Tuesday, February 28, 2012

Powershell and SharePoint Permissions

Scenario: SharePoint provide options to have security at different level, here some related functions which you can use.
Code:

#Load SharePoint Snap In
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
function Create-SPGroupInWeb
{
 param ($Url, $GroupName, $PermissionLevel, $Description)
 $web = Get-SPWeb -Identity $Url
 if ($web.SiteGroups[$GroupName] -ne $null)
 {
  Write-Host "Group $GroupName already exists!" -foregroundcolor Red
 }
 else
 {
  $web.SiteGroups.Add($GroupName, $web.Site.Owner, $web.Site.Owner, $Description)
  $group = $web.SiteGroups[$GroupName]
  $roleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($group)
  $roleDefinition = $web.Site.RootWeb.RoleDefinitions[$PermissionLevel]
  $roleAssignment.RoleDefinitionBindings.Add($roleDefinition)
  $web.RoleAssignments.Add($roleAssignment)
  $web.Update()
  Write-Host "Group $GroupName created successfully" -foregroundcolor Green
 }

 $web.Dispose()
}
function Remove-SPPermisssionFromListGroup
{
 param ($Url, $ListName, $GroupName, $PermissionLevel)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
  if ($list.HasUniqueRoleAssignments -eq $False)
  {
   $list.BreakRoleInheritance($True)
  }
  else
  {
   if ($web.SiteGroups[$GroupName] -ne $null)
   {
    $group = $web.SiteGroups[$GroupName]
    $roleAssign = $list.RoleAssignments.GetAssignmentByPrincipal($group);
    $roleDefinition = $web.RoleDefinitions[$PermissionLevel];
    $roleAssign.RoleDefinitionBindings.Remove($roleDefinition);
    $roleAssign.Update();
    $list.Update();
    Write-Host "Successfully removed $PermissionLevel permission from $GroupName group in $ListName list." -foregroundcolor Green
   }
   else
   {
    Write-Host "Group $GroupName does not exist." -foregroundcolor Red
   }
  }
 }
 else
 {
  Write-Host "List $ListName does not exist!" -foregroundcolor Red
 }

 $web.Dispose()
}
function Add-SPPermissionToListGroup
{
 param ($Url, $ListName, $GroupName, $PermissionLevel)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
  if ($list.HasUniqueRoleAssignments -eq $False)
  {
   $list.BreakRoleInheritance($True)
  }
  else
  {
   if ($web.SiteGroups[$GroupName] -ne $null)
   {
    $group = $web.SiteGroups[$GroupName]
    $roleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($group)
    $roleDefinition = $web.RoleDefinitions[$PermissionLevel];
    $roleAssignment.RoleDefinitionBindings.Add($roleDefinition);
    $list.RoleAssignments.Add($roleAssignment)
    $list.Update();
    Write-Host "Successfully added $PermissionLevel permission to $GroupName group in $ListName list. " -foregroundcolor Green
   }
   else
   {
    Write-Host "Group $GroupName does not exist." -foregroundcolor Red
   }
  }
 }

 $web.Dispose()
}
function Remove-SPPermisssionFromListItemGroupSpecific
{
 param ($Url, $ListName, $GroupName, $PermissionLevel)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
  foreach ($item in $list.Items) 
  {
   if ($item.HasUniqueRoleAssignments -eq $False)
   {
    $item.BreakRoleInheritance($True)
   }
   else
   {
    if ($web.SiteGroups[$GroupName] -ne $null)
    {
     $group = $web.SiteGroups[$GroupName]
     $roleAssign = $item.RoleAssignments.GetAssignmentByPrincipal($group);
     $roleDefinition = $web.RoleDefinitions[$PermissionLevel];
     $roleAssign.RoleDefinitionBindings.Remove($roleDefinition);
     $roleAssign.Update();
     $item.SystemUpdate();                    
     Write-Host "Successfully removed $PermissionLevel permission from $GroupName group in $ListName list." -foregroundcolor Green
    }
    else
    {
     Write-Host "Group $GroupName does not exist." -foregroundcolor Red
    }
   }
  }
 }
 else
 {
  Write-Host "List $ListName does not exist!" -foregroundcolor Red
 }

 $web.Dispose()
}
function Remove-SPPermisssionFromListItemGroupAll
{
 param ($Url, $ListName, $GroupName)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
  foreach ($item in $list.Items) 
  {
   if ($item.HasUniqueRoleAssignments -eq $False)
   {
    $item.BreakRoleInheritance($True)
   }
   else
   {
    if ($web.SiteGroups[$GroupName] -ne $null)
    {
     $group = $web.SiteGroups[$GroupName]
                    $item.RoleAssignments.Remove($group)
     $item.SystemUpdate();                    
     Write-Host "Successfully removed $PermissionLevel permission from $GroupName group in $ListName list." -foregroundcolor Green
    }
    else
    {
     Write-Host "Group $GroupName does not exist." -foregroundcolor Red
    }
   }
  }
 }
 else
 {
  Write-Host "List $ListName does not exist!" -foregroundcolor Red
 }

 $web.Dispose()
}
function Add-SPPermissionToListItemGroup
{
 param ($Url, $ListName, $GroupName, $PermissionLevel)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
  foreach ($item in $list.Items) 
  {
   if ($item.HasUniqueRoleAssignments -eq $False)
   {
    $item.BreakRoleInheritance($True)
   }
   else
   {
    if ($web.SiteGroups[$GroupName] -ne $null)
    {
     $group = $web.SiteGroups[$GroupName]
     $roleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($group)
     $roleDefinition = $web.RoleDefinitions[$PermissionLevel];
     $roleAssignment.RoleDefinitionBindings.Add($roleDefinition);
     $item.RoleAssignments.Add($roleAssignment)
     $item.SystemUpdate();
     Write-Host "Successfully added $PermissionLevel permission to $GroupName group in $ListName list. " -foregroundcolor Green
    }
    else
    {
     Write-Host "Group $GroupName does not exist." -foregroundcolor Red
    }
   }
  }
 }

 $web.Dispose()
}
function Add-SPPermissionToListItemGroupConditional
{
 param ($Url, $ListName, $Caml, $GroupName, $PermissionLevel)
 $web = Get-SPWeb -Identity $Url
 $list = $web.Lists.TryGetList($ListName)
 if ($list -ne $null)
 {
        $spQuery = New-Object Microsoft.SharePoint.SPQuery        
        $spQuery.Query = $Caml
        $spQuery.RowLimit = 10000
        $listItems = $list.GetItems($spQuery)        
        $listItems.Count
  foreach ($item in $listItems) 
  {
   if ($item.HasUniqueRoleAssignments -eq $False)
   {
    $item.BreakRoleInheritance($True)
   }
   else
   {
    if ($web.SiteGroups[$GroupName] -ne $null)
    {
     $group = $web.SiteGroups[$GroupName]
     $roleAssignment = new-object Microsoft.SharePoint.SPRoleAssignment($group)
     $roleDefinition = $web.RoleDefinitions[$PermissionLevel];
     $roleAssignment.RoleDefinitionBindings.Add($roleDefinition);
     $item.RoleAssignments.Add($roleAssignment)
     $item.SystemUpdate();
     Write-Host "Successfully added $PermissionLevel permission to $GroupName group in $ListName list. " -foregroundcolor Green
    }
    else
    {
     Write-Host "Group $GroupName does not exist." -foregroundcolor Red
    }
   }
  }
 }

 $web.Dispose()
}
$Url=Read-Host "Enter site url"

Remove-SPPermisssionFromListItemGroupSpecific $Url "Shared Documents" "Team Visitors" "Read"
Remove-SPPermisssionFromListItemGroupAll $Url "Shared Documents" "Team Visitors"
Add-SPPermissionToListItemGroup $Url "Shared Documents" "Team Visitors" "Contribute"
Add-SPPermissionToListItemGroupConditional $Url "Shared Documents" "<Where><Eq><FieldRef Name='Create' /><Value Type='Boolean'>1</Value></Eq></Where>" "Team Visitors" "Contribute"

1 comments:

Anonymous,  January 30, 2013 at 10:00 AM  

Amazing work, Sandeep! Thanks for sharing!