locked
How do I explicitly give a user permission to a web programmatically? RRS feed

  • Question

  • Hi,
     
    I want to give a user explicit permissions to an spweb. Is this possible in MOSS 2007?

    If so, can someone show me how? I dont want to add them to a group or assign any roles to them. I just want to give them explicit permissions. I have a feeling this is no longer possible. Would be grateful if someone can confirm.

    Just wanted to add this needs to be done programmatically.

    Thanks
    jasear
    Tuesday, November 25, 2008 10:43 AM

Answers

  • Yes, it's possible. In SharePoint it's a two-step process, though.

    First off, SharePoint has a bunch of sets of individual permissions. For instance, you can have permission to read a list item, but there's a different permission as well for reading list "pages", i.e. the "View", "Edit", page for a list item. So if you're going to grant them something as simple as "read" access, it's actually going to be, most likely, a collection of these different read permissions. These individual permissions are part of the SPBasePermissions enumeration.

    What you're going to do is create a new SPRoleDefinition, which is an object which contains these set of rights. So for instance, on out of the box SharePoint sites, you'll usually have an "Approvers" group, and the "Approvers" group has the "Approve" set of permissions. "Approve" is a Role Definition. To get the existing Role Definitions for the particular SPWeb you're in, you can access it by checking the SPWeb.RoleDefinitions property, which will return a collection of the Role Definitions that have already been applied to that web. (For instance, if you want to assign your user the "Approve" set of permissions, you don't need to create a new set of permissions, you can just use the existing set of permissions. To reiterate, you're not making the user a member of any group; you're just assigning them a set of permissions, which in this case happens to include the "approve" permission.)

    Now, a List, List Item, or Web can have multiple Role Assignments assigned to it, a Role Assignment being both a user or group, and the permission group assigned to that entity. Using object model wording, an SPRoleAssignment object is a combination of a user or group, and an SPRoleDefinition. For instance, I could say "John Doe" is assigned the "Approve" permission set for this particular list item, and that would be a Role Assignment.

    Take a look at the SDK for SPRoleAssignment to see an example of how this is done in code.
    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.sproleassignment.aspx

    http://blog.beckybertram.com
    Tuesday, November 25, 2008 3:24 PM

All replies

  • Yes, it's possible. In SharePoint it's a two-step process, though.

    First off, SharePoint has a bunch of sets of individual permissions. For instance, you can have permission to read a list item, but there's a different permission as well for reading list "pages", i.e. the "View", "Edit", page for a list item. So if you're going to grant them something as simple as "read" access, it's actually going to be, most likely, a collection of these different read permissions. These individual permissions are part of the SPBasePermissions enumeration.

    What you're going to do is create a new SPRoleDefinition, which is an object which contains these set of rights. So for instance, on out of the box SharePoint sites, you'll usually have an "Approvers" group, and the "Approvers" group has the "Approve" set of permissions. "Approve" is a Role Definition. To get the existing Role Definitions for the particular SPWeb you're in, you can access it by checking the SPWeb.RoleDefinitions property, which will return a collection of the Role Definitions that have already been applied to that web. (For instance, if you want to assign your user the "Approve" set of permissions, you don't need to create a new set of permissions, you can just use the existing set of permissions. To reiterate, you're not making the user a member of any group; you're just assigning them a set of permissions, which in this case happens to include the "approve" permission.)

    Now, a List, List Item, or Web can have multiple Role Assignments assigned to it, a Role Assignment being both a user or group, and the permission group assigned to that entity. Using object model wording, an SPRoleAssignment object is a combination of a user or group, and an SPRoleDefinition. For instance, I could say "John Doe" is assigned the "Approve" permission set for this particular list item, and that would be a Role Assignment.

    Take a look at the SDK for SPRoleAssignment to see an example of how this is done in code.
    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.sproleassignment.aspx

    http://blog.beckybertram.com
    Tuesday, November 25, 2008 3:24 PM
  • Thanks for your reply becky.

    We are actually doing a migration from SPS 2003 to MOSS 2007 by writing our own migration tool. In SPS 2003 you could give explicit permissions to a user without having them in a role(s) (before they were called groups) or groups (known as cross-site groups before). In effect you could select the permissions (which come from the SPBasePermissions enum known as SPRights before) and apply them to the user. Which in effect was storing a permission mask against the user.

    In Lists it was even worse. But my question really is whether we can do the same kind of thing in MOSS 2007 which I think we cant. It seems as if a user gets its permissions from role(s) or group(s) only.
    jasear
    Thursday, November 27, 2008 1:29 PM