Create a Custom Permission Level for Upload Only: Mistakes to Avoid

You need to let users upload files to a SharePoint document library without letting them view, edit, or delete existing files. The standard permission levels like Contribute or Edit give too much access. A custom permission level set to Upload Only solves this, but many administrators make mistakes that break the feature or expose data. This article explains how to create a custom permission level for upload-only access and covers the critical mistakes to avoid so your solution works correctly and securely.

Key Takeaways: Creating an Upload-Only Permission Level in SharePoint

  • Site Settings > Site Permissions > Permission Levels: The exact location where you create a new permission level by copying an existing one.
  • Add Items permission only: The single permission you must select to allow uploads without view, edit, or delete rights.
  • Break permission inheritance on the library: Required to assign the custom permission level to a specific group without affecting the rest of the site.


Why Standard Permission Levels Do Not Work for Upload-Only Access

SharePoint ships with several default permission levels: Full Control, Design, Edit, Contribute, Read, and Limited Access. Contribute allows users to add, edit, and delete items. Edit grants even more rights including managing lists. Neither level restricts users to upload-only behavior. Read-only users can view files but cannot upload. No built-in level matches the requirement of uploading without viewing or editing existing content. You must create a custom permission level that includes only the Add Items permission and excludes View Items, Edit Items, and Delete Items. The technical root cause of failed upload-only setups is almost always selecting the wrong combination of permissions or failing to manage inheritance at the library level.

The Permission Hierarchy Problem

SharePoint permissions are hierarchical. A site collection inherits permissions from the top-level site. Libraries inherit permissions from the site by default. If you create a custom permission level but do not break inheritance on the target library, users assigned the custom level may still have higher-level access from the parent site. This is the most common cause of upload-only setups that accidentally allow viewing or editing.

What the Add Items Permission Actually Controls

The Add Items permission allows a user to upload new files to a library. It does not automatically grant the right to see existing files. However, SharePoint requires at least the View Application Pages permission and the Open permission for the user to access the library at all. These two permissions are minimal and do not expose file contents. The mistake is including View Items alongside Add Items, which defeats the upload-only purpose.

Steps to Create a Custom Permission Level for Upload Only

Follow these steps exactly to avoid the most common mistakes. You need site owner permissions on the SharePoint site where the library exists.

  1. Navigate to Site Permissions
    Go to your SharePoint site. Select the gear icon in the top right corner and choose Site Permissions. This opens the permissions page for the site collection.
  2. Open Permission Levels
    On the ribbon, select Permission Levels. This page lists all default and custom permission levels for the site.
  3. Copy an Existing Permission Level
    Select the Contribute permission level. On the next page, choose Copy Permission Level. Naming it Upload Only helps identify it later. Do not select Edit or Full Control as the base because they include too many permissions.
  4. Clear Unwanted Permissions
    On the copy page, uncheck the following permissions: View Items, View Versions, Edit Items, Delete Items, Delete Versions, and Manage Lists. Keep only Add Items checked under the List Permissions section. Also keep View Application Pages and Open checked under Site Permissions. These two are required for library access.
  5. Save the Permission Level
    Select Create at the bottom of the page. SharePoint adds the new Upload Only level to the list of permission levels for the site.
  6. Break Permission Inheritance on the Library
    Navigate to the document library where you want upload-only access. Select the gear icon and choose Library Settings. Under Permissions and Management, select Permissions for this document library. On the ribbon, select Stop Inheriting Permissions. Confirm the action.
  7. Remove Existing Users or Groups
    After breaking inheritance, the library shows all inherited permissions. Remove any users or groups that should not have upload-only access by selecting them and choosing Remove User Permissions. Keep only the users who need full access, if any.
  8. Grant Upload-Only Access to a Group
    Select Grant Permissions. In the dialog, enter the name of a SharePoint group or individual user. Under Permission Level, select Upload Only from the dropdown. Select Share.


Common Mistakes and How to Avoid Them

Accidentally Including the View Items Permission

The most frequent error is leaving View Items checked when copying the Contribute level. Users with View Items can see all files in the library, including files uploaded by other users. To fix this, go back to Permission Levels, select the Upload Only level, and uncheck View Items. Then save the level. Existing group assignments update automatically.

Failing to Break Inheritance on the Library

If you assign the Upload Only permission level to a group but the library still inherits permissions from the site, users in that group might retain higher-level access from the site. Always break inheritance on the library before assigning the custom level. If you skip this step, remove the group from the site-level permissions and then assign them only at the library level.

Using the Wrong Permission Level as a Base

Copying from Edit or Full Control introduces many unnecessary permissions that are hard to track. Always copy from Contribute because it has the fewest permissions while still including Add Items. If you already created a level from Edit, create a new one from Contribute and delete the old one.

Not Testing with a User Who Has No Other Access

After setting up upload-only access, test by signing in as a user who only belongs to the group with Upload Only permissions. If that user can see existing files, check whether View Items is still enabled in the permission level. If the user cannot access the library at all, verify that View Application Pages and Open are checked in the permission level.

Forgetting to Remove Inherited Permissions

After breaking inheritance, the library still shows all the groups and users from the parent site. If you do not remove them, those users keep their original access. For example, if the Members group had Contribute at the site level, they still have Contribute at the library level until you remove them. Remove all groups that should not have access to the library, then add back only the groups that need upload-only access.
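The checks in this section can be expressed as an offline audit of a test user's effective rights. The following is an added example, not code from the original article: it assumes the low-word bit values of the SPBasePermissions enum, reduces Contribute to the permissions this article discusses, and uses constructed group, user and level names.

```python
# Low-word bits of SharePoint's base-permission mask (SPBasePermissions enum).
BITS = {
    "ViewListItems": 0x1, "AddListItems": 0x2, "EditListItems": 0x4,
    "DeleteListItems": 0x8, "ViewVersions": 0x40, "DeleteVersions": 0x80,
    "ManageLists": 0x800, "ViewFormPages": 0x1000, "Open": 0x10000,
}
# Target from the article: Add Items plus View Application Pages and Open.
REQUIRED = BITS["AddListItems"] | BITS["ViewFormPages"] | BITS["Open"]
FORBIDDEN = sum(BITS.values()) & ~REQUIRED  # every other permission tracked here

def level(*names):
    """Build a permission-level mask from permission names."""
    return sum(BITS[n] for n in set(names))

def names_in(mask):
    return sorted(n for n, bit in BITS.items() if mask & bit)

def audit(principals, library, site_assignments, levels):
    """Report what the test user's principals can do on the library."""
    # A library that still inherits is governed by the parent site's assignments.
    scope = library["assignments"] if library["unique"] else site_assignments
    mask = 0
    for principal, granted in scope.items():
        if principal in principals:
            for name in granted:
                mask |= levels[name]  # effective rights are the union of all levels
    return {"missing": names_in(REQUIRED & ~mask),
            "excess": names_in(mask & FORBIDDEN),
            "upload_only": mask == REQUIRED}

# Constructed sample data; Contribute is reduced to the permissions in BITS.
LEVELS = {
    "Upload Only": level("AddListItems", "ViewFormPages", "Open"),
    "Upload Only (View Items kept)": level("ViewListItems", "AddListItems", "ViewFormPages", "Open"),
    "Contribute": level("ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
                        "ViewVersions", "DeleteVersions", "ViewFormPages", "Open"),
}
SITE = {"Members": ["Contribute"], "Uploaders": ["Upload Only"]}
CASES = {
    "correct": ({"tester", "Uploaders"}, {"unique": True, "assignments": {"Uploaders": ["Upload Only"]}}),
    "view_items_kept": ({"tester", "Uploaders"}, {"unique": True, "assignments": {"Uploaders": ["Upload Only (View Items kept)"]}}),
    "still_inheriting": ({"tester", "Uploaders", "Members"}, {"unique": False, "assignments": {}}),
    "members_not_removed": ({"tester", "Uploaders", "Members"}, {"unique": True, "assignments": {"Members": ["Contribute"], "Uploaders": ["Upload Only"]}}),
    "no_access": ({"tester"}, {"unique": True, "assignments": {"Uploaders": ["Upload Only"]}}),
}

def run_cases():
    return {name: audit(who, lib, SITE, LEVELS) for name, (who, lib) in CASES.items()}
```

A non-empty `excess` list means the test user can do more than upload; a non-empty `missing` list means the user cannot reach the library or cannot add files.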

Upload Only vs Contribute vs Read: Permission Comparison

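| Permission               | Upload Only | Contribute | Read |
|--------------------------|-------------|------------|------|
| Add Items (upload files) | Yes         | Yes        | No   |
| View Items (see files)   | No          | Yes        | Yes  |
| Edit Items               | No          | Yes        | No   |
| Delete Items             | No          | Yes        | No   |
| View Application Pages   | Yes         | Yes        | Yes  |
| Open                     | Yes         | Yes        | Yes  |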

After creating the custom permission level and assigning it correctly, your users can upload files to the library without seeing or modifying existing content. Next, consider setting up a file upload notification flow using SharePoint Power Automate to alert administrators when new files arrive. A practical tip: always create a test library with a few dummy files before applying the Upload Only level to a production library. This lets you verify the permission behavior without risking real data exposure.
