What permissions are behind the permission levels (roles) in SharePoint


Recently, I was involved in a support request where I had to find out what SPBasePermissions are assigned behind permission level in SharePoint using SharePoint OM code.  First some basics about permission level and base permissions.


If you are in your SharePoint site, click Site Actions > Site Settings > click “People and groups” under “Users and Permissions” section > click “Site Permissions” in the left navigation menu > And use the Settings menu in the Permissions list to select “Permission Levels”.  You’ll get to see the roles (technically these are permissions levels).


image


If you click on one particular role (for e.g., Contribute), you’ll get to see the “Permissions” assigned to that particular role.


image


These are basically classified into List, Site & Personal permissions.  They basically dictate what action an user in a particular role can perform in the SharePoint site.  The permissions levels act as masks (permission masks to be precise) and allows us to group a set of base permissions within a sort of a group called “Permission Levels”.


Now, the requirement I had was to find out which SharePoint role (e.g., contributor, designer etc.,) has which base permissions assigned to it.  The code below did it for me:

            StringBuilder sb = new StringBuilder();
using (SPSite site = new SPSite(“http://wss”))
{
using (SPWeb web = site.OpenWeb())
{
SPRoleDefinitionCollection roleDefinitions = web.RoleDefinitions;
foreach (SPRoleDefinition roleDefinition in roleDefinitions)
{
sb.Append(System.Environment.NewLine + System.Environment.NewLine +
“Role Definition: ” + roleDefinition.Name + System.Environment.NewLine +
“==================================================” +
System.Environment.NewLine);
XmlDocument xmldoc = new XmlDocument();
xmldoc.LoadXml(roleDefinition.Xml);
XmlNode nodes = xmldoc.DocumentElement;
sb.Append(nodes.Attributes[“BasePermissions”].Value);
}
textBox1.Text = sb.ToString();
}
}

Here’s the output:


Role Definition: Full Control
==================================================
FullMask

Role Definition: Design
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Manage Hierarchy
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ViewUsageData, CreateSSCSite, ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions

Role Definition: Approve
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Contribute
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Read
==================================================
ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts

Role Definition: Restricted Read
==================================================
ViewListItems, OpenItems, Open, ViewPages

Role Definition: Limited Access
==================================================
ViewFormPages, Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs

Role Definition: Sridhar Role
==================================================
9223372036854644735

Role Definition: View Only
==================================================
ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts

 


In situations where you aren’t very sure if a particular base permission is assigned to a role or not, the above code snippet could prove handy!  SDK reference for SPRoleDefinition.BasePermissions property.

Comments (4)

  1. It may be important to note that CreateSSCSite (0x400000) is a hidden base permission, and that it is not copied if you copy a built-in permission level using the "Copy Permission Level" button at the bottom of ~/_layouts/editrole.aspx

  2. Marlin7 says:

    Is it feasible to assign one unique permission to each group so that each group can be identified in a page? Or would there be another way to hide or show edit, create, delete buttons etc according to a user's group membership?

  3. Kumar says:

    can you please upload entire code. in this some code is hided