Forum Discussion
How to stop inheritance and remove Group permissions on List or Document library using PnP cmdlets
Hi Josef,
Not sure if you found the answer to this yet, but have you tried this: setting the parameters in BreakRoleInheritance to false?
$spoList.BreakRoleInheritance($false, $false)
- Josef Kučera, Feb 05, 2019, Copper Contributor
Hi Pavithra,
no, I haven't found an answer yet. Actually, I resolved it by enabling the site collection feature called "Limited-access user permission lockdown mode". It helped.
Not sure if this is the proper way.
But I will give your suggestion a try.
Thanks a lot.
Josef
- arychagov, Apr 23, 2019, Copper Contributor
Hi Josef, if you need to completely remove user/group permissions from the list, then you can call the DeleteObject() method on the RoleAssignment object associated with that user/group.
Here is the full snippet for your convenience and for anyone else who stumbled on this post.
(I use the on-prem version of the SharePoint PnP PowerShell module)

Import-Module SharePointPnPPowerShell2016 -DisableNameChecking

$webUrl = 'https://sharepoint.domain.com/sites/mySite'
$groupName = 'External Group'
$listTitle = 'Documents'

Connect-PnPOnline -Url $webUrl -CurrentCredentials

$grp = Get-PnPGroup -Identity $groupName
if ($grp)
{
    ### Make sure Documents library has unique Role Assignments
    $list = Get-PnPList -Identity $listTitle -Includes HasUniqueRoleAssignments
    if (-not $list.HasUniqueRoleAssignments)
    {
        # Break role inheritance (copyRoleAssignments, clearSubscopes)
        $list.BreakRoleInheritance($true, $true)
        $list.Update()
        $list.Context.Load($list)
        $list.Context.ExecuteQuery()
    }

    ### Make sure the Group has no access to Documents library
    # Get list role assignments
    Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null

    # Remove Role Assignment with specified PrincipalId (if exists)
    $ra = $list.RoleAssignments.GetByPrincipalId($grp.Id)
    $list.Context.Load($ra)
    try { $list.Context.ExecuteQuery() }
    catch { Write-Verbose ("Couldn't retrieve RoleAssignment on '{0}' with PrincipalId '{1}'. Exception: '{2}'" -f $list.Title, $grp.Id, $PSItem.Exception.InnerException.Message) -Verbose }

    if ($ra.PrincipalId -eq $grp.Id)
    {
        $ra.DeleteObject()
        $list.Update()
        $list.Context.ExecuteQuery()
    }
}
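
An added example, not part of the original posts: because BreakRoleInheritance($true, $true) copies every parent role assignment onto the list, it is worth auditing what remains after the group is removed. The sketch below assumes the same SharePointPnPPowerShell2016 module and an existing Connect-PnPOnline session; the function name Get-ListPermissionReport is hypothetical, and the list and group names are the ones used in the snippet above.

```powershell
# Added example: report every principal that still holds permissions on a list.
# Assumes an active Connect-PnPOnline session (see the snippet above).
# Get-ListPermissionReport is a hypothetical helper name, not a PnP cmdlet.
function Get-ListPermissionReport {
    param(
        [Parameter(Mandatory)] [string] $ListTitle
    )

    $list = Get-PnPList -Identity $ListTitle -Includes HasUniqueRoleAssignments
    if (-not $list) { throw "List '$ListTitle' not found." }

    # RoleAssignments is not loaded by default; request it explicitly.
    Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null

    foreach ($ra in $list.RoleAssignments) {
        # Member (the principal) and RoleDefinitionBindings (its permission
        # levels) have to be loaded separately for each assignment.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        [pscustomobject]@{
            List              = $list.Title
            UniquePermissions = $list.HasUniqueRoleAssignments
            PrincipalId       = $ra.PrincipalId
            Principal         = $ra.Member.Title
            PrincipalType     = $ra.Member.PrincipalType
            PermissionLevels  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

$listTitle = 'Documents'
$groupName = 'External Group'

$report = @(Get-ListPermissionReport -ListTitle $listTitle)
$report | Format-Table -AutoSize

# If inheritance was never broken, the rows above are the parent web's permissions.
if ($report.Count -gt 0 -and -not $report[0].UniquePermissions) {
    Write-Warning "'$listTitle' still inherits permissions from its parent."
}

# Flag the group if it is still listed after the removal step.
$stillPresent = $report | Where-Object { $_.Principal -eq $groupName }
if ($stillPresent) {
    Write-Warning ("'{0}' still has access to '{1}': {2}" -f $groupName, $listTitle, ($stillPresent.PermissionLevels -join '; '))
}
```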