Manage SharePoint Folder Permissions Step by Step
SharePoint gives you a lot of control over who can access what inside a document library. The challenge is that this control lives across multiple panels, requires a specific sequence of steps to work correctly, and behaves differently depending on whether inheritance is active or not. Most of the confusion people run into around SharePoint folder permissions comes not from misunderstanding the concept but from missing one step in the process.
This guide focuses specifically on folders: how to access their permissions, how to grant and restrict access, how to remove users, and how to avoid the mistakes that make folder-level access management harder than it needs to be. If you want a broader overview of all SharePoint permission levels and how they work across sites and libraries, the SharePoint permission levels guide covers that in full.
What Are SharePoint Folder Permissions
SharePoint folder permissions are access rights that control who can view, edit, or manage content within a specific folder inside a document library. They are not separate from the broader SharePoint permission system but a layer within it. A folder can either follow the access rules set by its parent library or have its own unique set of permissions configured independently.
In practice, folder permissions serve three purposes:
- Control access: Determine who can open and view folder contents
- Protect sensitive data: Prevent unauthorized users from editing or deleting files
- Enable collaboration: Allow specific team members to contribute while restricting others
What matters most to understand before touching any folder permissions is that SharePoint operates on a principle called inheritance. By default, a folder does exactly what its parent library does. Until you change that, any adjustment you make at the folder level will not stick the way you expect.
This is also the point where many teams start questioning whether SharePoint is the right tool for the job, particularly when the folder in question contains client documents. When secure file sharing with clients is the goal, the inheritance model and multi-step configuration process can feel disproportionate to the task. Platforms like Clinked handle this by giving each client a dedicated, pre-permissioned workspace rather than requiring you to carve exceptions out of an inherited library structure.
Understanding Permission Inheritance in SharePoint
Every folder in a SharePoint library inherits its permissions from the library above it by default. That library inherits from the site. This chain is called permission inheritance, and it is what keeps a large SharePoint environment manageable without requiring administrators to configure every folder individually.
How Inheritance Works by Default
When a new folder is created, it automatically receives the same access rights as the library it sits in. If the Members group can edit content in the library, they can edit content in every new folder too. If a Visitor can read files in the library, they can read files in every folder as well. Any change made at the library level cascades down automatically to all folders that have not broken the inheritance chain.
When to Break Inheritance
Breaking inheritance means disconnecting a folder from its parent's rules and giving it its own unique permission set. This makes sense in specific situations:
- A confidential project folder that only a subset of the team should access
- Client-specific folders within a shared library, where clients should not see each other's content
- Folders containing HR, legal, or financial documents within a broader departmental site
The important caveat is that every folder where you break inheritance becomes an independent configuration to manage. Personnel changes, project endings, and access reviews all need to account for it separately. When this happens across dozens of folders, it becomes genuinely difficult to answer the question of who actually has access to what. That complexity is one of the most cited frustrations among SharePoint administrators, and it is a meaningful reason many client-focused teams eventually look at purpose-built client collaboration software that isolates access by design.
How to Access Folder Permissions in SharePoint
Before you can make any changes, you need to reach the right panel. The path is straightforward once you know it.
1. Navigate to the Folder
Open the SharePoint site and go to the document library where the folder lives. Locate the specific folder you want to manage.
2. Open the Manage Access Panel
Hover over the folder or select it using the checkbox next to its name. Click the ellipsis (three dots) that appears, then select Manage access from the dropdown. You can also right-click the folder name directly to surface the same option.
3. View Current Permission Settings
The Manage Access panel shows you every user and group that currently has access to this folder, along with their permission level. Can edit and Can view are the two you will see most often. Before making any changes, review this list carefully. It is common to find access that was granted months ago for a project that has since ended, or for users who have since left.
How to Grant Access to a SharePoint Folder
1. Break Permission Inheritance
This is the step that most people miss. If the folder is still inheriting permissions from its parent library, any user you add at the folder level may be overridden. You must stop inheritance first.
In the Manage Access panel, look for the link to advanced settings. In the classic SharePoint interface, go to Library Settings, then Permissions for this document library, then click Stop Inheriting Permissions. SharePoint will ask you to confirm. Once confirmed, the folder has its own independent permission set that you can configure freely.
2. Add Users or Groups
With inheritance broken, click Grant access or the share icon in the Manage Access panel. Enter the email addresses of the people you want to add, or type the name of an existing SharePoint group such as Owners, Members, or Visitors. Using groups rather than individual email addresses makes future maintenance significantly easier, which is worth the small amount of extra setup time.
3. Select the Permission Level
Choose the level of access that fits the need. The table below covers the two most common options at the folder level. For a full breakdown of all SharePoint permission levels and what each one allows, the SharePoint permission levels guide goes through every level in detail.
| Permission Level | What Users Can Do |
| --- | --- |
| Can view | Open and read files, no ability to edit or delete |
| Can edit | View, upload, edit, and delete files within the folder |
4. Save and Confirm Access
Click Grant access to apply. Optionally send an email notification to the users. Once saved, return to the Manage Access panel and verify the change. Confirm that the right people appear with the correct levels before closing the panel. It takes an extra thirty seconds and prevents a lot of follow-up troubleshooting.
One place where this process gets friction-heavy is with external clients. They need a Microsoft account, they must match the exact email address the invitation was sent to, and your organization's authentication policies may add further barriers they cannot troubleshoot themselves. If this is a recurring pain point in your workflow, Clinked's access and permissions model removes those barriers entirely by letting clients access their dedicated workspace without Microsoft account requirements.
How to Restrict Access to a Folder in SharePoint
1. Stop Inheriting Permissions
The same first step applies whether you are granting or restricting access. Without breaking inheritance, the parent library's permissions remain in control regardless of what you configure at the folder level. A user you remove from the folder's access list can still get in through their library-level permissions, which catches many administrators off guard.
2. Remove Unwanted Users or Groups
In the Manage Access panel, click the dropdown next to each user or group that should no longer have access and select Stop sharing or Remove. Work through the list systematically, particularly in folders that have accumulated multiple contributors over time.
3. Make the Folder Read Only
If you want certain users to see the folder's contents without being able to change anything, switch their permission from Can edit to Can view. They retain visibility but lose the ability to upload, modify, or delete files.
SharePoint Permission Levels Explained
For the purposes of folder-level access management, the three levels you will work with most are Full Control, Edit, and Read. Here is a brief summary of what each means at the folder level. For the complete breakdown including Design, Contribute, View Only, and Limited Access, refer to the SharePoint permission levels guide.
Full Control
Users with Full Control can do everything: read, edit, delete, and manage who else has access to the folder. Reserve this exclusively for site owners and IT administrators. Assigning it to anyone who does not genuinely need permission-management rights is a security risk, and it is one of the most common over-permissioning mistakes in SharePoint environments.
Edit
Edit allows users to view, upload, modify, and delete files within the folder. They cannot change who has access. This is the standard level for active project contributors.
Read
Read provides view-only access. Users can open and read files but cannot upload, edit, or delete anything. This is the right choice for stakeholders, reviewers, and clients who need visibility without the ability to change content.
Custom Permission Levels
Administrators can build custom permission levels by combining specific individual capabilities. This is rarely necessary at the folder level and adds significant management complexity. If a use case genuinely requires it, it is worth considering whether that complexity is a sign the folder should live in a separate library with a purpose-configured baseline permission set instead.
How to Remove User Permissions in SharePoint
1. Open Manage Access
Navigate to the folder and open the Manage Access panel the same way you would to view permissions.
2. Select the User to Remove
Find the user or group in the current access list. Use the search functionality within the panel if there are many entries to sort through.
3. Confirm Permission Removal
Click the dropdown next to their name and select Stop sharing or Remove direct access. Confirm when prompted. Access is revoked immediately.
One important note: if the user has access through a SharePoint group rather than a direct individual assignment, removing them from the folder-level list alone will not fully revoke access. Their group membership still applies. You will need to remove them from the group itself, or their access will persist regardless of what you change at the folder level. This is another reason why group-based access management, covered later in this guide, is the cleaner long-term approach.
How to Restore Permission Inheritance
If you have applied unique permissions to a folder and later decide the parent library's settings should apply again, you can revert to inheritance.
In the folder's permission settings, accessible through the classic interface at Library Settings and then Permissions, select Delete unique permissions or Inherit permissions from parent. This removes all custom access rights on that folder immediately and replaces them with whatever the parent library currently has.
This step cannot be undone selectively. If certain users needed different access than the parent library provides, you will need to reconfigure that separately after restoring inheritance. Use it as a cleanup step when a project ends or when a previous configuration has become too complex to manage.
How to Manage Access in SharePoint with User Groups
The single most impactful thing you can do to keep SharePoint folder permissions manageable is to assign access to groups rather than individual users. Every direct user assignment you make today is a future maintenance item and a potential access gap when that person changes roles or leaves.
Benefits of Using Groups for Permissions
- Easier maintenance: Update the group once and the change applies across every folder and library where that group has access
- Consistency: Every group member has identical access rights, reducing the risk of accidental discrepancies across folders
- Offboarding efficiency: Removing someone from a group revokes their access everywhere in a single action, with no need to hunt through individual folder permission lists
1. Create or Select a User Group
SharePoint creates three groups automatically for every site: Owners with Full Control, Members with Edit access, and Visitors with Read access. These cover most common scenarios. If your structure requires something more specific, such as a group with read access only to particular client folders, you can create custom groups in Site Settings under People and Groups.
2. Assign the Group to the Folder
In the Manage Access panel, enter the group name rather than individual email addresses. Assign the appropriate permission level and confirm. From that point, the group's membership determines who has access, not a list of individually named users.
3. Manage Group Membership Over Time
When team composition changes, update the group rather than editing folder permissions. The change propagates automatically to every location where that group has access. At scale, this is the only approach that remains auditable and manageable.
SharePoint Security Permissions Best Practices
Avoid Over-Permissioning at the Site Level
Start with the minimum access level required and grant more only when there is a specific reason. Giving everyone Edit access because it is easier than deciding who should have Read is a common mistake that creates real security exposure, particularly now that AI tools like Microsoft Copilot surface content based on existing permissions.
Use Groups Instead of Individual Users
Already covered above, but worth repeating: individual assignments compound into maintenance problems over time. Groups keep your permission model clean and auditable.
Audit Folder Permissions Regularly
Quarterly reviews of folders with broken inheritance are a sensible minimum. Check who currently has access, confirm it is still appropriate, and remove anything that has outlived its purpose. Forgotten guest accounts and former employee access are the most commonly cited permission gaps in SharePoint environments.
Document Your Permission Structure
Every time you break inheritance on a folder, record it: what was configured, why, and when. Without that record, the reasoning behind unusual permission structures becomes invisible the moment the person who set them up moves on.
Common SharePoint Folder Permission Mistakes to Avoid
- Breaking inheritance unnecessarily: Every folder with unique permissions is an independent configuration to maintain. Structure your content so that folders requiring different access levels live in separate libraries with the right baseline permissions, rather than stacking exceptions within a single library.
- Assigning permissions to individuals instead of groups: Direct user assignments accumulate silently. When those users leave or change roles, their permissions persist until someone manually removes them from every location they were individually assigned.
- Forgetting to remove former employees and clients: Outdated access for ex-employees, former contractors, and past clients is the most common compliance gap in SharePoint environments and one that regular access reviews exist to prevent.
- Not testing after changes: After any permission change, verify the outcome using SharePoint's built-in Check Permissions feature or by logging in as the affected user. What looks correct in the admin panel does not always behave as expected when group memberships and inheritance interact.
For a deeper look at the structural reasons why folder-level access issues in SharePoint tend to recur, particularly when external clients are involved, the SharePoint issues guide covers the patterns in detail.
Simplify Permissions Management with a Secure Client Portal
Folder permissions in SharePoint are manageable for internal teams working within the same Microsoft 365 tenant. The inheritance model works, groups keep things scalable, and the configuration process is learnable. Where it consistently breaks down is client-facing access.
External users do not share your tenant, your authentication policies, or your Microsoft account ecosystem. Granting a client access to a specific folder triggers layers of authentication, guest account management, and link expiry policies that your team manages but your client experiences as friction. The link works one week and not the next. A client who should only see one folder can sometimes navigate where they should not. Troubleshooting why access broke for a specific client can consume more time than the original file sharing task warranted.
Clinked is built specifically for this scenario. Each client gets a dedicated workspace with access controls applied at the folder and file level from the start, no inheritance to break, no Microsoft account required, and no authentication layers your client needs to navigate. The document management is built around client collaboration rather than retrofitted from an enterprise intranet model, and every action is tracked in real-time audit logs so you always know who accessed, edited, or downloaded any file.
For teams in accounting, legal, financial services, and other regulated sectors where demonstrable access control is a compliance requirement, Clinked's ISO 27001 certification, SOC 2 compliance, and AES-256 encryption cover the security baseline without requiring a separate Microsoft Purview configuration to achieve it.
Book a demo to see how Clinked streamlines secure collaboration
FAQs about SharePoint Folder Permissions
What are the four main permission levels in SharePoint?
The four primary levels are Full Control, Edit, Contribute, and Read. Full Control grants complete administrative rights including permission management. Edit covers creating, modifying, and deleting content. Contribute is similar to Edit but limited to working within existing lists and libraries rather than creating new ones. Read is view-only. For a detailed breakdown of all seven SharePoint permission levels including Design, View Only, and Limited Access, the complete permission levels guide covers each one.
Can I set different permissions for subfolders than the parent folder?
Yes. You can break inheritance on any subfolder to assign unique permissions independently of its parent folder or library. The same process applies: access the subfolder's permissions, stop inheriting permissions, and configure the access rights you need. Each subfolder with broken inheritance becomes its own configuration to maintain, so this capability is best used deliberately rather than routinely.
How do I check who currently has access to a SharePoint folder?
Open the folder in the document library, click the ellipsis, and select Manage access. The panel lists all users and groups with current access along with their permission levels. For a broader view across multiple folders or an entire site, go to Site Settings and then Site permissions. A tenant-wide report across all sites requires PowerShell or a third-party governance tool, as SharePoint does not offer a native cross-site permissions overview.
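A per-library version of the PowerShell report mentioned above, which also serves the quarterly review of folders with broken inheritance described under best practices. This is an added example, not code from the original guide. It assumes the PnP.PowerShell module, a session already opened with Connect-PnPOnline, an English-language site (permission level names are localized), and placeholder values for the library name and report path.

```powershell
# Added example. Assumes the PnP.PowerShell module and a session already opened
# with Connect-PnPOnline against the site that holds the library.
# "Documents" and the CSV path are placeholder values, not taken from the guide.
param(
    [string]$LibraryName = "Documents",
    [string]$ReportPath  = ".\unique-folder-permissions.csv"
)

$rows = foreach ($item in Get-PnPListItem -List $LibraryName -PageSize 500) {
    # Only folders are in scope; files are skipped.
    if ($item.FileSystemObjectType -ne "Folder") { continue }

    # Folders that still inherit follow the library and need no separate review.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }

    # Load the folder's own role assignments (one per user or group).
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    foreach ($assignment in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $assignment -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is added automatically by SharePoint and is not a real grant.
        # Level names are assumed to be the English defaults.
        $levels = @($assignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }

        $member = $assignment.Member
        $flags  = @()
        # Direct user assignments are the ones that outlive role changes and departures.
        if ($member.PrincipalType -eq "User")   { $flags += "DirectUser" }
        # Full Control should be limited to site owners and IT administrators.
        if ($levels -contains "Full Control")   { $flags += "FullControl" }
        # Guest accounts carry "#ext#" in their login name.
        if ($member.LoginName -like "*#ext#*")  { $flags += "Guest" }

        [pscustomobject]@{
            Folder        = $item["FileRef"]
            Principal     = $member.Title
            LoginName     = $member.LoginName
            PrincipalType = $member.PrincipalType
            Levels        = $levels -join "; "
            ReviewFlags   = $flags -join "; "
        }
    }
}

# Full record for the audit file, then the flagged rows on screen for review.
$rows | Sort-Object Folder, Principal |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$rows | Where-Object ReviewFlags |
    Format-Table Folder, Principal, Levels, ReviewFlags -AutoSize
```

The CSV doubles as the written record of where inheritance has been broken; rows flagged DirectUser, FullControl, or Guest are the ones to check first in each review.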
Why can't a user access a SharePoint folder after I granted permission?
The most common cause is that inheritance was not broken first, meaning the parent library's settings are overriding the access you granted at the folder level. Other possibilities include the user being signed into a different Microsoft account than the one the invitation was sent to, or a delay in group membership propagating. Verify inheritance is broken, confirm the account being used matches the invited email, and check that any group assignments have taken effect. Our guide on recurring SharePoint access issues covers why these problems tend to resurface structurally.
Can external users be granted access to specific SharePoint folders?
Yes, if your SharePoint administrator has enabled external sharing at the tenant level. External users are invited by email and assigned a specific permission level on the folder. The practical challenge is that they must navigate Microsoft's authentication system, including creating a Microsoft account if they do not already have one that matches the invited email address exactly. This is frequently where client access fails. If external collaboration with clients is a regular part of your workflow, a dedicated client portal removes those authentication barriers and gives clients a straightforward, branded experience that does not depend on the Microsoft ecosystem to function.
Related reading: SharePoint Permission Levels: Complete Guide and why Microsoft SharePoint issues feel never-ending.