What permissions are behind the permission levels (roles) in SharePoint
Recently, I was involved in a support request where I had to find out what SPBasePermissions are assigned behind permission level in SharePoint using SharePoint OM code. First some basics about permission level and base permissions.
If you are in your SharePoint site, click Site Actions > Site Settings > click "People and groups" under "Users and Permissions" section > click "Site Permissions" in the left navigation menu > And use the Settings menu in the Permissions list to select "Permission Levels". You'll get to see the roles (technically these are permissions levels).
If you click on one particular role (for e.g., Contribute), you'll get to see the "Permissions" assigned to that particular role.
These are basically classified into List, Site & Personal permissions. They basically dictate what action an user in a particular role can perform in the SharePoint site. The permissions levels act as masks (permission masks to be precise) and allows us to group a set of base permissions within a sort of a group called "Permission Levels".
Now, the requirement I had was to find out which SharePoint role (e.g., contributor, designer etc.,) has which base permissions assigned to it. The code below did it for me:
StringBuilder sb = new StringBuilder();
using (SPSite site = new SPSite("https://wss"))
{
using (SPWeb web = site.OpenWeb())
{
SPRoleDefinitionCollection roleDefinitions = web.RoleDefinitions;
foreach (SPRoleDefinition roleDefinition in roleDefinitions)
{
sb.Append(System.Environment.NewLine + System.Environment.NewLine +
"Role Definition: " + roleDefinition.Name + System.Environment.NewLine +
"==================================================" +
System.Environment.NewLine);
XmlDocument xmldoc = new XmlDocument();
xmldoc.LoadXml(roleDefinition.Xml);
XmlNode nodes = xmldoc.DocumentElement;
sb.Append(nodes.Attributes["BasePermissions"].Value);
}
textBox1.Text = sb.ToString();
}
}
Here's the output:
Role Definition: Full Control
==================================================
FullMask
Role Definition: Design
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo
Role Definition: Manage Hierarchy
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ViewUsageData, CreateSSCSite, ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions
Role Definition: Approve
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo
Role Definition: Contribute
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo
Role Definition: Read
==================================================
ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts
Role Definition: Restricted Read
==================================================
ViewListItems, OpenItems, Open, ViewPages
Role Definition: Limited Access
==================================================
ViewFormPages, Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs
Role Definition: Sridhar Role
==================================================
9223372036854644735
Role Definition: View Only
==================================================
ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts
In situations where you aren't very sure if a particular base permission is assigned to a role or not, the above code snippet could prove handy! SDK reference for SPRoleDefinition.BasePermissions property.
Comments
Anonymous
April 24, 2009
PingBack from http://www.betteritsolutions.com/?p=20Anonymous
July 15, 2011
It may be important to note that CreateSSCSite (0x400000) is a hidden base permission, and that it is not copied if you copy a built-in permission level using the "Copy Permission Level" button at the bottom of ~/_layouts/editrole.aspxAnonymous
August 12, 2013
Is it feasible to assign one unique permission to each group so that each group can be identified in a page? Or would there be another way to hide or show edit, create, delete buttons etc according to a user's group membership?Anonymous
November 20, 2013
can you please upload entire code. in this some code is hided