You need to restrict access to specific rows in a SharePoint list without affecting the whole list or site. SharePoint list item-level permissions let you break inheritance on individual items and grant unique permissions. This article provides a governance checklist to plan, apply, and audit item-level permissions correctly. You will learn the exact steps to configure permissions, avoid common security gaps, and maintain a clean permission structure.
Key Takeaways: Item-Level Permission Governance for SharePoint Lists
- SharePoint list > List Settings > Permissions for this list: Use this path to stop inheriting permissions from the parent site before setting item-level rules.
- Item-level permissions > Stop Inheritance: Breaks permission inheritance on a single list item so you can assign unique access to that row.
- SharePoint admin center > Site permissions > Permission reports: Run permission reports to audit item-level changes and detect over-permissioned items.
What Are Item-Level Permissions in SharePoint Lists
In SharePoint, every list inherits permissions from its parent site by default. All items in the list share the same access rights as the site. Item-level permissions let you break that inheritance on a single list item. You can then grant unique permissions to that one row without changing the rest of the list or the site.
This feature is useful when a list contains sensitive data such as employee salaries, contract terms, or confidential project notes. Only specific users or groups should see or edit those rows. The rest of the list remains accessible to everyone who has list-level permissions.
Item-level permissions are not the same as column-level permissions. Column-level permissions hide or restrict a field across all items. Item-level permissions control access to entire rows. You can combine both for fine-grained data protection.
Prerequisites for Setting Item-Level Permissions
Before you change permissions on a single item, confirm the following:
- You have Full Control or Manage Permissions permission on the list.
- The list does not use Content Approval where item-level permissions conflict with approval states.
- You have a clear mapping of which users or groups need access to each item.
- You have documented the baseline permission structure of the site and list.
Governance Checklist for Item-Level Permissions
Use this checklist before, during, and after setting item-level permissions. Each step reduces the risk of permission errors and audit failures.
Before You Start: Plan Your Permission Model
- Audit the current permission state of the list
Go to the list, select the gear icon, and choose List Settings. Under Permissions and Management, click Permissions for this list. Note whether the list is inheriting permissions from the parent site or has unique permissions. Record the groups and users that currently have access.
- Identify which items need unique permissions
Create a spreadsheet or use a SharePoint column (e.g., a Choice column named “Permission Level”) to mark items that require restricted access. Do not set item-level permissions on more than 10 percent of a list without a performance impact assessment.
- Define the groups that will receive item-level access
Create SharePoint groups at the site level for each role that needs item-specific access. For example, create a group called “Contract Viewers” rather than adding individual users on each item. This makes auditing and future changes easier.
- Document the permission plan
Write down which items get unique permissions, which groups get access, and the permission level (Read, Contribute, Edit, or Full Control). Store this document in a secure location such as a SharePoint library with restricted access.
While Setting Permissions: Apply Correctly
- Open the item and stop inheritance
Navigate to the list item, click the three dots (ellipsis) next to the item name, and select Manage Access. On the Manage Access pane, click Stop Sharing. This breaks permission inheritance for that item only. A warning message confirms the change.
- Remove inherited users and groups that should not have access
After stopping inheritance, the item still shows all inherited permissions. Click the X next to any user or group that should not have access to this item. Do not skip this step. If you leave inherited permissions in place, the item remains visible to users you intended to exclude.
- Add the correct groups or users with the correct permission level
Click Add People, type the SharePoint group name or individual user, and select the permission level from the dropdown. Use the Read permission level for view-only access. Use Contribute or Edit only if users need to modify the item. Click Share to apply.
- Verify the item permissions immediately
While still on the Manage Access pane, review the list of users and groups. Confirm that only the intended identities appear. Check that no inherited entries remain unless they are explicitly allowed.
After Setting Permissions: Audit and Maintain
- Run a site permissions report
Go to the SharePoint admin center, select Active sites, choose your site, and click Permissions. Click View permission reports and select Unique permissions report. This shows every item in the site with broken inheritance. Review the list for any items that should not have unique permissions.
- Schedule quarterly permission reviews
Set a recurring calendar reminder to run the unique permissions report every three months. Compare the report against your documented permission plan. Revoke any permissions that are no longer needed.
- Use a flow or PowerShell script to detect orphaned permissions
Create a Power Automate flow that triggers when a list item is deleted. The flow should check whether that item had unique permissions and log the event. Alternatively, use the SharePoint Online Management Shell with the Get-SPOListItem command to list items with unique permissions and compare them against active users.
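The comparison of items with broken inheritance against the documented plan can be scripted. The following is an added example, not part of the original article, and it uses the community PnP.PowerShell module rather than the SharePoint Online Management Shell named above. It assumes an existing Connect-PnPOnline session; the list name and the plan entries are constructed placeholders.

```powershell
# Added example. Assumes the PnP.PowerShell module and an existing Connect-PnPOnline session.
# 'Contracts' and the $Plan entries are constructed placeholders for the documented plan.
$ListName = 'Contracts'
$Plan = @{                       # item ID -> principals the plan allows on that item
    12 = @('Contract Viewers')
    27 = @('Contract Viewers', 'Legal Editors')
}

function Get-UniqueItemPermission {
    param([Parameter(Mandatory)][string]$List)
    foreach ($item in Get-PnPListItem -List $List -PageSize 500) {
        # True only where inheritance was broken on this item
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if (-not $unique) { continue }
        foreach ($ra in Get-PnPProperty -ClientObject $item -Property RoleAssignments) {
            $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
            # 'Limited Access' is assigned by SharePoint itself, not by an administrator
            $roles = @($ra.RoleDefinitionBindings | ForEach-Object Name) -ne 'Limited Access'
            if ($roles) {
                [pscustomobject]@{
                    ItemId    = $item.Id
                    Principal = $ra.Member.Title
                    Roles     = $roles -join ', '
                }
            }
        }
    }
}

function Compare-PermissionPlan {
    param([object[]]$Actual, [hashtable]$Plan)
    foreach ($entry in $Actual) {
        $allowed = $Plan[[int]$entry.ItemId]
        $finding = $null
        if ($null -eq $allowed) { $finding = 'Item not in plan' }
        elseif ($entry.Principal -notin $allowed) { $finding = 'Principal not in plan' }
        if ($finding) { $entry | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru }
    }
}

$actual = @(Get-UniqueItemPermission -List $ListName)
Compare-PermissionPlan -Actual $actual -Plan $Plan | Format-Table -AutoSize

# Share of items carrying unique role assignments, against the 10 percent guideline
$total       = (Get-PnPList -Identity $ListName).ItemCount
$uniqueCount = @($actual | Select-Object -ExpandProperty ItemId -Unique).Count
'{0} of {1} items ({2:P1}) have unique permissions' -f $uniqueCount, $total, ($uniqueCount / [math]::Max($total, 1))
```

A "Principal not in plan" row on a planned item is typically an inherited entry that was never removed after inheritance was stopped.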
Common Pitfalls When Setting Item-Level Permissions
Users Still See the Item After Removing Their Access
This happens when you stop inheritance but do not remove the inherited users. After breaking inheritance, the item retains all inherited permission entries. You must manually delete each user or group that should not have access. Always check the Manage Access pane after stopping inheritance and remove any entries that are not explicitly allowed.
Item Permission Changes Are Not Applied to New Items
Item-level permissions apply only to the specific item you configure. New items added to the list inherit from the list level, not from any existing items. If you need every new item to follow a permission pattern, you must either set permissions manually on each new item or use a Power Automate flow that applies permissions based on a column value.
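A scripted alternative to the flow, as an added example that is not from the original article: it grants one group access on every item flagged by a column value and clears the entries left over from inheritance. It assumes PnP.PowerShell with an existing Connect-PnPOnline session; the list, column, value and group names are hypothetical.

```powershell
# Added example. Assumes the PnP.PowerShell module and an existing Connect-PnPOnline session.
# List name, column internal name, choice value and group name are hypothetical placeholders.
function Set-RestrictedItemAccess {
    param(
        [Parameter(Mandatory)][string]$List,
        [string]$FlagColumn = 'PermissionLevel',   # internal name of the Choice column
        [string]$FlagValue  = 'Restricted',
        [string]$Group      = 'Contract Viewers',
        [string]$Role       = 'Read',
        [switch]$Apply                             # without -Apply the function only reports
    )
    foreach ($item in Get-PnPListItem -List $List -PageSize 500) {
        if ($item.FieldValues[$FlagColumn] -ne $FlagValue) { continue }

        # Items that already have unique permissions are left for manual review
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if ($unique) {
            $action = 'Skipped: already unique'
        }
        elseif ($Apply) {
            # -ClearExisting removes the existing entries instead of keeping the inherited ones
            $null = Set-PnPListItemPermission -List $List -Identity $item.Id `
                        -Group $Group -AddRole $Role -ClearExisting
            $action = 'Applied'
        }
        else {
            $action = 'Would apply'
        }
        [pscustomobject]@{ ItemId = $item.Id; Group = $Group; Role = $Role; Action = $action }
    }
}

# Dry run first; add -Apply once the reported items match the permission plan
Set-RestrictedItemAccess -List 'Contracts' | Format-Table -AutoSize
```

After an -Apply run, check one changed item in the Manage Access pane to confirm which identities remain on it.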
Performance Degradation on Large Lists
SharePoint lists with more than 5,000 items and many unique permissions can cause slow load times or threshold errors. The SharePoint list view threshold is 5,000 items. When you break inheritance on many items, each permission check adds overhead. Keep the number of items with unique permissions under 10 percent of the total list size. If you need row-level security on a large dataset, consider using a separate site or a SQL database with a SharePoint connector.
Item-Level Permissions vs Column-Level Permissions: Key Differences
| Aspect | Item-Level Permissions | Column-Level Permissions |
|---|---|---|
| Scope | Entire row (all columns) of a single item | One or more columns across all items |
| Use case | Hide or restrict access to a specific record such as an employee contract or a confidential project task | Hide sensitive fields such as Social Security numbers or salary amounts from users who can view the item |
| Configuration | Break inheritance on the item and assign unique permissions | Set permissions on the column via list settings or column formatting JSON |
| Audit complexity | Requires unique permissions report from SharePoint admin center | Requires column formatting review or third-party tool |
| Performance impact | High on lists with many unique permission items | Low because column permissions do not affect item enumeration |
You now have a governance checklist to plan, apply, and audit item-level permissions in SharePoint lists. Start by auditing your current permission state and documenting which items need unique access. Apply permissions using the Manage Access pane and always remove inherited users. Run the unique permissions report quarterly to keep your permission structure clean and avoid performance issues.
Next, explore SharePoint column-level permissions to restrict access to specific fields within items. Combine both techniques for a defense-in-depth approach to sensitive list data. For large-scale permission management, use PowerShell scripts to automate permission checks and generate compliance reports.