How to ensure users within particular SharePoint groups can only delete their own items in SharePoint document libraries across the entire site collection
- February 8, 2016
- Posted by: Brian Ham
- Category: Information Strategies Tips
The ‘out of the box’ SharePoint permission level of Contribute, typically assigned to basic users, allows them to delete any item within a document library. The security requirements of many organizations, however, say that basic users should not be able to delete another user’s documents and/or folders.
When integrating SharePoint with CRM, basic users are typically accustomed to ‘delete your own’ permissions, which let them correct mistakes at the record level.
This functionality is built into SharePoint at the individual list level, and you can easily write code to set it up for any single document library. It becomes a maintenance nightmare in a large implementation with several hundred document libraries, however, because each document library would need its own event handler to accomplish this.
The only option built into SharePoint that comes close to this functionality across the entire site collection without breaking inheritance is to create a custom permission level, usually Contribute without the “Delete Items” capability.
A major issue with removing the Delete Items capability is that basic users are then unable to delete their own documents that were added to SharePoint by mistake.
Secondly, removing the Delete Items capability also prevents any user with this permission level from renaming documents and/or folders. https://support.microsoft.com/en-us/kb/2505742
An easy solution that provides ‘delete your own’ functionality is to check the items retroactively via PowerShell, in the recycle bin after they have been deleted, and automatically restore any item whose deletion violates the ‘delete your own items’ rule for the entire site collection.
The PowerShell script below takes the name of a SharePoint group that has Contribute permissions and whose members should only be able to delete their own items. It compares the ‘deleted by’ user of each recycle bin item with its ‘created by’ user and restores the file or folder only if the two do not match and the deleting user is a member of the specified group.
This PowerShell script can then be set up as a scheduled task and scheduled to run as often as needed within your instance to enforce ‘delete your own’ rights.
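The procedure above (resolve the group, walk the site-collection recycle bin, compare the deleting user with the creator, restore on mismatch), written out as an added example. This is not the author's script, which is not reproduced on this page, and it assumes the SharePoint Server object model via the Microsoft.SharePoint.PowerShell snap-in; the site URL, group name, log path and the `-ReportOnly` switch are parameters introduced for this example.

```powershell
# Added example (not the author's script): restore recycle bin items that a member of
# the given SharePoint group deleted but did not create.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,    # e.g. https://intranet.example.com/sites/crm (placeholder)
    [Parameter(Mandatory = $true)][string]$GroupName,  # SharePoint group holding the Contribute users
    [string]$LogPath = "$PSScriptRoot\DeleteYourOwn.log",
    [switch]$ReportOnly                                # log what would be restored, restore nothing
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Write-Log([string]$Message) {
    # Keep an audit trail of every restore so deletions that were reverted can be reviewed.
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

$site = Get-SPSite -Identity $SiteUrl
try {
    # SharePoint groups are scoped to the site collection, so resolve the group once on the root web.
    $group = $site.RootWeb.SiteGroups[$GroupName]
    if ($null -eq $group) { throw "Group '$GroupName' not found in $SiteUrl" }

    # Build a login-name lookup once. SPGroup.Users lists direct members only; members who
    # arrive through a nested AD group are not expanded here, which is a limitation of this check.
    $members = @{}
    foreach ($u in $group.Users) { $members[$u.LoginName.ToLowerInvariant()] = $true }

    # SPSite.RecycleBin covers both recycle bin stages for every web in the site collection.
    # Snapshot to an array first, because Restore() changes the live collection.
    $items = @($site.RecycleBin)
    $restored = 0
    foreach ($item in $items) {
        $deletedBy = $item.DeletedBy
        $author    = $item.Author
        # Items deleted by the system or lacking an author cannot be attributed; leave them alone.
        if ($null -eq $deletedBy -or $null -eq $author) { continue }

        $deleter = $deletedBy.LoginName.ToLowerInvariant()
        # Only enforce the rule on members of the named group, and only when they deleted
        # somebody else's item. Self-deletions stay in the recycle bin.
        if (-not $members.ContainsKey($deleter)) { continue }
        if ($deleter -eq $author.LoginName.ToLowerInvariant()) { continue }

        $path = "$($item.DirName)/$($item.LeafName)"
        $detail = "[$($item.ItemType)] $path deleted by $($deletedBy.LoginName), created by $($author.LoginName)"
        if ($ReportOnly) {
            Write-Log "WOULD RESTORE $detail"
            continue
        }
        try {
            $item.Restore()
            $restored++
            Write-Log "RESTORED $detail"
        } catch {
            # Typical cause: an item with the same name was re-created in the original location.
            Write-Log "FAILED $path : $($_.Exception.Message)"
        }
    }
    Write-Log "Scanned $($items.Count) recycle bin item(s), restored $restored"
} finally {
    $site.Dispose()
}
```

Run it first with `-ReportOnly` to confirm the group resolves and the matches are the ones you expect, then register it as a scheduled task under an account with rights to the site collection, for example `powershell.exe -File DeleteYourOwn.ps1 -SiteUrl https://intranet.example.com/sites/crm -GroupName "CRM Contributors"`. Because the check runs after the fact, a document is missing for at most one scheduling interval, so pick the interval to match how long your organization is willing to tolerate that gap; the log gives you a record of who deleted what and when it was put back.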