What permissions are behind the permission levels (roles) in SharePoint

Recently, I was involved in a support request where I had to find out what SPBasePermissions are assigned behind a permission level in SharePoint using SharePoint OM code. First, some basics about permission levels and base permissions.

In your SharePoint site, click Site Actions > Site Settings, click "People and groups" under the "Users and Permissions" section, click "Site Permissions" in the left navigation menu, and then use the Settings menu in the Permissions list to select "Permission Levels". You'll see the roles (technically, these are permission levels).

If you click on one particular role (for example, Contribute), you'll see the "Permissions" assigned to that role.

These are classified into List, Site and Personal permissions. They dictate what actions a user in a particular role can perform in the SharePoint site. Permission levels act as masks (permission masks, to be precise) and let us group a set of base permissions under a single name, the "permission level".

Now, the requirement I had was to find out which SharePoint role (e.g., contributor, designer, etc.) has which base permissions assigned to it. The code below did it for me:

    // Namespaces needed: System.Text, System.Xml, Microsoft.SharePoint
    StringBuilder sb = new StringBuilder();
    using (SPSite site = new SPSite("https://wss"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            // Every permission level (role definition) defined on this web
            SPRoleDefinitionCollection roleDefinitions = web.RoleDefinitions;
            foreach (SPRoleDefinition roleDefinition in roleDefinitions)
            {
                // Header line for this role
                sb.Append(System.Environment.NewLine + System.Environment.NewLine +
                    "Role Definition: " + roleDefinition.Name + System.Environment.NewLine +
                    "==================================================" +
                    System.Environment.NewLine);
                // The role definition's XML carries the base permissions
                // in the BasePermissions attribute of its root element
                XmlDocument xmldoc = new XmlDocument();
                xmldoc.LoadXml(roleDefinition.Xml);
                XmlNode nodes = xmldoc.DocumentElement;
                sb.Append(nodes.Attributes["BasePermissions"].Value);
            }
            // textBox1 is a TextBox on the form hosting this code
            textBox1.Text = sb.ToString();
        }
    }

Here's the output:

Role Definition: Full Control
==================================================
FullMask

Role Definition: Design
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Manage Hierarchy
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ViewUsageData, CreateSSCSite, ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions

Role Definition: Approve
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Contribute
==================================================
ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Role Definition: Read
==================================================
ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts

Role Definition: Restricted Read
==================================================
ViewListItems, OpenItems, Open, ViewPages

Role Definition: Limited Access
==================================================
ViewFormPages, Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs

Role Definition: Sridhar Role
==================================================
9223372036854644735

Role Definition: View Only
==================================================
ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts

 

In situations where you aren't sure whether a particular base permission is assigned to a role, the above code snippet could prove handy! See the SDK reference for the SPRoleDefinition.BasePermissions property.
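
The custom role in the output above shows a bare number because a [Flags] enum is formatted as a number when its value cannot be written as a combination of named members. The following is an added example, not code from the original post: it reads the typed SPRoleDefinition.BasePermissions property, expands any mask into its named rights, and marks roles that hold ManagePermissions or ManageWeb. The class name RoleMaskAudit, the [REVIEW] marker and the choice of those two rights as "sensitive" are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Hypothetical console tool; must run on a SharePoint server, like the post's snippet.
static class RoleMaskAudit
{
    // Assumption: the rights treated here as administrative.
    const SPBasePermissions Sensitive =
        SPBasePermissions.ManagePermissions | SPBasePermissions.ManageWeb;

    // Expand a mask into the named single rights it contains.
    public static List<string> Decode(SPBasePermissions mask)
    {
        List<string> names = new List<string>();
        foreach (SPBasePermissions flag in Enum.GetValues(typeof(SPBasePermissions)))
        {
            // EmptyMask and FullMask are not individual rights.
            if (flag == SPBasePermissions.EmptyMask || flag == SPBasePermissions.FullMask)
                continue;
            if ((mask & flag) == flag)
                names.Add(flag.ToString());
        }
        return names;
    }

    static void Main()
    {
        using (SPSite site = new SPSite("https://wss")) // URL from the post
        using (SPWeb web = site.OpenWeb())
        {
            foreach (SPRoleDefinition role in web.RoleDefinitions)
            {
                SPBasePermissions mask = role.BasePermissions;
                // Any overlap with the sensitive rights marks the role for review.
                string mark = (mask & Sensitive) != SPBasePermissions.EmptyMask ? " [REVIEW]" : "";
                Console.WriteLine("{0}: 0x{1:X16}{2}", role.Name, (ulong)mask, mark);
                Console.WriteLine("  " + string.Join(", ", Decode(mask).ToArray()));
            }
        }
    }
}
```

Comparing the decoded list for a custom role against the list for Full Control shows which rights were removed when the role was created.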