While the UI allows one to easily check permissions for a given user, how can one do that iteratively?
Here’s the heart of the magic:
```powershell
# First grab the principal (here a SharePoint group, not an individual user):
$user = $TargetWeb.Groups[$GroupToAdd]
# Now get the role assignment for that principal on the folder
# ($folder is the folder's SPListItem; it is called $f1 in the full script below):
$RA = $folder.RoleAssignments.GetAssignmentByPrincipal($user)
# The role definition bindings tell us which roles that assignment carries:
$RoleDefBindings = $RA.RoleDefinitionBindings
# Grab the role definition for the Contribute permission level in this SPWeb:
$roledef = $TargetWeb.RoleDefinitions["Contribute"]
# Lastly, check whether the bindings for this principal on this folder contain the Contribute role definition:
if ($RoleDefBindings.Contains($roledef)) { ... }
```
Some useful routines first. Note I like to predefine a “Write” permission that allows creation and editing but not deletion:
```powershell
# Map a single character to the name of a role definition (permission level).
# "Contribute wo delete" is a custom level that allows creating and editing but not deleting.
function PermRole([string] $RoleChar) {
    switch ($RoleChar) {
        "R"     { $res = "Read" }
        "C"     { $res = "Contribute" }
        "W"     { $res = "Contribute wo delete" }
        "D"     { $res = "Manage Hierarchy" }   # aka design, for setting permissions
        default { $res = $null }
    }
    return $res
}

# Routine for adding a permission, given a character for the role definition to be granted.
# $f1 (the folder's SPListItem) and $TargetWeb are script-scope variables, not passed as parameters, for efficiency.
function AddPerm ([string] $RoleChar, [string] $RoleGroup) {
    if ((!$RoleChar) -or (!$RoleGroup)) {
        return   # nothing to do; return early
    }
    $RoleValue = PermRole $RoleChar
    if (!$RoleValue) {
        Write-Host -ForegroundColor DarkRed "ok, expected Role, but got none, for $($RoleChar)"
        return
    }
    try {
        # CONTROVERSIAL! Granting "W" first removes the group's existing assignments (wipes out Read etc.).
        # RemovePerm is a helper defined elsewhere and not shown in this post.
        if ($RoleChar -eq "W") {
            RemovePerm $RoleGroup
        }
        try {
            $user = $TargetWeb.EnsureUser($RoleGroup)
        } catch {
            # If EnsureUser fails, the name is likely a SharePoint group rather than a user; retry as a group
            $user = $TargetWeb.Groups[$RoleGroup]
        }
        $roledef = $TargetWeb.RoleDefinitions[$RoleValue]
        $roleass = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
        $roleass.RoleDefinitionBindings.Add($roledef)
        $f1.RoleAssignments.Add($roleass)   # SPFolder specific: $f1 is the folder's list item
    } catch {
        Write-Host -ForegroundColor DarkRed "ERR: Can't Assign $($RoleGroup)"
    }
}
```
Let’s first establish the libraries to look at across all webs and site collections:
```powershell
$libsArrStr = "Library name 1|Library name 2"
$LibsArr    = $libsArrStr.Split("|")
$GroupToAdd = "Department Contributors"
$Site       = "http://SharePoint/sites/SiteOfInterest"
$TargetWeb = $web = Get-SPWeb $Site
Write-Host "==>working in $($web.Url)"

for ($j = 0; $j -lt $LibsArr.Count; $j++) {
    $libStr = $LibsArr[$j]
    $list = $web.Lists.TryGetList($libStr)
    if ($list -eq $null) {
        Write-Host -ForegroundColor DarkRed "List $($libStr) not found"
    } else {
        for ($fi = 0; $fi -lt $list.Folders.Count; $fi++) {
            $f1 = $list.Folders[$fi]   # the SPListItem for the folder
            $f  = $f1.Folder            # the SPFolder itself
            Write-Host -ForegroundColor Green "The Library $($libStr) exists in the site $($web.Url), about to set folder Perms"
            try {
                # The rule: if this field has data, make the group a Contributor
                $f1.ResetRoleInheritance()   # badda-bing, security is inherited again (any unique folder permissions are discarded)
                $isWritable = ($f.Item["TargetMetadata"] -ne $null)
                if ($isWritable) {
                    # See whether the group already has Contribute through inheritance; if so, no need to break inheritance
                    $user = $TargetWeb.Groups[$GroupToAdd]
                    $RA = $f1.RoleAssignments.GetAssignmentByPrincipal($user)
                    $RoleDefBindings = $RA.RoleDefinitionBindings
                    $roledef = $TargetWeb.RoleDefinitions["Contribute"]
                    if (-not $RoleDefBindings.Contains($roledef)) {
                        $f1.BreakRoleInheritance($true)   # minimalist approach: copy the inherited assignments, then add ours
                        AddPerm "C" $GroupToAdd
                    }
                }
                # else: no-op, permissions stay inherited
            } catch {
                Write-Host -ForegroundColor DarkRed "problems setting perms on $($f1.Url): $($_.Exception.Message)"
            }
        } # folder processing loop $fi
    } # list found
} # library loop $j
```
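As an added example (not code from the original post), here is a read-only version of the same RoleAssignments / RoleDefinitionBindings check: it reports, per folder, whether the group already holds the role and which principals have assignments on it, so folders with broken inheritance can be reviewed before any ResetRoleInheritance or BreakRoleInheritance is run. The function name, its parameters and the `http://SharePoint/...` URL, library and group names are placeholders of my own.

```powershell
# Added audit helper, not code from the original post. Assumes the SharePoint snap-in is
# loaded (Get-SPWeb available); the web URL, library names and group name are placeholders.
function Get-FolderPermissionReport {
    param(
        [Parameter(Mandatory=$true)] [string]   $WebUrl,
        [Parameter(Mandatory=$true)] [string[]] $Libraries,
        [Parameter(Mandatory=$true)] [string]   $GroupName,
        [string] $RoleName = "Contribute"
    )
    $web = Get-SPWeb $WebUrl
    try {
        $group   = $web.Groups[$GroupName]
        $roleDef = $web.RoleDefinitions[$RoleName]
        if (-not $group -or -not $roleDef) { throw "Group '$GroupName' or role '$RoleName' not found in $WebUrl" }
        foreach ($libName in $Libraries) {
            $list = $web.Lists.TryGetList($libName)
            if ($list -eq $null) { Write-Warning "List '$libName' not found in $WebUrl"; continue }
            foreach ($folderItem in $list.Folders) {
                # Same check as the post: does the group's assignment on this folder carry the role?
                # GetAssignmentByPrincipal throws when the principal has no assignment, so treat that as "no".
                $hasRole = $false
                try {
                    $ra = $folderItem.RoleAssignments.GetAssignmentByPrincipal($group)
                    if ($ra -ne $null) { $hasRole = $ra.RoleDefinitionBindings.Contains($roleDef) }
                } catch { $hasRole = $false }
                # Every principal with an assignment on the folder, with the roles bound to it, for review
                $assigned = foreach ($a in $folderItem.RoleAssignments) {
                    $roles = ($a.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
                    "$($a.Member.Name) [$roles]"
                }
                New-Object PSObject -Property @{
                    Web          = $web.Url
                    Library      = $libName
                    Folder       = $folderItem.Url
                    Inherits     = -not $folderItem.HasUniqueRoleAssignments
                    GroupHasRole = $hasRole
                    Principals   = ($assigned -join "; ")
                }
            }
        }
    } finally {
        $web.Dispose()   # always release the SPWeb
    }
}

# Example call (placeholder URL and names): list only folders whose inheritance has been broken
# Get-FolderPermissionReport -WebUrl "http://SharePoint/sites/SiteOfInterest" -Libraries "Library name 1","Library name 2" `
#     -GroupName "Department Contributors" | Where-Object { -not $_.Inherits } | Format-Table -AutoSize
```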