Here is one to chalk up to the “I-should-have-known-better” category. The other day I needed to make some permissions changes to a SharePoint list, and the items within this list had special permissions (item-level security). After making the necessary changes at the list level, I noticed that there were a lot of individual people in the list permissions with “Limited Access.” Since I don’t like clutter, I thought I would just clean things up by removing the users that had Limited Access.
That was a mistake! Removing the users with Limited Access from the list’s root level permissions settings also removed all those users from the items in which they had item-level security set up!
Thinking about it after the fact, this makes perfect sense. By definition, Limited Access allows users to access certain areas of the site, such as a specific list, library, item, or document, without giving users access to your entire site. So removing a user with Limited Access will in fact remove that user from all the areas in which they had fine-grained permissions set up.
I was very lucky because for this particular list I had a PowerShell script written that sets the item-level security based on a person’s department and manager that can be run on demand (usually I run it whenever we have issues with the list or need to add a permissions exception). Simply running this script added back in all my item-level security permissions, but it could have been a nightmare if that script didn’t exist!
The moral of the story is to be very careful before removing any kind of permissions, and make sure you have a thorough understanding of what exactly it is that you are removing. And having your user permissions documented would be very beneficial in case you do accidentally delete someone’s permissions and need to restore them.