[-AddPermissions] <list-of-permissions>
  [-RemovePermissions] <list-of-permissions>
  [-Item <list-item>]


>= kenaflow 1.0.0




Use this cmdlet to add and remove permissions to and from a list item. It's a combination of the cmdlets Add-KFPermission and Remove-KFPermission.

Both parameters -AddPermissons and -RemovePermissions gets a single permission object or a list of permission objects of the following form.

The permission object is specified as a PowerShell Hashtable:

   User = <string-or-object>;
   PermissionsSets = @(<permission-set-name>[, <permission-set-name>[, ...]]);
   Quick = "CRUDMA";

The User property of the permission object can be:

  • List of strings or objects
  • string, that describe the user
  • object as (array of) SharePoint FieldUserValue

Such a "string" of the User property of the permission object can be:

  • a user login name
  • an email address
  • a SharePoint field of the currently processed or with -Item specified list item
  • a combination of all of them separated by "," or ";"


  • User = @($item["Author"])
  • User = $item["Author"]
  • User = @($item["Author"], $item["Editor"])
  • User = "{{Author}}"
  • User = "{{Author}},{{Editor}}"
  • User = @($item["Author"], "{{Editor}},sharepoint\ingo", "ingo@sharepoint.farm")

The kenaflow template engine is used to resolve the given strings. Templates

Also SharePoint groups are resolved. E.g. User = @("Intranet Owners")

The parameter -PermissionSets is a PowerShell list of one or more names of valid / existing SharePoint permission sets, such as "Full Control" or "Design". - Custom permission sets can be named too. But the have to exist!

The parameter -Quick is a kind of shortcut to -PermissionSets. kenaflow can create it's own permission sets as specified in the _wfconfig.ps1 file. They have to be created using program switch --createpermissionsets. This permission sets are by default named as:

  • kenaflow Create => C
  • kenaflow Read => R
  • kenaflow Update => U
  • kenaflow Delete => D
  • kenaflow Manage => M
  • kenaflow Approve => A

The first letter(s) in combination can be used in parameter -Quick to specify these permission sets. - But they have to be configured in _wfconfig.ps1 and must exist in SharePoint! - For example: Quick="CUD" => "Create", "Update", "Delete" - but not "Read".

The base permissions of each of the kenaflow defined permission sets can be found here: Permissions.

This is an example for a valid permission object - if the kenaflow permission sets are configured.

    User = @("{{Author}}", $item["Editor"]);
    PermissionSets = @("Read");
    Quick = "CUD"

Multiple permission objects can be specified as a list:

    @{User="sharepoint\ingo"; Quick="CUD"},
    @{User="sharepoint\kenaflow";PermissionSets=@("Full Control")}


[-AddPermissions] <list-of-permissions>

One or more permission objects as described above to be added to the list item.

[-RemovePermissions] <list-of-permissions>

One or more permission objects as described above to be removed from the list item.

[-Item <list-item>]

The list item to be processed.


Permissions can only be added to the list item if it has its own permissions - and not inherited permissions from its parent. If an item with active permission inheritance is given the inheritance will be stopped by default. But if you specify -BreakPermissionInheritance:$false the cmdlet will fail and stop if the list item has active permission inheritance.


If the cmdlet stop permission inheritance it can copy the permissions of the parent or start with a blank set of permissions which is the default.


kenaflow tries to resolve the given User property of each permission object. If this fails and -ThrowResolveErrors is specified the cmdlet will fail. Otherwise the not existing or not successfully resolved principal is skipped.


This is a default parameter for all kenaflow cmdlets. If set to $true (default!) the engine will pass exception within the cmdlet to the script for further handling.


$newEditor = "sharepoint\user3"

Update-KFPermission -AddPermissions @(
        User = "user1@sharepoint.farm";
        PermissionSets = @("Full Control");
        User = "user2@sharepoint.farm";
        PermissionSets = "Read";
) -RemovePermissions @(
    @{ User="{{Author}}"; Quick="R" },
    @{ User="{{currentEditor}}"; Quick="R" },
    @{ User=$newEditor; Quick="R" }