Adding a group to library permissions using Powershell

  • Question

  • I am very new to SharePoint 2010 and PowerShell, so please bear with me. I have written a script that created a document library called "Audit Logs" for every site collection in our environment. I then wanted to ensure that only Site Collection administrators and the individual site Owners group had access to this document library. I was able to write a script to break the inheritance, allowing only the site collection administrators to view the library.

    I found out after writing this script that the owners group ALSO needs to be able to access the Audit Logs document library.

    Here is what I have so far:

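    $site = Get-SPSite | Get-SPWeb -limit all | ForEach-Object {
        $listName = "Audit Logs"
        $list = $_.Lists[$listName]
        # Webs that do not contain the library give $null here; skip them
        if ($list -ne $null) {
            # $False = do not copy the parent web's role assignments to the library
            $list.BreakRoleInheritance($False)
            $list.Update()
        }
    }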

    I have seen various methods for adding a group, but every method seems to be different and I haven't had much luck. I am using PowerShell and SharePoint 2010 Enterprise.

    Thanks in advance!



    • Edited by kfassanella Tuesday, January 29, 2013 3:36 PM
    Tuesday, January 29, 2013 2:08 PM

Answers

  • Hi,

    I understand that you want to grant permission for  the owners group to the Audit Logs library. You can use the script below:

    $ownersSPGroupName = "owners"
    $webUrl = "http://serverURL"
    $spWeb = Get-SPWeb $webUrl

    # Look up the list named "Audit Logs"
    $questionsList = $spWeb.Lists["Audit Logs"]

    # Set the Read access item-level permissions setting to "Read items that were created by the user"
    $questionsList.ReadSecurity = 2

    # Set the Create and Edit access item-level permissions to "Create items and edit items that were created by the user"
    $questionsList.WriteSecurity = 2

    # Assign the "Contribute" role definition to the site's owners group
    $ownersSPGroup = $spWeb.Groups[$ownersSPGroupName]
    $questionsList.BreakRoleInheritance($true)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($ownersSPGroup)

    # Assuming this is a default site, we'll look for a role definition of the type "Contributor".
    # This way, the script will also work with SharePoint sites created in languages besides English.
    $assignment.RoleDefinitionBindings.Add(($spWeb.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
    $questionsList.RoleAssignments.Add($assignment)
    $questionsList.Update()

    # Release the web object
    $spWeb.Dispose()

    For more information, please refer to this site:

    Modifying list permissions from Powershell: http://blog.morg.nl/2011/09/modifying-list-permissions-from-powershell/

    Adding permission to list using powershell: http://social.technet.microsoft.com/forums/en-US/sharepointadminprevious/thread/4373cef1-2471-4199-aa16-784684fc82de

    Thanks,

    Entan Ming


    Entan Ming
    TechNet Community Support

    Wednesday, January 30, 2013 7:56 AM
    Moderator
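  • $spSites = Get-SPWeb -Limit All
    foreach ($SPsite in $spSites)
    {
        $webUrl = $SPsite.Url
        # Open the web before anything is called on it
        $spWeb = ([Microsoft.SharePoint.PowerShell.SPWebPipeBind]$webUrl).Read()
        $spWeb.AllowUnsafeUpdates = $true
        # Create the document library (Add returns the new list's GUID, which is discarded)
        $listTemplate = [Microsoft.SharePoint.SPListTemplateType]::DocumentLibrary
        $spWeb.Lists.Add("Audits", "Location for storage of Audit Files", $listTemplate) | Out-Null
        $spList = $spWeb.Lists["Audits"]
        # Stop inheriting from the web; $true copies the current assignments so they can be pruned below
        $spList.BreakRoleInheritance($true)
        [Microsoft.SharePoint.SPRoleAssignmentCollection] $spRoleAssignments = $spList.RoleAssignments
        # Walk backwards so that removing an entry does not shift the indexes still to be visited
        for ([int] $a = $spRoleAssignments.Count - 1; $a -ge 0; $a--)
        {
            # Keep the two named principals and remove everyone else.
            # The test needs -and: with -or it is true for every member, so every assignment would be removed.
            if ($spRoleAssignments[$a].Member.Name -ne "Test site Owners" -and $spRoleAssignments[$a].Member.Name -ne "System Account")
            {
                $spRoleAssignments.Remove($a)
            }
        }
        $spWeb.AllowUnsafeUpdates = $false
        $spWeb.Dispose()
    }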

    Modify the IF condition as per your requirement. :)

    Regards

    Gyan Shukla

            

    GYAN SHUKLA

    Wednesday, January 30, 2013 11:17 AM
  • Hey guys, wanted to say thanks for the help.  I was able to get my script to work.  I used some bits and pieces from all over the internet to finally get what I needed. 

    Here is my script:

    if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction "SilentlyContinue")) { Add-PSSnapin Microsoft.SharePoint.PowerShell }

    $sites = Get-SPSite | Select RootWeb, URL

    foreach ($site in $sites) {
        $ListName = "Audit Logs"
        $PermissionLevel = "Full Control"
        $web = $site.RootWeb
        #$web = Get-SpSite -identity $site.url
        #$web = Get-SPWeb -Identity $site.url
        # -match is a regular-expression test: any list whose title contains "Audit Logs" is selected
        $list = $web.Lists | where { $_.Title -match $ListName }
        if ($list -ne $null)
        {
            if ($list.HasUniqueRoleAssignments -eq $False)
            {
                # $True copies the web's current role assignments onto the list
                $list.BreakRoleInheritance($True)
            }

            if ($list.HasUniqueRoleAssignments -eq $True)
            {
                $ownersFound = $False
                ForEach ($SiteGroup in $web.SiteGroups) {
                    # Matches every site group whose name contains "Owners"
                    if ($SiteGroup.Name -match "Owners")
                    {
                        $ownersFound = $True
                        $GroupName = $SiteGroup.Name
                        $roleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($SiteGroup)
                        $roleDefinition = $web.RoleDefinitions[$PermissionLevel]
                        $roleAssignment.RoleDefinitionBindings.Add($roleDefinition)
                        $list.RoleAssignments.Add($roleAssignment)
                        $list.Update()
                        Write-Host "Successfully added <$GroupName> to the <$ListName> list in <$($site.Url)>. " -foregroundcolor Green
                    }
                }
                # Report once per site collection, not once per non-matching group
                if (-not $ownersFound)
                {
                    Write-Host "No Owners groups exist." -foregroundcolor Red
                }
            }
        }
    }
    
    
    

    Friday, February 1, 2013 1:28 PM
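
A follow-up check for the scripts above, added here as an example and not taken from any post in the thread: it lists every principal that still holds a role on the "Audit Logs" library in each site collection's root web, so assignments copied by `BreakRoleInheritance($True)` or granted by the broad `-match "Owners"` test become visible. The function name `Get-AuditLibraryFinding` is hypothetical, and the script assumes the intended owners group is the web's `AssociatedOwnerGroup`.

```powershell
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$listName = "Audit Logs"   # library title used in the thread

# Hypothetical helper: emits one object per unexpected permission on the library
function Get-AuditLibraryFinding {
    param($Web, [string]$Title)

    $list = $Web.Lists.TryGetList($Title)   # exact title match; $null when the library is absent
    if ($list -eq $null) { return }

    if (-not $list.HasUniqueRoleAssignments) {
        New-Object PSObject -Property @{
            Web = $Web.Url; Principal = "(inherited)"; Roles = ""
            Finding = "Library still inherits permissions from the web"
        }
        return
    }

    $owners = $Web.AssociatedOwnerGroup     # assumption: this is the intended owners group
    foreach ($ra in $list.RoleAssignments) {
        # Skip bindings of type Guest ("Limited Access"); they do not open the library itself
        $roles = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest })
        if ($roles.Count -eq 0) { continue }

        $isOwners = ($owners -ne $null) -and ($ra.Member.ID -eq $owners.ID)
        if (-not $isOwners) {
            New-Object PSObject -Property @{
                Web = $Web.Url; Principal = $ra.Member.Name
                Roles = (($roles | ForEach-Object { $_.Name }) -join ", ")
                Finding = "Principal other than the associated owners group has access"
            }
        }
    }
}

# Site collection administrators never appear in RoleAssignments, so they need no exemption here
Get-SPSite -Limit All | ForEach-Object {
    try     { Get-AuditLibraryFinding -Web $_.RootWeb -Title $listName }
    finally { $_.Dispose() }   # disposing the site also releases its RootWeb
} | Format-Table Web, Principal, Roles, Finding -AutoSize
```

An empty table means only the associated owners group (plus the implicit site collection administrators) can open the library.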

All replies

  • Hey brilliant yaar I am looking for this answer itself and at last got it. Thank you very much.

    Friday, December 6, 2013 2:22 PM