This very thorough, thought-through answer by Mitch Prince on an Internal DL needs to see the light of day. I did a blog not long ago on SharePoint Groups, Permissions, Site Security, and Depreciated Site Groups and was going to append this on it, but decided this was worth its own post.
<update 10/16/07> This stsadm extension has some very useful ways of exposing the base permission levels (rights).</update>
SPRole, SPRights, and SPPermission classes are obsolete. Now, in WSS v3, users gain access to sites through role assignments that are assigned either individually or to a group.
“Use the new SPRoleDefinition and SPRoleAssignment classes instead, to define roles and to assign users to them. For more information, see Changes in the Authorization Object Model. (In Windows SharePoint Services 2.0, SPRole represented a site group and is maintained for backward compatibility.)”. These classes also use SPBasePermissions.
A role can be added to SPWeb, SPList, or SPListItem using the RoleAssignments property of these classes. Roles can’t be assigned at the site collection level because SPSiteCollection doesn’t support this property or expose a method that performs this operation.
You can check if a user has a particular right using one of the DoesUserHavePermissions overloaded methods available on SPWeb, SPList, or SPListItem.
The following MSDN topics provide an overview of role assignments (authorization) in WSS v3:
Authorization Object Relations
http://msdn2.microsoft.com/en-us/library/ms457294.aspx
Changes in the Authorization Object Model
http://msdn2.microsoft.com/en-us/library/ms469194.aspx
Role Assignments, Role Definitions, and Inheritance
http://msdn2.microsoft.com/en-us/library/ms414036.aspx
The following code snippet shows you how to create a role definition and then how to assign it to a group within a site:
// Requires: using Microsoft.SharePoint;
// AllWebs returns a new SPWeb instance, so dispose it when done.
using (SPWeb site = SPContext.Current.Site.AllWebs["Site_Name/Subsite_Name"])
{
    SPRoleDefinitionCollection roles = site.RoleDefinitions;

    // Create a new role definition named "Role_Definition_Name" with a set of permissions
    SPRoleDefinition roleDefinition = new SPRoleDefinition();
    roleDefinition.Name = "Role_Definition_Name";
    roleDefinition.BasePermissions = SPBasePermissions.AddListItems |
        SPBasePermissions.BrowseDirectories |
        SPBasePermissions.EditListItems |
        SPBasePermissions.DeleteListItems |
        SPBasePermissions.AddDelPrivateWebParts;
    roles.Add(roleDefinition);

    // Create a new role assignment for a group
    SPGroup myGroup = site.SiteGroups["Group_Name"];
    SPRoleAssignmentCollection roleAssignments = site.RoleAssignments;
    // SPRoleAssignment accepts an SPPrincipal, which can be an SPUser or an SPGroup
    SPRoleAssignment roleAssignment = new SPRoleAssignment(myGroup);
    // Bind the role definition to the role assignment
    SPRoleDefinitionBindingCollection roleDefBindings = roleAssignment.RoleDefinitionBindings;
    roleDefBindings.Add(roles["Role_Definition_Name"]);
    // Add the new role assignment to the collection of role assignments for the site
    roleAssignments.Add(roleAssignment);
}
The SPList.WriteSecurity property gets/sets the write security setting for the list. You can set this to write all items, write all my items, or read-only.
Other Related Authorization Topics
Web application policies are new in WSS v3 too. These are set using SPWebApplication.PolicyRoles property which returns a SPPolicyRoleCollection. These policies override rights lower down at the site and list level.
Methods used with authorization with workflows:
SPWorkflowWorkflowRoleCreator.GetWorkflowRoleForPermission
SPWorkflowWorkflowRoleCreator.GetWorkflowRoleForGroups
System.Workflow.Activities.WorkflowRole
Regards,
Mitch
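The answer above notes that role assignments can be added to an SPListItem and that DoesUserHavePermissions checks a right. The following is an added example, not code from Mitch's answer or from this blog, that gives a single list item its own role assignment and then lists the resulting assignments for review. "List_Name" and "Group_Name" are placeholder names, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class ItemPermissionExample
{
    // Gives one list item its own role assignments, holding a single group/role pair.
    // The calling code needs rights to manage permissions on the list.
    public static void RestrictItemToGroup(SPListItem item, SPGroup group, SPRoleDefinition role)
    {
        if (!item.HasUniqueRoleAssignments)
        {
            // false = do not copy the parent's role assignments to the item.
            item.BreakRoleInheritance(false);
        }
        // If the item already had unique assignments they are kept; review them below.
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }

    // Returns one line per principal/role pair so the item's permissions can be audited.
    // Web application policies are not part of this collection and still apply on top.
    public static List<string> DescribeItemAssignments(SPListItem item)
    {
        List<string> lines = new List<string>();
        foreach (SPRoleAssignment ra in item.RoleAssignments)
            foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                lines.Add(ra.Member.Name + " -> " + rd.Name + " [" + rd.BasePermissions + "]");
        return lines;
    }

    public static void Run(SPWeb site)
    {
        // Placeholder list and group names; the first item is used for illustration.
        SPListItem item = site.Lists["List_Name"].Items[0];
        SPRoleDefinition reader = site.RoleDefinitions.GetByType(SPRoleType.Reader);
        RestrictItemToGroup(item, site.SiteGroups["Group_Name"], reader);

        foreach (string line in DescribeItemAssignments(item))
            Console.WriteLine(line);

        // Confirms the effective result for the user the code is running as.
        bool canEdit = item.DoesUserHavePermissions(SPBasePermissions.EditListItems);
        Console.WriteLine("Current user can edit this item: " + canEdit);
    }
}
```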
Microsoft.SharePoint.SPSite does not contain a definition for 'RoleDefinitions'.... Any thoughts?
After some time without posting the usual roundup of interesting WSS 3.0 resources &
Is there a way to define custom "rights"? The SPBasePermissions enumeration doesn't appear to be extensible, but the use of the word "Base" implies that there is something other than base.
For example, say I am writing a custom feature in WSS. There is a specific action that my user may or may not be authorized to take. I want to be able to configure this right at the site or list level using normal ACLs in SharePoint.
Can I do this? How?
Thanks,
Steve Wright
Hi,
Is it possible to assign an existing group to a list item by reading the SharePoint object model?
Thanks
Hi Joel
Is it possible to assign rights to just one list item at a time using the API? For example I receive a list item via a timed job. I don't want to make the list read only just the list item that gets inserted.
Mark
I believe "roleDefinitions" should be "roles" on the line:
Great post, though!
The line
Has the following error: The name 'roleDefinitions' does not exist in the current context.
Why do you write an article if you don't know the theme?