Managing permissions is a very important aspect of SharePoint. As there are so many techniques to authenticate a user to a SharePoint application, the permissions part takes care of the authorization. There are so many articles that discuss the permissions levels, groups etc to a great extent.
In this post I’m going to discuss the following things.
- Code snippet to break role inheritance of a Securable Object – In current example a list
- Analyzing the code with User Interface
public static void AssignUniquePermissions(string ctxUrl,string listTitle)
{
ClientContext ctx = new ClientContext(ctxUrl);
List targetList = ctx.Web.Lists.GetByTitle("listTitle");
ctx.Load(targetList);
// the below line of code breaks the Permission Inheritane
// The below piece of code is equivalent to...
targetList.BreakRoleInheritance(true,false);
/* PermissionKind => is an Enum type that represents
all the permissions available */
/* BasePermissions => is a class to which we set the Selected
Permissions. Later we use 'BasePermissions' object in creating
the 'RoleDefinition' */
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
/* Create a new role definition => Creating a Permission Level
@ /_layouts/addrole.aspx of site collection. */
//The below piece of code is equivalent to...
RoleDefinitionCreationInformation roleDefInfo = new RoleDefinitionCreationInformation();
// Permission Level Name
roleDefInfo.Name = "ExampleEditListItems1";
roleDefInfo.Description = "Allows a user to manage list items";
roleDefInfo.BasePermissions = permissions;
/* Adds RoleDefinition => Adds Permission Level
@ /_layouts/role.aspx */
RoleDefinition roleDef = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo);
// Creating another RoleDefinition
BasePermissions permissions2 = new BasePermissions();
permissions2.Set(PermissionKind.ApproveItems);
RoleDefinitionCreationInformation roleDefInfo2 = new RoleDefinitionCreationInformation();
// Permission Level Name
roleDefInfo2.Name = "ExampleEditListItems2";
roleDefInfo2.Description = "Allows a user to Approve Items";
roleDefInfo2.BasePermissions = permissions2;
RoleDefinition roleDef2 = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo2);
/* The permissions we are assigning to the User/Group
Equivalent to 'Grant User Permissions Directly
(in this example) by selecting multiple permission
levels */
// The below piece of code is equivalent To..
RoleDefinitionBindingCollection permissionLevelsCollection = new RoleDefinitionBindingCollection(ctx);
// Add the role to the collection.
permissionLevelsCollection.Add(roleDef);
permissionLevelsCollection.Add(roleDef2);
// User user = ctx.Web.EnsureUser("Domain\\userId"); (or)
Group group = ctx.Web.SiteGroups.GetById(12);
/* The page that contains all the Permissions. =>
@ _layouts/user.aspx of the corresponding securable object */
RoleAssignmentCollection roleAssignmentCollection = targetList.RoleAssignments;
RoleAssignment roleAssignment = roleAssignmentCollection.Add(group, permissionLevelsCollection);
ctx.ExecuteQuery();
Console.WriteLine("Done!!");
Console.ReadKey();
}
targetList.BreakRoleInheritance(true,false);
This above line of code is equivalent to clicking on the ‘Stop Inheriting Permissions’ option in the ribbon
What is the difference between BreakRoleInheritance(true,true/false)?
This function breaks the role inheritance of the SecurableObject on which we are calling the function in both cases.
The second parameter(true/false) acts on the Child objects of the SecurableObject on which we called the function.
true: It makes the children of the current SecurableObject inherit RoleAssignments from the current SecurableObject even though they have UniqueRoleAssignments on them.
false: It allows the children of the current SecurableObject have their own RoleAssignments(UniqueRoleAssignments) if they have any.
Back To Code
Creating a RoleDefinition:
Creating a RoleDefinition is equivalent to creating a new permission level from the SharePoint UI @ ‘addrole.aspx’ of the root web
// Adds the permission level to the collection of permission levels at the root web level RoleDefinition roleDef = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo);
Everything I mentioned in the below image happens only after executing the query.
You find this info when you click on the Permission Level created @
~siteCollectionUrl/_layouts/editrole.aspx?role=ExampleEditListItems1
Back To The Code
Granting Permissions To a User Or Group:
Adding RoleDefinition Objs to RoleDefinitionBindingCollection obj is equivalent to
select the multiple permission checkboxes as shown in the below image.
permissionLevelsCollection.Add(roleDef); permissionLevelsCollection.Add(roleDef2);
// if we want to grant permissions to a user
User user = ctx.Web.EnsureUser("Domain\\userId");
(or)
// if we want to grant permissions to a Group
// The group id '12' represents 'TestGroup1' as shown in the above image
Group group = ctx.Web.SiteGroups.GetById(12);
// This line of code grants permissions to the Group
RoleAssignment roleAssignment = roleAssignmentCollection.Add(group, permissionLevelsCollection);
// This line of code grants permissions to the User
RoleAssignment roleAssignment = roleAssignmentCollection.Add(user, permissionLevelsCollection);
SharePoint | Office 365 Concepts and Updates 