How to create unique permissions for a file or folder

This got to be one of the most frequent requests from my clients and loyal blog followers. As a matter of fact, I am pretty amazed at how often this comes up. The request is to be able to create unique permissions for a file or a folder on a given SharePoint site. In this article, I want to document the steps to achieve it.

Best Practice for permissions in SharePoint

I blogged about this previously. Before you start creating unique permissions for files and folders, please note that the best practice in SharePoint is to manage security at the site level. That’s why every time you create a Team in Teams – it spins up a separate SharePoint site. That’s why every time you create a Private or Shared Channel, it creates a separate SharePoint site for each channel. Managing permissions at the site level is much cleaner, easier, and more intuitive.

How to create unique permissions for a file or folder

That said, exceptions do happen, and you must create unique permissions for a file or folder. It is one thing if you have a bunch of folders/content to hide – in this case, a separate SharePoint site is a way to go. However, it is another thing if you have an occasional file or folder here and there that needs to be seen only by certain users and not everyone who has access to the site. So here is how to achieve this.

Use Case

To ensure we are on the same page, here is the use case for unique permissions for a file or folder. I have a Project Site (Team Site) with three members total (myself as the owner and John and Mary as members)

By default, since the security in SharePoint is inherited, John, Mary, and I have add/edit/delete access to everything on a site, including all the files and folders within a Document library. However, there is one folder that only Greg and Mary need access to, and it needs to be hidden from John. So that is essentially what I will explain how to achieve.

Additionally, I want to highlight the fact that we are hiding files and folders from users who already have access to the site. We are not talking about extending access to other users (via Sharing). This is something I explain in this post.

Create unique permissions for a file or folder via Manage Access

I will use an example of setting unique permissions on a folder, but the same steps apply to unique permissions on a file.

1. Right-click on a file or folder and choose Manage access
2. It will now list all the groups of users who have access to this folder. Because security is inherited, it lists all the groups from the site level being propagated to the folder. As the Owner of a team, I am in the Owners Group (yes, it is listed twice, don’t ask me why this is the case), then we have John and Mary with Edit access to that folder and Visitors group (empty in my case) with read-only access to this folder.
3. So to ensure that John does not have access to the folder, we need to remove the Members group from the folder. Click drop-down next to the group name and choose Stop sharing.
4. You will not see adjusted permissions for the folder (without the Members Group)
5. However, by removing the Members group, everyone in that group (in my case, John and Mary) lost access to the folder. But we need Mary to be able to still access and edit the folder. So for this, click the “+” sign to add the user(s) back.
6. This is where you will need to type in the name of the user(s) from that Members group you removed that you do want to access that folder still. You can also grant access to the security groups as well. You can even specify whether they will have edit or read-only access to the folder. I would uncheck Notify people checkbox, so they do not get an extra email, and then click Grant access.
7. If you click Manage access on a folder again, you will see the revised permissions on a folder

User Experience

Once the unique folder permissions have been set, the folder will become invisible to those who do not have access to it.

Mary’s view of a document library

John’s view of the same document library (Invoices folder not visible)

How to check who has access to a given file or folder

Let’s say you set up all these files and folders with unique permissions and wonder if certain users have access to it or not. In this case, you can use the Check Permissions button.

1. Right-click on a file or folder and choose Manage access
2. In the Manage access window, click Advanced
3. It will open up a page that looks like it came from 2013. And that’s because it did. Don’t be scared. That’s what SharePoint looked like back then, and Microsoft did not modernize it yet. It will essentially list the unique permissions for a folder we set before. You just need to click on the Check Permissions button.
4. You will now be able to type in the user’s name and see if they have access to the given file or folder or not.

How to list all files and folders with unique permissions

If you are a Site Owner and wondering which files and folders on your site have unique permissions, there is a way to achieve this. I documented the steps in this article.

How to re-inherit site-level permissions

If you would like to do the opposite and re-establish (re-inherit) site-level permissions for a file or folder, here is how to do this:

1. Right-click on a file or folder and choose Manage access
2. In the Manage access window, click Advanced
3. From the “classic” page that will appear, click Delete unique permissions
4. On the warning pop-up that will appear, click OK
5. You will now see the site-level security groups and permissions propagated to the file or folder – so it will essentially undo any unique access you created.
6. Clicking Manage access on a folder, will show the modern page of the screenshot above, proving the permissions have been re-inherited.

Important Notes

• Manage access security settings do not apply to Group Owners/Site Owners. In other words, Group Owners and Site Owners will always see all the files and folders, and you can’t hide anything from them. That is why when you click Manage access, you can’t even alter their permissions.
• Once you create unique permissions for a file or folder, that file or folder no longer has an inheritance from the site-level permissions. So, for example, if you add additional security groups at the site level – they will not propagate to the files and folders with unique permissions.
• When you create unique permissions for a folder, these permissions apply to the whole contents of that folder (all the files and subfolders underneath)