                $list.Context.ExecuteQuery()
            }
        }
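
A verification check for the removal discussed in this thread, added here as an example and not part of any poster's code: it lists what a principal still holds on a list and flags entries that are only "Limited Access". The function names Get-ListRoleAssignmentRecord and Find-ResidualAccess are hypothetical, the sample records are constructed, and the role name is assumed to be the English display name.

```powershell
# Added example; function names are hypothetical, not PnP cmdlets.

function Get-ListRoleAssignmentRecord {
    # Flattens a list's role assignments into plain objects.
    # Assumes an existing Connect-PnPOnline session.
    param([Parameter(Mandatory)][string]$ListTitle)
    $list = Get-PnPList -Identity $ListTitle -Includes HasUniqueRoleAssignments
    Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null
    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            List        = $ListTitle
            Unique      = $list.HasUniqueRoleAssignments
            PrincipalId = $ra.PrincipalId
            Principal   = $ra.Member.Title
            Roles       = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        }
    }
}

function Find-ResidualAccess {
    # Returns every record still held by the named principal. LimitedOnly is
    # true when the only role left is "Limited Access" (English display name).
    param([object[]]$Record,
          [Parameter(Mandatory)][string]$PrincipalName)
    foreach ($r in $Record) {
        if ($r.Principal -ne $PrincipalName) { continue }
        $other = @($r.Roles | Where-Object { $_ -ne 'Limited Access' })
        [pscustomobject]@{
            List        = $r.List
            Principal   = $r.Principal
            Roles       = $r.Roles -join ', '
            LimitedOnly = ($other.Count -eq 0)
        }
    }
}

# Constructed sample records (offline), shaped like the collector's output.
$sample = @(
    [pscustomobject]@{ List = 'MyList'; Unique = $true; PrincipalId = 5;  Principal = 'Site Owners';    Roles = @('Full Control') }
    [pscustomobject]@{ List = 'MyList'; Unique = $true; PrincipalId = 12; Principal = 'External users'; Roles = @('Limited Access') }
)
Find-ResidualAccess -Record $sample -PrincipalName 'External users'

# Live check after the removal script has run (needs a connection):
# Find-ResidualAccess -Record (Get-ListRoleAssignmentRecord -ListTitle 'MyList') -PrincipalName 'External users'
```

An empty result from the live check means the principal has no role assignment left on the list.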

         
