Sladescross's Blog

Blogging about Sharepoint related stuff

Sharepoint Security Breakdown of Permission Levels April 8, 2010

Filed under: Permission Levels,Permissions,Security,Sharepoint — sladescross @ 10:03 am

http://techtrainingnotes.blogspot.com/2010/01/sharepoint-permission-levels.html

This is a list of SharePoint 2007 and 2010 permissions and related notes (mostly for my own use :-) ).

SharePoint users/groups are granted access to SharePoint objects by being assigned one or more Permission Levels (Roles in the API). Permission Levels are built from individual Site, List and Personal permissions, represented as a 64-bit bitmap known in the object model as the PermissionMask property.

SharePoint 2007 and 2010 include 33 permissions, plus two additional values not exposed in the UI: EmptyMask and FullMask. Note that the definition of FullMask can change! See here: http://www.cjvandyk.com/blog/Lists/Posts/Post.aspx?List=744536f4%2D127e%2D4c4a%2Dbcff%2Db85408e7e7e5&ID=225

API notes:

  Permission Level = Role. The number of levels assigned to a principal is myuser.Roles.Count or mygroup.Roles.Count.

  // List the permission levels (roles) assigned to a group
  foreach (SPRole role in mygroup.Roles)
  {
      Console.Write(" Role: " + role.Name);
  }

  Permission test:

  // Check one permission bit for a user, identified by login name
  if (web.DoesUserHavePermissions(user.LoginName, SPBasePermissions.DeleteListItems))
  {
      // the user can delete items in this web
  }

  Permission levels are OR'd ("|" in C#), so a user gets the union of the permissions in every level assigned to them
  (and there is no "Deny").

  Two other places to find user related info:

     Owners:
       site.SecondaryContact.Name
       site.SystemAccount.Name

    Site Collection Administrators:
       user.IsSiteAdmin

Permission Levels, SPBasePermissions, PermissionMask bit, and default assignments

enum = order of the item in the enumeration of SPBasePermissions

Enum Name = enumeration name (e.g. SPBasePermissions.ManageLists)

bit = bit position in SPRole.PermissionMask

Group = group name on the "Edit Permission Level" page (_layouts/editrole.aspx)

Name in Browser = name on the "Edit Permission Level" page (_layouts/editrole.aspx)

R = included in the default Read permission level and the "sitename Reader" group

C = included in the default Contribute permission level and the "sitename Members" group

D = included in the default Design permission level (no default group)

FC = included in the default Full Control permission level and the "sitename Owner" group

The View permission level is the same as Read, except it is missing Open Items.

enum | bit | Group | Enum Name | Name in browser | Description | R | C | D | FC
-----|-----|-------|-----------|-----------------|-------------|---|---|---|---
12 | 12 | List | ManageLists | Manage Lists | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. |   |   |   | X
10 | 9 | List | CancelCheckout | Override Checkout | Discard or check in a document which is checked out to another user. |   |   | X | X
3 | 2 | List | AddListItems | Add Items | Add items to lists, add documents to document libraries, and add Web discussion comments. |   | X | X | X
4 | 3 | List | EditListItems | Edit Items | Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries. |   | X | X | X
5 | 4 | List | DeleteListItems | Delete Items | Delete items from a list, documents from a document library, and Web discussion comments in documents. |   | X | X | X
2 | 1 | List | ViewListItems | View Items | View items in lists, documents in document libraries, and view Web discussion comments. | X | X | X | X
6 | 5 | List | ApproveItems | Approve Items | Approve a minor version of a list item or document. |   |   | X | X
7 | 6 | List | OpenItems | Open Items | View the source of documents with server-side file handlers. | X | X | X | X
8 | 7 | List | ViewVersions | View Versions | View past versions of a list item or document. | X | X | X | X
9 | 8 | List | DeleteVersions | Delete Versions | Delete past versions of a list item or document. |   | X | X | X
32 | 40 | List | CreateAlerts | Create Alerts | Create e-mail alerts. | X | X | X | X
13 | 13 | List | ViewFormPages | View Application Pages | View forms, views, and application pages, and enumerate lists. | X | X | X | X
23 | 26 | Site | ManagePermissions | Manage Permissions | Create and change permission levels on the Web site and assign permissions to users and groups. |   |   |   | X
19 | 22 | Site | ViewUsageData | View Usage Data | View reports on Web site usage. |   |   |   | X
21 | 24 | Site | ManageSubwebs | Create Subsite | Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. |   |   |   | X
28 | 31 | Site | ManageWeb | Manage Web Site | Grant the ability to perform all administration tasks for the Web site as well as manage content. Activate, deactivate, or edit properties of Web site scoped Features through the object model or through the user interface (UI). When granted on the root Web site of a site collection, activate, deactivate, or edit properties of site collection scoped Features through the object model. To browse to the Site Collection Features page and activate or deactivate site collection scoped Features through the UI, you must be a site collection administrator. |   |   |   | X
16 | 19 | Site | AddAndCustomizePages | Add and Customize Pages | Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor. |   |   | X | X
17 | 20 | Site | ApplyThemeAndBorder | Apply Theme and Border | Apply a theme or borders to the entire Web site. |   |   | X | X
18 | 21 | Site | ApplyStyleSheets | Apply Style Sheets | Apply a style sheet (.css file) to the Web site. |   |   | X | X
22 | 25 | Site | CreateGroups | Create Groups | Create a group of users that can be used anywhere within the site collection. |   |   |   | X
24 | 27 | Site | BrowseDirectories | Browse Directories | Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces. |   | X | X | X
20 | 23 | Site | CreateSSCSite | Use Self-Service Site Creation | Create a Web site using Self-Service Site Creation. |   |   |   |  
15 | 18 | Site | ViewPages | View Pages | View pages in a Web site. | X | X | X | X
34 | 63 | Site | EnumeratePermissions | Enumerate Permissions | Enumerate permissions on the Web site, list, folder, document, or list item. |   |   |   | X
25 | 28 | Site | BrowseUserInfo | Browse User Information | View information about users of the Web site. | X | X | X | X
31 | 39 | Site | ManageAlerts | Manage Alerts | Manage alerts for all users of the Web site. |   |   |   | X
30 | 38 | Site | UseRemoteAPIs | Use Remote Interfaces | Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site. | X | X | X | X
29 | 37 | Site | UseClientIntegration | Use Client Integration Features | Use features that launch client applications; otherwise, users must work on documents locally and upload changes. | X | X | X | X
14 | 17 | Site | Open | Open | Allow users to open a Web site, list, or folder to access items inside that container. | X | X | X | X
33 | 41 | Site | EditMyUserInfo | Edit Personal User Information | Allows a user to change his or her user information, such as adding a picture. |   | X | X | X
11 | 10 | Personal | ManagePersonalViews | Manage Personal Views | Create, change, and delete personal views of lists. |   | X | X | X
26 | 29 | Personal | AddDelPrivateWebParts | Add/Remove Personal Web Parts | Add or remove personal Web Parts on a Web Part Page. |   | X | X | X
27 | 30 | Personal | UpdatePersonalWebParts | Update Personal Web Parts | Update Web Parts to display personalized information. |   | X | X | X
1 | 0 |   | EmptyMask | EmptyMask | Has no permissions on the Web site. Not available through the user interface. |   |   |   |  
35 | 1 |   | FullMask | FullMask | Has all permissions on the Web site. Not available through the user interface. |   |   |   |  
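As an added example (not code from the original post, and not SharePoint's own object model), the following Python models the PermissionMask arithmetic from the API notes above together with the table. It derives each permission's value from the table's "bit" column as 1 << (bit - 1), which is an assumption that the column is 1-based and matches the SPBasePermissions enumeration; it rebuilds the default Read, Contribute, Design and Full Control levels from the R/C/D/FC columns exactly as printed; and it shows that levels assigned to one user OR together with no deny. The FullMask constant and the "Approvers" custom level in the demo are assumed/constructed values.

```python
# Added example, not code from the original post or from SharePoint: model the
# 64-bit PermissionMask described above. Each permission's value is derived from
# the table's "bit" column as 1 << (bit - 1) (assumed to match SPBasePermissions),
# and the default levels are rebuilt from the R / C / D / FC columns as printed.
from enum import IntFlag

# 1-based bit positions copied from the table's "bit" column.
_BITS = {
    "ViewListItems": 1, "AddListItems": 2, "EditListItems": 3, "DeleteListItems": 4,
    "ApproveItems": 5, "OpenItems": 6, "ViewVersions": 7, "DeleteVersions": 8,
    "CancelCheckout": 9, "ManagePersonalViews": 10, "ManageLists": 12, "ViewFormPages": 13,
    "Open": 17, "ViewPages": 18, "AddAndCustomizePages": 19, "ApplyThemeAndBorder": 20,
    "ApplyStyleSheets": 21, "ViewUsageData": 22, "CreateSSCSite": 23, "ManageSubwebs": 24,
    "CreateGroups": 25, "ManagePermissions": 26, "BrowseDirectories": 27, "BrowseUserInfo": 28,
    "AddDelPrivateWebParts": 29, "UpdatePersonalWebParts": 30, "ManageWeb": 31,
    "UseClientIntegration": 37, "UseRemoteAPIs": 38, "ManageAlerts": 39, "CreateAlerts": 40,
    "EditMyUserInfo": 41, "EnumeratePermissions": 63,
}
SPBasePermissions = IntFlag("SPBasePermissions", {n: 1 << (b - 1) for n, b in _BITS.items()})

EMPTY_MASK = 0
# Assumed value for FullMask (all 63 low bits set); the post warns its definition can change.
FULL_MASK = 0x7FFFFFFFFFFFFFFF


def mask_of(*names):
    """OR the named permissions into one PermissionMask integer."""
    mask = 0
    for name in names:
        mask |= SPBasePermissions[name].value
    return mask


def decode(mask):
    """Names of the permissions present in a mask, in the table's bit order."""
    return [p.name for p in SPBasePermissions if mask & p.value]


def has_permission(mask, *names):
    """Same test as SPWeb.DoesUserHavePermissions: every requested bit must be set."""
    needed = mask_of(*names)
    return mask & needed == needed


def effective_mask(levels):
    """Levels assigned to one principal OR together; with no deny, nothing is ever removed."""
    mask = 0
    for level in levels:
        mask |= level
    return mask


def grants_beyond(level, baseline):
    """Permissions a level holds that a baseline level does not (useful when auditing custom levels)."""
    return decode(level & ~baseline)


# Default levels rebuilt from the R / C / D / FC columns as printed in the table.
READ = mask_of("ViewListItems", "OpenItems", "ViewVersions", "CreateAlerts", "ViewFormPages",
               "ViewPages", "BrowseUserInfo", "UseRemoteAPIs", "UseClientIntegration", "Open")
CONTRIBUTE = READ | mask_of("AddListItems", "EditListItems", "DeleteListItems", "DeleteVersions",
                            "BrowseDirectories", "EditMyUserInfo", "ManagePersonalViews",
                            "AddDelPrivateWebParts", "UpdatePersonalWebParts")
DESIGN = CONTRIBUTE | mask_of("CancelCheckout", "ApproveItems", "AddAndCustomizePages",
                              "ApplyThemeAndBorder", "ApplyStyleSheets")
# FC column as printed: every row except CreateSSCSite.
FULL_CONTROL = mask_of(*(n for n in _BITS if n != "CreateSSCSite"))

if __name__ == "__main__":
    # Constructed scenario: a user in "Members" (Contribute) is also given a custom
    # "Approvers" level built as Read plus ApproveItems.
    approvers = READ | SPBasePermissions.ApproveItems.value
    user_mask = effective_mask([CONTRIBUTE, approvers])
    print("ManageLists value:", SPBasePermissions.ManageLists.value)
    print("Read grants", len(decode(READ)), "permissions")
    print("Can approve:", has_permission(user_mask, "ApproveItems"))
    # The narrower Approvers level did not take DeleteListItems away (no deny):
    print("Can still delete:", has_permission(user_mask, "DeleteListItems"))
    print("Beyond Contribute:", grants_beyond(user_mask, CONTRIBUTE))
    # Audit angle: a custom level that quietly includes the right to change permissions.
    custom = CONTRIBUTE | SPBasePermissions.ManagePermissions.value
    print("Custom level adds:", grants_beyond(custom, CONTRIBUTE))
```

Running decode over the PermissionMask of each role definition in a site is the quickest way to see what a custom permission level really contains; grants_beyond against the default Contribute mask flags levels that add ManagePermissions, EnumeratePermissions or ManageWeb under an innocuous name.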