Prevent Document Library Deletion
With document libraries, there isn't a permission level to restrict deletion of document libraries. There is the standard out-of-the-box 'Manage Lists' permission that includes the ability to create or delete lists/libraries. However, did you know that this permission is included in the Edit permission level, which in turn is assigned by default to the Site Members group?
Any list or library that is deleted goes to the Recycle Bin. There are two levels (user and admin), and deleted items will stay there for 93 days per level. Typically, if you are managing a large set of libraries across many site collections, it may become harder to detect these deletions.
Now, there are a couple of simple options here:
- Remove the Delete Library option: users can add libraries but not remove them.
- Block both create and delete by switching the Edit permission to Contribute.
Point 2 can be a little heavy-handed because it also blocks creation. In the past, the libraries I have set up typically required additional configuration, such as custom Content Types and Metadata for Document/Records Management. It cannot be expected or assumed that all staff would know how to configure these libraries and do so consistently. For these situations, I have in the past created a provisioning solution to configure the libraries for the requester.
Unfortunately, you cannot remove the delete option on a list or library with the user interface; it has to be done by an API call.
It's scriptin' time…
I typically include two actions in my provisioning scripts to do the following:
- Disable Library Delete
- Change the Site Members group to 'Contribute'
The scripts to stop this from occurring are quite simple. In these examples, I use the PnP-PowerShell library to perform these actions.
1. Remove Delete Option
This script removes the delete option from the document library:
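```powershell
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$Url,

    [Parameter(Mandatory = $true)]
    [string]$LibraryTitle,

    # Pass -EnableDeletion to restore the delete option; omit it to remove the option.
    [Parameter(Mandatory = $false)]
    [switch]$EnableDeletion
)
process {
    # Reuse the current PnP connection if it already points at $Url.
    # Get-PnPConnection errors when there is no connection, so treat that as "not connected".
    $connection = $null
    try { $connection = Get-PnPConnection } catch { }
    if ($null -eq $connection -or $connection.Url -ne $Url) {
        Connect-PnPOnline -Url $Url -NoTelemetry
    }

    $list = Get-PnPList -Identity $LibraryTitle
    if ($list) {
        # AllowDeletion controls whether the library can be deleted.
        $list.AllowDeletion = $EnableDeletion.IsPresent
        $list.Update()
        Invoke-PnPQuery
        Write-Host "Updated settings"
    }
    else {
        Write-Host "List not found!"
    }

    Write-Host "Script Complete! :)" -ForegroundColor Green
}
```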
2. Replacing the members permissions from Edit to Contribute
This script lowers the permissions of the Site Members group to Contribute permission:
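```powershell
Connect-PnPOnline -Url "https://<tenant>.sharepoint.com"

# The group SharePoint treats as this site's default Members group.
$membersGroup = Get-PnPGroup -AssociatedMemberGroup

# Swap the Edit role (which includes Manage Lists) for Contribute.
Set-PnPGroupPermissions -Identity $membersGroup `
    -RemoveRole "Edit" -AddRole "Contribute"

Write-Host "Done! :-)" -ForegroundColor Green
```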
A few things to note
- If you are a site owner, removing the delete option will stop YOU as well, as it removes the UI option to delete. You will need a script to restore the option.
- In Office 365 Groups, the 'Documents' library already has this removed.
- In Communication Sites, the option to remove 'Documents' and 'Site Pages' is shown, which means any of your content editors can delete the libraries and potentially cause an outage on your site if you are using it as an Intranet.
- Different site templates have different options, so it's best to check the types of sites you use or plan to use, to see if you need to level out the options according to your policies.
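To check where a given site stands before changing anything, here is an added example (not part of the original post) of a read-only audit: it lists the site's document libraries with their AllowDeletion setting and shows the roles held by the Site Members group. It assumes the same PnP-PowerShell module and sign-in as the scripts above, an English-language site where the role is named "Edit", and a `$Url` parameter chosen for this example.

```powershell
# Added example: read-only audit, makes no changes to the site.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$Url   # Site to audit (parameter name chosen for this example)
)

Connect-PnPOnline -Url $Url

# Document libraries only (BaseTemplate 101), skipping hidden system libraries.
# AllowDeletion is requested explicitly so it is loaded for every list.
$libraries = Get-PnPList -Includes AllowDeletion |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($library in $libraries) {
    [pscustomobject]@{
        Site          = $Url
        Library       = $library.Title
        AllowDeletion = $library.AllowDeletion
    }
}

# Roles currently held by the site's associated Members group.
$membersGroup = Get-PnPGroup -AssociatedMemberGroup
$memberRoles  = @((Get-PnPGroupPermissions -Identity $membersGroup).Name)

$report | Sort-Object Library | Format-Table -AutoSize
Write-Host "Site Members roles: $($memberRoles -join ', ')"

# Flag the two conditions the post describes.
$deletable = @($report | Where-Object { $_.AllowDeletion })
if ($deletable.Count -gt 0) {
    Write-Warning "$($deletable.Count) document libraries still expose the delete option."
}
if ($memberRoles -contains 'Edit') {
    Write-Warning "Site Members hold 'Edit', which includes Manage Lists (create/delete libraries)."
}
```

Running it against each site template you use shows which libraries ship with the delete option already removed and which need the first script applied.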
Enjoy!