Lookup a security Scope via powershell

  • Question

  • So here is my scenario. I need to restore permissions that a user has accidentally deleted.

    When I look in the audit logs, this is my only indication of what was removed:


    <roleid>-1</roleid><principalid>15</principalid><scope>longGUIDlookingnumber</scope><operation>ensure removed</operation>

    In this case, I can translate the following:

    1. <roleid>-1 - this, from other blogs, indicates a permission being removed

       - to grab the real role id, I would have to look where the same principal was added

       - 1073741827 = Contribute

       example below:

    <roleid>1073741827</roleid><principalid>15</principalid><scope>longGUIDlookingnumber</scope><operation>ensure added</operation>

    2. <principalid>15 - translates to a user or group.

    3. <scope>longGUIDlookingnumber - this, from what I understand, is a combination of a permission level and where the permission is applied, but a bit more complicated. This reference explains it better.

    https://technet.microsoft.com/en-gb/library/dn169567.aspx


    Now, I know how to add a permission to a web site using the code below.

    My question is: is there a way to add a permission back using the reference <scope>longGUIDlookingnumber</scope>?

    Or at least translate it, so I know where to add permissions back to a site?



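    # Load the SharePoint cmdlets when running outside the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Grant an existing site group a permission level on the given web
    function AddGroupToSite ($web, $groupName, $permLevel)
    {
        $account = $web.SiteGroups[$groupName]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        $role = $web.RoleDefinitions[$permLevel]
        $assignment.RoleDefinitionBindings.Add($role)
        $web.RoleAssignments.Add($assignment)
    }

    $web = Get-SPWeb "https://DOMAINName/Subsite/Sub-Subsite"
    AddGroupToSite -web $web -groupName "GROUP NAME HERE" -permLevel "READ-OnLY"
    $web.Dispose()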




    pfcjt@hotmail.com


    • Edited by Chilly Moon Monday, February 6, 2017 8:01 PM
    Monday, February 6, 2017 7:58 PM

Answers

  • OK, so with digging into the database itself, I found my answer.

    In the table dbo.perms there are columns called ScopeURL and ScopeID.

    So if I query on the scope id, I can find the base scope URL where the permissions are applied.


    pfcjt@hotmail.com

    Wednesday, February 15, 2017 3:25 PM
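
    The translation described in the question, pairing each "ensure removed" entry with the earlier "ensure added" entry for the same principal and scope to recover the real role id, is shown here as an added example that is not part of the original thread. The function names, sample fragments and scope GUIDs are constructed for illustration; the Scope value it reports is the one the answer looks up in dbo.perms.

```powershell
# Constructed sample EventData fragments, oldest first; the scope GUIDs are made up.
$s1 = '11111111-aaaa-4bbb-8ccc-000000000001'
$s2 = '22222222-aaaa-4bbb-8ccc-000000000002'
$events = @(
    "<roleid>1073741827</roleid><principalid>15</principalid><scope>$s1</scope><operation>ensure added</operation>"
    "<roleid>-1</roleid><principalid>15</principalid><scope>$s1</scope><operation>ensure removed</operation>"
    "<roleid>-1</roleid><principalid>31</principalid><scope>$s2</scope><operation>ensure removed</operation>"
)

# Only the role id named in the question is mapped here.
$roleNames = @{ '1073741827' = 'Contribute' }

function ConvertFrom-AuditFragment ([string]$Fragment) {
    # The fragment has several top-level elements, so wrap it in a root before parsing.
    $x = ([xml]"<e>$Fragment</e>").e
    [pscustomobject]@{
        RoleId = $x.roleid; PrincipalId = $x.principalid
        Scope  = $x.scope;  Operation   = $x.operation
    }
}

function Get-RemovedAssignment ([string[]]$Fragments) {
    $added = @{}   # "principalid|scope" -> role ids seen in 'ensure added' entries
    foreach ($f in $Fragments) {
        $e   = ConvertFrom-AuditFragment $f
        $key = "$($e.PrincipalId)|$($e.Scope)"
        if ($e.Operation -eq 'ensure added') {
            if (-not $added.ContainsKey($key)) { $added[$key] = @() }
            if ($added[$key] -notcontains $e.RoleId) { $added[$key] += $e.RoleId }
        }
        elseif ($e.Operation -eq 'ensure removed') {
            $roles = @()
            if ($added.ContainsKey($key)) { $roles = @($added[$key]) }
            $names = foreach ($r in $roles) {
                if ($roleNames.ContainsKey($r)) { $roleNames[$r] } else { "unknown ($r)" }
            }
            [pscustomobject]@{
                PrincipalId = $e.PrincipalId
                Scope       = $e.Scope
                RoleIds     = $roles -join ','
                RoleNames   = $names -join ','
                Resolved    = ($roles.Count -gt 0)   # false: no earlier add in the log
            }
            $added.Remove($key)
        }
    }
}

Get-RemovedAssignment $events | Format-Table -AutoSize
```

    Rows with Resolved = False are removals whose matching "ensure added" entry falls outside the audit data supplied, so the role id has to come from another source.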
