Generate Report User Permission and Role

  • Question

  • Hello,

    How can I generate a dynamic report for a User Permission / Access Matrix?

    There are almost 15 site collections, 50 Document Libraries and 100 folders.

    The report should be displayed as follows :

    

    Thank You.

    Thursday, March 28, 2019 3:55 AM

All replies

  • Hi, 

    If there are many unique permissions in your lists/libraries, you could check the sample script shared by Adnan Amin.

    https://gallery.technet.microsoft.com/office/SharePoint-Permissions-f42ea9db

    # Credits to Adnan Amin and Salaudeen Rajack for their original ideas
    # This script gets permissions for all users in a web application on all objects (web application > site collection > web > list/library > item) 
    # Note that unlike Salaudeen's original script, this script shows Limited Access permissions.
    # Note that AD groups and users in AD groups are not included
    
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    
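    Function GetUserAccessReport($WebAppURL, $FileUrl)
    {
        # Writes a tab-separated permission report for one web application.
        #
        # $WebAppURL - URL of the web application to scan.
        # $FileUrl   - path of the report file; it is overwritten, then appended to row by row.
        #
        # Rows are written for web application policies, site collection administrators,
        # and every web, list, folder and item that has unique role assignments.
        # SharePoint group members are expanded to one row per user.
        #
        # NOTE(review): the finished file is a full access matrix for the web application.
        # Write it to a location with restricted ACLs and treat it as sensitive data.

        # Returns $Value as text that is safe to place in one report cell.
        Function GetSafeReportField($Value)
        {
            # A tab or line break inside a value would shift or split the columns of the row.
            $Text = "$Value" -replace "[`t`r`n]", " "

            # Titles and names are set by site users. Spreadsheet applications evaluate a cell
            # that starts with = + - or @ as a formula, so such values get a leading apostrophe
            # to force them to be read as text. A legitimate title that starts with one of
            # these characters therefore shows up with the apostrophe in the report.
            if ($Text -match '^[=+\-@]')
            {
                $Text = "'" + $Text
            }
            return $Text
        }

        # Appends one six-column row to the report.
        # $FileUrl is read from the enclosing GetUserAccessReport scope.
        Function WriteReportRow($Url, $Kind, $Title, $PermissionType, $Permissions, $LoginName)
        {
            $Cells = @()
            foreach ($Cell in @($Url, $Kind, $Title, $PermissionType, $Permissions, $LoginName))
            {
                $Cells += GetSafeReportField $Cell
            }
            ($Cells -join "`t") | Out-File $FileUrl -Append
        }

        # Returns the names of the given role bindings, each followed by ";",
        # as a single space-separated string.
        Function GetRoleNames($RoleBindings)
        {
            $Names = @()
            foreach ($Role in $RoleBindings)
            {
                $Names += $Role.Name + ";"
            }
            return "$Names"
        }

        # Writes the rows for every role assignment of one web, list, folder or item.
        Function WriteRoleAssignmentRows($Securable, $Url, $Kind, $Title)
        {
            foreach ($Assignment in $Securable.RoleAssignments)
            {
                $Permissions = GetRoleNames $Assignment.RoleDefinitionBindings

                # Is it a user account?
                if ($Assignment.Member.userlogin)
                {
                    # The column is headed LoginName, so LoginName is written at every level.
                    # The list, folder and item rows previously interpolated the Member object
                    # itself rather than its LoginName.
                    # The trailing space after the permissions keeps these rows laid out as in
                    # earlier reports.
                    WriteReportRow $Url $Kind $Title "Direct Permission" "$Permissions " $Assignment.Member.LoginName
                }
                else
                {
                    # It is a SharePoint group: write one row per member of the group.
                    foreach ($User in $Assignment.Member.Users)
                    {
                        WriteReportRow $Url $Kind $Title "Member of $($Assignment.Member.Name) Group" $Permissions $User.LoginName
                    }
                }
            }
        }

        Write-Host "Generating permission report..."

        # Get all site collections of the web application
        $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

        # Write the header of the tab-separated file (this overwrites an existing report)
        "URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions `tLoginName" | out-file $FileUrl

        # Web application policies.
        # This row used to read $AdminWebApp.URL and $AdminSite.Title, which are not assigned
        # anywhere in this function; the web application's own URL and display name are used.
        $WebApp = Get-SPWebApplication $WebAppURL
        foreach ($Policy in $WebApp.Policies)
        {
            WriteReportRow $WebApp.Url "Web Application" $WebApp.DisplayName "Web Application Policy" (GetRoleNames $Policy.PolicyRoleBindings) $Policy.UserName
        }

        # Loop through all site collections
        foreach ($Site in $SiteCollections)
        {
            try
            {
                # Site collection administrators
                foreach ($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
                {
                    WriteReportRow $Site.RootWeb.Url "Site" $Site.RootWeb.Title "Site Collection Administrator" "Site Collection Administrator" $SiteCollAdmin.LoginName
                }

                # Loop through all webs of the site collection
                foreach ($Web in $Site.AllWebs)
                {
                    try
                    {
                        if ($Web.HasUniqueRoleAssignments -eq $True)
                        {
                            WriteRoleAssignmentRows $Web $Web.Url "Site" $Web.Title
                        }

                        # Lists, folders and items with unique permissions
                        foreach ($List in $Web.lists)
                        {
                            # Hidden lists are left out of the list-level rows only;
                            # their folders and items are still checked below.
                            if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                            {
                                WriteRoleAssignmentRows $List "$($List.ParentWeb.Url)/$($List.RootFolder.Url)" "List" $List.Title
                            }

                            # Folder level permissions
                            foreach ($Folder in $List.folders)
                            {
                                if ($Folder.HasUniqueRoleAssignments -eq $True)
                                {
                                    WriteRoleAssignmentRows $Folder "$($Folder.Web.Url)/$($Folder.Url)" "Folder" $Folder.Title
                                }
                            }

                            # Item level permissions
                            foreach ($Item in $List.items)
                            {
                                if ($Item.HasUniqueRoleAssignments -eq $True)
                                {
                                    # Build the item's URL and name once per item: link to the
                                    # list's display form when it has one, else use the item URL.
                                    $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
                                    if ($ItemDispForm.Url)
                                    {
                                        $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
                                    }
                                    else
                                    {
                                        $ItemUrl = "$($Item.Url)"
                                    }

                                    # Prefer the item's Name and fall back to its Title.
                                    if ($Item.Name)
                                    {
                                        $ItemTitle = $Item.Name
                                    }
                                    else
                                    {
                                        $ItemTitle = $Item.Title
                                    }

                                    WriteRoleAssignmentRows $Item $ItemUrl "Item" $ItemTitle
                                }
                            }
                        }
                    }
                    finally
                    {
                        # Release each web opened through AllWebs as soon as it has been
                        # processed, so a scan of many sites does not keep them all open.
                        $Web.Dispose()
                    }
                }
            }
            finally
            {
                # Release the site collection, also when a row could not be written.
                $Site.Dispose()
            }
        }
    }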
    
    # Run the report for one web application and announce when it has finished.
    # The output file lists who can access what, so point $ReportPath at a folder
    # that only administrators can read.
    $TargetWebApp = "http://mysite"
    $ReportPath = "C:\SharePoint_Permission_Report.csv"
    GetUserAccessReport -WebAppURL $TargetWebApp -FileUrl $ReportPath
    Write-Host "Complete"
    

    Best Regards,

    Lee



    Thursday, March 28, 2019 6:50 AM
  • Hello,

    Thank you for your feedback. However, I want to generate a dynamic report of user permission levels, using either JavaScript or C#. Any ideas?

    Thank You.

    Monday, April 1, 2019 2:29 AM
  • Hi,

    Sample code to get unique permissions for a list.

    https://www.morgantechspace.com/2017/09/get-item-level-permissions-sharepoint-csom.html

    // Report item-level permissions for the "Documents" library.
    // ctx is a client context created outside this snippet.
    List documents = ctx.Web.Lists.GetByTitle("Documents");
    var allItems = documents.GetItems(CamlQuery.CreateAllItemsQuery());

    // One round trip: the default item properties plus HasUniqueRoleAssignments, and for
    // each item its role assignments (member login name, role definition name and description).
    ctx.Load(
        allItems,
        items => items.IncludeWithDefaultProperties(it => it.HasUniqueRoleAssignments),
        items => items.Include(
            it => it.RoleAssignments.Include(
                asg => asg.Member.LoginName,
                asg => asg.RoleDefinitionBindings.Include(
                    def => def.Name,
                    def => def.Description))));
    ctx.ExecuteQuery();

    foreach (var entry in allItems)
    {
        Console.WriteLine("List item: " + entry["FileRef"].ToString());

        // Items without unique role assignments get a single marker line.
        if (!entry.HasUniqueRoleAssignments)
        {
            Console.WriteLine("No unique permission found");
            Console.WriteLine("###############");
            continue;
        }

        foreach (var assignment in entry.RoleAssignments)
        {
            Console.WriteLine("User/Group: " + assignment.Member.LoginName);

            // The "Permissions" line lists the role definition descriptions, not their names.
            List<string> descriptions = new List<string>();
            foreach (var binding in assignment.RoleDefinitionBindings)
            {
                descriptions.Add(binding.Description);
            }

            string joined = string.Join(",", descriptions.ToArray());
            Console.WriteLine("Permissions: " + joined);
            Console.WriteLine("----------------");
        }

        Console.WriteLine("###############");
    }

    Retrieve all lists.

    https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ee538683(v%3Doffice.14)

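    // Print the title and creation date of every list in one site.
    string siteUrl = "http://MyServer/sites/MySiteCollection";

    // ClientContext is disposable; the using block releases it even when the query throws.
    using (ClientContext clientContext = new ClientContext(siteUrl))
    {
        Web oWebsite = clientContext.Web;
        ListCollection collList = oWebsite.Lists;

        // Load only queues the request; nothing is sent to the server until ExecuteQuery().
        clientContext.Load(collList);
        clientContext.ExecuteQuery();

        foreach (SP.List oList in collList)
        {
            Console.WriteLine("Title: {0} Created: {1}", oList.Title, oList.Created.ToString());
        }
    }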

    Best Regards,

    Lee



    Monday, April 1, 2019 3:50 AM
  • Hello,

    Thank you for your feedback. How about generating the report in a visual web part?

    Thank You.

    Tuesday, April 9, 2019 3:29 AM
  • Hi,

    You could try the helper class below to generate the CSV file and download it.

    https://github.com/jitbit/CsvExport

    Best Regards,

    Lee



    Tuesday, April 9, 2019 9:07 AM