As a SharePoint site owner, you may have users who can access a document library but should not have direct permissions there. Direct permissions override site-level group memberships and can create security gaps. Over time, these direct assignments accumulate and make permission management harder. This article provides a practical checklist to identify and remove direct user permissions from a library while preserving necessary access through SharePoint groups.
Key Takeaways: Direct Library Permission Removal Checklist
- Library Settings > Permissions for this document library: View all users and groups that have direct permissions on the library.
- Check Permissions tool: Test a user’s effective permissions to confirm they still have access after removal.
- Remove User Permissions button: Delete direct permission entries for users who already have access via a SharePoint group.
What Are Direct User Permissions on a Library
Direct user permissions are permission assignments made directly to a specific user account on a document library, bypassing SharePoint groups. When you grant a user access directly on the library, that permission is independent of site-level group memberships. This creates a security risk because the user retains access even if they are removed from all site groups. Direct permissions also make auditing difficult since the user’s name appears as a separate entry in the library’s permission list rather than being managed through a group.
SharePoint groups such as Members, Owners, and Visitors are the recommended way to manage access. When a user is added to a group, they inherit the group’s permissions. Direct permissions override or add to group permissions. The goal of this checklist is to identify users who have direct permissions and also belong to a group that already grants them access. In that case, the direct entry is redundant and should be removed.
Prerequisites
Before you begin, you must have Full Control or Manage Permissions permission level on the library. You also need a list of users who should have access through groups only. Review your site’s SharePoint groups and their members before removing any direct entries.
Checklist: Steps to Identify and Remove Direct Permissions
Follow these steps in order. Do not skip the verification step after removal.
- Open the library permission page
  Navigate to the document library. Click the gear icon in the top-right corner and select Library settings. Under the Permissions and Management section, click Permissions for this document library. This page shows all users and groups that have direct permissions on this library.
- Identify direct user entries
  Look for entries where the Type column shows User instead of SharePoint Group. These are direct permissions. Make a list of the user names and their permission levels. Do not remove entries for groups or for users who must have unique permissions.
- Check if the user already has group access
  For each direct user entry, note the permission level shown. Then go to the site’s People and Groups page. Verify whether the user is a member of a SharePoint group that already grants them the same or higher permission level. For example, if the user has Contribute directly but is also a member of the Members group which provides Contribute, the direct entry is redundant.
- Remove the direct permission entry
  Return to the library permission page. Select the check box next to the user’s name. Click Remove User Permissions on the ribbon. Confirm the removal when prompted. The user will still have access through their group membership.
- Verify effective permissions
  After removal, click Check Permissions on the ribbon. Enter the user’s name and click Check Now. The results show the user’s effective permissions. Confirm they still have the expected access level from their group membership. If the result shows No access, the user needs to be added to a group.
If Users Lose Access After Removal
Removing a direct permission can accidentally revoke a user’s access if they were not in any SharePoint group that grants library permissions. Here is how to handle that situation.
User has no access after Check Permissions
If the Check Permissions tool shows No access, the user was relying solely on the direct permission you removed. Add the user to the appropriate SharePoint group. For example, if they need to edit documents, add them to the Members group. If they need read-only access, add them to the Visitors group. Do not re-add the direct permission.
User still has access but with wrong permission level
Sometimes a user belongs to a group that grants a lower permission level than the direct entry provided. For example, the direct entry granted Full Control but the user is only a member of the Members group with Contribute. In that case, either move the user to the Owners group or create a new group with the correct permission level. Do not restore the direct permission.
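The identification and group-check steps of the checklist, and the two loss-of-access cases above, can be reviewed before any entry is removed. The script below is an added example, not part of the original article: a read-only audit that assumes the PnP.PowerShell module, with the site URL, library title, client ID and the Finding labels all chosen here for illustration.

```powershell
# Added example: read-only audit, nothing is removed. Assumes the PnP.PowerShell module.
# $SiteUrl, $Library and $ClientId are placeholders for your own values.
$SiteUrl  = "https://contoso.sharepoint.com/sites/example"
$Library  = "Documents"
$ClientId = "<entra-app-client-id>"
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$list = Get-PnPList -Identity $Library -Includes RoleAssignments, HasUniqueRoleAssignments
if (-not $list.HasUniqueRoleAssignments) {
    Write-Output "'$Library' inherits permissions; there are no library-level entries to review."
    return
}

# Load the principal and permission levels behind each entry on the library.
$entries = foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Login  = $ra.Member.LoginName
        Title  = $ra.Member.Title
        Type   = $ra.Member.PrincipalType.ToString()
        # "Limited Access" is system-assigned and is not a real grant on the library.
        Levels = @($ra.RoleDefinitionBindings | ForEach-Object Name |
                   Where-Object { $_ -ne "Limited Access" })
    }
}

# Map each login to the levels it receives through SharePoint groups on this library.
# Users who reach a SharePoint group through a nested security group are not expanded.
$viaGroup = @{}
foreach ($g in $entries | Where-Object Type -eq "SharePointGroup") {
    foreach ($m in Get-PnPGroupMember -Group $g.Title) {
        if (-not $viaGroup.ContainsKey($m.LoginName)) { $viaGroup[$m.LoginName] = @() }
        $viaGroup[$m.LoginName] += $g.Levels
    }
}

# Classify every direct user entry against what the groups already grant.
$entries | Where-Object { $_.Type -eq "User" -and $_.Levels.Count -gt 0 } | ForEach-Object {
    $groupLevels = @(if ($viaGroup.ContainsKey($_.Login)) { $viaGroup[$_.Login] | Sort-Object -Unique })
    $uncovered   = @($_.Levels | Where-Object { $_ -notin $groupLevels })
    [pscustomobject]@{
        User         = $_.Title
        DirectLevels = $_.Levels -join ", "
        GroupLevels  = $groupLevels -join ", "
        Finding      = if ($groupLevels.Count -eq 0) { "No group access: add to a group first" }
                       elseif ($uncovered.Count -eq 0) { "Redundant: direct entry can be removed" }
                       else { "Group grants a different level: review" }
    }
} | Format-Table -AutoSize
```

Levels are compared by name, so a user whose group grants a higher level than the direct entry is reported for review rather than as redundant. Confirm each result with Check Permissions before and after removal.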
Direct Permission vs Group Membership: Comparison
| Item | Direct Permission | Group Membership |
|---|---|---|
| Management | Managed per user on each library | Managed centrally in site groups |
| Auditing | Harder to track; each user is a separate entry | Easy to see who belongs to which group |
| Risk | User retains access if removed from all groups | Access is removed when user leaves the group |
| Recommended use | Only for temporary or exceptional access | Standard method for all users |
Using group membership instead of direct permissions simplifies permission management and reduces security risks. Always prefer adding users to SharePoint groups over assigning direct permissions on a library.