Setting List Item Permissions Programmatically in WSS 3.0/MOSS 2007


[update: a quick review by one of our SDETs resulted in some good suggestions to make the code below more usable, and I’ve added them to the code below: (1) using GetByType to return the Role Definition rather than specifying the name as a string, thereby working in localized versions other than en-us, and (2) checking for unique permissions prior to adding the Role Assignment to the List Item, and breaking permission inheritance if needed – in the case of inherited permissions, the call would otherwise fail.  Thanks, Eric!]


[another quick update:  be aware that item-level permissions cannot be set/modified via any out-of-the-box Web Service.  The Permissions Web Service (permissions.asmx) can be used to work with permissions on sites or lists, but not items.  I hope to create another post sometime relatively soon on creating custom Web Services in WSS 3.0/MOSS 2007, and perhaps I’ll use the code below in the context of a custom web service for that post as well.]


One of the cool new things in Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 (get your public beta here) — and make no mistake, there are a lot of cool things to go around in these products — is fine-grained (item-level) security.  This was a big big customer wish from the current “v2” versions of the products, and it’s fantastic to see it in the products now.  The whole permissions object model has changed (for the better) as a result, and the product team has built in some great flexibility when working with role-based item-level security via the object model.  I’ve created a quick sample that shows how to set permissions using the various new OM objects and methodologies, and have included it below as an example that can be expanded to other “permissionable” objects within WSS/MOSS as well.


In this sample, I’m going to set permissions on an individual SPListItem.  I’ll create or access a Role Assignment (which essentially represents the user), bind a Role Definition to the Assignment (such as “Full Control”, “Contribute,” etc.), then add the Role Assignment to the object’s RoleAssignments collection.  Here’s the code (I’m using a simple C# console app…assume a reference to Microsoft.SharePoint.dll):


=====


using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.SharePoint;


namespace ListItemPerms
{
    class Program
    {
        static void Main(string[] args)
        {
            SetListItemPerms();
        }


        static void SetListItemPerms()
        {
            //Get SPWeb object
            //SPSite and SPWeb are IDisposable, so the using blocks release them when done

            using (SPSite Site = new SPSite("http://<url>")) //e.g., "http://myserver/mysite"
            using (SPWeb Web = Site.OpenWeb())
            {
                //Get Role Definition from SPWeb
                //GetByType avoids a hard-coded role name, so this also works on localized (non en-us) installs

                SPRoleDefinition RoleDefinition = Web.RoleDefinitions.GetByType(SPRoleType.Administrator); //or whichever SPRoleType you choose


                //Get SPListItem

                SPList List = Web.Lists["<list name>"]; //e.g., "Announcements"
                SPListItem ListItem = List.Items[1];


                //Create new Role Assignment
                //Add Role Definition to Role Assignment's Role Definition Bindings

                SPRoleAssignment RoleAssignment = new SPRoleAssignment("<login name>", //e.g., "MYDOMAIN\UserA" (written "MYDOMAIN\\UserA" in a C# string literal)
                                                                        "<email address>", //e.g., "usera@example.com"
                                                                        "<display name>", //e.g., "User A"
                                                                        "<notes>"); //e.g., "Here are some notes."

                RoleAssignment.RoleDefinitionBindings.Add(RoleDefinition);


                //Check for permission inheritance, and break if necessary
                //(adding a Role Assignment to an item that still inherits would otherwise fail)

                if (!ListItem.HasUniqueRoleAssignments)
                {
                    ListItem.BreakRoleInheritance(true); //pass true to copy role assignments from parent, false to start from scratch
                }


                //Add Role Assignment to SPListItem's Role Assignment Collection

                ListItem.RoleAssignments.Add(RoleAssignment);
                ListItem.Update();
            }
        }
    }
}


=====


And that’s that!  The user that I specified when creating my new Role Assignment will have Full Control of this single List Item only.  :-)
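Once items start carrying their own permissions, it helps to be able to see which ones do and who holds what on them. The following is an added example, not part of the original post: a read-only audit using the same object model that walks a list, reports every role binding on items that have broken inheritance, and counts the Full Control ones. The `<url>` and `<list name>` placeholders are the post's; the namespace and the `ReportUniqueItemPermissions` helper are hypothetical names, and the same Microsoft.SharePoint.dll reference is assumed.

```csharp
using System;
using Microsoft.SharePoint;

namespace ListItemPermsAudit // hypothetical name, added example
{
    class Program
    {
        static void Main(string[] args)
        {
            // Same placeholders as the post's sample: fill in your site URL and list name.
            using (SPSite site = new SPSite("http://<url>"))
            using (SPWeb web = site.OpenWeb())
            {
                int fullControl = ReportUniqueItemPermissions(web.Lists["<list name>"]);
                Console.WriteLine("Full Control bindings held directly on items: {0}", fullControl);
            }
        }

        // Lists every role binding on items that no longer inherit from the list,
        // and returns how many of those bindings are Full Control (SPRoleType.Administrator).
        static int ReportUniqueItemPermissions(SPList list)
        {
            int fullControlCount = 0;
            foreach (SPListItem item in list.Items)
            {
                if (!item.HasUniqueRoleAssignments)
                    continue; // still inherits from the list: nothing item-specific to review

                foreach (SPRoleAssignment assignment in item.RoleAssignments)
                {
                    foreach (SPRoleDefinition definition in assignment.RoleDefinitionBindings)
                    {
                        bool isFullControl = definition.Type == SPRoleType.Administrator;
                        if (isFullControl)
                            fullControlCount++;

                        Console.WriteLine("{0}\titem {1}\t{2}\t{3}{4}",
                            list.Title, item.ID, assignment.Member.Name, definition.Name,
                            isFullControl ? "\t<-- Full Control" : "");
                    }
                }
            }
            return fullControlCount;
        }
    }
}
```

Because the sample above calls `BreakRoleInheritance(true)`, an item it has touched shows the assignments copied from the parent list alongside the newly added one.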


 

Comments (6)

  1. Here is an assortment of various 2007 Microsoft Office SharePoint Server Documentation / Reference Materials…

  2. RW Dupin says:

    I get the following error when I try to change the permissions on a list item: ”You cannot customize permission levels in a web site with inherited permission levels”. This seems simple enough to solve, but I made the site not inherit permissions and I still got the same error. Any ideas? Here is my code:

    SPWeb web = SPControl.GetContextWeb(Context);
    web.RoleDefinitions;

    item.BreakRoleInheritance(false);
    item.Update();

    for (int i = 0; i < item.RoleAssignments.Count; i++)
    {
        SPRoleAssignment assingn = item.RoleAssignments[i];
        for (int y = 0; y < assingn.RoleDefinitionBindings.Count; y++)
        {
            SPRoleDefinition def = assingn.RoleDefinitionBindings[y];
            if (!def.Name.Equals("TeamOwner"))
            {
                def.BasePermissions ^= SPBasePermissions.DeleteListItems;
            }
        }
    }
    item.Update();
    return;

    I did the for loops for debugging

  3. Came across a very good blog post, Setting List Item Permissions Programmatically in WSS 3.0/MOSS 2007. The code is very simple, yet it brings out the structure it ought to have…

  4. phammk@aol.com says:

    How do I make this code work as a Web Service?

    I’ve not overcome the credential problem no matter what I used, i.e., impersonation (thru web.config), new CredentialCache, or running the Web Service using a special App Pool with Admin rights.

    The code works fine when it is executed inside VS 2005. But not thru IIS, i.e., stand alone.

  5. Guarav says:

    Hi,

    How can I create a custom permission level for a particular site collection by custom code or script in MOSS 2007?