
Bulk edit SharePoint list item-level permissions with PowerShell

posted 2 Feb 2015, 00:54 by Markus Helander   [ updated 2 Mar 2015, 03:36 ]
When fiddling with SharePoint Designer workflows and modifying item permissions, you're generally walking on thin ice.

In my case, item-level permissions needed to be granted on the basis of a form entry: the end users select a value for a column, which needs to define the permissions of the added item.
Pretty simple.


Now, obviously the permissions are added via groups to avoid a catastrophe when single users need to be changed. But what if you need to add a new group and you're not planning on manually going through tens of thousands of items?


As I see it, there are two ways, and both include using PowerShell:

1) Fire at will

- Update your Designer workflow for the list.
- Make the workflow start when an item is modified.
- Make an insignificant change to all items with PowerShell.

It would go something like:

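    # Load the SharePoint snap-in when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $web = Get-SPWeb http://your-sharepoint-address-here
    $list = $web.Lists["List-name-here"]

    foreach ($item in $list.Items)
    {
        # Touch only the items whose column holds the value of interest
        if ($item['Column-name-here'] -eq "Column-value-to-look-for-here")
        {
            # A trivial change is enough to trigger the on-modify workflow
            $item["Insignificant-column-to-change"] = "Insignificant-value"
            $item.Update()
            Write-Output (" Updated rights to ID " + $item['ID'])
        }
    }

    # Release the web object when done
    $web.Dispose()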


2) Or you can be like a sniper

- Create a SharePoint permission group.
- Run the script below.


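    # Load the SharePoint snap-in when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $web = Get-SPWeb http://your-sharepoint-address-here
    $list = $web.Lists["List-name-here"]

    foreach ($item in $list.Items)
    {
        if ($item['Column-name-here'] -eq "Column-value-to-look-for-here")
        {
            $groupname = "Sharepoint-permission-group-name-here"
            $group = $web.SiteGroups[$groupname]
            $role = $web.RoleDefinitions["Permission-level-here"]

            # Bind the permission level to the group and attach it to the item.
            # RoleAssignments.Add fails on items that still inherit permissions from the list.
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
            $assignment.RoleDefinitionBindings.Add($role)
            $item.RoleAssignments.Add($assignment)
            $item.Update()
            Write-Output (" Granted rights to ID " + $item['ID'])
        }
    }

    # Release the web object when done
    $web.Dispose()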


The end result should give something like this:


And of course the permission should be changed as well.
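
To confirm that the bulk grant from option 2 landed on the intended items and nowhere else, an audit pass can follow it. This is an added example, not part of the original post: the function name `Get-GrantFinding`, the `Status` column, `Group-X` and the sample items are hypothetical, and the sample uses hashtables shaped like list items so it can be tried without a farm.

```powershell
# Added example (not from the original post). Reports items where the grant
# from option 2 is missing, unexpected, or blocked by inherited permissions.
function Get-GrantFinding {
    param($Items, $Column, $Value, $GroupName, $RoleName)
    foreach ($item in $Items) {
        $shouldHave = ($item[$Column] -eq $Value)

        # Is $GroupName bound to $RoleName in any role assignment on the item?
        $hasGrant = $false
        foreach ($ra in $item.RoleAssignments) {
            $bound = $ra.RoleDefinitionBindings | Where-Object { $_.Name -eq $RoleName }
            if ($ra.Member.Name -eq $GroupName -and $bound) { $hasGrant = $true }
        }

        $finding = $null
        if ($shouldHave -and -not $item.HasUniqueRoleAssignments) {
            $finding = 'inherits permissions'   # no item-level permissions on the item
        } elseif ($shouldHave -and -not $hasGrant) {
            $finding = 'grant missing'
        } elseif (-not $shouldHave -and $hasGrant) {
            $finding = 'unexpected grant'       # group can reach an unrelated item
        }
        if ($finding) { [pscustomobject]@{ ID = $item['ID']; Finding = $finding } }
    }
}

# Constructed sample: hashtables stand in for SPListItem objects (assumption
# for offline use; property names match the server object model).
$grant = @{
    Member                 = @{ Name = 'Group-X' }
    RoleDefinitionBindings = @(@{ Name = 'Contribute' })
}
$sample = @(
    @{ ID = 1; Status = 'A'; HasUniqueRoleAssignments = $true;  RoleAssignments = @($grant) },
    @{ ID = 2; Status = 'A'; HasUniqueRoleAssignments = $true;  RoleAssignments = @() },
    @{ ID = 3; Status = 'B'; HasUniqueRoleAssignments = $true;  RoleAssignments = @($grant) },
    @{ ID = 4; Status = 'A'; HasUniqueRoleAssignments = $false; RoleAssignments = @() }
)
Get-GrantFinding $sample 'Status' 'A' 'Group-X' 'Contribute'

# Against the real list, with the placeholders used in the scripts above:
#   $web = Get-SPWeb http://your-sharepoint-address-here
#   Get-GrantFinding $web.Lists["List-name-here"].Items 'Column-name-here' `
#       'Column-value-to-look-for-here' 'Sharepoint-permission-group-name-here' 'Permission-level-here'
```

An item that still inherits permissions reports the list's role assignments, so an "unexpected grant" on such an item means the group holds the permission level at list or site level.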