I plan to create a file exchange in the document library where everyone can only see their folder and only within that folder have the ability to share files outside the organization.
I have created a script that creates a folder in the document library, breaks its inheritance, removes existing folder permissions, and assigns permissions to a particular user via csv.
The site is prepared as follows:

- From SharePoint admin -> file_exchange site -> in the Members tab I add users not in any group.
- Site Members tab: a SharePoint group that contains a domain group in which all users are, as below.
- Site permissions:
  - Domain group in which there are all users - Read
  - SharePoint group in which there is a domain group in which there are all users, as above - Read
  - Site Owners group - Full Control
- Library permissions:
  - SharePoint group in which there is a domain group in which there are all users, as above - Read
  - Site Owners group - Full Control
- On each folder created by the script there is a permission for the user to edit.
Everything is created fine except for the last step, which is to grant permissions to a given user via CSV. Through PowerShell (PnP.PowerShell) I get a message that the user was not found. The problem is that when I go into the library permissions -> Check Permissions and enter the user in question, I get the message:
Limited Access Given directly
Read Given through the “All_Access_Exchange” group.
Weirdest of all, when I run the script again after clicking "Check Permissions", the permissions are granted correctly. This happens every time and for every user entered.
Below is the script I use and a sample of one user from the CSV file:
```powershell
$SiteURL     = "MY SITE"
$CSVFilePath = "C:\DATA.csv"
$LibraryName = "Shared Documents"

# Connect with PnP.PowerShell before any *-PnP* call (interactive sign-in).
Connect-PnPOnline -Url $SiteURL -Interactive

$CSVFile = Import-Csv $CSVFilePath
ForEach ($Row in $CSVFile) {
    # Replace characters SharePoint does not allow in folder names with "_".
    $FolderName = $Row.FolderName
    $FolderName = [RegEx]::Replace($FolderName, "[{0}]" -f ([RegEx]::Escape([String]'\"*:<>?/\|')), '_')
    $Folder = Add-PnPFolder -Name $FolderName -Folder $LibraryName
    Write-Host "Folder created:" $FolderName -ForegroundColor Green

    # Look the folder up as a list item so its role assignments can be edited.
    $FolderItem = Get-PnPListItem -List $LibraryName -Query "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>$FolderName</Value></Eq></Where></Query></View>"
    if ($FolderItem) {
        # Stop inheriting from the library ($true copies the inherited assignments,
        # which are removed below; $false leaves sub-scopes untouched).
        $FolderItem.BreakRoleInheritance($true, $false)
        Invoke-PnPQuery
        Write-Host "Inheritance broken for:" $FolderName -ForegroundColor Yellow

        # Remove every copied role assignment so the folder starts with no access.
        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments
        $RoleAssignments | ForEach-Object {
            $_.RoleDefinitionBindings.RemoveAll()
            $_.Update()
        }
        Invoke-PnPQuery
        Write-Host "Permission deleted for:" $FolderName -ForegroundColor Red

        # Grant the CSV user Contribute on the folder.
        # -ErrorAction SilentlyContinue so a missing user falls through to the else branch
        # instead of writing an error and leaving $User unset.
        $UserName = $Row.UserName
        $User = Get-PnPUser -Identity $UserName -ErrorAction SilentlyContinue
        if ($User) {
            Set-PnPListItemPermission -List $LibraryName -Identity $FolderItem.Id -User $UserName -AddRole "Contribute"
            Write-Host "Permission granted for:" $UserName -ForegroundColor Green
        } else {
            # Note: "Can`t" in a double-quoted string would emit a tab (`t), so use a plain apostrophe.
            Write-Host "Can't find user:" $UserName -ForegroundColor Red
        }
    } else {
        Write-Host "Can't find folder:" $FolderName -ForegroundColor Red
    }
}
```
CSV:

```csv
foldername,username
001_name_lastname,i:0#.f|membership|user@domain.com.pl
```
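The behaviour described above (the user is "not found" on the first run but resolves after Check Permissions has been clicked) is what you see when a user exists in the directory but has not yet been added to the site's User Information List: Get-PnPUser only reads that list, while Check Permissions adds the entry as a side effect. The following is an added example, not the poster's script, showing how to ensure the user on the site first (New-PnPUser calls Web.EnsureUser) and then read back the folder's role assignments so the result can be verified; it assumes an open Connect-PnPOnline session and the $LibraryName, folder item and login-name format from the script above, and the function name Grant-FolderContribute is hypothetical.

```powershell
function Grant-FolderContribute {
    param(
        [Parameter(Mandatory)] [string] $LibraryName,
        [Parameter(Mandatory)] [int]    $FolderItemId,
        [Parameter(Mandatory)] [string] $LoginName   # e.g. i:0#.f|membership|user@domain.com.pl
    )

    # Get-PnPUser fails for a user who has never been added to this site.
    # New-PnPUser (EnsureUser) creates the site-user entry if needed and
    # returns the principal either way, so first-time users work too.
    $User = New-PnPUser -LoginName $LoginName
    if (-not $User) { throw "Could not ensure user '$LoginName' on the site." }

    Set-PnPListItemPermission -List $LibraryName -Identity $FolderItemId `
        -User $User.LoginName -AddRole "Contribute"

    # Read the folder's role assignments back and return them, so the caller
    # can confirm that only the intended principal (plus owners) has access.
    $Item        = Get-PnPListItem -List $LibraryName -Id $FolderItemId
    $Assignments = Get-PnPProperty -ClientObject $Item -Property RoleAssignments
    $Result = foreach ($ra in $Assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Principal = $ra.Member.LoginName
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
    return $Result
}

# Usage with the CSV from the post: ensure the user, grant Contribute, print what the folder now has.
# $grants = Grant-FolderContribute -LibraryName $LibraryName -FolderItemId $FolderItem.Id -LoginName $Row.UserName
# $grants | Format-Table -AutoSize
```

Any principal listed in the returned table other than the CSV user (and the site's owners/admins) indicates an assignment the removal loop missed and should be investigated before the folder is handed over.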