Create Permission Level Programmatically in SharePoint

While it’s relatively easy to create permission levels in the SharePoint 2010 UI, we had 2000+ site collections in our web applications, so a scripted/programmatic way to create permission levels was the best choice.

We wanted to customize SharePoint permission levels by removing the delete capability from the Contributor permission level. Let's copy the Contributor permission level and remove the “Delete” capability from it.

Copy an existing permission level and change its permissions:

using (SPSite site = new SPSite("https://sharepoint.crescent.com"))
{
	using (SPWeb web = site.OpenWeb())
	{
		//Get the Contributor permission level
		SPRoleDefinition roleDefContributor = web.RoleDefinitions.GetByType(SPRoleType.Contributor);

		//copy Contributor permission level
		SPRoleDefinition roleDefContributorNoDelete = new SPRoleDefinition(roleDefContributor);

		//Retain all permissions but remove the DeleteListItems right from the permission level
		//(use | to add a right and & ~ to remove one; ^ only toggles the bit, so it would add the right if it were not already set)
		roleDefContributorNoDelete.BasePermissions &= ~SPBasePermissions.DeleteListItems;

		roleDefContributorNoDelete.Name = "Contributor without Delete";

		roleDefContributorNoDelete.Description = "Contributor without Delete";

		web.RoleDefinitions.Add(roleDefContributorNoDelete);
	}
}

For the complete SharePoint 2010 permission levels and permissions definitions, refer to this SharePoint 2010 permission levels matrix: https://office.microsoft.com/en-us/templates/sharepoint-server-2010-groups-and-permissions-reference-chart-TC101977256.aspx

Create a permission level programmatically with the object model in C#
Alternatively, you can create a permission level from scratch. Here is how:

using (SPSite site = new SPSite("https://sharepoint.crescent.com"))
{
	using (SPWeb web = site.OpenWeb())
	{
		//Allow this code to update the web
		web.AllowUnsafeUpdates = true;
		
		//Create New Permission Level
		SPRoleDefinition roleDef = new SPRoleDefinition();
		
		//Set the base Permissions for the Permission Level
		roleDef.BasePermissions = SPBasePermissions.ViewListItems | SPBasePermissions.AddListItems | SPBasePermissions.EditListItems |  SPBasePermissions.OpenItems |  SPBasePermissions.ViewVersions | SPBasePermissions.ManagePersonalViews | SPBasePermissions.ViewFormPages |  SPBasePermissions.Open | SPBasePermissions.ViewPages | SPBasePermissions.CreateSSCSite | SPBasePermissions.BrowseDirectories | SPBasePermissions.BrowseUserInfo | SPBasePermissions.AddDelPrivateWebParts | SPBasePermissions.UpdatePersonalWebParts | SPBasePermissions.UseClientIntegration | SPBasePermissions.UseRemoteAPIs | SPBasePermissions.CreateAlerts | SPBasePermissions.EditMyUserInfo;

		roleDef.Name = "Contribute without Delete";
		roleDef.Description = "Contribute without Delete Permission Level";
		
		//Add the Permission Level
		web.RoleDefinitions.Add(roleDef);

		web.Update();

		Console.ReadLine();
	}
}

This will add a permission level programmatically. To modify the permissions, you have to use the BasePermissions property (SPBasePermissions enumeration): https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions%28v=office.14%29.aspx

Add Permission Level in PowerShell Script
To create a permission level programmatically in SharePoint 2010 using PowerShell, here is the script:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get the Target Site collection's Root web
$web = Get-SPWeb "https://sharepoint.crescent.com/sites/operations"

#Get Contributor Base Permission
#$Contributor = $Web.RoleDefinitions["Contribute"]
#write-host $Contributor.BasePermissions
#or you can use: [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") to get all base permissions

#Create New Permission Level
$ContributeNoDelete =New-Object Microsoft.SharePoint.SPRoleDefinition
$ContributeNoDelete.Name="Contribute without Delete"
#permission level description
$ContributeNoDelete.Description="Contribute without Delete Permission Level"
#Set the Base Permissions 
$ContributeNoDelete.BasePermissions="ViewListItems, AddListItems, EditListItems,  OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo"

#Add the Permission Level
$web.RoleDefinitions.Add($ContributeNoDelete);
write-host "Permission level created successfully"

#Grant Permission Level Access to a SharePoint Group directly
$SPGroup = $web.SiteGroups["Operations Members"]

$RoleAssignment= new-object Microsoft.SharePoint.SPRoleAssignment($SPGroup)
#Get the permission levels to apply
$RoleDef = $web.Site.RootWeb.RoleDefinitions["Contribute without Delete"]
#Assign the groups to the permission level
$RoleAssignment.RoleDefinitionBindings.Add($RoleDef)
#Add to web 
$web.RoleAssignments.Add($RoleAssignment)

$web.Update()
Write-Host "Permission Level granted to the Group"

$web.Dispose()

This will create a SharePoint 2010 custom permission level, “Contribute without Delete”, and grant that permission level to the group “Operations Members”.
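The rollout across every site collection of a web application that motivated this post, as an added example (not the author's script): it creates the level where it is missing and then checks that the stored level does not carry the delete right. The right is dropped by name through the same string assignment the script above uses; `$WebAppUrl` reuses the page's sample host, and `$Denied` and `Get-RightNames` are hypothetical names introduced here.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values: replace with your own web application URL and level name
$WebAppUrl = "https://sharepoint.crescent.com"
$LevelName = "Contribute without Delete"
$Denied    = @("DeleteListItems")   # rights the level must never carry

# Hypothetical helper: a [Flags] enum renders as "Name1, Name2, ..."; split it into names
function Get-RightNames($RoleDefinition) {
    return @($RoleDefinition.BasePermissions.ToString() -split ',\s*')
}

$report = foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
    try {
        $web    = $site.RootWeb
        $status = "AlreadyPresent"
        $level  = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
        if ($level -eq $null) {
            # Copy Contributor, then rebuild its rights without the denied ones
            $source = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)
            $level  = New-Object Microsoft.SharePoint.SPRoleDefinition($source)
            $level.Name        = $LevelName
            $level.Description = "Contribute without Delete Permission Level"
            $level.BasePermissions = (Get-RightNames $source | Where-Object { $Denied -notcontains $_ }) -join ", "
            $web.RoleDefinitions.Add($level)
            # Re-read the level from the collection so the check below sees what was stored
            $level  = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
            $status = "Created"
        }
        # Flag any site where the level (new or pre-existing) still includes a denied right
        $leaked = @(Get-RightNames $level | Where-Object { $Denied -contains $_ })
        if ($leaked.Count -gt 0) { $status = "DRIFT: " + ($leaked -join ", ") }
        New-Object PSObject -Property @{ Site = $site.Url; Status = $status }
    }
    catch {
        # e.g. a root web with no Contributor level; record it and continue
        New-Object PSObject -Property @{ Site = $site.Url; Status = "ERROR: " + $_.Exception.Message }
    }
    finally {
        $site.Dispose()   # also releases the RootWeb opened through it
    }
}

$report | Format-Table Site, Status -AutoSize
```

Running it again is safe: site collections that already have the level are only checked, and a `DRIFT` row means someone has edited the level to include a denied right since it was created.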

Similarly, to remove a permission level from an existing SharePoint group, the PowerShell code goes like this:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get the Target Site collection's Root web
$web = Get-SPWeb "https://sharepoint.crescent.com/sites/operations"

#Remove Permission Level From a SharePoint Group
#Get the SharePoint Group
$SPGroup = $web.SiteGroups["Operations Members"]

#Get the Role Assignment 
$RoleAssignment= $web.RoleAssignments.GetAssignmentByPrincipal($SPGroup)
#Remove the Role Definition
$RoleAssignment.RoleDefinitionBindings.Remove($web.RoleDefinitions["Contribute"])
$RoleAssignment.Update();

$web.Dispose()

SharePoint 2010 change permission level for group


To change the permissions of an existing permission level:

using (SPSite site = new SPSite("https://sharepoint.crescent.com"))
{
	using (SPWeb web = site.OpenWeb())
	{
		SPRoleDefinition roleDef = web.RoleDefinitions["Contribute without Delete"];

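		//Update Permissions for the Role Definition
		//Note: the set below includes DeleteListItems again; leave it out if the level must stay delete-free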
		roleDef.BasePermissions = SPBasePermissions.AddListItems | SPBasePermissions.BrowseDirectories | SPBasePermissions.EditListItems | SPBasePermissions.Open | SPBasePermissions.OpenItems | SPBasePermissions.ViewListItems | SPBasePermissions.ViewFormPages | SPBasePermissions.ViewPages | SPBasePermissions.CancelCheckout | SPBasePermissions.DeleteListItems | SPBasePermissions.ApproveItems;

		roleDef.Update();
	}
}

Delete custom role definition (Permission Level) Programmatically:
If you want to remove an existing permission level, use this code:

using (SPSite site = new SPSite("https://sharepoint.crescent.com"))
{
	using (SPWeb web = site.OpenWeb())
	{
		web.RoleDefinitions.Delete("Contribute without Delete");

		Console.ReadLine();
	}
}

SharePoint 2010 get permission levels
To check SharePoint permission level programmatically:

using (SPSite site = new SPSite("https://sharepoint.crescent.com"))
{
	using (SPWeb web = site.OpenWeb())
	{
		//Get all Permission Levels
		foreach (SPRoleDefinition role in web.RoleDefinitions)
		{
			Console.WriteLine(role.Name);
		}

		Console.ReadLine();
	}
}


Salaudeen Rajack
