Construct XML to Update Access Control Lists

To update the Access Control Lists (ACLs) of items in SharePoint, you must construct an XML document that specifies the identifiers of the items to update and, for each item, describes how to change its ACL. The overall structure is:

<identifiersXML>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update>
    </identifier>
</identifiersXML>

In the identifier value attribute, replace "..." with the document identifier of the item that you want to update. A document identifier can be found in the AUTN_IDENTIFIER field of an indexed document. Copy the value exactly as it was indexed; because it is placed inside an XML attribute, any characters that have special meaning in XML (such as & or ") must be XML-escaped.

You can update the ACLs of several items by including more than one identifier element in your XML:

<identifiersXML>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update>
    </identifier>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update>
    </identifier>
</identifiersXML>

The following table describes the XML elements that you can use in the acl_update element to specify how to change the ACL. Note that because both break_inheritance and enable_inheritance must be the first child of acl_update, at most one of them can appear in a single acl_update element.

XML element: <break_inheritance/>
Permitted occurrences: 0 or 1
Description: Add this element to your XML to prevent permissions being inherited from the parent object in SharePoint. If specified, this element must be the first child of acl_update.

XML element: <enable_inheritance revert_acl="true" />
Permitted occurrences: 0 or 1
Description: Add this element to your XML to inherit ACL settings from the parent object in SharePoint. If specified, this element must be the first child of acl_update. The attribute revert_acl must be specified and must be true, because SharePoint does not support both inherited and unique permissions on a single item: enabling inheritance discards the item's unique ACL entries. For example:

<enable_inheritance revert_acl="true" />

XML element: <ace action="...">
Permitted occurrences: 0 or more
Description: Add or remove an entry from the ACL. The action attribute must be specified and accepts the value add or remove. The following child elements must all appear exactly once:

  • principal - the user or group whose permissions you want to modify in the ACL.
  • principalType - the type of principal specified by the principal element. One of:

    • DomainUser - a domain user, for example DOMAIN\USER
    • SID - a security identifier (SID), for example S-1-1-0
    • SharepointGroup - a SharePoint group
    • Claim - a claim
  • level - a comma-separated list of permission levels to add or remove. You can specify any permission level that is defined on the SharePoint site. For a list of the available permission levels, go to the page https://mySharePointSite/_layouts/role.aspx, where mySharePointSite is the URL of a SharePoint site.

The following example demonstrates how to change the ACL for an item in SharePoint. The update first breaks inheritance from the parent object, and then:

  • grants read permission to MYDOMAIN\user1
  • grants read and contribute permissions to MYDOMAIN\user2
  • removes full control permission from MYDOMAIN\user3

<identifiersXML>
    <identifier value="...">
        <acl_update>
            <break_inheritance/>
            <ace action="add">
                <principal>MYDOMAIN\user1</principal>
                <principalType>DomainUser</principalType>
                <level>Read</level>
            </ace>
            <ace action="add">
                <principal>MYDOMAIN\user2</principal>
                <principalType>DomainUser</principalType>
                <level>Read, Contribute</level>
            </ace>
            <ace action="remove">
                <principal>MYDOMAIN\user3</principal>
                <principalType>DomainUser</principalType>
                <level>Full Control</level>
            </ace>
        </acl_update>
    </identifier>
</identifiersXML>

The following example demonstrates how to change the ACL for an item so that ACL entries are inherited from the parent object in SharePoint and all non-inherited entries are removed:

<identifiersXML>
    <identifier value="...">
        <acl_update>
            <enable_inheritance revert_acl="true"/>
        </acl_update>
    </identifier>
</identifiersXML>
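Hand-writing this XML is error-prone: an unescaped character in an identifier produces a malformed document, and a misplaced break_inheritance or enable_inheritance element breaks the ordering rule in the table above. The following Python helper, added here as an example and not part of the connector or its documentation, builds the identifiersXML document from a plain data structure (escaping is handled by the XML library) and validates an existing document against the rules on this page: one acl_update per identifier, inheritance elements only as the first child, revert_acl="true" on enable_inheritance, action limited to add or remove, and exactly one principal, principalType and level per ace. The identifier value CONSTRUCTED-IDENTIFIER-1, the function names and the SID pattern are assumptions made for this example; the sample data reproduces the two examples above.

```python
"""Build and check the identifiersXML document for a SharePoint ACL update.
Hypothetical helper written for this page; not code from the connector."""
import re
import xml.etree.ElementTree as ET

PRINCIPAL_TYPES = ("DomainUser", "SID", "SharepointGroup", "Claim")
ACE_ACTIONS = ("add", "remove")
ACE_CHILDREN = ("principal", "principalType", "level")
# Assumed shape of a SID, derived from the S-1-1-0 example on this page.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def build_identifiers_xml(updates):
    """updates: iterable of dicts with keys
         identifier  - AUTN_IDENTIFIER value of the item
         inheritance - None, "break" or "revert"
         aces        - list of (action, principal, principalType, [levels])
    Returns the serialised identifiersXML string (ElementTree escapes values)."""
    root = ET.Element("identifiersXML")
    for upd in updates:
        ident = ET.SubElement(root, "identifier", value=upd["identifier"])
        acl = ET.SubElement(ident, "acl_update")
        mode = upd.get("inheritance")
        if mode == "break":              # must be the first child of acl_update
            ET.SubElement(acl, "break_inheritance")
        elif mode == "revert":           # revert_acl must be "true"
            ET.SubElement(acl, "enable_inheritance", revert_acl="true")
        elif mode is not None:
            raise ValueError("inheritance must be None, 'break' or 'revert'")
        for action, principal, ptype, levels in upd.get("aces", ()):
            if action not in ACE_ACTIONS:
                raise ValueError("ace action must be add or remove: %r" % action)
            if ptype not in PRINCIPAL_TYPES:
                raise ValueError("unknown principalType: %r" % ptype)
            if not levels:
                raise ValueError("level needs at least one permission level")
            ace = ET.SubElement(acl, "ace", action=action)
            ET.SubElement(ace, "principal").text = principal
            ET.SubElement(ace, "principalType").text = ptype
            ET.SubElement(ace, "level").text = ", ".join(levels)
    return ET.tostring(root, encoding="unicode")


def _check_ace(where, ace):
    out = []
    if ace.get("action") not in ACE_ACTIONS:
        out.append("%s: ace action must be add or remove" % where)
    for tag in ACE_CHILDREN:             # each child exactly once
        if len(ace.findall(tag)) != 1:
            out.append("%s: ace needs exactly one %s" % (where, tag))
    ptype = ace.findtext("principalType")
    principal = (ace.findtext("principal") or "").strip()
    if ptype not in PRINCIPAL_TYPES:
        out.append("%s: unknown principalType %r" % (where, ptype))
    elif ptype == "SID" and not SID_RE.match(principal):
        out.append("%s: %r does not look like a SID" % (where, principal))
    elif ptype == "DomainUser" and "\\" not in principal:
        out.append("%s: DomainUser should be DOMAIN\\USER, got %r" % (where, principal))
    levels = [lvl.strip() for lvl in (ace.findtext("level") or "").split(",")]
    if not all(levels):
        out.append("%s: level must be a comma-separated list of permission levels" % where)
    return out


def validate_identifiers_xml(xml_text):
    """Return a list of problems; an empty list means the document follows the
    rules in the table above. Parse errors are reported, not raised."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "identifiersXML":
        return ["root element must be identifiersXML, got %s" % root.tag]
    problems = []
    for n, ident in enumerate(root, 1):
        where = "identifier #%d" % n
        if ident.tag != "identifier" or not ident.get("value"):
            problems.append("%s: expected <identifier value=...>" % where)
            continue
        acls = ident.findall("acl_update")
        if len(acls) != 1:
            problems.append("%s: needs exactly one acl_update" % where)
            continue
        for i, child in enumerate(list(acls[0])):
            if child.tag in ("break_inheritance", "enable_inheritance"):
                if i != 0:   # also rejects a second inheritance element
                    problems.append("%s: %s must be the first child of acl_update" % (where, child.tag))
                if child.tag == "enable_inheritance" and child.get("revert_acl") != "true":
                    problems.append('%s: enable_inheritance requires revert_acl="true"' % where)
            elif child.tag == "ace":
                problems.extend(_check_ace(where, child))
            else:
                problems.append("%s: unexpected element %s" % (where, child.tag))
    return problems


# Constructed sample data: the two examples from this page, with a made-up identifier.
EXAMPLE_UPDATES = [
    {"identifier": "CONSTRUCTED-IDENTIFIER-1", "inheritance": "break", "aces": [
        ("add", "MYDOMAIN\\user1", "DomainUser", ["Read"]),
        ("add", "MYDOMAIN\\user2", "DomainUser", ["Read", "Contribute"]),
        ("remove", "MYDOMAIN\\user3", "DomainUser", ["Full Control"])]},
    {"identifier": "CONSTRUCTED-IDENTIFIER-2", "inheritance": "revert"},
]

if __name__ == "__main__":
    doc = build_identifiers_xml(EXAMPLE_UPDATES)
    print(doc)
    print("problems:", validate_identifiers_xml(doc))
```

Run the validator over any hand-written identifiersXML before submitting it: an ordering or attribute mistake caught here is cheaper than an update that is rejected, or worse, applied differently than intended on an item whose permissions you are tightening.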