GetPermissionCollection, Converting Permission Mask to Roles

    Question

    Hi, I'm retrieving permissions on a list of files using SharePoint's Permission Web Service and the GetPermissionCollection method. I'm able to retrieve the permissions, but I'd like to be able to convert the permission mask into the role(s) it belongs to (just like when you view the permissions through the web site).

    Is there a straightforward way to do this through SharePoint's Web Services?

    For example:

    GetPermissionCollection may give me the following Permission:

    <Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />

    Looking at the permissions on the file through the Web, I see that Style Resource Readers have the "Limited Access" role on that file.

    Any help on this would be greatly appreciated.

    Monday, April 21, 2008 6:20 PM

Answers

  • I was able to get this partly to work. After finding the enumeration values for all the possible base permissions, I'm able to take the Mask integer and convert it into its base permissions.

    Using the UserGroup Web service, I can retrieve the list of roles and their base permissions, which I can convert into the integer mask value. By comparing the mask values I can find out what role a user has.

    This solution works only if a user's or group's permission consists of one role. For more than one role you could permute the different role combinations and compare the mask value, but there are roles which have just a subset of the base permissions of other roles, which can cause false positives (e.g. Reader base permissions are a subset of Contributor, so the resulting mask is exactly the same as Contributor).

    I can post some code samples if requested.

    Note: to be able to get all the information needed, you must connect with a user which has administrative rights.

    Here is the list of enum values

    EmptyMask 0x0000000000000000 Grant no permissions.
    FullMask 0x7FFFFFFFFFFFFFFF Grant all permissions.
    ViewListItems 0x0000000000000001 Allow viewing of List Items in Lists, Documents in Document Libraries, and Web Discussion comments.
    AddListItems 0x0000000000000002 Allow addition of List Items to Lists, Documents to Document Libraries, and Web Discussion comments.
    EditListItems 0x0000000000000004 Allow editing of List Items in Lists, Documents in Document Libraries, Web Discussion comments, and to customize Web Part Pages in Document Libraries.
    DeleteListItems 0x0000000000000008 Allow deletion of List Items from Lists, Documents from Document Libraries, and Web Discussion comments.
    ApproveItems 0x0000000000000010 Allow approval of minor versions of a List Item or Document.
    OpenItems 0x0000000000000020 Allow viewing the source of Documents with server-side file handlers.
    ViewVersions 0x0000000000000040 Allow viewing of past versions of a List Item or Document.
    DeleteVersions 0x0000000000000080 Allow deletion of past versions of a List Item or Document.
    CancelCheckout 0x0000000000000100 Allow discard or check in of a Document which is checked out to another user.
    ManagePersonalViews 0x0000000000000200 Allow creation, change, and deletion of Personal Views of Lists.
    ManageLists 0x0000000000000800 Allow creation and deletion of Lists, addition or removal of Fields to the schema of a List, and addition or removal of Public Views of a List.
    ViewFormPages 0x0000000000001000 Allow viewing of Forms, Views, and application Pages, and enumerate Lists.
    Open 0x0000000000010000 Allow access to the items contained within a Site, List, or Folder.
    ViewPages 0x0000000000020000 Allow viewing of Pages in a Site.
    AddAndCustomizePages 0x0000000000040000 Allow addition, modification, or deletion of HTML Pages or Web Part Pages, and editing the Site using a Windows SharePoint Services compatible editor.
    ApplyThemeAndBorder 0x0000000000080000 Allow application of a theme or borders to the entire Site.
    ApplyStyleSheets 0x0000000000100000 Allow application of a style sheet (.css file) to the Site.
    ViewUsageData 0x0000000000200000 Allow viewing of reports on Site usage.
    CreateSSCSite 0x0000000000400000 Allow creation of a Site using Self-Service Site Creation, an implementation-specific capability of Windows SharePoint Services.
    ManageSubwebs 0x0000000000800000 Allow creation of Subsites within the Site or Site Collection.
    CreateGroups 0x0000000001000000 Allow creation of a group of Users that can be used anywhere within the Site Collection.
    ManagePermissions 0x0000000002000000 Allow creation and modification of permission levels on the Site and assigning permissions to Users and Site Groups.
    BrowseDirectories 0x0000000004000000 Allow enumeration of Documents and Folders in a Site using [MS-FPSE] and WebDAV interfaces.
    BrowseUserInfo 0x0000000008000000 Allow viewing the information about all users of the Site.
    AddDelPrivateWebParts 0x0000000010000000 Allow addition or removal of personal Web Parts on a Web Part Page.
    UpdatePersonalWebParts 0x0000000020000000 Allow updating of Web Parts to display personalized information.
    ManageWeb 0x0000000040000000 Allow all administration tasks for the Site as well as manage content.
    UseClientIntegration 0x0000001000000000 Allow use of features that launch client applications; otherwise, Users must work on Documents on their local machines and upload changes to the WFE.
    UseRemoteAPIs 0x0000002000000000 Allow use of SOAP, WebDAV, or [MS-FPSE] to access the Site.
    ManageAlerts 0x0000004000000000 Allow management of alerts for all Users of the Site.
    CreateAlerts 0x0000008000000000 Allow creation of email alerts.
    EditMyUserInfo 0x0000010000000000 Allow a user to change his or her own User information, such as adding a picture.
    EnumeratePermissions 0x4000000000000000 Allow enumeration of permissions on the Site, List, Folder, Document, or List Item.

    Thursday, May 01, 2008 5:14 PM
  • Hi Jamie,
    like I posted on my blog, you can get the permissions by

    SPBasePermissions permissions = (SPBasePermissions) Enum.Parse(typeof(SPBasePermissions), permissionMask.ToString());

    The problem is that this only lists the rights, and not which permission level (Reader...) it means. I have not found a way to do this so far.

    René
    Monday, April 21, 2008 9:05 PM

All replies

  • Hi,

    I actually read your blog before :) Unfortunately it does not solve my problem.

    I'm running this from a remote machine (XP); the only way I can get your snippet to run is from a Windows 2003 server that has SharePoint installed. I need to be able to do this purely through SharePoint's Web Services.

    Tuesday, April 22, 2008 11:36 AM
  • Does anyone have a solid solution, or is it impossible to get this working?
    Thursday, September 04, 2008 7:06 AM
  • Hi,
    did you find any solution to get mask names (like Full Control, Read, Limited Access) using the web service?
    <Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />


    Thanks
    ravi
    Friday, March 27, 2009 12:30 AM
  • Jamie Redman said:

    Note: to be able to get all the information needed, you must connect with a user which has administrative rights.

    A slight correction:
    As far as I know, you need to have full control over the queried object, while you may have limited rights on parent objects.
    Friday, March 27, 2009 10:32 AM
  • magham_ravi said:

    Did you find any solution to get mask names (like Full Control, Read, Limited Access) using the web service?
    <Permission MemberID="6" Mask="134287360" MemberIsUser="False" MemberGlobal="True" GroupName="Style Resource Readers" />

    Aren't these "mask names" actually the names of the roles defined on the site collection? I'm not sure, but I suppose so and have seen some evidence.

    If so, you need to get role definitions from the site collection and get their masks, then determine which masks are combined to give the mask a group or a user has. Unfortunately, this is likely to require you to have full control over the root web or even to be the site collection administrator. If you don't have such permissions, consider not determining the role names, but determining the set of base permissions from the permission mask.
    • Proposed as answer by Azhdar Wednesday, July 29, 2009 10:13 AM
    Friday, March 27, 2009 10:38 AM
  • Hi,

    my solution (only for the rights):
     
    // Bit position -> base permission name; the trailing comment is the decimal value of that bit.
    System.Collections.Generic.Dictionary<int, string> DicoRights = new System.Collections.Generic.Dictionary<int, string>();
    DicoRights.Add(0, " ViewListItems");             //                 1
    DicoRights.Add(1, " AddListItems");              //                 2
    DicoRights.Add(2, " EditListItems");             //                 4
    DicoRights.Add(3, " DeleteListItems");           //                 8
    DicoRights.Add(4, " ApproveItems");              //                16
    DicoRights.Add(5, " OpenItems");                 //                32
    DicoRights.Add(6, " ViewVersions");              //                64
    DicoRights.Add(7, " DeleteVersions");            //               128
    DicoRights.Add(8, " CancelCheckout");            //               256
    DicoRights.Add(9, " ManagePersonalViews");       //               512
    DicoRights.Add(11, " ManageLists");              //             2 048
    DicoRights.Add(12, " ViewFormPages");            //             4 096
    DicoRights.Add(16, " Open");                     //            65 536
    DicoRights.Add(17, " ViewPages");                //           131 072
    DicoRights.Add(18, " AddAndCustomizePages");     //           262 144
    DicoRights.Add(19, " ApplyThemeAndBorder");      //           524 288
    DicoRights.Add(20, " ApplyStyleSheets");         //         1 048 576
    DicoRights.Add(21, " ViewUsageData");            //         2 097 152
    DicoRights.Add(22, " CreateSSCSite");            //         4 194 304
    DicoRights.Add(23, " ManageSubwebs");            //         8 388 608
    DicoRights.Add(24, " CreateGroups");             //        16 777 216
    DicoRights.Add(25, " ManagePermissions");        //        33 554 432
    DicoRights.Add(26, " BrowseDirectories");        //        67 108 864
    DicoRights.Add(27, " BrowseUserInfo");           //       134 217 728
    DicoRights.Add(28, " AddDelPrivateWebParts");    //       268 435 456
    DicoRights.Add(29, " UpdatePersonalWebParts");   //       536 870 912
    DicoRights.Add(30, " ManageWeb");                //     1 073 741 824
    DicoRights.Add(36, " UseClientIntegration");     //    68 719 476 736
    DicoRights.Add(37, " UseRemoteAPIs");            //   137 438 953 472
    DicoRights.Add(38, " ManageAlerts");             //   274 877 906 944
    DicoRights.Add(39, " CreateAlerts");             //   549 755 813 888
    DicoRights.Add(40, " EditMyUserInfo");           // 1 099 511 627 776

    // The table goes up to bit 40, so read the mask as a 64-bit value;
    // Convert.ToInt32 throws OverflowException for masks above Int32.MaxValue.
    long mask = Convert.ToInt64(row[column]);
    string UserRights = null;
    foreach (System.Collections.Generic.KeyValuePair<int, string> kvp in DicoRights)
    {
        // Test the bit directly instead of indexing into a binary string
        // (which needed a try/catch for positions beyond the string length).
        if ((mask & (1L << kvp.Key)) != 0) UserRights += kvp.Value;
    }
    

    Wednesday, July 29, 2009 10:22 AM
  • The following code might help to get the appropriate Role.
    
    //<Permission MemberID="1" Mask="138612833" MemberIsUser="True" MemberGlobal="False" UserLogin="laptop\administrator" />
    var mask = ulong.Parse("138612833");
    bool OpenItems = false;
    SPBasePermissions permissions = (SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), mask.ToString(), true);
    if ((permissions & SPBasePermissions.OpenItems) == SPBasePermissions.OpenItems)
      OpenItems = true;
    
     [Flags()]
      public enum SPBasePermissions : ulong
      {
        AddAndCustomizePages = 0x40000L,
        AddDelPrivateWebParts = 0x10000000L,
        AddListItems = 2L,
        ApplyStyleSheets = 0x100000L,
        ApplyThemeAndBorder = 0x80000L,
        ApproveItems = 0x10L,
        BrowseDirectories = 0x4000000L,
        BrowseUserInfo = 0x8000000L,
        CancelCheckout = 0x100L,
        CreateAlerts = 0x8000000000L,
        CreateGroups = 0x1000000L,
        CreateSSCSite = 0x400000L,
        DeleteListItems = 8L,
        DeleteVersions = 0x80L,
        EditListItems = 4L,
        EditMyUserInfo = 0x10000000000L,
        EmptyMask = 0L,
        EnumeratePermissions = 0x4000000000000000L,
        FullMask = 0x7fffffffffffffffL,
        ManageAlerts = 0x4000000000L,
        ManageLists = 0x800L,
        ManagePermissions = 0x2000000L,
        ManagePersonalViews = 0x200L,
        ManageSubwebs = 0x800000L,
        ManageWeb = 0x40000000L,
        Open = 0x10000L,
        OpenItems = 0x20L,
        UpdatePersonalWebParts = 0x20000000L,
        UseClientIntegration = 0x1000000000L,
        UseRemoteAPIs = 0x2000000000L,
        ViewFormPages = 0x1000L,
        ViewListItems = 1L,
        ViewPages = 0x20000L,
        ViewUsageData = 0x200000L,
        ViewVersions = 0x40L
      }
    
    • Proposed as answer by Balaji_Milo Tuesday, July 13, 2010 9:06 AM
    Tuesday, July 13, 2010 9:06 AM
  • Hi Jamie,

    You posted "Using the UserGroup Web service, I can retrieve the list of Roles and their base permissions, which I can convert into the integer mask value. Comparing the mask values I can find out what role a user has."

    From "GetRolesAndPermissionsForSite" in the UserGroup Web service I get something like this:

    <Role ID="1073741829" Name="Full Control" Description="Has full control." Hidden="False" Type="Administrator"
     BasePermissions="9223372036854775807" xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/" />

    You mean that you can convert BasePermissions into a mask value?

    I would be very grateful for a code sample.

    Chris.

     

    Tuesday, October 05, 2010 1:57 PM
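The matching approach described in the answers above (fetch role definitions with GetRolesAndPermissionsForSite, then compare their BasePermissions with the Mask from GetPermissionCollection), as an added example that is not code from any poster in this thread. The function names parseRoles, decodeMask and explainMask are hypothetical, and the role XML is a constructed sample: the Read and Contribute values are made up, and Limited Access is assumed to equal the Mask shown in the question.

```javascript
// Base permission bits, copied from the enum list posted in this thread.
const BASE = {
  ViewListItems: 0x1n, AddListItems: 0x2n, EditListItems: 0x4n, DeleteListItems: 0x8n,
  ApproveItems: 0x10n, OpenItems: 0x20n, ViewVersions: 0x40n, DeleteVersions: 0x80n,
  CancelCheckout: 0x100n, ManagePersonalViews: 0x200n, ManageLists: 0x800n,
  ViewFormPages: 0x1000n, Open: 0x10000n, ViewPages: 0x20000n,
  AddAndCustomizePages: 0x40000n, ApplyThemeAndBorder: 0x80000n,
  ApplyStyleSheets: 0x100000n, ViewUsageData: 0x200000n, CreateSSCSite: 0x400000n,
  ManageSubwebs: 0x800000n, CreateGroups: 0x1000000n, ManagePermissions: 0x2000000n,
  BrowseDirectories: 0x4000000n, BrowseUserInfo: 0x8000000n,
  AddDelPrivateWebParts: 0x10000000n, UpdatePersonalWebParts: 0x20000000n,
  ManageWeb: 0x40000000n, UseClientIntegration: 0x1000000000n,
  UseRemoteAPIs: 0x2000000000n, ManageAlerts: 0x4000000000n,
  CreateAlerts: 0x8000000000n, EditMyUserInfo: 0x10000000000n,
  EnumeratePermissions: 0x4000000000000000n,
};
const KNOWN_BITS = Object.values(BASE).reduce((a, b) => a | b, 0n);

// Constructed sample shaped like the <Role> elements quoted above.
// Read and Contribute are made-up definitions for illustration only.
const SAMPLE_ROLES_XML = `
<Roles>
  <Role Name="Full Control" BasePermissions="9223372036854775807" />
  <Role Name="Contribute" BasePermissions="200815" />
  <Role Name="Read" BasePermissions="200801" />
  <Role Name="Limited Access" BasePermissions="134287360" />
</Roles>`;

// Pull Name and BasePermissions out of each <Role .../> element.
// BigInt keeps all 64 bits; Number would round values such as 9223372036854775807.
function parseRoles(xml) {
  const roles = [];
  for (const [tag] of xml.matchAll(/<Role\b[^>]*>/g)) {
    const name = /\bName="([^"]*)"/.exec(tag);
    const perms = /\bBasePermissions="(\d+)"/.exec(tag);
    if (name && perms) roles.push({ name: name[1], perms: BigInt(perms[1]) });
  }
  return roles;
}

// Names of the base permissions set in a mask; bits missing from the table are reported as hex.
function decodeMask(mask) {
  const names = Object.keys(BASE).filter((n) => (mask & BASE[n]) !== 0n);
  const unknown = mask & ~KNOWN_BITS;
  if (unknown !== 0n) names.push('0x' + unknown.toString(16));
  return names;
}

// Classify roles against a mask:
//   required  - contributes a bit that no other fitting role supplies
//   possible  - fits inside the mask but is redundant, so it cannot be confirmed
//               (the Reader-inside-Contributor case from the answer)
//   uncovered - mask bits no listed role explains; if non-empty, the role list is incomplete
function explainMask(maskText, roles) {
  const mask = BigInt(maskText);
  const union = (list) => list.reduce((acc, r) => acc | r.perms, 0n);
  const fits = roles.filter((r) => r.perms !== 0n && (r.perms & mask) === r.perms);
  const all = union(fits);
  const required = [];
  const possible = [];
  for (const r of fits) {
    const others = union(fits.filter((o) => o !== r));
    (others === all ? possible : required).push(r.name);
  }
  return { required, possible, uncovered: decodeMask(mask & ~all) };
}

const roles = parseRoles(SAMPLE_ROLES_XML);
console.log(explainMask('134287360', roles)); // mask from the question
console.log(explainMask('200815', roles));    // Contribute, with Read unconfirmable
```

A role listed under possible is consistent with the mask but cannot be proven from the mask alone, so an access review should treat it as unknown rather than as granted or absent.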
  • I made this JavaScript sample thanks to @zanlok's answer on Stack Overflow.

    I used jQuery, SPServices (http://spservices.codeplex.com/) and this link for the mask codes: http://msdn.microsoft.com/en-us/library/dd304243%28PROT.13%29.aspx I hope this helps you. I did this because I needed it too; however, it may also help others.

    You need to replace the divid with the value of the control in which you want to place the HTML, and the LIST NAME HERE with the name of the list.

    The script will spit out everyone that has access to a list, and say if they can read, add, change and delete things. Hope this helps you.

    I think this looks easy enough to edit and add more permissions if you like!

     Moderator Note: Do NOT propose your own posts. The "Propose as Answer" function is to propose the good answers of other people.

    $('#divid').html('Working...').SPServices({
     operation: "GetPermissionCollection",
     objectName: 'LIST NAME HERE',
     objectType: "List",
     completefunc: function (xData, Status) {
      // Escape server-supplied names before concatenating them into HTML.
      var esc = function (s) { return $('<div>').text(s || "").html(); };
      var out = "<ul>";
      $(xData.responseXML).find("Permission").each(function () {
       if ($(this).attr("MemberIsUser") === "True") {
        out += "<li>User: " + esc($(this).attr("UserLogin")) + "</li>";
       } else {
        out += "<li>Group: " + esc($(this).attr("GroupName")) + "</li>";
       }
       // Masks are 64-bit values; Number bitwise operators truncate to 32 bits,
       // so the comparison is done with BigInt.
       var readmask = 0x0000000000000001n;
       var addmask = 0x0000000000000002n;
       var editmask = 0x0000000000000004n;
       var deletemask = 0x0000000000000008n;
       var mask = BigInt($(this).attr("Mask"));
       out += "<li>Mask: " + mask.toString() + "</li>";
       // Parenthesize the bit test: '>' binds tighter than '&', so the
       // unparenthesized form compared the mask with 0 before applying '&'.
       var canread = (mask & readmask) !== 0n ? "Yes" : "No";
       var canadd = (mask & addmask) !== 0n ? "Yes" : "No";
       var canedit = (mask & editmask) !== 0n ? "Yes" : "No";
       var candelete = (mask & deletemask) !== 0n ? "Yes" : "No";
       out += "<li>Can Read: " + canread + "</li>";
       out += "<li>Can Add: " + canadd + "</li>";
       out += "<li>Can Edit: " + canedit + "</li>";
       out += "<li>Can Delete: " + candelete + "</li>";
      });
      out += "</ul>";
      $('#divid').html(out);
     }
    });
    

     



    Gabriel Guimarães
    Tuesday, February 01, 2011 9:24 PM