SharePoint site owners often need to give specific users the ability to upload files without letting them edit, delete, or view other content. The built-in permission levels like Contribute or Edit grant more access than you want for this scenario. A custom permission level for upload only solves this problem by restricting the user to exactly one action: adding documents to a library. This article explains how to create that custom permission level step by step. It also covers the exact permissions to enable and disable, common mistakes to avoid, and what users can and cannot do after the change.
Key Takeaways: Creating a Custom Upload-Only Permission Level
- Site Settings > Site Permissions > Permission Levels: The starting point to create any custom permission level.
- Enable only “Add Items” and “View Application Pages”: These two checkboxes give upload ability without edit or delete rights.
- Break permission inheritance on the target library: Required to assign the custom level to a specific group without affecting the rest of the site.
What a Custom Upload-Only Permission Level Does
A custom permission level lets you combine individual SharePoint permissions into a named role. SharePoint includes several built-in levels such as Read, Contribute, and Full Control. None of these restrict a user to only uploading files. The Contribute level includes the ability to edit and delete items. The Read level prevents uploads entirely. A custom level for upload only gives you exact control over what a user can do inside a document library.
Before you begin, you need the following prerequisites:
- You must be a SharePoint site owner or have Full Control permissions on the site.
- The site must use classic or modern permission modes. This process works the same in both.
- You need access to the SharePoint admin center if the site is a communication site or a modern team site connected to a Microsoft 365 group. In that case, you may need to manage permissions through the site settings rather than the group.
The custom level you create will only apply to the specific library where you assign it. Users with this level can upload files but cannot open, edit, delete, or download existing files. They also cannot see the library contents in a list view. This is the strictest upload-only configuration available in SharePoint without using third-party tools.
Steps to Create the Upload-Only Permission Level and Assign It
- Navigate to Permission Levels
Go to your SharePoint site. Click the gear icon in the top right and select Site Settings. If you do not see Site Settings, click Site Information and then View All Site Settings. Under the Users and Permissions section, click Site permissions. On the ribbon, click Permission Levels. - Add a New Permission Level
Click Add a Permission Level at the top of the page. Enter a name such as “Upload Only” and a description like “Can upload files but cannot view, edit, or delete existing files.” - Select the Correct Permissions
Scroll down to the List Permissions section. Check only the box for Add Items. Then scroll to the Site Permissions section and check the box for View Application Pages. Do not check any other boxes. The View Application Pages permission is required for the user to reach the upload dialog. Without it, the upload button will not appear. Click Create at the bottom. - Break Permission Inheritance on the Target Library
Go to the document library where you want to assign upload-only access. Click the gear icon and select Library Settings. On the ribbon, click Permissions for this document library. If the message “This library inherits permissions from its parent” appears, click Stop Inheriting Permissions. Confirm the action. - Grant the Upload-Only Permission Level to Users
With the library permissions page open, click Grant Permissions. In the dialog, enter the names or email addresses of the users or group. Under the Select a permission level section, uncheck any pre-selected levels. Scroll to find your custom Upload Only level and check that box. Click Share. - Remove Any Other Permissions for Those Users
If the users or group already have permissions from the parent site, those inherited permissions still apply. After breaking inheritance, you must remove the unwanted permission entries. On the library permissions page, select the user or group. Click Edit User Permissions. Uncheck all permission levels except Upload Only. Click OK.
Common Mistakes and Limitations When Setting Upload-Only Permissions
Users cannot see the upload button
If the View Application Pages permission is missing, the upload interface will not render. Double-check that this permission is enabled in your custom level. Without it, the user will see a blank page or a permission denied error when they open the library.
Users can still see folder names or file metadata
The upload-only level does not grant View Items permission. This means the user cannot see the list of files in the library. However, if the library has folders, the folder structure may still appear if the library uses modern views that show folders by default. To hide folders entirely, set the default view to show all items without folders. Go to Library Settings > Advanced Settings and set Folders in the New Folder Command to No.
Users can overwrite existing files
The Add Items permission allows uploading a file with the same name as an existing file. SharePoint will create a new version of that file by default. If you want to prevent overwrites, enable versioning and set the library to require check-out. Go to Library Settings > Versioning Settings and select Yes for Require Check Out. Users with upload-only access cannot check out files, so they will receive an error if they try to upload a duplicate name.
Users cannot upload files larger than the site limit
SharePoint has a default file upload limit of 250 MB per file. This limit applies to all users regardless of permission level. If your users need to upload larger files, increase the limit in the SharePoint admin center. Go to Admin > SharePoint > Settings and change the File upload limit value to a maximum of 250 GB.
The custom level does not appear in the Grant Permissions dialog
Custom permission levels only appear when you are managing permissions on a securable object that does not inherit permissions. If the library still inherits permissions from the site, the custom level will not be available. Break inheritance first, then grant permissions again.
Upload-Only vs Contribute vs Read: Key Differences
| Item | Upload Only (Custom) | Contribute (Built-in) | Read (Built-in) |
|---|---|---|---|
| Upload files | Yes | Yes | No |
| View files | No | Yes | Yes |
| Edit files | No | Yes | No |
| Delete files | No | Yes | No |
| Download files | No | Yes | Yes |
| Overwrite existing file | Yes (creates new version) | Yes | No |
The table shows that Upload Only gives the narrowest set of abilities. Contribute includes all list actions except managing permissions. Read only allows viewing and downloading. Choose Upload Only when you want a user to submit files without seeing or modifying anything in the library.
Conclusion
You can now create a custom permission level that restricts users to upload-only access in a SharePoint document library. The key steps are enabling only Add Items and View Application Pages in a new permission level, breaking inheritance on the target library, and assigning that level to the specific users or group. After setup, test the access by logging in as the restricted user and confirming that the upload button appears but the file list does not. For stricter control, enable versioning and require check-out on the library to prevent file overwrites. This approach gives you precise control over content submission without exposing the full library to contributors.