SOLVED
Home

Custom list - item-level permissions

%3CLINGO-SUB%20id%3D%22lingo-sub-49386%22%20slang%3D%22en-US%22%3ECustom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49386%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20question%20about%20the%20%22item-level%20permission%22-option%20found%20in%20list%20advanced%20settings%20on%20custom%20lists.%20Here%20you%20can%20choose%20that%20users%20can%20only%20see%20or%20edit%20items%20that%20they%20themselves%20have%20created.%20How%20secure%20is%20this%20option%3F%20I%20have%20noticed%20that%20all%20people%20that%20have%20access%20to%20the%20list%20are%20listed%20on%20Permissions%20for%20the%20item.%20Does%20this%20work%20like%20the%20%5BMe%5D-filter%2C%20so%20it%20hides%20the%20items%20from%20people%20but%20that%20this%20item%20can%20be%20accessed%20through%20other%20ways%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-49386%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ELists%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-227124%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-227124%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20share%20an%20individual%20list%20item%20with%20someone%2C%20I%20set%20it%20as%20%22Edit%22.%26nbsp%3B%20However%2C%20when%20the%20users%20go%20to%20edit%20the%20list%20item%2C%20they%20cannot.%26nbsp%3B%20When%20I%20check%20the%20unique%20permissions%2C%20it%20reads%20Contribute.%26nbsp%3B%20I%20have%20to%20grant%20edit%20permissions%20manually.%26nbsp%3B%20Why%20would%20it%20give%20me%20the%20option%20to%26nbsp%3Bedit%20when%20the%20user%20only%20receives%20contribute%20permissions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-168269%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-168269%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ronald%2C%20when%20you%20break%20inheritance%2C%20it%20first%20copies%20the%20existing%20permissions.%20Hence%2C%20if%20you%20really%20want%20to%20limit%20on%20item%20level%20basis%2C%20remove%20all%20existing%20permissions%20first%20and%20the%20start%20assigning%20new%20permission.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2368%22%20target%3D%22_blank%22%3E%40Zoltan%20Bagyon%3C%2FA%3E%20is%20also%20right%2C%20there%20may%20be%20some%20%22Limited%20Permissions%22%20on%20the%20root%20or%20other%20higher%20permissions%20anywhere%20else%20in%20the%20%22SPO%20universe%22%2C%20which%20could%20still%20grant%20you%20concerning%20users%20access.%20Try%20his%20suggested%20solution%20to%20check%20the%20resulting%20permissions%20on%20your%20items.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-168209%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-168209%22%20slang%3D%22en-US%22%3E%3CP%3EI%20suggest%20to%20identify%20the%20source%20of%20your%20test%20users'%20permission%20through%20%22Check%20permissions%22%2C%20perhaps%20they%20are%20inheriting%20rights%20you%20are%20not%20aware%20of.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20354px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F29737iF73E0762682034EF%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22check.jpg%22%20title%3D%22check.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166955%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166955%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20not%20working%20for%20me%20(in%20SPOnline).%20My%20test%20users%20only%20have%20read%20and%20create%20(add)%2C%20but%20they%20are%20able%20to%20see%20all%20of%20the%20list%20items%20that%20they%20did%20not%20create.%20The%20advanced%20settings%20are%20%3CEM%3ERead%20items%20that%20were%20created%20by%20the%20user%20%3C%2FEM%3E%26amp%3B%3CEM%3E%20Create%20items%20and%20edit%20items%20that%20were%20created%20by%20the%20user%3C%2FEM%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49756%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49756%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Torill%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethe%20item%20permission%20will%20really%20secure%20the%20content%20from%20other%20users%2C%20there's%20no%20way%20to%20access%20them%2C%20also%20not%20via%20SharePoint%20search.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20Administrators%20and%20Site%20Owners%20with%20Full%20Control%20still%20have%20the%20access%20and%20can%20see%20all%20items.%20This%20makes%20sense%2C%20because%20users%20with%20Full%20Control%20are%20responsible%20to%20maintain%20the%20site%20and%20therefore%20should%20have%20access%20to%20all%20within%20this%20scope.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20as%20Tiago%20already%20stated%2C%20I'd%20be%20careful%20with%20item%20level%20permission.%20The%20limit%20will%20be%20reach%20very%20fast%2C%20when%20you%20have%20a%20couple%20of%20users%20and%20items.%20See%20this%20scenario%3A%20You%20have%26nbsp%3B3%20items%20and%203%20users.%20How%20many%20single%20item%20permission%20do%20you%20have%3F%20Three%3F%20No%2C%20it's%209%20already!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EItem%201%3A%3C%2FP%3E%3CP%3EUser%201%20yes%3C%2FP%3E%3CP%3EUser%202%20no%3C%2FP%3E%3CP%3EUser%203%20no%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eitem%202%3A%3C%2FP%3E%3CP%3EUser%201%20no%3C%2FP%3E%3CP%3EUser%202%20yes%3C%2FP%3E%3CP%3EUser%203%20no%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eitem%203%3A%3C%2FP%3E%3CP%3EUser%201%20no%3C%2FP%3E%3CP%3EUser%202%20no%3C%2FP%3E%3CP%3EUser%203%20yes%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHence%2C%20I'd%20only%20recommend%20to%20have%20this%20on%20a%20small%20list%20with%20only%20a%20few%20users%20and%20make%20sure%20you%20have%20a%20kind%20of%20retention%20that%20outdated%20items%20(and%20their%20permissions)%20will%20be%20deleted%20automatically.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESummarized%2C%20item%20level%20permissions%20really%20secure%20each%20item%2C%20but%20consider%20above%20mentioned%20limitations.%20If%20you%20want%20to%20achieve%20a%20certain%20scenario%2C%20please%20let%20us%20know%20and%20we%20can%20maybe%20recommend%20best%20practices.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHappy%20%22SharePointing%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49740%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49740%22%20slang%3D%22en-US%22%3E%3CP%3EI%20havent%20got%20time%20to%20test%20but%20I%20would%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Set%20as%20can%20only%20view%20own%20items%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Create%20an%20item%20with%20your%20user%20account%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Search%20for%20that%20item%20with%20another%20account%20eg.%20does%20it%20appear%2C%20I%20would%20say%2099%25%20%26nbsp%3Bnot%20as%20the%20feature%20would%20be%20useless%20but%20have%20not%20tested%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20also%20depend%20on%20your%20particular%20scenario%20as%20well%20%26amp%3B%20how%20%26nbsp%3Bsecure%20it%20needs%20to%20be%2C%20obviously%20anyone%20able%20to%20edit%20the%20list%20could%20change%20the%20setting%20on%20the%20list%20%26amp%3B%20then%20view%20all%20the%20items%20if%20they%20really%20wanted%20to.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49487%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49487%22%20slang%3D%22en-US%22%3EThe%20answer%20is%20that%20it%20depends....what%20is%20happening%20when%20you%20use%20this%20configuration%20is%20that%20you%20are%20hidding%20elements%20not%20created%20by%20current%20user%20from%20the%20general%20list%20view...but%20(just%20tested)%20imagine%20the%20following%20scenario%3A%3CBR%20%2F%3E(1)%20You%20have%20a%20user%20that%20is%20part%20of%20the%20team%20site%20members%20group%20what%20means%20he%2Fshe%20can%20create%20list%20items%3CBR%20%2F%3E(2)%20You%20have%2C%20as%20site%20owner%20%2F%20site%20administrator%20configure%20this%20item%20level%20security%20option%20in%20the%20list%3CBR%20%2F%3E(3)%20You%20create%20an%20item%20in%20the%20list%20with%20the%20site%20member%20user%3CBR%20%2F%3E(4)%20Site%20owner%20user%20is%20not%20able%20to%20see%20the%20new%20element%20created...but%20imagine%20he%2Fshe%20is%20a%20smart%20guy%20that%20knows%20the%20format%20of%20SharePoint%20Url%20view%20%2F%20edit%20form%20for%20list%20items...he%2Fshe%20can%20type%20directly%20the%20Url%20of%20the%20list%20item%20created%20by%20the%20team%20member%20user%20and%20see%20all%20the%20item%20information%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49410%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49410%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20this%20will%20lock%20the%20itens%20just%20for%20the%20users%20with%20permissions.%3C%2FP%3E%3CP%3EBut%2C%20be%20carefull%20implementing%20this.%20This%20feature%20can%20lead%20to%20performance%20issues.%20You%20can%20read%20more%20online%20about%20it%2C%20here%20goes%20just%20a%20link%3A%20%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Foffice%2Fen-US%2F3a1a4d17-1f7d-4754-9fa3-cb7d9c96b43a%2Flist-item-level-permission-performance-issue-alternate-solution%3Fforum%3Dsharepointgeneralprevious%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Foffice%2Fen-US%2F3a1a4d17-1f7d-4754-9fa3-cb7d9c96b43a%2Flist-item-level-permission-performance-issue-alternate-solution%3Fforum%3Dsharepointgeneralprevious%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49392%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49392%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20I%20know%20that%20a%20view%20does%20not%20apply%20security%2C%20which%20is%20why%20I%20am%20wondering%20if%20this%20setting%20does%20change%20the%20permissions%20on%20the%20item%2C%20as%20the%20setting%20suggests%20(%22item-level%20permissions%22)%20or%20if%20it%20is%20just%20creating%20a%20view.%20The%20list%20item%20still%20inherits%20permissons%20from%20the%20list%2C%20so%20everyone%20with%20access%20to%20the%20list%20are%20still%20listed%20with%20permissions%20on%20the%20item%2C%20even%20if%20they%20are%20not%20able%20to%20view%20or%20change%20it%20after%20this%20setting%20has%20been%20set.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20for%20users%20with%20access%20to%20the%20list%2C%20and%20thereby%20to%20all%20items%20that%20inherrits%20from%20the%20list)%20to%20get%20access%20to%20list%20items%20they%20have%20not%20created%20through%20e.g.%20MS%20Graph%2C%20or%20is%20this%20a%20secure%20way%20to%20keep%20the%20access%20to%20list%20items%20only%20to%20the%20person%20who%20created%20the%20list%20item%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-49387%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20list%20-%20item-level%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-49387%22%20slang%3D%22en-US%22%3E%3CP%3EA%20view%20is%20just%20a%20query%20presenting%20the%20data%2C%20has%20no%20security%20applied.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESetting%20can%20only%20edit%20own%20items%20is%20done%20at%20permissons%20level%20so%20they%20can%20only%20edit%20the%20items%20they%20have%20created%20as%20that%20user%3C%2FP%3E%3C%2FLINGO-BODY%3E
Torill S
Occasional Contributor

I have a question about the "item-level permission"-option found in list advanced settings on custom lists. Here you can choose that users can only see or edit items that they themselves have created. How secure is this option? I have noticed that all people that have access to the list are listed on Permissions for the item. Does this work like the [Me]-filter, so it hides the items from people but that this item can be accessed through other ways?

10 Replies

A view is just a query presenting the data, has no security applied.

 

Setting can only edit own items is done at permissons level so they can only edit the items they have created as that user

Yes, I know that a view does not apply security, which is why I am wondering if this setting does change the permissions on the item, as the setting suggests ("item-level permissions") or if it is just creating a view. The list item still inherits permissons from the list, so everyone with access to the list are still listed with permissions on the item, even if they are not able to view or change it after this setting has been set.

 

Is it possible for users with access to the list, and thereby to all items that inherrits from the list) to get access to list items they have not created through e.g. MS Graph, or is this a secure way to keep the access to list items only to the person who created the list item?

Yes, this will lock the itens just for the users with permissions.

But, be carefull implementing this. This feature can lead to performance issues. You can read more online about it, here goes just a link: https://social.technet.microsoft.com/Forums/office/en-US/3a1a4d17-1f7d-4754-9fa3-cb7d9c96b43a/list-i...

The answer is that it depends....what is happening when you use this configuration is that you are hidding elements not created by current user from the general list view...but (just tested) imagine the following scenario:
(1) You have a user that is part of the team site members group what means he/she can create list items
(2) You have, as site owner / site administrator configure this item level security option in the list
(3) You create an item in the list with the site member user
(4) Site owner user is not able to see the new element created...but imagine he/she is a smart guy that knows the format of SharePoint Url view / edit form for list items...he/she can type directly the Url of the list item created by the team member user and see all the item information

I havent got time to test but I would:

 

- Set as can only view own items

 

- Create an item with your user account

 

- Search for that item with another account eg. does it appear, I would say 99%  not as the feature would be useless but have not tested

 

 

Would also depend on your particular scenario as well & how  secure it needs to be, obviously anyone able to edit the list could change the setting on the list & then view all the items if they really wanted to.

Highlighted
Solution

Hi Torill,

 

the item permission will really secure the content from other users, there's no way to access them, also not via SharePoint search.

 

However, Administrators and Site Owners with Full Control still have the access and can see all items. This makes sense, because users with Full Control are responsible to maintain the site and therefore should have access to all within this scope.

 

However, as Tiago already stated, I'd be careful with item level permission. The limit will be reach very fast, when you have a couple of users and items. See this scenario: You have 3 items and 3 users. How many single item permission do you have? Three? No, it's 9 already!

 

Item 1:

User 1 yes

User 2 no

User 3 no

 

item 2:

User 1 no

User 2 yes

User 3 no

 

item 3:

User 1 no

User 2 no

User 3 yes

 

Hence, I'd only recommend to have this on a small list with only a few users and make sure you have a kind of retention that outdated items (and their permissions) will be deleted automatically.

 

Summarized, item level permissions really secure each item, but consider above mentioned limitations. If you want to achieve a certain scenario, please let us know and we can maybe recommend best practices. :)

 

Happy "SharePointing"

It's not working for me (in SPOnline). My test users only have read and create (add), but they are able to see all of the list items that they did not create. The advanced settings are Read items that were created by the user & Create items and edit items that were created by the user.

I suggest to identify the source of your test users' permission through "Check permissions", perhaps they are inheriting rights you are not aware of.

 

check.jpg

Hi Ronald, when you break inheritance, it first copies the existing permissions. Hence, if you really want to limit on item level basis, remove all existing permissions first and the start assigning new permission.

 

@Zoltan Bagyon is also right, there may be some "Limited Permissions" on the root or other higher permissions anywhere else in the "SPO universe", which could still grant you concerning users access. Try his suggested solution to check the resulting permissions on your items.

When I share an individual list item with someone, I set it as "Edit".  However, when the users go to edit the list item, they cannot.  When I check the unique permissions, it reads Contribute.  I have to grant edit permissions manually.  Why would it give me the option to edit when the user only receives contribute permissions?

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies