SharePoint Roles Assignments
This very thorough, thought-through answer by Mitch Prince on an internal DL needs to see the light of day. I did a blog not long ago on SharePoint Groups, Permissions, Site Security, and Deprecated Site Groups and was going to append this to it, but decided this was worth its own post.
<update 10/16/07> This stsadm extension has some very useful ways of exposing the base permission levels (rights).</update>
SPRole, SPRights, and SPPermission classes are obsolete. Now, in WSS v3, users gain access to sites through role assignments that are assigned either individually or to a group.
“Use the new SPRoleDefinition and SPRoleAssignment classes instead, to define roles and to assign users to them. For more information, see Changes in the Authorization Object Model. (In Windows SharePoint Services 2.0, SPRole represented a site group and is maintained for backward compatibility.)”. These classes also use SPBasePermissions.
A role assignment is added to an SPWeb, SPList, or SPListItem using the RoleAssignments property of these classes. Roles can’t be assigned at the site collection level because SPSiteCollection doesn’t support this property or expose a method that performs this operation.
You can check if a user has a particular right using one of the DoesUserHavePermissions overloaded methods available on SPWeb, SPList, or SPListItem.
The following MSDN topics provide an overview of role assignments (authorization) in WSS v3:
Authorization Object Relations
http://msdn2.microsoft.com/en-us/library/ms457294.aspx
Changes in the Authorization Object Model
http://msdn2.microsoft.com/en-us/library/ms469194.aspx
Role Assignments, Role Definitions, and Inheritance
http://msdn2.microsoft.com/en-us/library/ms414036.aspx
The following code snippet shows you how to create a role definition and then how to assign it to a group within a site:
using Microsoft.SharePoint;

// AllWebs[] returns a new SPWeb object that the caller is responsible for disposing
using (SPWeb site = SPContext.Current.Site.AllWebs["Site_Name/Subsite_Name"])
{
    // Role definitions and role assignments can only be added to a web that has
    // unique permissions; break inheritance first (copying the parent's assignments)
    if (!site.HasUniqueRoleAssignments)
    {
        site.BreakRoleInheritance(true);
    }

    SPRoleDefinitionCollection roles = site.RoleDefinitions;

    // Create a new role definition named "Role_Definition_Name" with a set of base permissions
    SPRoleDefinition roleDefinition = new SPRoleDefinition();
    roleDefinition.Name = "Role_Definition_Name";
    roleDefinition.BasePermissions = SPBasePermissions.AddListItems |
        SPBasePermissions.BrowseDirectories |
        SPBasePermissions.EditListItems |
        SPBasePermissions.DeleteListItems |
        SPBasePermissions.AddDelPrivateWebParts;
    roles.Add(roleDefinition);   // Add() persists the new definition on the web

    // Create a new role assignment for a group
    SPGroup myGroup = site.SiteGroups["Group_Name"];
    SPRoleAssignmentCollection roleAssignments = site.RoleAssignments;

    // SPRoleAssignment accepts an SPPrincipal, which can be an SPUser or an SPGroup
    SPRoleAssignment roleAssignment = new SPRoleAssignment(myGroup);

    // Bind the new role definition to the role assignment
    SPRoleDefinitionBindingCollection roleDefBindings = roleAssignment.RoleDefinitionBindings;
    roleDefBindings.Add(roles["Role_Definition_Name"]);

    // Add the new role assignment to the site's collection of role assignments (Add() commits it)
    roleAssignments.Add(roleAssignment);
}
The SPList.WriteSecurity property gets/sets the write security setting for the list. You can set this to write all items, write all my items, or read-only.
Other Related Authorization Topics
Web application policies are new in WSS v3 too. These are set using the SPWebApplication.PolicyRoles property, which returns an SPPolicyRoleCollection. These policies override rights lower down at the site and list level.
Methods used for authorization with workflows:
SPWorkflowWorkflowRoleCreator.GetWorkflowRoleForPermission
SPWorkflowWorkflowRoleCreator.GetWorkflowRoleForGroups
System.Workflow.Activities.WorkflowRole
Regards,
Mitch
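The post above covers how role assignments are added at the web, list and item level and how DoesUserHavePermissions checks a right. What a security reviewer usually needs next is the reverse view: where in a web has permission inheritance been broken, and who holds what there. The following is an added example written for this post; it is not Mitch's code and not part of the SharePoint SDK. It walks an SPWeb through the ISecurableObject interface that SPWeb, SPList and SPListItem share, reports every scope with unique role assignments together with the union of the bound role definitions, and flags principals whose effective rights include ManagePermissions, ManageWeb or ManageLists. The site URL, the login name and the HighPrivilege mask are assumptions chosen for illustration, and the string-login overload of SPWeb.DoesUserHavePermissions is assumed to be available in the WSS v3 object model.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example, not code from the original post. Walks an SPWeb, its lists and
// list items, reports every scope whose permission inheritance is broken, and
// flags principals whose bound role definitions grant permission-management rights.
// The URL and login used in RunAudit are placeholders.
public static class RoleAssignmentAudit
{
    // Rights that let a principal change permissions or site structure (assumed
    // threshold; adjust to taste). A least-privilege review should see each grant of these.
    public const SPBasePermissions HighPrivilege =
        SPBasePermissions.ManagePermissions |
        SPBasePermissions.ManageWeb |
        SPBasePermissions.ManageLists;

    public class Finding
    {
        public string Scope;                 // URL of the web, list or item with unique permissions
        public string Principal;             // user or group the assignment is for
        public string Roles;                 // names of the bound role definitions
        public SPBasePermissions Effective;  // union of the bound definitions' base permissions
        public bool IsHighPrivilege;         // true when Effective overlaps HighPrivilege
    }

    // Audits the web and its lists; set includeItems to descend into list items,
    // which is where stray unique permissions usually hide.
    public static List<Finding> Audit(SPWeb web, bool includeItems)
    {
        List<Finding> findings = new List<Finding>();
        Report(web, web.Url, findings);
        foreach (SPList list in web.Lists)
        {
            Report(list, web.Url + "/" + list.RootFolder.Url, findings);
            if (!includeItems)
                continue;
            foreach (SPListItem item in list.Items)
                Report(item, web.Url + "/" + item.Url, findings);
        }
        return findings;
    }

    // ISecurableObject is implemented by SPWeb, SPList and SPListItem, so one routine
    // covers all three scopes that can carry role assignments.
    private static void Report(ISecurableObject scope, string url, List<Finding> findings)
    {
        if (!scope.HasUniqueRoleAssignments)
            return;   // inherits from its parent; the parent's entry already covers it

        foreach (SPRoleAssignment assignment in scope.RoleAssignments)
        {
            SPBasePermissions effective = SPBasePermissions.EmptyMask;
            List<string> roleNames = new List<string>();
            foreach (SPRoleDefinition definition in assignment.RoleDefinitionBindings)
            {
                // A principal's rights in a scope are the union of all bound definitions,
                // so a "Read" binding next to a "Full Control" binding is still Full Control.
                effective |= definition.BasePermissions;
                roleNames.Add(definition.Name);
            }

            Finding f = new Finding();
            f.Scope = url;
            f.Principal = assignment.Member.Name;
            f.Roles = string.Join(", ", roleNames.ToArray());
            f.Effective = effective;
            f.IsHighPrivilege = (effective & HighPrivilege) != SPBasePermissions.EmptyMask;
            findings.Add(f);
        }
    }

    // Checks a specific login rather than the current request's user. Web application
    // policies live on SPWebApplication.Policies, not in RoleAssignments, so the audit
    // above cannot see a policy grant or deny; review those separately.
    public static bool CanManagePermissions(SPWeb web, string loginName)
    {
        return web.DoesUserHavePermissions(loginName, SPBasePermissions.ManagePermissions);
    }

    // Example driver (placeholder URL and login).
    public static void RunAudit()
    {
        using (SPSite siteCollection = new SPSite("http://server/sites/team"))
        using (SPWeb web = siteCollection.OpenWeb())
        {
            foreach (Finding f in Audit(web, true))
            {
                Console.WriteLine("{0}\t{1}\t{2}\t{3}{4}",
                    f.Scope, f.Principal, f.Roles, f.Effective,
                    f.IsHighPrivilege ? "\tHIGH-PRIVILEGE" : "");
            }
            Console.WriteLine("DOMAIN\\auditor can manage permissions: {0}",
                CanManagePermissions(web, "DOMAIN\\auditor"));
        }
    }
}
```

Run RunAudit from a console application on a WSS v3 server under an account that can read the web; each line of output is one role assignment in a scope with unique permissions, with the HIGH-PRIVILEGE marker on the ones worth a second look. Flagged findings on individual list items are the usual sign of permissions granted ad hoc and never revoked.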