{"id":1293,"date":"2014-04-13T11:28:02","date_gmt":"2014-04-13T11:28:02","guid":{"rendered":"https:\/\/poiseddevelopers.com\/reality-tech\/?p=1293"},"modified":"2024-05-02T07:07:26","modified_gmt":"2024-05-02T07:07:26","slug":"checking-for-a-specific-permission-for-a-specific-user-or-group-in-sharepoint","status":"publish","type":"post","link":"https:\/\/poiseddevelopers.com\/reality-tech\/checking-for-a-specific-permission-for-a-specific-user-or-group-in-sharepoint\/","title":{"rendered":"Checking for a specific permission for a specific user or group in SharePoint"},"content":{"rendered":"<p>While the UI allows one to easily check permissions for a given user, how can one do that iteratively?<\/p>\n<p>Here\u2019s the heart of the magic:<\/p>\n<pre lang=\"php\">\r\n# first grab the user principal:\r\n  $user = $TargetWeb.Groups[$GroupToAdd];\r\n \r\n# Now let's get the Role Assignments for that user on the folder:\r\n  $RA = $folder.RoleAssignments.GetAssignmentByPrincipal($user);\r\n \r\n#Role bindings are useful\r\n  $RoleDefBindings = $RA.get_RoleDefinitionBindings();\r\n \r\n#Now let's grab the Role Definition for Contribute permission in this SPWeb:\r\n  $roledef = $TargetWeb.RoleDefinitions[\"Contribute\"];\r\n \r\n# Lastly we can check whether the role bindings for this user on this folder contain the Contribute Role Definition:\r\n  if ($RoleDefBindings.Contains($roledef)) {...}\r\n<\/pre>\n<p>Some useful routines first. 
Note I like to predefine a \u201cWrite\u201d permission that allows creation and editing but not deletion:<\/p>\n<pre lang=\"php\">\r\nfunction PermRole([string] $RoleChar)\r\n{\r\n    switch ($RoleChar)\r\n    {\r\n    \"R\" {$res=\"Read\"}\r\n    \"C\" {$res=\"Contribute\"}\r\n    \"W\" {$res=\"Contribute wo delete\"}\r\n    \"D\" {$res=\"Manage Hierarchy\"}  #aka design, for setting permissions\r\n    default {$res=$null}\r\n    }\r\n    return $res;\r\n}\r\n \r\n# Routine for adding permission based on passing in a character for the role definition to be granted:\r\nfunction AddPerm ([string] $RoleChar, [string] $RoleGroup)\r\n{ #JPItem\/f and TargetWeb are implied and not passed as parms for efficiency!\r\n    if ((!$RoleChar) -or (!$RoleGroup))\r\n    {\r\n    return; #race to be efficient on NullOp\r\n    }\r\n         \r\n    $RoleValue=PermRole($RoleChar);\r\n    if (!$RoleValue) \r\n    {\r\n    Write-Host -ForegroundColor DarkRed \"ok, expected Role, but got none, for $($RoleChar)\"\r\n    return; \r\n    }\r\n     \r\n    try\r\n    {\r\n    #CONTROVERSIAL!\r\n    if ($RoleChar -eq \"W\")  #wipes out reads etc.\r\n    {\r\n    RemovePerm $RoleGroup\r\n    }\r\n         \r\n    try\r\n    {\r\n        $user = $TargetWeb.ensureuser($RoleGroup)\r\n    }\r\n    catch  #if the above fails, user is likely not a user, but in fact a group, let's retry as group\r\n    {\r\n        $user = $TargetWeb.Groups[$RoleGroup]\r\n    }\r\n    $roledef = $TargetWeb.RoleDefinitions[$RoleValue]\r\n    $roleass = New-Object Microsoft.SharePoint.SPRoleAssignment($user)\r\n    $roleass.RoleDefinitionBindings.Add($roledef)\r\n \r\n    $f1.RoleAssignments.Add($roleass)  #This is SPFolder specific in this routine\r\n    }\r\n    catch\r\n    {\r\n    Write-Host -ForegroundColor DarkRed \"ERR: Can't Assign $($RoleGroup)\"\r\n    }\r\n}\r\n<\/pre>\n<p>Let\u2019s first establish the libraries to look at across all webs and site collections:<\/p>\n<pre 
lang=\"php\">\r\n$libsArrStr=\"Library name 1|Library name 2\"\r\n$LibsArr=$libsArrStr.split(\"|\")\r\n$GroupToAdd = \"Department Contributors\"\r\n$Site = \"http:\/\/SharePoint\/sites\/SiteOfInterest\"\r\n \r\n$TargetWeb=$web=get-spweb $Site;\r\n         \r\nWrite-Host \"==&gt;working in $($web.url)\"\r\n             \r\nfor ($j=0; $j -lt $LibsArr.count; $j++)\r\n    {\r\n        $libStr=$LibsArr[$j];\r\n        $list=$web.Lists.TryGetList($libStr)\r\n             \r\n        if ($list -eq $null)\r\n        {\r\n            Write-Host -ForegroundColor DarkRed \"List not found\"\r\n        }\r\n        else\r\n        {\r\n        for ($fi=0; $fi -lt $list.Folders.Count; $fi++)\r\n        {\r\n            $f1 = $list.Folders.get_Item($fi)\r\n            $f = $f1.folder;\r\n                         \r\n      write-host -f green \"The Library $($libStr) exists in the site $($web.url), about to set folder Perms\" \r\n                      \r\n        try\r\n        {\r\n            #the rule is if this field has data, make the user a Contributor\r\n            $f1.ResetRoleInheritance(); #badda-bing, security is inherited\r\n            $isWritable = ($f.item[\"TargetMetadata\"] -ne $null);\r\n            if (!$isWritable)\r\n            {\r\n                # null op, already inherited\r\n            }\r\n                else  #let's see whether to break perms, based on whether the group already has Contribute\r\n                {\r\n                #let's see if the user has Contributor rights already; if so, no need to break inheritance\r\n                                             \r\n                $user = $TargetWeb.Groups[$GroupToAdd]\r\n                                     \r\n                $RA = $f1.RoleAssignments.GetAssignmentByPrincipal($user)\r\n                $RoleDefBindings = $RA.get_RoleDefinitionBindings()\r\n                $roledef = $TargetWeb.RoleDefinitions[\"Contribute\"]\r\n                if ($RoleDefBindings.Contains($roledef))  # 
user is already a Contributor, let's do nothing\r\n                {\r\n                }\r\n                else\r\n                {\r\n                    $f1.BreakRoleInheritance($true);  #minimalist approach\r\n                    addPerm \"C\"     $GroupToAdd                            \r\n                    }\r\n            }\r\n        }\r\n        catch\r\n        {\r\n            Write-Host problems setting perms\r\n        }\r\n    } #Folder processing for loop $fi\r\n    } # list found\r\n} #for loop $j\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>While the UI allows one to easily check permissions for a given user, how can one do that iteratively? Here\u2019s the heart of the magic: # first grab the user principal: $user = $TargetWeb.Groups[$GroupToAdd]; # Now let&#8217;s get the Role Assignments for that user on the folder: $RA = $folder.RoleAssignments.GetAssignmentByPrincipal($user); #Role bindings are useful $RoleDefBindings [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":1296,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[21,32],"tags":[],"class_list":["post-1293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","category-sharepoint"],"acf":[],"_links":{"self":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/comments?post=1293"}],"version-history":[{"count":4,"href":"https:
\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1293\/revisions"}],"predecessor-version":[{"id":1301,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1293\/revisions\/1301"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media\/1296"}],"wp:attachment":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media?parent=1293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/categories?post=1293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/tags?post=1293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}