Thursday, May 9, 2013

SharePoint 2010 Create Permission Level Programmatically

While it's relatively easy to create permission levels in the SharePoint 2010 UI, we had 2000+ site collections in a web application, so a scripted/programmatic way to create the permission level was the best choice.

We wanted to customize a SharePoint permission level by eliminating the delete capability from the Contributor permission level. Let's copy the Contributor permission level and remove the "Delete" capability from it.

Copy an existing permission level and change its permissions:

          using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
            {
                using (SPWeb web = site.OpenWeb())
                {

                            //Get the Contributor permission level
                            SPRoleDefinition roleDefContributor = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
                            
                            //copy Contributor permission level
                            SPRoleDefinition roleDefContributorNoDelete = new SPRoleDefinition(roleDefContributor);

                            //Retain all other permissions but clear the DeleteListItems right
                            //(| adds a right, & ~ clears one; ^ only toggles, so it would add the right if it were not already set)
                            roleDefContributorNoDelete.BasePermissions &= ~SPBasePermissions.DeleteListItems;

                            roleDefContributorNoDelete.Name = "Contributor without Delete";

                            roleDefContributorNoDelete.Description = "Contributor without Delete";

                            web.RoleDefinitions.Add(roleDefContributorNoDelete);

                    }

                }
For the complete list of SharePoint 2010 permission levels and the permissions each one contains, refer to this SharePoint 2010 permission levels matrix: http://office.microsoft.com/en-us/templates/sharepoint-server-2010-groups-and-permissions-reference-chart-TC101977256.aspx

Create a permission level programmatically with the object model (C#)
Alternatively, you can create a permission level from scratch. Here is how:
 using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    //Allow this code to update the site without a security validation
                    web.AllowUnsafeUpdates = true;
                    
                    //Create New Permission Level
                    SPRoleDefinition roleDef = new SPRoleDefinition();
                    
                    //Set the base Permissions for the Permission Level
                    roleDef.BasePermissions = SPBasePermissions.ViewListItems | SPBasePermissions.AddListItems | SPBasePermissions.EditListItems |  SPBasePermissions.OpenItems |  SPBasePermissions.ViewVersions | SPBasePermissions.ManagePersonalViews | SPBasePermissions.ViewFormPages |  SPBasePermissions.Open | SPBasePermissions.ViewPages | SPBasePermissions.CreateSSCSite | SPBasePermissions.BrowseDirectories | SPBasePermissions.BrowseUserInfo | SPBasePermissions.AddDelPrivateWebParts | SPBasePermissions.UpdatePersonalWebParts | SPBasePermissions.UseClientIntegration | SPBasePermissions.UseRemoteAPIs | SPBasePermissions.CreateAlerts | SPBasePermissions.EditMyUserInfo;

                    roleDef.Name = "Contribute without Delete";
                    roleDef.Description = "Contribute without Delete Permission Level";
                    
                    //Add the Permission Level
                    web.RoleDefinitions.Add(roleDef);

                    web.Update();

                   Console.ReadLine();    
                }
            }
This will add a permission level programmatically. To modify the permissions, you have to use the BasePermissions property (SPBasePermissions enumeration): http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions%28v=office.14%29.aspx


Add a permission level with PowerShell
To create a permission level in SharePoint 2010 programmatically with PowerShell, here is the script:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get the Target Site collection's Root web
$web = Get-SPWeb "http://sharepoint.crescent.com/sites/operations"

#Get Contributor Base Permission
#$Contributor = $Web.RoleDefinitions["Contribute"]
#write-host $Contributor.BasePermissions
#or you can use: [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") to get all base permissions

#Create New Permission Level
$ContributeNoDelete =New-Object Microsoft.SharePoint.SPRoleDefinition
$ContributeNoDelete.Name="Contribute without Delete"
#permission level description
$ContributeNoDelete.Description="Contribute without Delete Permission Level"
#Set the Base Permissions 
$ContributeNoDelete.BasePermissions="ViewListItems, AddListItems, EditListItems,  OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo"

#Add the Permission Level
$web.RoleDefinitions.Add($ContributeNoDelete);
write-host "Permission level created successfully"

#Grant Permission Level Access to a SharePoint Group directly
$SPGroup = $web.SiteGroups["Operations Members"]

$RoleAssignment= new-object Microsoft.SharePoint.SPRoleAssignment($SPGroup)
#Get the permission levels to apply
$RoleDef = $web.Site.RootWeb.RoleDefinitions["Contribute without Delete"]
#Assign the groups to the permission level
$RoleAssignment.RoleDefinitionBindings.Add($RoleDef)
#Add to web 
$web.RoleAssignments.Add($RoleAssignment)

$web.Update()
Write-Host "Permission Level granted to the Group"

$web.Dispose()
This will create a SharePoint 2010 custom permission level, "Contribute without Delete", and grant it to the group "Operations Members".

Similarly, to remove a permission level from an existing SharePoint group, the PowerShell code goes like this:
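The same creation step rolled out to every site collection in the web application, as an added example that is not part of the original post. It assumes the post's web application URL and that each root web still has the built-in Contribute level; it copies that level's rights by name, drops DeleteListItems and DeleteVersions (the post's explicit list omits both), skips sites that already have the level, and reads the stored level back to confirm the delete rights are gone.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://sharepoint.crescent.com"        # web application URL used in the post
$LevelName = "Contribute without Delete"
$Blocked   = @("DeleteListItems", "DeleteVersions")  # rights stripped from the copy

foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
    try {
        $rootWeb = $site.RootWeb

        # Skip site collections that already carry the level, so the script is safe to re-run
        $existing = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
        if ($existing) { Write-Host "exists : $($site.Url)"; continue }

        # A flags enum renders as "ViewListItems, AddListItems, ..."; keep every name except the blocked ones
        $contribute = $rootWeb.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)
        $kept = $contribute.BasePermissions.ToString() -split ',\s*' |
                Where-Object { $Blocked -notcontains $_ }

        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $LevelName
        $level.Description = "Contribute without Delete Permission Level"
        $level.BasePermissions = $kept -join ", "
        $rootWeb.RoleDefinitions.Add($level)

        # Read back what was stored and confirm none of the blocked rights survived
        $stored = $rootWeb.RoleDefinitions[$LevelName].BasePermissions.ToString() -split ',\s*'
        $leaked = $stored | Where-Object { $Blocked -contains $_ }
        if ($leaked) { Write-Warning "still grants $($leaked -join ', '): $($site.Url)" }
        else         { Write-Host "created: $($site.Url)" }
    }
    catch   { Write-Warning "failed : $($site.Url) : $($_.Exception.Message)" }
    finally { $site.Dispose() }
}
```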
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get the Target Site collection's Root web
$web = Get-SPWeb "http://sharepoint.crescent.com/sites/operations"

#Remove Permission Level From a SharePoint Group
#Get the SharePoint Group
$SPGroup = $web.SiteGroups["Operations Members"]

#Get the Role Assignment 
$RoleAssignment= $web.RoleAssignments.GetAssignmentByPrincipal($SPGroup)
#Remove the Role Definition
$RoleAssignment.RoleDefinitionBindings.Remove($web.RoleDefinitions["Contribute"])
$RoleAssignment.Update();

$web.Dispose()

SharePoint 2010 change permission level for group

To change the permissions of an existing permission level:
 using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    SPRoleDefinition roleDef = web.RoleDefinitions["Contribute without Delete"];

                    //Update Permissions for the Role Definition
                    roleDef.BasePermissions = SPBasePermissions.AddListItems | SPBasePermissions.BrowseDirectories | SPBasePermissions.EditListItems | SPBasePermissions.Open | SPBasePermissions.OpenItems | SPBasePermissions.ViewListItems | SPBasePermissions.ViewFormPages | SPBasePermissions.ViewPages | SPBasePermissions.CancelCheckout | SPBasePermissions.DeleteListItems | SPBasePermissions.ApproveItems;

                    roleDef.Update();
                }
           }

Delete custom role definition (Permission Level) Programmatically:
If you want to remove an existing permission level, use this code:
using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
            {
                using (SPWeb web = site.OpenWeb())
                {
                   web.RoleDefinitions.Delete("Contribute without Delete");
                 
                   Console.ReadLine();    
                }
            }


SharePoint 2010 get permission levels
To check SharePoint permission level programmatically:
 using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    //Get all Permission Levels
                    foreach (SPRoleDefinition role in web.RoleDefinitions)
                    {
                       Console.WriteLine(role.Name.ToString());
                    }

                   Console.ReadLine();    
                }
            }
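Listing level names does not show whether a group can still delete: a group bound to both "Contribute" and "Contribute without Delete" keeps the delete right. The following audit is an added example, not code from the original post; it assumes the post's site URL and reports every principal whose bound permission levels include DeleteListItems (or FullMask, which is how Full Control renders), on the web and on lists with unique permissions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: returns one row per principal/level pair that grants item deletion
function Get-DeleteGrant($Securable, $Scope) {
    foreach ($assignment in $Securable.RoleAssignments) {
        foreach ($level in $assignment.RoleDefinitionBindings) {
            $rights = $level.BasePermissions.ToString() -split ',\s*'
            if (($rights -contains "DeleteListItems") -or ($rights -contains "FullMask")) {
                New-Object PSObject -Property @{
                    Scope     = $Scope
                    Principal = $assignment.Member.Name
                    Level     = $level.Name
                }
            }
        }
    }
}

$web = Get-SPWeb "http://sharepoint.crescent.com/sites/operations"   # site URL used in the post
try {
    # Assignments made directly on the web
    $found = @(Get-DeleteGrant $web $web.Url)

    # Lists that broke inheritance carry their own assignments
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            $found += @(Get-DeleteGrant $list "List: $($list.Title)")
        }
    }

    $found | Sort-Object Scope, Principal | Format-Table Scope, Principal, Level -AutoSize
}
finally { $web.Dispose() }
```

Items and folders with unique permissions are outside this check's scope.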

Related Post: SharePoint 2010 Permission Levels - Explained