Microsoft Windows Bulletin Board

How to resolve 'broken' unique permissions in a SPO library?



PROBLEM: I have many thousands of files and folders in multiple SharePoint Site libraries that somehow seem to have acquired unique Group permissions. Users with high-level permissions have lost visibility to many folders and files.  

 

DETAILS: There are five different permission groups that are given access to any new folder created in the library: Owner; Site Member; Library Manager; Library Contributor; Library Member.  

I'm using Teams to apply most user permissions. A Team is given a particular group permission and any user in that Team inherits that permission level (Library Member). For high-level permissions (Library Manager), I just manually put that person in that permission group.   

 

OBSERVATIONS: If I create a new folder, as the admin or someone with 'manage' permissions, the folder inherits the proper permissions. We also have a new folder workflow that creates these folders. I've confirmed that the items created with this process inherit the proper permissions.   

My only guess is that at some point the permission levels or groups were changed and folders did not inherit the proper updates.  

What I'm also struggling to track down is how some files in more recent folders are still hidden from users with Manage permissions. I think this has to do with the way sharing links are being created and shared. For instance, if "Jen" unintentionally creates a restrictive sharing link and shares that with "Bob", when Bob clicks on that link, the web browser is caching that permission even though he has full write access to all documents. When Bob clicks this link in his email, the files are showing as view only and he cannot view any other contents of the library. There's a prompt that says something like you must be an authorized user, click here to sign in. When you click that, this restores all proper permissions.

 

SOLUTIONS(?): I've found that there's a script to remove unique permissions and intend to give this a try. I'm hesitant to pull the trigger on this because it will kill any legit sharing links with our outside partners. I really don't want to kill links; I want to reset the Permission Groups for all contents of a library.  

# Set Variables
$SiteURL = "https://yoursharepointsite.sharepoint.com"
$LibraryName = "Documents"
$BatchSize = 500

# Connect to SharePoint Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

# Function to reset permissions for a batch of items
function Reset-PermissionsForBatch {
    param (
        [Parameter(Mandatory=$true)]
        [array]$Items
    )
    foreach ($Item in $Items) {
        # HasUniqueRoleAssignments is not loaded by default; fetch it explicitly
        $HasUnique = Get-PnPProperty -ClientObject $Item -Property HasUniqueRoleAssignments
        if ($HasUnique) {
            # Restore inheritance; this removes the item's unique role assignments
            Set-PnPListItemPermission -List $LibraryName -Identity $Item.Id -InheritPermissions
            Write-Host "Reset permissions for item ID: $($Item.Id)"
        }
    }
}

# Get all items in the library in batches
$ListItems = Get-PnPListItem -List $LibraryName -PageSize $BatchSize -ScriptBlock {
    param($items)
    Reset-PermissionsForBatch -Items $items
}
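An added example, not part of the original post: a report-only pass that lists every item with unique permissions and flags those whose role assignments include a sharing-link group, so a later reset can be scoped to items that carry no links. It assumes PnP.PowerShell, the post's placeholder site and library names, a hypothetical report path, and that sharing links show up as principals whose name starts with `SharingLinks.`.

```powershell
# Report-only audit: reads permissions, changes nothing in the library.
# Site URL and library name are the placeholders used in the post.
$SiteURL     = "https://yoursharepointsite.sharepoint.com"
$LibraryName = "Documents"
$BatchSize   = 500
$ReportPath  = ".\UniquePermissionsReport.csv"   # hypothetical output path

Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

$Report = foreach ($Item in (Get-PnPListItem -List $LibraryName -PageSize $BatchSize)) {
    # HasUniqueRoleAssignments is not loaded by default; request it explicitly
    $HasUnique = Get-PnPProperty -ClientObject $Item -Property HasUniqueRoleAssignments
    if (-not $HasUnique) { continue }

    # Load the item's own role assignments and resolve each principal
    $Assignments = Get-PnPProperty -ClientObject $Item -Property RoleAssignments
    $Principals = foreach ($Assignment in $Assignments) {
        $Member = Get-PnPProperty -ClientObject $Assignment -Property Member
        $Member.LoginName
    }

    # Assumption: sharing links are backed by groups named "SharingLinks.<...>"
    $LinkGroups = @($Principals | Where-Object { $_ -like "SharingLinks.*" })
    $Others     = @($Principals | Where-Object { $_ -notlike "SharingLinks.*" })

    [pscustomobject]@{
        Id                = $Item.Id
        Path              = $Item.FieldValues["FileRef"]
        HasSharingLink    = ($LinkGroups.Count -gt 0)
        SharingLinkGroups = ($LinkGroups -join "; ")
        OtherPrincipals   = ($Others -join "; ")
    }
}

$Report | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary: items that could be reset without touching a sharing link
$Safe   = @($Report | Where-Object { -not $_.HasSharingLink })
$Linked = @($Report | Where-Object { $_.HasSharingLink })
Write-Host "Unique permissions, no sharing link: $($Safe.Count)"
Write-Host "Unique permissions, with sharing link: $($Linked.Count)"
```

Each item costs several round trips, so on libraries with many thousands of items the pass is slow; running it per folder keeps the report reviewable before any inheritance reset.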

 
