SharePoint 2010: change permissions on lists using PowerShell

It gets interesting when your customer needs functionality such as freezing or publishing documents, whole sites or webs, or just particular lists, that is, when the process needs something that stops users from editing or deleting items or lists, or from doing anything in the current site. You have many options for this:

One of the basic options is a script. The script below iterates through the permissions and sets them to Read, except for Full Control. So every user who does not have Full Control gets read access to the lists. The script can also be used for a site or a web. This PowerShell script can be used in a workflow if you have installed the custom actions for SPD from CodePlex.

As I experienced, if you need the functionality to freeze something and also want to provide an unfreeze function, it is easier to change the permissions at list level, because then you can just reset the BreakRoleInheritance for each list. If you reset the BreakRoleInheritance on the site and the site is a subsite, then you get the permissions from the top-level site. But if the subsite should have different access permissions from the top-level site, you won’t be happy changing permissions on the web (subsite).

Let’s have a look at the code:



Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Sets every role assignment on a web or list to Read, except assignments that
# hold Full Control or nothing but Limited Access.
Function Change-RoleAssignments($SPElement)
{
    foreach($ElementRole in $SPElement.RoleAssignments)
    {
        $FullControlUser = $false
        $LimitedAccessUser = $true

        Foreach($ElementRoleDef in $ElementRole.RoleDefinitionBindings)
        {
            # 1073741829 = Full Control
            if($ElementRoleDef.Id -eq "1073741829")
            {
                $FullControlUser = $true
                $LimitedAccessUser = $false
            }
            # 1073741825 = Limited Access; any other role means the assignment gets changed
            elseif($ElementRoleDef.Id -ne "1073741825")
            {
                $LimitedAccessUser = $false
            }
        }

        if($FullControlUser -eq $false -and $LimitedAccessUser -eq $false)
        {
            # Replace all existing bindings with Read
            $ElementRole.RoleDefinitionBindings.RemoveAll()
            $ElementRole.RoleDefinitionBindings.Add($Read)
            $ElementRole.Update()
        }
    }
}

$Url = "http://servername/sites/sitecollection"
$Web = Get-SPWeb $Url

# Get the Read permission level (1073741826)
$Read = $Web.RoleDefinitions.GetById("1073741826")

# Freeze the web itself
Change-RoleAssignments $Web

# Freeze every visible list that users are allowed to delete
foreach($List in $Web.Lists | ? {$_.Hidden -eq $false -and $_.AllowDeletion -eq $true})
{
    if($List.HasUniqueRoleAssignments)
    {
        Change-RoleAssignments $List
    }
    else
    {
        # Copy the inherited assignments to the list, then change the copy
        $List.BreakRoleInheritance($true)
        Change-RoleAssignments $List
    }
}

$Web.Dispose()


As I told you, below you will find the script to reset the inheritance.



Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Url = "http://servername/sites/sitecollection"
$Web = Get-SPWeb $Url

# Every visible, deletable list with unique permissions inherits from the web again
foreach($List in $Web.Lists | ? {$_.Hidden -eq $false -and $_.AllowDeletion -eq $true})
{
    if($List.HasUniqueRoleAssignments)
    {
        $List.ResetRoleInheritance()
    }
}

$Web.Dispose()


It’s not that complicated.
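
An added example, not part of the original post: a read-only pre-check that records the current role assignments of the web and of each list the freeze script touches, together with the action the freeze script would take, before anything is changed. The reset script restores inheritance on every list with unique permissions, including lists that already had them before the freeze, so the HadUniquePermissions column shows which lists the reset alone cannot bring back to their earlier state. The helper name Get-RoleAssignmentSnapshot, the CSV path and the column names are assumptions for illustration.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$FullControlId   = 1073741829   # Full Control, same ID as in the freeze script
$LimitedAccessId = 1073741825   # Limited Access, same ID as in the freeze script

# Hypothetical helper: emits one row per role assignment on a web or list.
Function Get-RoleAssignmentSnapshot($SPElement, $Scope)
{
    foreach ($Assignment in $SPElement.RoleAssignments)
    {
        $Ids   = @($Assignment.RoleDefinitionBindings | ForEach-Object { $_.Id })
        $Names = @($Assignment.RoleDefinitionBindings | ForEach-Object { $_.Name })
        # Same decision the freeze script makes, computed without changing anything.
        $OnlyLimited = @($Ids | Where-Object { $_ -ne $LimitedAccessId }).Count -eq 0
        if ($Ids -contains $FullControlId) { $Action = "Keep (Full Control)" }
        elseif ($OnlyLimited)              { $Action = "Keep (Limited Access only)" }
        else                               { $Action = "Replace with Read" }
        New-Object PSObject -Property @{
            Scope                = $Scope
            HadUniquePermissions = $SPElement.HasUniqueRoleAssignments
            Principal            = $Assignment.Member.Name
            Roles                = ($Names -join "; ")
            PlannedAction        = $Action
        }
    }
}

$Url  = "http://servername/sites/sitecollection"   # placeholder URL, as in the scripts above
$Path = "C:\Temp\permissions-before-freeze.csv"    # assumed output location
$Web  = Get-SPWeb $Url
try
{
    $Rows = @(Get-RoleAssignmentSnapshot $Web "Web: $($Web.Url)")
    foreach ($List in $Web.Lists | Where-Object { $_.Hidden -eq $false -and $_.AllowDeletion -eq $true })
    {
        $Rows += @(Get-RoleAssignmentSnapshot $List "List: $($List.Title)")
    }
    # Select-Object fixes the column order, which a hashtable does not guarantee.
    $Rows | Select-Object Scope, HadUniquePermissions, Principal, Roles, PlannedAction |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}
finally
{
    $Web.Dispose()
}
```

Review the rows marked "Replace with Read" before running the freeze, and keep the CSV as the record of what each list looked like beforehand.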


The article or information provided here represents completely my own personal view & thought. It is recommended to test the content or scripts of the site in the lab, before making use in the production environment & use it completely at your own risk. The articles, scripts, suggestions or tricks published on the site are provided AS-IS with no warranties or guarantees and confers no rights.

About Karsten Pohnke
He is a consultant for SharePoint solutions for collaboration, communication and business processes. He provides his customers with applications based on standard features as well as development or combining the power of several Microsoft tools like Dynamics CRM. In his free time he tries to collect tips and worthwhile experience in this blog.