Custom SharePoint permission level

Source: Internet
Author: User

1. customize existing permission levels
On the "website Settings" page, under "users and permissions", click "Advanced Permissions ".

1. on the toolbar, click "Settings" and then "permission level ".

2. In the permission level list, click the name of the permission level you want to customize.

3. In the permission list, select or clear the check boxes to add or delete permissions to or from the permission level.

4. Click Submit ".

The permission structure in MOSS consists of website permissions, list permissions, and personal permissions.

There are 18 types of website permissions:


There are 12 types of list permissions, such:


There are three types of personal permissions:


2. Permission level

The above provides basic permissions. Different permissions constitute the permission level in MOSS. MOSS itself provides us with some permission levels, and we can also customize them based on our own needs.

When we customize our own permission levels, we can refer to the Moss itself and modify it based on it. We edit the existing website level, which provides a copy permission level function,
We can copy a copy and modify it on this basis to define our own permission level.


3. Demonstrate MOSS permissions, relationships between users and permission objects:


4. Use the SharePoint object model to control permissions

The following classes are used:

SPUser, SPGroup, SPRoleDefinition, and SPRoleAssignment.

SPRoleDefinition is used to define a role (that is, the "permission level" mentioned above ).

Its important attributes include:

Name: role Name
Description: Role Description.
BasePermissions: Role permissions (that is, detailed permissions are specified here)
In addition, the Type attribute is of the SPRoleType Enumeration Type, and the permission enumeration is SPBasePermissions.

SPRoleAssignment is used for permission allocation. It is relatively simple and has only three public attributes:

Member: Who will assign permissions
Parent: Assign permissions on something
RoleDefinitionBindings: Permission assigned

Member is the SPPrincipal type and is the SPUser and SPGroup parent class.
Parent: implements the ISecurityxxxx interface.
RoleDefinitionBindings: a collection of SPRoleDefinition.

In 2007, each item (SPWeb, SPList, and SPListItem) that can be assigned permissions has a RoleAssignments attribute, which is an attribute of the SPRoleAssignmentCollection type,
Used to assign Permissions

In addition, the RoleDefinitions attribute is available in SPWeb (only available in SPWeb, that is, the role can only be defined on the website)


We want to assign a user a permission on the list. The permission uses a role named "xxx ".

The Code is as follows:

SPRoleAssignment ra = new SPRoleAssignment (user );

SPRoleDefinition rd = web. RoleDefinitions ["xxx"];

Ra. RoldDefinitionBindings. Add (rd );

List. RoleAssignments. Add (ra );

For example, modify the permissions of a user:

SPRoleAssignment ra = list. RoleAssignments. GetAssignmentByPrincipal (user );

SPRoleDefinition rd = web. RoleDefinitions ["xxx"];

Ra. RoldDefinitionBindings. Add (rd );

Ra. Update (); however, if the permissions of this list are inherited from the website,

The above Code does not automatically modify the inheritance, but throws an exception.

We must manually remove this inheritance relationship:

List. BreakRoleInheritance (true );

True in the parameter indicates re-copy the inherited permission (if you do not change it, it is the same as the website permission). If it is false, use the default permissions defined in the list template.

If you want to create a new role, you can directly create a new SPRoleDefinition, modify its Name, Description, and BasePermissions attributes, and then add them to web. RoleDefinitions;
Alternatively, you can select an existing role to copy the new role and change it. I will not write this code.

In addition, there are some other minor changes to permissions:

In section 2003, xxx. Permissions is used to obtain the permission of xxx (which can be SPWeb or SPList), but the Permissions attribute in section 2007 is also discarded.

Permissions is a very useful thing called DoesUserHavePermissions to judge the current user permission,

After the Permissions attribute is discarded, this method is transplanted to the SPWeb, SPList, and other classes.

Use list. DoesUserHavePermissions directly.

In addition, this method can determine not only the permissions of the current user, but also the permissions of the specified user (through SPUser)

In addition, SPWeb, SPList, and SPListItem are added with the CheckPermissions method to determine user Permissions. If not, an exception is thrown, which is consistent with the previous xxx. Permissions. Demand method.

5. Define, assign, and inherit roles

A role consists of two parts: Role Definition and role allocation.

The role definition, or permission level, is the list of permissions associated with the role. Permissions are only controllable operations on SharePoint websites. For example, a user with the Read role can browse pages on the website and view projects in the list. Unlike Windows SharePoint Services 2.0, Windows SharePoint Services 3.0 never directly uses permissions to manage user permissions. All user permissions and group permissions are managed by roles. A role definition is a set of permissions bound to a specific object. Roles are defined within the scope of a website (for example, Full Control, Read, Contribute, Design, or Limited Access) and have the same meaning in each location of the website, however, the websites in the same website set may be different. Role definitions can also be inherited from the parent website, just like permissions.

Role assignment is the relationship between role definitions, users, groups, and ranges (for example, one user may be the reader on List 1, and the other user is the reader on List 2 ). The relationship represented by role assignment is the key to making Windows SharePoint Services Security Management Based on roles. All permissions are managed by roles. You do not directly assign permissions to users, but only assign a set of well-defined, consistent, and meaningful permissions (role definitions ). You can add or remove users and groups from a role definition by assigning roles to manage unique permissions.

Website administrators can use the "Manage Roles" page to customize default role definitions and create other custom roles. The "Manage Roles" page lists available role definitions on the website.

Role Definition inheritance
Windows SharePoint Services supports inherited role definitions, just as it supports inherited permissions, and canceling role definition inheritance also requires canceling permission inheritance.

Each SharePoint object can have its own permission set or inherit permissions from its parent container. Windows SharePoint Services does not support partial inheritance. An object inherits all permissions of its parent and has its own permissions. Permissions Can Be unique or inherited. Windows SharePoint Services does not support targeted inheritance. For example, an object can only inherit from its parent container, but not from some other objects or containers.

When a website inherits the role definition, these roles are read-only, just as they inherit the read-only permissions of the website. The user will get a link to the parent website with a unique role definition. Default settings for all new websites (including new websites with unique permissions) are defined by the role inherited from the parent website. If the permission is exclusive, the role definition can be restored to the inherited role definition, or edited as the local role definition.

According to the following prohibition rules, the role definition inheritance in the website has an impact on permission inheritance:

· The permission cannot be inherited unless it also inherits the role definition.

· You cannot create a unique role definition unless it also creates unique permissions.

· Cannot be restored to the inherited role definition, unless it also restores all unique permissions on the website. The existing permission depends on the role definition.

· It cannot be restored to an inherited permission, unless it is also restored to an inherited role definition. Website permissions are always associated with the website role definitions.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.