While it's relatively easy to create permission levels from the SharePoint 2010 UI, we had 2000+ site collections in a web application, so a scripted/programmatic way to create the permission level was the best choice.
We wanted to customize a SharePoint permission level by removing the delete capability from the Contributor permission level. Let's copy the Contributor permission level and remove the "Delete" capability from it.
Copy an existing permission level and change its permissions:

    // Requires a reference to Microsoft.SharePoint.dll and: using Microsoft.SharePoint;
    using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            // Get the Contributor permission level
            SPRoleDefinition roleDefContributor = web.RoleDefinitions.GetByType(SPRoleType.Contributor);

            // Copy the Contributor permission level
            SPRoleDefinition roleDefContributorNoDelete = new SPRoleDefinition(roleDefContributor);

            // Retain all permissions but remove the DeleteListItems right.
            // "&= ~flag" always clears the bit; "^=" would set it if it were not already present.
            // (Use | to add a permission, & with a mask to keep only the specified permissions.)
            // DeleteVersions is not touched here.
            roleDefContributorNoDelete.BasePermissions &= ~SPBasePermissions.DeleteListItems;
            roleDefContributorNoDelete.Name = "Contributor without Delete";
            roleDefContributorNoDelete.Description = "Contributor without Delete";

            web.RoleDefinitions.Add(roleDefContributorNoDelete);
        }
    }

For the complete list of SharePoint 2010 permission levels and the permissions each one contains, refer to this SharePoint 2010 permission levels matrix: http://office.microsoft.com/en-us/templates/sharepoint-server-2010-groups-and-permissions-reference-chart-TC101977256.aspx
Create a permission level programmatically with the object model (C#)
Alternatively, you can create a permission level from scratch. Here is how:

    // Requires a reference to Microsoft.SharePoint.dll and: using System; using Microsoft.SharePoint;
    using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            // Allow the update to proceed without request security validation
            web.AllowUnsafeUpdates = true;

            // Create the new permission level
            SPRoleDefinition roleDef = new SPRoleDefinition();

            // Set the base permissions for the permission level
            roleDef.BasePermissions = SPBasePermissions.ViewListItems | SPBasePermissions.AddListItems |
                SPBasePermissions.EditListItems | SPBasePermissions.OpenItems |
                SPBasePermissions.ViewVersions | SPBasePermissions.ManagePersonalViews |
                SPBasePermissions.ViewFormPages | SPBasePermissions.Open |
                SPBasePermissions.ViewPages | SPBasePermissions.CreateSSCSite |
                SPBasePermissions.BrowseDirectories | SPBasePermissions.BrowseUserInfo |
                SPBasePermissions.AddDelPrivateWebParts | SPBasePermissions.UpdatePersonalWebParts |
                SPBasePermissions.UseClientIntegration | SPBasePermissions.UseRemoteAPIs |
                SPBasePermissions.CreateAlerts | SPBasePermissions.EditMyUserInfo;
            roleDef.Name = "Contribute without Delete";
            roleDef.Description = "Contribute without Delete Permission Level";

            // Add the permission level
            web.RoleDefinitions.Add(roleDef);
            web.Update();

            Console.ReadLine();
        }
    }

This adds the permission level programmatically. To modify its permissions, set the BasePermissions property using values from the SPBasePermissions enumeration: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions%28v=office.14%29.aspx
Add a permission level with PowerShell
To create a permission level programmatically in SharePoint 2010 using PowerShell, here is the script:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Get the target site collection's root web
    $web = Get-SPWeb "http://sharepoint.crescent.com/sites/operations"

    # Get the Contributor base permissions
    #$Contributor = $Web.RoleDefinitions["Contribute"]
    #write-host $Contributor.BasePermissions
    # or you can use: [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") to get all base permissions

    # Create the new permission level
    $ContributeNoDelete = New-Object Microsoft.SharePoint.SPRoleDefinition
    $ContributeNoDelete.Name = "Contribute without Delete"
    # Permission level description
    $ContributeNoDelete.Description = "Contribute without Delete Permission Level"
    # Set the base permissions
    $ContributeNoDelete.BasePermissions = "ViewListItems, AddListItems, EditListItems, OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo"
    # Add the permission level
    $web.RoleDefinitions.Add($ContributeNoDelete)
    Write-Host "Permission level created successfully"

    # Grant the permission level to a SharePoint group directly
    $SPGroup = $web.SiteGroups["Operations Members"]
    $RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($SPGroup)

    # Get the permission level to apply
    $RoleDef = $web.Site.RootWeb.RoleDefinitions["Contribute without Delete"]
    # Bind the permission level to the group's role assignment
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDef)
    # Add the role assignment to the web
    $web.RoleAssignments.Add($RoleAssignment)
    $web.Update()

    Write-Host "Permission Level granted to the Group"
    $web.Dispose()

This creates a SharePoint 2010 custom permission level, "Contribute without Delete", and grants it to the group "Operations Members".
Similarly, to remove a permission level from an existing SharePoint group, the PowerShell code looks like this:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Get the target site collection's root web
    $web = Get-SPWeb "http://sharepoint.crescent.com/sites/operations"

    # Remove a permission level from a SharePoint group
    # Get the SharePoint group
    $SPGroup = $web.SiteGroups["Operations Members"]
    # Get the group's role assignment
    $RoleAssignment = $web.RoleAssignments.GetAssignmentByPrincipal($SPGroup)
    # Remove the role definition
    $RoleAssignment.RoleDefinitionBindings.Remove($web.RoleDefinitions["Contribute"])
    $RoleAssignment.Update()

    $web.Dispose()

SharePoint 2010 change permission level for group
To change the permissions of an existing permission level:

    // Requires a reference to Microsoft.SharePoint.dll and: using Microsoft.SharePoint;
    using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            SPRoleDefinition roleDef = web.RoleDefinitions["Contribute without Delete"];

            // Update the permissions for the role definition.
            // Note: this particular set grants DeleteListItems again.
            roleDef.BasePermissions = SPBasePermissions.AddListItems | SPBasePermissions.BrowseDirectories |
                SPBasePermissions.EditListItems | SPBasePermissions.Open |
                SPBasePermissions.OpenItems | SPBasePermissions.ViewListItems |
                SPBasePermissions.ViewFormPages | SPBasePermissions.ViewPages |
                SPBasePermissions.CancelCheckout | SPBasePermissions.DeleteListItems |
                SPBasePermissions.ApproveItems;
            roleDef.Update();
        }
    }
Delete custom role definition (Permission Level) Programmatically:
If you want to remove an existing permission level, use this code:

    using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            web.RoleDefinitions.Delete("Contribute without Delete");
            Console.ReadLine();
        }
    }

SharePoint 2010 get permission levels
To check SharePoint permission level programmatically:

    using (SPSite site = new SPSite("http://sharepoint.crescent.com"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            // Get all permission levels
            foreach (SPRoleDefinition role in web.RoleDefinitions)
            {
                Console.WriteLine(role.Name);
            }
            Console.ReadLine();
        }
    }
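
The scripts above each target a single site. The following PowerShell is an added example, not part of the original post: it applies the same creation step to every site collection in a web application, and reports any existing copy of the level that has regained a delete right. The function name `Set-NoDeleteLevel` and the status strings are assumptions made for illustration; the permission list and URL are the ones used in the post.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission set taken from the post's "Contribute without Delete" script
$LevelName    = "Contribute without Delete"
$Permissions  = "ViewListItems, AddListItems, EditListItems, OpenItems, ViewVersions, " +
                "ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, " +
                "BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, " +
                "UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, " +
                "CreateAlerts, EditMyUserInfo"
$DeleteRights = @("DeleteListItems", "DeleteVersions")

# Hypothetical helper: creates the level where it is missing, audits it where it exists
function Set-NoDeleteLevel([string]$WebAppUrl)
{
    foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All)
    {
        try
        {
            # Subsites inherit permission levels from the root web by default
            $web = $site.RootWeb
            $existing = $web.RoleDefinitions | Where-Object { $_.Name -eq $LevelName }
            if ($existing -eq $null)
            {
                $level = New-Object Microsoft.SharePoint.SPRoleDefinition
                $level.Name = $LevelName
                $level.Description = "Contribute without Delete Permission Level"
                $level.BasePermissions = $Permissions
                $web.RoleDefinitions.Add($level)
                $status = "Created"
            }
            else
            {
                # Compare by permission name so the check does not rely on bitwise enum operators
                $granted = $existing.BasePermissions.ToString().Split(",") | ForEach-Object { $_.Trim() }
                $drift = @($granted | Where-Object { $DeleteRights -contains $_ })
                if ($drift.Count -gt 0) { $status = "DRIFT: " + ($drift -join ", ") } else { $status = "OK" }
            }
            New-Object PSObject -Property @{ Site = $site.Url; Status = $status }
        }
        catch { New-Object PSObject -Property @{ Site = $site.Url; Status = "ERROR: $_" } }
        finally { $site.Dispose() }
    }
}

Set-NoDeleteLevel "http://sharepoint.crescent.com" | Format-Table Site, Status -AutoSize
```

Re-running it is safe: site collections that already have the level are only audited, so the output doubles as a periodic check that the level has not been edited to allow deletes.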