Checking for a specific permission for a specific user or group in SharePoint

While the UI allows one to easily check permissions for a given user, how can one do that iteratively?

Here’s the heart of the magic:

# First grab the principal (here a SharePoint group; a user works the same way):
$user = $TargetWeb.Groups[$GroupToAdd];
# Now get the role assignment for that principal on the folder:
$RA = $folder.RoleAssignments.GetAssignmentByPrincipal($user);
# The role definition bindings are what we actually want to inspect:
$RoleDefBindings = $RA.get_RoleDefinitionBindings();
# Now grab the role definition for the Contribute permission level in this SPWeb:
$roledef = $TargetWeb.RoleDefinitions["Contribute"];
Lastly, we can check whether the role bindings for this principal on this folder contain the Contribute role definition:
if ($RoleDefBindings.Contains($roledef)) {...}

Some useful routines first. Note that I like to predefine a "Write" permission level ("Contribute wo delete") that allows creation and editing but not deletion:

function PermRole([string] $RoleChar)
{
    # Map a one-letter role code to the name of a role definition in the target web.
    switch ($RoleChar)
    {
        "R" { $res = "Read" }
        "C" { $res = "Contribute" }
        "W" { $res = "Contribute wo delete" }   # custom level: create and edit, but no delete
        "D" { $res = "Manage Hierarchy" }        # aka Design; needed for setting permissions
        default { $res = $null }
    }
    return $res
}

# Routine for adding a permission, given a one-letter role code and the user or group to grant it to:
function AddPerm ([string] $RoleChar, [string] $RoleGroup)
{
    # $f1 (the folder item) and $TargetWeb are implied script-scope variables, not passed as parameters, for efficiency!
    if ((!$RoleChar) -or (!$RoleGroup))
    {
        return   # race to be efficient on NullOp
    }
    $RoleValue = PermRole $RoleChar
    if (!$RoleValue)
    {
        Write-Host -ForegroundColor DarkRed "ok, expected Role, but got none, for $($RoleChar)"
        return
    }
    try
    {
        # CONTROVERSIAL! "W" first strips every existing assignment the group holds on the folder (Read etc.).
        # RemovePerm is a helper used by the author that is not shown in this post.
        if ($RoleChar -eq "W")
        {
            RemovePerm $RoleGroup
        }
        try
        {
            $user = $TargetWeb.EnsureUser($RoleGroup)
        }
        catch   # if the above fails, the name is likely not a user but a group, so retry as a group
        {
            $user = $TargetWeb.Groups[$RoleGroup]
        }
        $roledef = $TargetWeb.RoleDefinitions[$RoleValue]
        $roleass = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
        $roleass.RoleDefinitionBindings.Add($roledef)
        $f1.RoleAssignments.Add($roleass)   # this is SPFolder specific in this routine
    }
    catch
    {
        Write-Host -ForegroundColor DarkRed "ERR: Can't Assign $($RoleGroup): $_"
    }
}

Let’s first establish the libraries to look at across all webs and site collections:

$libsArrStr = "Library name 1|Library name 2"
$LibsArr = $libsArrStr.Split("|")
$GroupToAdd = "Department Contributors"
$Site = "http://SharePoint/sites/SiteOfInterest"
$TargetWeb = $web = Get-SPWeb $Site
Write-Host "==>working in $($web.Url)"
for ($j = 0; $j -lt $LibsArr.Count; $j++)
{
    $libStr = $LibsArr[$j]
    $list = $web.Lists.TryGetList($libStr)
    if ($list -eq $null)
    {
        Write-Host -ForegroundColor DarkRed "List $($libStr) not found"
    }
    else
    {
        foreach ($f1 in $list.Folders)   # $f1 is the SPListItem for the folder (AddPerm relies on it)
        {
            $f = $f1.Folder               # the underlying SPFolder
            Write-Host -ForegroundColor Green "The Library $($libStr) exists in the site $($web.Url), about to set folder Perms"
            try
            {
                # the rule is: if this field has data, make the group a Contributor
                $f1.ResetRoleInheritance()   # badda-bing, security is inherited (any unique permissions the folder had are discarded)
                $isWritable = ($f.Item["TargetMetadata"] -ne $null)
                if ($isWritable)   # otherwise nothing to do: the folder now simply inherits
                {
                    # see whether the group has Contributor rights already; if so, no need to break inheritance
                    $user = $TargetWeb.Groups[$GroupToAdd]
                    $RA = $f1.RoleAssignments.GetAssignmentByPrincipal($user)
                    $RoleDefBindings = $RA.get_RoleDefinitionBindings()
                    $roledef = $TargetWeb.RoleDefinitions["Contribute"]
                    if (!$RoleDefBindings.Contains($roledef))   # already a Contributor? then do nothing
                    {
                        $f1.BreakRoleInheritance($true)   # minimalist approach: copy the inherited assignments, then add ours
                        AddPerm "C" $GroupToAdd
                    }
                }
            }
            catch
            {
                Write-Host -ForegroundColor DarkRed "problems setting perms on $($f1.Url): $_"
            }
        }   # folder processing loop
    }   # list found
}   # for loop $j
$web.Dispose()   # SPWeb objects from Get-SPWeb are not disposed for you when assigned to a variable
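The loop above resets inheritance on every folder before it looks, so it cannot be used just to audit. Here, as an added example that is not part of the original post, is a read-only variant: for every folder in a library it reports whether inheritance is broken and whether a given user or group has a given role definition bound, without calling ResetRoleInheritance or BreakRoleInheritance. The function names (Resolve-SPPrincipal, Test-SPPrincipalRole, Get-SPFolderRoleReport) and the site URL, library, group and role names at the bottom are my own placeholders, and it assumes the SharePoint management shell on a farm server.

```powershell
# Added example, not from the original post. Assumes the SharePoint management shell
# on a farm server; the function names and the sample values at the bottom are my own.
function Resolve-SPPrincipal([Microsoft.SharePoint.SPWeb] $Web, [string] $Name)
{
    # Try a site-collection group first (enumerating avoids the indexer's exception
    # for an unknown name), then fall back to resolving the name as a user.
    $group = $Web.SiteGroups | Where-Object { $_.Name -eq $Name }
    if ($group) { return $group }
    return $Web.EnsureUser($Name)
}

function Test-SPPrincipalRole($Securable, [Microsoft.SharePoint.SPPrincipal] $Principal,
                              [Microsoft.SharePoint.SPRoleDefinition] $RoleDef)
{
    # Walk RoleAssignments rather than GetAssignmentByPrincipal, which throws when the
    # principal has no assignment at all. Inherited assignments are visible here too.
    foreach ($ra in $Securable.RoleAssignments)
    {
        if ($ra.Member.ID -eq $Principal.ID)
        {
            return $ra.RoleDefinitionBindings.Contains($RoleDef)
        }
    }
    return $false   # no assignment for this principal on this object
}

function Get-SPFolderRoleReport([string] $SiteUrl, [string] $ListName,
                                [string] $PrincipalName, [string] $RoleName)
{
    # Read-only audit: one record per folder; inheritance is never reset or broken.
    $web = Get-SPWeb $SiteUrl
    try
    {
        $list = $web.Lists.TryGetList($ListName)
        if ($list -eq $null) { throw "List '$ListName' not found in $($web.Url)" }
        $principal = Resolve-SPPrincipal $web $PrincipalName
        $roleDef = $web.RoleDefinitions[$RoleName]
        foreach ($item in $list.Folders)
        {
            New-Object PSObject -Property @{
                Folder  = $item.Url
                Unique  = $item.HasUniqueRoleAssignments   # $true = inheritance broken here
                HasRole = Test-SPPrincipalRole $item $principal $roleDef
            }
        }
    }
    finally { $web.Dispose() }
}
# Constructed placeholder values; replace with your own site, library, principal and role.
Get-SPFolderRoleReport "http://SharePoint/sites/SiteOfInterest" "Library name 1" "Department Contributors" "Contribute" | Format-Table -AutoSize
```

This tests for the exact role definition, as the post does, so a group holding Full Control reports $false for Contribute; for effective rights use the securable object's DoesUserHavePermissions method instead.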