Tuesday, November 22, 2016

SharePoint Online: Create Permission Level using PowerShell

Requirement: Create a new permission level in a SharePoint Online site collection for contribute without delete permissions.

SharePoint permission levels are sets of actions a user can perform in SharePoint, packaged as a group to make permission management easier. So, instead of granting individual permissions to users and groups, you pick a permission level and assign it to the new user (or add the user to a group that has a specific permission level associated).

A contribute-without-delete permission level is often required in real-world scenarios. Let's say you want your users to be able to add files to the library but not delete files from it. To achieve this, we can simply copy the "Contribute" permission level and take off the "Delete Items" permission from it!

How to create a permission level in SharePoint?

  • Go to Site Settings >> click on Site Permissions
  • Click on the Permission Levels button in the ribbon
This takes you to the page that lists all default permission levels available in SharePoint with their corresponding descriptions. Now you can either add a permission level, or click on any existing permission level, copy it, and then edit the new permission level to fit your requirements.

Do not change any default permission levels such as "Full Control" or "Contribute".

SharePoint Online PowerShell to Create Permission Level 
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  
##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/"
$SourcePermissionLevelName ="Contribute"
$TargetPermissionLevelName ="Contribute Without Delete"

Try {
    #Get Credentials to connect
    $Cred = Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $Ctx.Credentials = $Credentials
    $Web = $Ctx.Web

    #Get the source permission level
    $RoleDefinitions = $web.RoleDefinitions
    $Ctx.Load($RoleDefinitions)  
    $SourceRoleDefinition = $RoleDefinitions.GetByName($SourcePermissionLevelName)
    $Ctx.Load($SourceRoleDefinition)
    $Ctx.ExecuteQuery()

    #Get base permissions from the source and remove the "Delete Items" permission
    $TargetBasePermissions = $SourceRoleDefinition.BasePermissions
    $TargetBasePermissions.Clear([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)

    #Check if the given permission level exists already
    $TargetPermissionLevel = $RoleDefinitions | Where-Object { $_.Name -eq $TargetPermissionLevelName }
    if($null -eq $TargetPermissionLevel)
    {
        #Create new permission level from source permission level
        $PermissionCreationInfo = New-Object Microsoft.SharePoint.Client.RoleDefinitionCreationInformation
        $PermissionCreationInfo.Name = $TargetPermissionLevelName
        $PermissionCreationInfo.Description = $TargetPermissionLevelName
        $PermissionCreationInfo.BasePermissions = $TargetBasePermissions

        #Add the role definition to the site
        $TargetPermissionLevel = $Web.RoleDefinitions.Add($PermissionCreationInfo)
        $Ctx.ExecuteQuery() 
 
        Write-host "New Permission Level Created Successfully!" -ForegroundColor Green
    }
    else
    {
        Write-host "Permission Level Already Exists!" -ForegroundColor Red
    }
}
Catch {
    Write-Host -ForegroundColor Red "Error Creating Permission Level!" $_.Exception.Message
}
Instead of copying an existing permission level and modifying it, you can also create a new permission level from scratch.
#Create base permission set
$Permissions = New-Object Microsoft.SharePoint.Client.BasePermissions
#Add permissions to it
$Permissions.Set([Microsoft.SharePoint.Client.PermissionKind]::ViewListItems)
$Permissions.Set([Microsoft.SharePoint.Client.PermissionKind]::ViewVersions)
#Use $Permissions as the BasePermissions of the RoleDefinitionCreationInformation object in the script above
The main script above copies an existing permission level and creates the new permission level from it.
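
To confirm what the new level actually grants, the following added example (not part of the original post) loads the "Contribute Without Delete" level and lists every PermissionKind set on it, flagging DeleteListItems and DeleteVersions; the script above clears only the former. It assumes the CSOM assemblies are already loaded as above; $LevelName, $DeleteKinds, $Role and $Granted are names chosen for this example.

```powershell
#Added example: audit the permissions a permission level grants
#Assumes the CSOM assemblies were loaded with Add-Type as in the script above
$SiteUrl = "https://crescent.sharepoint.com/"    #Site URL used in the script above
$LevelName = "Contribute Without Delete"         #Level created by the script above
$DeleteKinds = @("DeleteListItems", "DeleteVersions")   #Delete-related kinds to flag

Try {
    #Connect the same way as the creation script
    $Cred = Get-Credential
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName, $Cred.Password)

    #Load the permission level; ExecuteQuery throws if it does not exist
    $Role = $Ctx.Web.RoleDefinitions.GetByName($LevelName)
    $Ctx.Load($Role)
    $Ctx.ExecuteQuery()

    #Test every PermissionKind against the level, skipping the two mask values
    $Kind = [Microsoft.SharePoint.Client.PermissionKind]
    $Granted = [Enum]::GetValues($Kind) | Where-Object {
        $_ -ne $Kind::EmptyMask -and $_ -ne $Kind::FullMask -and $Role.BasePermissions.Has($_)
    }

    Write-Host "Permissions granted by '$LevelName':"
    $Granted | Sort-Object { $_.ToString() } | ForEach-Object { Write-Host "  $_" }

    #Report each delete-related permission explicitly
    ForEach ($Name in $DeleteKinds) {
        If ($Granted -contains [Microsoft.SharePoint.Client.PermissionKind]$Name) {
            Write-Host "$Name is still granted" -ForegroundColor Yellow
        }
        Else {
            Write-Host "$Name is not granted" -ForegroundColor Green
        }
    }
}
Catch {
    Write-Host -ForegroundColor Red "Error auditing permission level!" $_.Exception.Message
}
```

If DeleteVersions is reported as still granted and your requirement also covers version history, clear it with the same Clear() call used for DeleteListItems before creating the level.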


