MOSS MVP

I've moved my blog to http://blog.falchionconsulting.com!. Please update your links. This blog is no longer in use--you can find all posts and comments at my new blog; I will no longer be posting to this site and comments have been disabled.

Thursday, August 9, 2007

User Permissions for Web Applications

One of the nice things about SharePoint 2007 is that you can now control which permissions are available within a given web application. As an administrator this is useful because the web application's permission set acts as a ceiling: a permission removed here cannot be included in any permission level in any site collection under that web application, so site collection administrators can no longer hand out permissions that violate your security policies. As part of my upgrade I wanted to remove some of the available permissions, such as the ability to set themes and cascading style sheets, from our main portal application (thus preventing users from messing with our corporate brand). You can set the available permissions via the central admin tool here: Central Administration > Application Management > User Permissions for Web Application. Controlling these permissions programmatically is fairly straightforward as well: you simply set the RightsMask property of an SPWebApplication object. RightsMask is a bitmask, so you are just turning the flag of interest on or off using the SPBasePermissions enum. Once you've set the property you call Update() on the web application to persist the change.

using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// keyValues holds the parsed command-line parameters; permsDict maps each
// permission name (e.g. "ApplyStyleSheets") to whether that switch was passed.
string url = keyValues["url"];

SPWebApplication wa = SPWebApplication.Lookup(new Uri(url));

foreach (KeyValuePair<string, bool> permission in permsDict)
{
    // Only act on the switches the caller actually specified.
    if (!permission.Value)
        continue;

    // Clear the flag: AND the current mask with the complement of that bit.
    wa.RightsMask = wa.RightsMask & ~(SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), permission.Key, true);
}
// Persist the new mask to the configuration database.
wa.Update();

The code above will disable a permission but to do the opposite you would simply do the following:

wa.RightsMask = wa.RightsMask | (SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), permission.Key, true);

I chose to implement the enabling and disabling of permissions as separate commands to make the intent explicit; it would, however, be easy to merge them into one command that takes an extra parameter to determine which action to take. The syntax of the two commands is shown below.
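To make the bit arithmetic behind RightsMask concrete without needing a farm, here is an added example in plain Python; it is not code from the original post or from the stsadm extensions. The member names and values are the documented ones for Microsoft.SharePoint.SPBasePermissions (an assumption: verify them against the assembly you deploy against). It models the disable and enable paths above and also the pitfall I describe in the comments below: a mask rebuilt from every individual permission is not equal to FullMask, so code that tests for FullMask specifically will fail unless FullMask is restored explicitly.

```python
# Bit arithmetic behind SPWebApplication.RightsMask, modelled without SharePoint.
# Names/values: documented Microsoft.SharePoint.SPBasePermissions members (assumed
# accurate; verify against your assembly). Nothing here talks to a farm.
from functools import reduce
from operator import or_

SP_BASE_PERMISSIONS = {
    "EmptyMask": 0,
    "ViewListItems": 1 << 0,
    "AddListItems": 1 << 1,
    "EditListItems": 1 << 2,
    "DeleteListItems": 1 << 3,
    "ApproveItems": 1 << 4,
    "OpenItems": 1 << 5,
    "ViewVersions": 1 << 6,
    "DeleteVersions": 1 << 7,
    "CancelCheckout": 1 << 8,
    "ManagePersonalViews": 1 << 9,
    "ManageLists": 1 << 11,
    "ViewFormPages": 1 << 12,
    "Open": 1 << 16,
    "ViewPages": 1 << 17,
    "AddAndCustomizePages": 1 << 18,
    "ApplyThemeAndBorder": 1 << 19,
    "ApplyStyleSheets": 1 << 20,
    "ViewUsageData": 1 << 21,
    "CreateSSCSite": 1 << 22,
    "ManageSubwebs": 1 << 23,
    "CreateGroups": 1 << 24,
    "ManagePermissions": 1 << 25,
    "BrowseDirectories": 1 << 26,
    "BrowseUserInfo": 1 << 27,
    "AddDelPrivateWebParts": 1 << 28,
    "UpdatePersonalWebParts": 1 << 29,
    "ManageWeb": 1 << 30,
    "UseClientIntegration": 1 << 36,
    "UseRemoteAPIs": 1 << 37,
    "ManageAlerts": 1 << 38,
    "CreateAlerts": 1 << 39,
    "EditMyUserInfo": 1 << 40,
    "EnumeratePermissions": 1 << 62,
    "FullMask": 0x7FFFFFFFFFFFFFFF,  # all 63 non-sign bits of a long, not just the named ones
}
FULL_MASK = SP_BASE_PERMISSIONS["FullMask"]
NAMED_BITS = {n: v for n, v in SP_BASE_PERMISSIONS.items() if n not in ("EmptyMask", "FullMask")}
ALL_NAMED = reduce(or_, NAMED_BITS.values())  # what "tick every box" yields; gaps at bits 10, 13-15, 31-35, 41-61


def parse(name):
    """Case-insensitive lookup, mirroring Enum.Parse(typeof(SPBasePermissions), name, true)."""
    for key, value in SP_BASE_PERMISSIONS.items():
        if key.lower() == name.lower():
            return value
    raise ValueError(f"unknown SPBasePermissions member: {name}")


def disable(mask, *names):
    """mask & ~flag per name: what gl-disableuserpermissionforwebapp does to RightsMask."""
    for name in names:
        mask &= ~parse(name)
    return mask & FULL_MASK  # Python ints are unbounded; stay inside the 63 usable bits


def enable(mask, *names):
    """mask | flag per name, then restore FullMask once every named permission is present.

    Some SharePoint checks compare against FullMask itself, and ALL_NAMED != FULL_MASK."""
    for name in names:
        mask |= parse(name)
    if mask & ALL_NAMED == ALL_NAMED:
        mask = FULL_MASK
    return mask


def rebuild_from_checkboxes(*names):
    """Mask built only from ticked permissions, as the browser UI does (no FullMask fix-up)."""
    return reduce(or_, (parse(n) for n in names), 0)


def is_allowed(mask, name):
    """True when every bit of the named permission is present (FullMask needs all 63)."""
    flag = parse(name)
    return mask & flag == flag


def granted(mask):
    """Names of the individual permissions still available under this mask, for auditing."""
    return [n for n, bit in NAMED_BITS.items() if mask & bit == bit]


if __name__ == "__main__":
    # Constructed walk-through: lock branding on a portal, then re-enable everything.
    locked = disable(FULL_MASK, "ApplyStyleSheets", "ApplyThemeAndBorder")
    print("ApplyStyleSheets allowed:", is_allowed(locked, "ApplyStyleSheets"))
    print("FullMask still satisfied:", is_allowed(locked, "FullMask"))
    print("every box ticked == FullMask:", rebuild_from_checkboxes(*NAMED_BITS) == FULL_MASK)
    print("enable() result == FullMask:", enable(locked, "ApplyStyleSheets", "ApplyThemeAndBorder") == FULL_MASK)
```

The point to take from the walk-through is the third line of output: OR-ing all 33 named flags leaves undefined bit positions clear, so the result is not FullMask even though every permission is available. Any code that grants a permission by setting bits should finish with the same normalisation enable() does, and an audit of a web application should compare granted(wa.RightsMask) against policy rather than eyeballing the mask value.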

1. gl-disableuserpermissionforwebapp

C:\>stsadm -help gl-disableuserpermissionforwebapp

stsadm -o gl-disableuserpermissionforwebapp

Disable permissions that can be used in permission levels within the web application.

Parameters:
        -url <web application>
        [-EmptyMask]
        [-ViewListItems]
        [-AddListItems]
        [-EditListItems]
        [-DeleteListItems]
        [-ApproveItems]
        [-OpenItems]
        [-ViewVersions]
        [-DeleteVersions]
        [-CancelCheckout]
        [-ManagePersonalViews]
        [-ManageLists]
        [-ViewFormPages]
        [-Open]
        [-ViewPages]
        [-AddAndCustomizePages]
        [-ApplyThemeAndBorder]
        [-ApplyStyleSheets]
        [-ViewUsageData]
        [-CreateSSCSite]
        [-ManageSubwebs]
        [-CreateGroups]
        [-ManagePermissions]
        [-BrowseDirectories]
        [-BrowseUserInfo]
        [-AddDelPrivateWebParts]
        [-UpdatePersonalWebParts]
        [-ManageWeb]
        [-UseClientIntegration]
        [-UseRemoteAPIs]
        [-ManageAlerts]
        [-CreateAlerts]
        [-EditMyUserInfo]
        [-EnumeratePermissions]
        [-FullMask]

Here’s an example of how to remove the Apply Style Sheets permission:

stsadm -o gl-disableuserpermissionforwebapp -url "http://intranet/" -ApplyStyleSheets

2. gl-enableuserpermissionforwebapp

C:\>stsadm -help gl-enableuserpermissionforwebapp

stsadm -o gl-enableuserpermissionforwebapp

Enable permissions that can be used in permission levels within the web application.

Parameters:
        -url <web application>
        [-EmptyMask]
        [-ViewListItems]
        [-AddListItems]
        [-EditListItems]
        [-DeleteListItems]
        [-ApproveItems]
        [-OpenItems]
        [-ViewVersions]
        [-DeleteVersions]
        [-CancelCheckout]
        [-ManagePersonalViews]
        [-ManageLists]
        [-ViewFormPages]
        [-Open]
        [-ViewPages]
        [-AddAndCustomizePages]
        [-ApplyThemeAndBorder]
        [-ApplyStyleSheets]
        [-ViewUsageData]
        [-CreateSSCSite]
        [-ManageSubwebs]
        [-CreateGroups]
        [-ManagePermissions]
        [-BrowseDirectories]
        [-BrowseUserInfo]
        [-AddDelPrivateWebParts]
        [-UpdatePersonalWebParts]
        [-ManageWeb]
        [-UseClientIntegration]
        [-UseRemoteAPIs]
        [-ManageAlerts]
        [-CreateAlerts]
        [-EditMyUserInfo]
        [-EnumeratePermissions]
        [-FullMask]

Here’s an example of how to add the Apply Style Sheets permission:

stsadm -o gl-enableuserpermissionforwebapp -url "http://intranet/" -ApplyStyleSheets

6 comments:

Barry said...

I think it's a pretty good way of doing things. Thanks, Gary. Central Administration tools are sometimes a bit complicated to use. It's nice to have some extra ways to do the same things. In addition to your way there is also a 3rd party tool for managing SharePoint security permissions that was released not long ago as written on scriptlogic.com. I'm talking about Security Explorer for SharePoint. It uses a tree-style interface that really simplifies navigation across SharePoint site objects and assigning permissions, permission levels and SharePoint groups.

Gary Lapointe said...

Thanks for the feedback. Keep checking back here as I'll be adding new commands all the time. I just posted an enumfeatures command (http://stsadm.blogspot.com/2007/08/enumerate-features.html). I took a look at the scriptlogic product - looks nice - I think one thing that stsadm extensions such as mine offer over something like this is the ability to make those scripted changes during deployment (which is what my focus with this project has been). A tool like scriptlogics would be extremely handy post deployment but I'm not sure it would help me out much during the deployment itself (assuming of course that I can script everything or that it makes sense to script everything - some things just don't).

Gary Lapointe said...

I've made a minor bug fix. Now when you assign all permissions it automatically re-adds the FullMask permission. This is critical for some aspects of SharePoint which only check whether FullMask is applied (see my post on the enumeffectivebasepermissions command for further details). Note that this is something that is not happening when done via the browser - Microsoft has confirmed this as a bug. Use of this command (or your own code) is the only way around the bug.

Anonymous said...

Hi Gary,

I used some of your extensions (especially the bug workaround - enumeffectivebasepermissions). I've a question regarding permissions. I've modified permissions the wrong way, I want to restore permissions to the OOTB permissions (all groups and permissions).

Do you know a solution to restore permissions and groups to 'Out of the Box' state?

Thank you for your time!

Remon Boonstra
email: firstname.lastname@crmpartners.nl

Gary Lapointe said...

Remon - unfortunately I don't know of a way out of the box to reset the permissions - the easiest thing to do would be to just create a temporary site collection and recreate the permissions manually based on how they are set in that site collection.

skurocks said...

An interesting thing to note about the User Permissions for Web Application.
Refer to the link below:

http://skurocks.wordpress.com/2009/06/26/enable-client-integration-user-permissions-for-web-application-%e2%80%93-caution/