Using PowerShell to Add Permission Levels in SharePoint 2010

Besides using PowerShell to modify or add list permissions, you can also add new Permission Levels. As permission levels don’t persist within site templates, this can be handy when creating deployment scripts for new sites.

Here’s how you do it:

# Add Permission Level to a site
# (c) 2011 Morgan de Jonge

$spSite = Get-SPSite "http://portal.contoso.com"
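# We'll add the Permission Level to the top-level site in the site collection.
# Piping the site to Get-SPWeb returns every web in the collection, so fetch the root web by URL instead.
$spWeb = Get-SPWeb $spSite.Url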

# In this example, we add a new Permission Level labelled "Add Only" to the site, which will allow users to only add new items (no editing or removing)
if($spWeb.RoleDefinitions["Add Only"] -eq $null)
{
    # Role Definition named "Add Only" does not yet exist
    $spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition
    $spRoleDefinition.Name = "Add Only"
    $spRoleDefinition.Description = "Can only Add items. Use this Permission Level for List or Library Permissions."
    # .Type is a ReadOnly property, hence it'll remain on "None".

    # Use the command [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") to get a list of possible BasePermission values
    # For this Permission Level, we'll add four base permissions:
    $spRoleDefinition.BasePermissions = "ViewListItems, AddListItems, Open, ViewPages"
    $spWeb.RoleDefinitions.Add($spRoleDefinition)
}

#Display the properties for our new Permission level
$spWeb.RoleDefinitions["Add Only"] | Out-Host

$spWeb.Dispose()
$spSite.Dispose()

Unfortunately, the RoleDefinition.Type property, which contains a RoleType enum value, is read-only. Hence, it’ll get the default value “None”.

The .BasePermissions property is a flags enumeration that holds the actual permissions granted to users and groups assigned the permission level. See MSDN for a description of these permissions, or use the following command to enumerate them in PowerShell:

# Enumerate through SPBasePermissions
PS > [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
EmptyMask
ViewListItems
AddListItems
EditListItems
DeleteListItems
ApproveItems
OpenItems
ViewVersions
DeleteVersions
CancelCheckout
ManagePersonalViews
ManageLists
ViewFormPages
Open
ViewPages
AddAndCustomizePages
ApplyThemeAndBorder
ApplyStyleSheets
ViewUsageData
CreateSSCSite
ManageSubwebs
CreateGroups
ManagePermissions
BrowseDirectories
BrowseUserInfo
AddDelPrivateWebParts
UpdatePersonalWebParts
ManageWeb
UseClientIntegration
UseRemoteAPIs
ManageAlerts
CreateAlerts
EditMyUserInfo
EnumeratePermissions
FullMask
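
The script above skips creation when a level named "Add Only" already exists, so it never notices if that level's BasePermissions were widened later. As an added example (not part of the original post), the hypothetical helper Ensure-PermissionLevel creates the level when it is missing and otherwise reports which flags are extra or missing compared with the expected mask. The -Repair switch and the property names of the returned object are assumptions of this example.

```powershell
# Added example, not from the original post. Ensure-PermissionLevel is a hypothetical helper.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Ensure-PermissionLevel {
    param(
        [Parameter(Mandatory=$true)] [Microsoft.SharePoint.SPWeb] $Web,
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [Microsoft.SharePoint.SPBasePermissions] $Expected,
        [string] $Description = "",
        [switch] $Repair   # reset a drifted level to the expected mask
    )
    $status = "Unchanged"; $extra = @(); $missing = @()
    # Look the level up by name instead of relying on the indexer's not-found behaviour
    $role = $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name }
    if ($role -eq $null) {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name = $Name
        $role.Description = $Description
        $role.BasePermissions = $Expected
        $Web.RoleDefinitions.Add($role)
        $status = "Created"
    }
    elseif ($role.BasePermissions -ne $Expected) {
        # Compare flag names, not raw bits, so the report is readable.
        # A level widened to every permission shows up as the single name "FullMask".
        $want = $Expected.ToString() -split ',\s*'
        $have = $role.BasePermissions.ToString() -split ',\s*'
        $diff = @(Compare-Object $want $have)
        $extra   = @($diff | Where-Object { $_.SideIndicator -eq "=>" } | ForEach-Object { $_.InputObject })
        $missing = @($diff | Where-Object { $_.SideIndicator -eq "<=" } | ForEach-Object { $_.InputObject })
        $status = "Drifted"
        if ($Repair) {
            $role.BasePermissions = $Expected
            $role.Update()
            $status = "Repaired"
        }
    }
    New-Object PSObject -Property @{ Name = $Name; Status = $status; Extra = $extra; Missing = $missing }
}

$spSite = Get-SPSite "http://portal.contoso.com"
try {
    # RootWeb is owned by the SPSite object and is released when the site is disposed
    Ensure-PermissionLevel -Web $spSite.RootWeb -Name "Add Only" `
        -Expected "ViewListItems, AddListItems, Open, ViewPages" `
        -Description "Can only Add items. Use this Permission Level for List or Library Permissions."
}
finally { $spSite.Dispose() }
```

A non-empty Extra list means the level grants more than the deployment script intended; review it before running again with -Repair.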

See the article on modifying or adding list permissions for instructions on how to assign this new Permission Level to a user or group.
