Microsoft has a document on how to customize list permission. Customize permissions for a SharePoint list or library (microsoft.com)
Let’s explore by setting up some basic permissions in our AppTest site.
In Figure 1, our approver user has a visitor permission to the SharePoint site. He cannot see any items on the Orders List in figure 2 although there is already 1 order in the list. This is because we had previously set the list row level security to read items only created by the creator.
Remember that we had created a permission level called approver so lets assign the approver user to this permission in the advanced site permissions instead of the visitor permission.
Now the approver user should be able to see the item created by test user.
Besides the item in the list, the approver user is able to browse other information in the site like documents and user permissions.
Lets remove the approver permission from our approver user first and add the list permission via the List Settings in Orders List.
We should stop inheriting permissions from parent to the Orders list in order to give approver permission to our approver user.
Verify that the permission is given.
Now the approver does not have access to the AppTest site as seen in Figure 9 since permissions have been removed at site level.
However, approver user is able to access Orders list (list permission explicitly given) and also our new HR list as seen in Figure 10.
Once we give the explicit list permission of approver on Orders to approver user, a limited access permission is also applied to site level and inherited to HR list.
See the links below for detailed description of limited access permission.
The 1st link describes the limited access permission and the 2nd link describes when a list or item permission is granted to a user on list/item level, a limited access permission will be automatically created on the parent of the list/item.
To further illustrate, lets given add and edit permission to the our approver permission and that HR list item level security is enabled to read for all items.
Now we have 2 items in HR list under the admin user.
In Figure 12, the approver user can now add/edit items in Orders list since the approver permission is given explicitly in the list.
For HR list, the approver user cannot add/edit item and he can’t even see the existing items since what the list inherited from the parent is only the limited access permission, not the approver permission.
The same restriction applies to files in Document, SitePages and other site resources.
To stop the approver user from even seeing the HR list, the admin user can go to HR List setting and stop the permission inheritance from parent.