GetPermissionCollection, Converting Permission Mask to Roles
Locked
-
Monday, April 21, 2008 6:20 PM
Hi, I'm retrieving permissions on a list of files using SharePoint's Permission Web Service and the GetPermissionCollection method. I'm able to retrieve the Permissions, but I'd like to be able to convert the permission mask into the role(s) it belongs to (just like when you view the Permissions through the web site).
Is there a straightforward way to do this through SharePoint's Web Services?
For example:
GetPermissionCollection may give me the following Permission
<Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />
Looking at the Permissions on the file through the Web, I see that Style Resource Readers have the "Limited Access" Role on that file.
Any help on this would be greatly appreciated.
All Replies
-
Monday, April 21, 2008 9:05 PM
Hi Jamie,
Like I posted on my blog, you can get the permissions by
Code Snippet
SPBasePermissions permissions = (SPBasePermissions) Enum.Parse(typeof(SPBasePermissions), permissionMask.ToString());
The problem is that this only lists the rights, and not which permission level (Reader...) it means. I did not find a way to do this by now.
René
-
Tuesday, April 22, 2008 11:36 AM
Hi,
I actually read your blog before.
Unfortunately it does not solve my problem. I'm running this from a remote machine (XP); the only way I can get your snippet to run is from a Windows 2003 server that has SharePoint installed. I need to be able to do this purely through SharePoint's Web Services.
-
Thursday, May 01, 2008 5:14 PM
I was able to get this partly to work. After finding the enumeration values for all the possible base permissions, I'm able to take the Mask integer and convert it into its base permissions.
Using the UserGroup Webservice, I can retrieve the list of Roles and their base permissions, which I can convert into the integer mask value. Comparing the mask values, I can find out what role a user has.
This solution works only if a user's or group's permission consists of one role. For more than one role you could permute the different role combinations and compare the mask value, but there are roles which just have a subset of base permissions compared to other roles, which can cause false positives (e.g. Reader base permissions are a subset of Contributor, so the resulting mask is exactly the same as Contributor).
I can post some code samples if requested.
Note: to be able to get all the information needed, you must connect with a user which has administrative rights.
Here is the list of enum values
EmptyMask 0x0000000000000000 Grant no permissions.
FullMask 0x7FFFFFFFFFFFFFFF Grant all permissions.
ViewListItems 0x0000000000000001 Allow viewing of List Items in Lists, Documents in Document Libraries, and Web Discussion comments.
AddListItems 0x0000000000000002 Allow addition of List Items to Lists, Documents to Document Libraries, and Web Discussion comments.
EditListItems 0x0000000000000004 Allow editing of List Items in Lists, Documents in Document Libraries, Web Discussion comments, and to customize Web Part Pages in Document Libraries.
DeleteListItems 0x0000000000000008 Allow deletion of List Items from Lists, Documents from Document Libraries, and Web Discussion comments.
ApproveItems 0x0000000000000010 Allow approval of minor versions of a List Item or Document.
OpenItems 0x0000000000000020 Allow viewing the source of Documents with server-side file handlers.
ViewVersions 0x0000000000000040 Allow viewing of past versions of a List Item or Document.
DeleteVersions 0x0000000000000080 Allow deletion of past versions of a List Item or Document.
CancelCheckout 0x0000000000000100 Allow discard or check in of a Document which is checked out to another user.
ManagePersonalViews 0x0000000000000200 Allow creation, change, and deletion of Personal Views of Lists.
ManageLists 0x0000000000000800 Allow creation and deletion of Lists, addition or removal of Fields to the schema of a List, and addition or removal of Public Views of a List.
ViewFormPages 0x0000000000001000 Allow viewing of Forms, Views, and application Pages, and enumerate Lists.
Open 0x0000000000010000 Allow access to the items contained within a Site, List, or Folder.
ViewPages 0x0000000000020000 Allow viewing of Pages in a Site.
AddAndCustomizePages 0x0000000000040000 Allow addition, modification, or deletion of HTML Pages or Web Part Pages, and editing the Site using a Windows SharePoint Services compatible editor.
ApplyThemeAndBorder 0x0000000000080000 Allow application of a theme or borders to the entire Site.
ApplyStyleSheets 0x0000000000100000 Allow application of a style sheet (.css file) to the Site.
ViewUsageData 0x0000000000200000 Allow viewing of reports on Site usage.
CreateSSCSite 0x0000000000400000 Allow creation of a Site using Self-Service Site Creation, an implementation-specific capability of Windows SharePoint Services.
ManageSubwebs 0x0000000000800000 Allow creation of Subsites within the Site or Site Collection.
CreateGroups 0x0000000001000000 Allow creation of a group of Users that can be used anywhere within the Site Collection.
ManagePermissions 0x0000000002000000 Allow creation and modification of permission levels on the Site and assigning permissions to Users and Site Groups.
BrowseDirectories 0x0000000004000000 Allow enumeration of Documents and Folders in a Site using [MS-FPSE] and WebDAV interfaces.
BrowseUserInfo 0x0000000008000000 Allow viewing the information about all users of the Site.
AddDelPrivateWebParts 0x0000000010000000 Allow addition or removal of personal Web Parts on a Web Part Page.
UpdatePersonalWebParts 0x0000000020000000 Allow updating of Web Parts to display personalized information.
ManageWeb 0x0000000040000000 Allow all administration tasks for the Site as well as manage content.
UseClientIntegration 0x0000001000000000 Allow use of features that launch client applications; otherwise, Users must work on Documents on their local machines and upload changes to the WFE.
UseRemoteAPIs 0x0000002000000000 Allow use of SOAP, WebDAV, or [MS-FPSE] to access the Site.
ManageAlerts 0x0000004000000000 Allow management of alerts for all Users of the Site.
CreateAlerts 0x0000008000000000 Allow creation of email alerts.
EditMyUserInfo 0x0000010000000000 Allow a user to change his or her own User information, such as adding a picture.
EnumeratePermissions 0x4000000000000000 Allow enumeration of permissions on the Site, List, Folder, Document, or List Item.
-
Thursday, September 04, 2008 7:06 AM
Does anyone have a solid solution, or is it impossible to get this working?
-
Friday, March 27, 2009 12:30 AM
Hi,
Did you find any solution to get mask names like (Full control, Read, Limited Access) using the web service?
<Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />
Thanks
ravi
-
Friday, March 27, 2009 10:32 AM
Jamie Redman said:
Note: to be able to get all the information needed, you must connect with a user which has administrative rights.
A slight correction: As far as I know, you need to have full control over the queried object, while you may have limited rights on parent objects.
-
Friday, March 27, 2009 10:38 AM
magham_ravi said:
Did you find any solution to get mask names like (Full control, Read, Limited Access) using the web service?
<Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />
Aren't these "mask names" actually the names of the roles defined on the site collection? I'm not sure, but I suppose so and saw some proofs.
If so, you need to get role definitions from the site collection and get their masks, then determine which masks are combined to give the mask a group or a user has. Unfortunately, this is likely to require you to have full control over the root web or even to be the site collection administrator. If you don't have such permissions, consider not determining the role names, but determining the set of base permissions from the permission mask.
- Proposed As Answer by Azhdar Wednesday, July 29, 2009 10:13 AM
-
Wednesday, July 29, 2009 10:22 AM
Hi,
my solution (only for the rights):
// Key = bit position in the mask, value = name of the base permission.
System.Collections.Generic.Dictionary<int, string> DicoRights = new System.Collections.Generic.Dictionary<int, string>();
DicoRights.Add(0, " ViewListItems"); // 1
DicoRights.Add(1, " AddListItems"); // 2
DicoRights.Add(2, " EditListItems"); // 4
DicoRights.Add(3, " DeleteListItems"); // 8
DicoRights.Add(4, " ApproveItems"); // 16
DicoRights.Add(5, " OpenItems"); // 32
DicoRights.Add(6, " ViewVersions"); // 64
DicoRights.Add(7, " DeleteVersions"); // 128
DicoRights.Add(8, " CancelCheckout"); // 256
DicoRights.Add(9, " ManagePersonalViews"); // 512
DicoRights.Add(11, " ManageLists"); // 2 048
DicoRights.Add(12, " ViewFormPages"); // 4 096
DicoRights.Add(16, " Open"); // 65 536
DicoRights.Add(17, " ViewPages"); // 131 072
DicoRights.Add(18, " AddAndCustomizePages"); // 262 144
DicoRights.Add(19, " ApplyThemeAndBorder"); // 524 288
DicoRights.Add(20, " ApplyStyleSheets"); // 1 048 576
DicoRights.Add(21, " ViewUsageData"); // 2 097 152
DicoRights.Add(22, " CreateSSCSite"); // 4 194 304
DicoRights.Add(23, " ManageSubwebs"); // 8 388 608
DicoRights.Add(24, " CreateGroups"); // 16 777 216
DicoRights.Add(25, " ManagePermissions"); // 33 554 432
DicoRights.Add(26, " BrowseDirectories"); // 67 108 864
DicoRights.Add(27, " BrowseUserInfo"); // 134 217 728
DicoRights.Add(28, " AddDelPrivateWebParts"); // 268 435 456
DicoRights.Add(29, " UpdatePersonalWebParts"); // 536 870 912
DicoRights.Add(30, " ManageWeb"); // 1 073 741 824
DicoRights.Add(36, " UseClientIntegration "); // 68 719 476 736
DicoRights.Add(37, " UseRemoteAPIs"); // 137 438 953 472
DicoRights.Add(38, " ManageAlerts"); // 274 877 906 944
DicoRights.Add(39, " CreateAlerts"); // 549 755 813 888
DicoRights.Add(40, " EditMyUserInfo"); // 1 099 511 627 776

// Binary string of the mask. Converted as a 64-bit value: bits 36 to 40 do not fit in an Int32.
string MaskBin = Convert.ToString(Convert.ToInt64(row[column]), 2);
int tailleMaks = MaskBin.Length;
string UserRights = null;
foreach (System.Collections.Generic.KeyValuePair<int, string> kvp in DicoRights)
{
    try
    {
        // Bit kvp.Key counted from the right-hand end of the binary string.
        if (MaskBin[(MaskBin.Length - (kvp.Key + 1))] == '1')
            UserRights += kvp.Value;
    }
    catch { } // Index out of range: the mask has no bit that high.
}
-
Tuesday, July 13, 2010 9:06 AM
The following code might help to get the appropriate Role.
//<Permission MemberID="1" Mask="138612833" MemberIsUser="True" MemberGlobal="False" UserLogin="laptop\administrator" />
var mask = ulong.Parse("138612833");
bool OpenItems = false;
SPBasePermissions permissions = (SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), mask.ToString(), true);
if ((permissions & SPBasePermissions.OpenItems) == SPBasePermissions.OpenItems)
    OpenItems = true;

// Local copy of the enum (declared at namespace or class level), so no SharePoint assembly is needed.
[Flags()]
public enum SPBasePermissions : ulong
{
    AddAndCustomizePages = 0x40000L,
    AddDelPrivateWebParts = 0x10000000L,
    AddListItems = 2L,
    ApplyStyleSheets = 0x100000L,
    ApplyThemeAndBorder = 0x80000L,
    ApproveItems = 0x10L,
    BrowseDirectories = 0x4000000L,
    BrowseUserInfo = 0x8000000L,
    CancelCheckout = 0x100L,
    CreateAlerts = 0x8000000000L,
    CreateGroups = 0x1000000L,
    CreateSSCSite = 0x400000L,
    DeleteListItems = 8L,
    DeleteVersions = 0x80L,
    EditListItems = 4L,
    EditMyUserInfo = 0x10000000000L,
    EmptyMask = 0L,
    EnumeratePermissions = 0x4000000000000000L,
    FullMask = 0x7fffffffffffffffL,
    ManageAlerts = 0x4000000000L,
    ManageLists = 0x800L,
    ManagePermissions = 0x2000000L,
    ManagePersonalViews = 0x200L,
    ManageSubwebs = 0x800000L,
    ManageWeb = 0x40000000L,
    Open = 0x10000L,
    OpenItems = 0x20L,
    UpdatePersonalWebParts = 0x20000000L,
    UseClientIntegration = 0x1000000000L,
    UseRemoteAPIs = 0x2000000000L,
    ViewFormPages = 0x1000L,
    ViewListItems = 1L,
    ViewPages = 0x20000L,
    ViewUsageData = 0x200000L,
    ViewVersions = 0x40L
}
- Proposed As Answer by Balaji_Milo Tuesday, July 13, 2010 9:06 AM
-
Tuesday, October 05, 2010 1:57 PM
Hi Jamie,
You posted "Using the UserGroup Webservice, I can retrieve the list of Roles and their base permissions, which I can convert into the integer mask value. Comparing the mask values, I can find out what role a user has."
From "GetRolesAndPermissionsForSite" in the UserGroup Webservice I get something like this:
<Role ID="1073741829" Name="Full Control" Description="Has full control." Hidden="False" Type="Administrator"
BasePermissions="9223372036854775807" xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/" />
You mean that you can convert BasePermissions into the mask value?
I will be very grateful for some code sample.
Chris.
-
Tuesday, February 01, 2011 9:24 PM
I made this JavaScript sample thanks to @zanlok's answer on Stack Overflow.
I used jQuery, SPServices js (http://spservices.codeplex.com/) and this link for the mask codes: http://msdn.microsoft.com/en-us/library/dd304243%28PROT.13%29.aspx I hope this helps you. I did this because I needed it too; however, it may also help others.
You need to replace the divid with the value of the control you want to place the HTML in, and the LIST NAME HERE with the name of the list.
The script will spit out everyone that has access to a list, and say if they can read, add, change and delete things. Hope this helps you.
I think this looks easy enough to edit and add more permissions if you like!
Moderator Note: Do NOT propose your own posts. The "Propose as Answer" function is to propose the good answers of other people.
$('#divid').html('Working...').SPServices({
    operation: "GetPermissionCollection",
    objectName: 'LIST NAME HERE',
    objectType: "List",
    completefunc: function (xData, Status) {
        // HTML-encode server-supplied values before they are put into markup.
        var esc = function (s) { return $('<div>').text(String(s)).html(); };
        var out = "<ul>";
        $(xData.responseXML).find("Permission").each(function () {
            if ($(this).attr("MemberIsUser") === "True") {
                out += "<li>User: " + esc($(this).attr("UserLogin")) + "</li>";
            } else {
                out += "<li>Group: " + esc($(this).attr("GroupName")) + "</li>";
            }
            var readmask = 0x0000000000000001;
            var addmask = 0x0000000000000002;
            var editmask = 0x0000000000000004;
            var deletemask = 0x0000000000000008;
            out += "<li>Mask: " + esc($(this).attr("Mask")) + "</li>";
            // Mask is a decimal string. Parse it first, and parenthesize the bit test:
            // > binds tighter than & in JavaScript.
            var mask = parseInt($(this).attr("Mask"), 10);
            var canread = (readmask & mask) !== 0 ? "Yes" : "No";
            var canadd = (addmask & mask) !== 0 ? "Yes" : "No";
            var canedit = (editmask & mask) !== 0 ? "Yes" : "No";
            var candelete = (deletemask & mask) !== 0 ? "Yes" : "No";
            out += "<li>Can Read: " + canread + "</li>";
            out += "<li>Can Add: " + canadd + "</li>";
            out += "<li>Can Edit: " + canedit + "</li>";
            out += "<li>Can Delete: " + candelete + "</li>";
        });
        out += "</ul>";
        $('#divid').html(out);
    }
});
Gabriel Guimarães
- Edited by Gabriel Guimarães Tuesday, February 01, 2011 9:25 PM edit code
- Proposed As Answer by Gabriel Guimarães Tuesday, February 01, 2011 9:25 PM
- Unproposed As Answer by Mike Walsh FIN Wednesday, February 02, 2011 9:43 AM
- Edited by Mike Walsh FIN Wednesday, February 02, 2011 10:06 AM Moderator Note added
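Added example (not code from any poster in this thread): the role-matching approach discussed above, decoding a Mask into base permissions and listing every combination of role definitions whose combined BasePermissions equal it, which makes the subset ambiguity visible. The "Reader" and "Contributor" values are constructed for illustration, and using the first post's mask as the "Limited Access" definition is an assumption; real values would come from GetRolesAndPermissionsForSite.

```javascript
// Bit positions taken from the base-permission list posted in this thread.
const BASE_PERMISSIONS = {
  ViewListItems: 0, AddListItems: 1, EditListItems: 2, DeleteListItems: 3,
  ApproveItems: 4, OpenItems: 5, ViewVersions: 6, DeleteVersions: 7,
  CancelCheckout: 8, ManagePersonalViews: 9, ManageLists: 11, ViewFormPages: 12,
  Open: 16, ViewPages: 17, AddAndCustomizePages: 18, ApplyThemeAndBorder: 19,
  ApplyStyleSheets: 20, ViewUsageData: 21, CreateSSCSite: 22, ManageSubwebs: 23,
  CreateGroups: 24, ManagePermissions: 25, BrowseDirectories: 26, BrowseUserInfo: 27,
  AddDelPrivateWebParts: 28, UpdatePersonalWebParts: 29, ManageWeb: 30,
  UseClientIntegration: 36, UseRemoteAPIs: 37, ManageAlerts: 38, CreateAlerts: 39,
  EditMyUserInfo: 40, EnumeratePermissions: 62,
};

// Mask and BasePermissions arrive as decimal strings. BigInt keeps all 64 bits;
// a Number is exact only up to 2^53 and its bitwise operators truncate to 32 bits.
function decodeMask(mask) {
  const m = BigInt(mask);
  return Object.keys(BASE_PERMISSIONS)
    .filter((name) => (m >> BigInt(BASE_PERMISSIONS[name])) & 1n);
}

// Every set of roles whose combined BasePermissions equal the mask exactly.
// More than one result means the mask alone cannot say which roles were assigned.
function candidateRoleSets(mask, roles) {
  const target = BigInt(mask);
  // A role granting a bit the mask lacks cannot be part of the assignment.
  const usable = roles.filter((r) => (BigInt(r.basePermissions) & ~target) === 0n);
  const found = [];
  for (let pick = 1; pick < (1 << usable.length); pick++) {
    const chosen = usable.filter((_, i) => pick & (1 << i));
    const combined = chosen.reduce((acc, r) => acc | BigInt(r.basePermissions), 0n);
    if (combined === target) found.push(chosen.map((r) => r.name));
  }
  return found;
}

const ROLES = [
  { name: "Full Control", basePermissions: "9223372036854775807" }, // value quoted in the thread
  { name: "Limited Access", basePermissions: "134287360" }, // assumed: mask from the first post
  { name: "Reader", basePermissions: "134418529" },       // constructed sample
  { name: "Contributor", basePermissions: "134419183" },  // constructed: Reader plus edit rights
];

console.log(decodeMask("134287360"));
console.log(candidateRoleSets("134419183", ROLES));
```

With these sample roles the Contributor mask matches four different role sets, because Reader and Limited Access add no bits that Contributor does not already grant.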

